If you’re looking for a detailed, definitive guide to hardening Windows 7, you can’t beat this security guide from Microsoft. It’s called the Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2 and you can download it here.

It’s a massive 387 pages long and it includes specific descriptions and recommendations for every Windows 7 security setting. Here’s an example:

Accounts: Guest account status
This policy setting enables or disables the Guest account.

Possible values:

• Enabled
• Disabled
• Not Defined

Vulnerability
The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data.

Countermeasure
Disable the Accounts: Guest account status policy setting so that the built-in Guest account cannot be used.

Potential impact
All network users must be authenticated before they can access shared resources. If you disable the Guest account and the Network Access: Sharing and Security Model option is set to Guest Only, network logons fail, such as those performed by the Microsoft Network Server (SMB Service). This policy setting should have little impact on most organizations because Disabled is the default setting.

If you’re developing your own Windows 7 Hardening Guide or Windows 7 Hardening Standard, use this document as your reference and you won’t go wrong.

If you’re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet here.

This is a description of the hardening guide:

This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.

Here are the chapters:

Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Appendix A: Security Group Policy Settings

Don’t install Vista without it!

First.org has several good examples of Windows hardening guides in their Best Practices Guide Library.

Jay Ward wrote the very comprehensive Windows 2003 / IIS 6.0 DMZ Hardening Guidelines. The hardening guide is has 27 steps and is more than 100 pages long.

Some of the steps include:

• Boot up Windows Server 2003 Standard Edition (Build 3790) CD-ROM to begin installation and configuration.
• Create a partition for the Operating System.
• Network Settings
• Install the latest Patch Releases
• Installing SSH Server for Remote Management
• Media Configuration and Permissions
• Installing the Anti-Virus Engine
• Disabling Protocols and Setting a Fixed IP for the Server.

This hardening guide would be a great resource for anyone developing their data security standards for Windows servers.

Check it out!