In this fast moving internet age, the biggest threats these days come from malicious trojan executables and user laziness. The trojans you can get tricked into allowing into your computer system; the laziness is what happens when users naively lower their default Operating System defenses like disabling the User Account Control (UAC) in Vista and/or Windows 7, turning off automatic patching and deactivating the built-in firewall. The UAC and firewall, by the way, performs the same functions as applications we spend money on with products like Zone Alarm, Norton, McAfee etc. where you get notified if an application is trying to do something fishy.

There are things we can do to increase the security of our systems beyond the default settings, especially if you are going to be  deploying Windows 7 in a business environment, whether small, medium of enterprise. The ultimate goal is to provide your users with an Operating System that would not hinder their productivity – they should be able to run their applications with minimal intervention and browse their favorite sites without unnecessary call to the help desk about pages not loading.

• Use BitLocker: The BitLocker drive encryption utility allows the encryption of any volume on a computer’s hard drive, including the boot and systems partitions and removable media like USB jump drives. BitLocker encryption is built into the menu system so you can right-click and encrypt any volume. As with most encryption applications, you have several options in the method of protection from PIN, passwords and smart cards to the Trusted Platform Module (TPM). The cool thing about BitLocker encryption in Windows 7 is that you can configure it to encrypt removable media by default. Be aware however, that while the encrypted data can be decrpyted on any Windows 7 computer, the media can only be accessed in a read-only mode on Windows XP and Vista computers.
• Patch Patrol: If you have any third party software installed on your client desktops and laptops, you have got to patch them whenever a patch is available. Windows Update does a good enough job about downloading and installing critical patches for Microsoft software, but you are on your own with non-Microsoft applications. For browsers, Firefox and Opera will automatically check to see if there are updates and patch themselves if needed. As Microsoft gets its act together in terms of securing its Operating Systems, unpatched third-party applications are going to be the entry point of malicious programs in end-user exploitations.
• Use the SmartScreen Filter: Internet Explorer 8 comes with a so-called smart screen filter which checks the web site you are visiting against a Microsoft database of malicious sites  and behavior such as cross-site scripting.
• Use Anti-Spam and anti-malware software: Yes it’s Windows 7, but it is still Windows. And with Windows, there is no shortage of malicious applications and programs out there waiting to get you – from fake patches and codes to fake “scanning”, music and videos that try to con the user into downloading and executing dangerous software. There are good and free applications out there like the free Comodo Internet Security.
• Spring Cleaning: As you use your computer and install and remove applications, download files etc., you accumulate stuff that will eventually bog down your system. It is therefore a good practice to occasionally take stock of what you have on your computer. You can run “msconfig” from the “Run” command to see applications that have latched themselves on to automatically start with Windows and disable what you do not need.
• Backup, Backup: The greatest security to your data is to back up your stuff. In a corporate environment, this can mean the life of the business. Storage is very affordable these days – a 1TB hard drive sells for less than $100.

How would you like to see a video of the web sites you visited, emails you sent and received, chats and instant messages, keystrokes typed, documents printed etc? There are tools available now that promise to “detail what an employee is doing every step of the way”. These tools are so advanced and detailed that they can answer questions like:

• Which employees are spending the most time surfing web sites?
• Who is spending time on shopping sites, sports sites or adult sites?
• Which employees chat or use anonymous email services like Hotmail and Gmail?
• Who is sending the most emails with attachments?
• Which employees may be leaking company confidential information via removable media like flash drives, CDs and DVDs?
• Which employees are printing sensitive documents?
• Who is arriving to work late and leaving early? Who takes long lunch breaks?
• What are my employees searching for on Google, Yahoo and MSN?

Now the question is, how does this affect employee morale and sense of privacy? I am not sure I would be comfortable working in an environment that actively monitors my every single move throughout a work day. For those working in a high security position, or in environments that mandate strong security compliance (like the federal government’s requirement for keeping records of transactions and communications), there may some justification for this kind of paranoid Big Brother activity. If the end result, however, is to minimize internet abuse, there are moderate software and hardware solutions that do a decent job of keeping time-wasting web sites of your network. I mean, when is it really necessary to know:

• What web sites are being visited most frequently and who is spending the most time browsing the web? Are these web sites work-related?
• Which employees are engaging in chat or instant messaging? Is it work-related?
• Who is using Hotmail, AOL mail, Gmail or Yahoo mail to communicate sensitive documents?
• What are employees searching for on Google, Yahoo, MSN and AOL?
• Who is sending the most email with attachments and where is it going? What is contained in those attachments? Is the employee authorized to send out this information?
• What are the top programs being run and are any of them non-work-related?
• Which employees are playing games like Solitaire at work? How much time are they spending playing games?
• Who is transferring the most files and what exactly are they sending out and to whom are they sending these files?
• Who is saving confidential information to removable media like flash drives or CDs or DVDs?
• Who is printing company sensitive files?
• Who are the top violators of those keywords that indicate abuse (e.g.: sex, guns, gambling)
• Which employees type the most?  Which type the least?
• Which employees use the most network bandwidth and why?
• Who is arriving at work late and leaving to go home early?
• Who takes the most breaks throughout the day?

Internal espionage in corporate environments is nothing new. Many companies put systems in place to help prevent or uncover data loss by tracking users sending sensitive files as attachments or copying them to removable storage devices such as USB keys, iPods, or CDs. So if you work in a major corporation that can afford killer internal employee monitoring software, you may want to be careful about those “business” emails to your massage therapist.

• Faster backup technology.
• Simplified restoration.
• Simplified recovery of your operating system.
• Ability to recover applications.
• Improved scheduling.
• Offsite removal of backups for disaster protection.
• Remote administration.
• Automatic disk usage management.
• Extensive command-line support.
• Support for optical media drives and removable media.

The part I have a problem with is Microsoft’s claim that “the design makes it especially well-suited for smaller organizations or individuals who are not IT professionals”. No, the old NTBackup was well suited for smaller organizations and everyone else, as a matter of fact, because it provided something we all cherish: CHOICE. With the old software, you had a choice of backup locations. You had a choice of whether you wanted to backup an entire disk or a single file. You had a choice of backing up to tape, external devices, internal drives or network drives. You could even backup up to a floppy drive for crying out loud. It was less expensive.

The new Windows Backup system will be an expensive and even dangerous experience for the small business owner without an IT person on staff. If a non-IT person had to deal with what I just experienced, there are going to be a lot of calls for data recovery because of hosed drives and lost data. The reason is that if you get hypnotized by the “Wizard” and just click through the backup process, you may end up reformatting a non-system drive with critical data. I know this because I tried it. I plugged in an external drive with test data and clicked through the wizard. It reformatted the external drive before creating the backup.

The latest iteration of Windows Backup is another example of the constant argument that Microsoft sometimes has a tendency of wanting to think for the consumer. Having been around this long, we expect more from the software giant. I have a suspicion that backup software vendors had a hand in the creation of this product. With the old software, I had no compelling reason to buy expensive solutions from third party vendors. It just worked. Backup was simple and restoration was the easiest you can imagine: locate your backup file, restore to your preferred location, done.

This latest disappointment came about because I was at a location the other day and we had just finished installing SBS 2008. The client had a Line of Business application with a database of about 100MB so I wanted to set up a nightly schedule to backup that one file. Never happened. It turned out that there was no option to backup single files. I either had to reformat a 1TB external drive to accomplish that goal, or backup the entire disk content totalling about 150GB. All because Microsoft got infatuated with a technology called VDI.