Securing Windows 7

Windows 7 has been released to the consumer market and small business integrators, administrators and owners should start thinking about their strategy for deployment and how they will go about securing their environment. From our experiences with the beta, release candidate and official release (RTM) versions of Windows 7, I must say we’ve come a long way from the days of using National Security Agency (NSA) templates to harden and secure enterprise computers. Starting with Windows Vista, Microsoft started delivering products that were significantly more secure than previous versions out of the box.

In this fast moving internet age, the biggest threats these days come from malicious trojan executables and user laziness. The trojans you can get tricked into allowing into your computer system; the laziness is what happens when users naively lower their default Operating System defenses like disabling the User Account Control (UAC) in Vista and/or Windows 7, turning off automatic patching and deactivating the built-in firewall. The UAC and firewall, by the way, performs the same functions as applications we spend money on with products like Zone Alarm, Norton, McAfee etc. where you get notified if an application is trying to do something fishy.

There are things we can do to increase the security of our systems beyond the default settings, especially if you are going to beĀ  deploying Windows 7 in a business environment, whether small, medium of enterprise. The ultimate goal is to provide your users with an Operating System that would not hinder their productivity – they should be able to run their applications with minimal intervention and browse their favorite sites without unnecessary call to the help desk about pages not loading.

  • Use BitLocker: The BitLocker drive encryption utility allows the encryption of any volume on a computer’s hard drive, including the boot and systems partitions and removable media like USB jump drives. BitLocker encryption is built into the menu system so you can right-click and encrypt any volume. As with most encryption applications, you have several options in the method of protection from PIN, passwords and smart cards to the Trusted Platform Module (TPM). The cool thing about BitLocker encryption in Windows 7 is that you can configure it to encrypt removable media by default. Be aware however, that while the encrypted data can be decrpyted on any Windows 7 computer, the media can only be accessed in a read-only mode on Windows XP and Vista computers.
  • Patch Patrol: If you have any third party software installed on your client desktops and laptops, you have got to patch them whenever a patch is available. Windows Update does a good enough job about downloading and installing critical patches for Microsoft software, but you are on your own with non-Microsoft applications. For browsers, Firefox and Opera will automatically check to see if there are updates and patch themselves if needed. As Microsoft gets its act together in terms of securing its Operating Systems, unpatched third-party applications are going to be the entry point of malicious programs in end-user exploitations.
  • Use the SmartScreen Filter: Internet Explorer 8 comes with a so-called smart screen filter which checks the web site you are visiting against a Microsoft database of malicious sitesĀ  and behavior such as cross-site scripting.
  • Use Anti-Spam and anti-malware software: Yes it’s Windows 7, but it is still Windows. And with Windows, there is no shortage of malicious applications and programs out there waiting to get you – from fake patches and codes to fake “scanning”, music and videos that try to con the user into downloading and executing dangerous software. There are good and free applications out there like the free Comodo Internet Security.
  • Spring Cleaning: As you use your computer and install and remove applications, download files etc., you accumulate stuff that will eventually bog down your system. It is therefore a good practice to occasionally take stock of what you have on your computer. You can run “msconfig” from the “Run” command to see applications that have latched themselves on to automatically start with Windows and disable what you do not need.
  • Backup, Backup: The greatest security to your data is to back up your stuff. In a corporate environment, this can mean the life of the business. Storage is very affordable these days – a 1TB hard drive sells for less than $100.