Computer/Network Tips & Tricks, ICT latest and Old useful info, Network/Computer Security Tips & Tricks, General Security/Safety Tips
Sunday, April 28, 2013
Seven Ways to Secure Windows 7
Software makers routinely sacrifice some security for the sake of usability, and
Microsoft is no exception. Most of today's client-side threats come from users being tricked into running malicious Trojan horse executables
and naively lowering the default defenses, such as by disabling
UAC (User Account Control), turning off automatic patching, or
deactivating the built-in Windows Firewall.
That's not to say there aren't things you can do to increase the
security of Windows 7 beyond basic defaults. This article covers the
recommendations for any administrator or home user who wants to crank
out a bit more security while still operating a computer that will run
most applications without causing too many problems. These tips won't
result in applications that refuse to run or Web sites that refuse to
Step 1: Enable BitLocker
BitLocker Drive Encryption can be used to encrypt any volume on
your hard drive, including boot, system, and even removable media, such
as USB keys. The rough edges from Vista are gone. You can now
right-click and encrypt any volume from within Windows Explorer. There
are several protection methods, including combinations of the Trusted
Platform Module (TPM) chip, PIN, password, and smart card.
I especially like the new feature that allows removable media, both
NTFS and FAT volumes, to be encrypted. You can encrypt removable drives
one at a time or require that all removable media be encrypted by
default. Encrypted removable media can be decrypted and re-encrypted on
any Windows 7 computer -- not just the one it was originally encrypted
on. Encrypted FAT, exFAT, and FAT32 media can also be shared with
Windows XP and Windows Vista clients, but the encrypted data is
read-only and cannot be re-encrypted.
A word to the wise: Save your BitLocker recovery information
somewhere safe and reliable off the computer. BitLocker is good
encryption and will scramble your data for good if you cannot supply the
recovery password. Most organizations should automatically back up
users' recovery passwords to Active Directory. BitLocker recovery
information is stored in the computer object as an attribute, so make
sure to adjust users' access to those attributes to match your
organization's security policy.
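One way to check the recovery advice above on a single machine, as an added example that is not part of the original article: the script lists each BitLocker volume, flags protected volumes that have no recovery password protector, and prints the manage-bde command that backs each protector up to Active Directory. It assumes an elevated PowerShell prompt, and the AD backup command only succeeds on a domain-joined computer whose policy allows it; the function name is invented for this example.

```powershell
# Added example (not from the article). Run elevated on Windows 7.
# Uses the Win32_EncryptableVolume WMI class; Get-BitLockerRecoveryAudit is a
# name invented for this example.
function Get-BitLockerRecoveryAudit {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
    foreach ($vol in $volumes) {
        # 0 = protection off, 1 = protection on, 2 = unknown (volume locked)
        $status = $vol.GetProtectionStatus().ProtectionStatus
        # Key protector type 3 = numerical (recovery) password
        $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })
        New-Object PSObject -Property @{
            Drive       = $vol.DriveLetter
            Protected   = ($status -eq 1)
            RecoveryIds = $ids
            # Encrypted with nothing to recover from: the case the article warns about
            AtRisk      = ($status -eq 1 -and $ids.Count -eq 0)
        }
    }
}

$report = @(Get-BitLockerRecoveryAudit)
$report | Format-Table Drive, Protected, AtRisk,
    @{n='RecoveryPasswords'; e={ $_.RecoveryIds.Count }} -AutoSize

foreach ($r in $report) {
    if ($r.AtRisk) {
        Write-Warning "$($r.Drive) is protected but has no recovery password protector."
        "  Add one:  manage-bde -protectors -add $($r.Drive) -RecoveryPassword"
    }
    foreach ($id in $r.RecoveryIds) {
        # Only the protector ID is printed; the 48-digit password itself is never shown.
        "  Back up:  manage-bde -protectors -adbackup $($r.Drive) -id $id"
    }
}
```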
Step 2: Raise the UAC slider bar
User Account Control has been significantly improved to be both
less intrusive and smarter at distinguishing between legitimate and
potentially malicious activities in Windows 7. However, depending on
whether you are logged on as administrator or a standard user, some
installs of Windows 7 may have a default UAC security setting that's one
level lower than some experts (including yours truly) recommend.
Standard users have UAC security default to the most secure setting,
while administrator accounts reside a notch below the highest setting,
which is potentially more risky. For best results, shift the User Account Control Settings slider bar into "Always notify."
Microsoft created an easy UAC slider bar to allow administrators and users to adjust their UAC security
level. After installing all the initial software and configuring Windows
7 the way you want it, I recommend raising the UAC slider bar to
"Always notify," the most secure setting. Even in "Always notify" mode,
you'll encounter fewer UAC prompts than you did in Windows Vista.
Note: Although UAC provides a much-needed mechanism to prevent the
misuse of administrator privileges, it can be bypassed. If you need
high security, don't log on with an elevated user account until you need
Step 3: Patch everything
In Windows 7 default settings, the Windows Update service will be
appropriately configured to download and install critical Windows
operating system and Microsoft application files in a timely manner.
Multiple studies have shown that Microsoft software is among the most
patched software in the world. But Windows has nothing built in to help
you keep up with all the non-Microsoft patches. Install software or
enable processes to ensure that all programs are patched -- especially your browser plug-ins.
Malicious hackers are quickly moving to less frequently patched third-party programs to silently exploit the end-user.
Step 4: Install anti-spam and anti-malware software
The biggest threat to client systems is the Trojan horse -- fake
Outlook patch, fake anti-virus scanner, fake codec for that must-see Rihanna sex tape -- that dupes the end-user into downloading and
executing malicious software. Long gone are the days when you could rely
on bad grammar and misspellings to point out the bad stuff. Today, even
the most knowledgeable security people can be fooled. Unless you (or
the end-user you are administrating) can tell the difference between
good and bad software with perfect accuracy, you should install and use
up-to-date anti-spam and anti-malware software.
Step 5: Enable the SmartScreen Filter in Internet Explorer 8
When you first start IE8, one of the startup wizards asks if you
want to enable the SmartScreen Filter, which checks a local database or a
Microsoft site to see if surfed Web sites have been previously marked
as legitimate or malicious. SmartScreen also checks for many predefined
malicious behaviors such as cross-site scripting. SmartScreen results in a slight, just noticeable delay when
enabled. The savviest security users may want to disable this setting,
while most users should make sure it's enabled. If you're already
running IE8, check by selecting SmartScreen Filter from the Safety menu.
Step 6: Take an inventory
Over time, most systems accumulate more and more -- often
unnecessary -- programs that end up exacting a toll on memory resources.
Without an active cleanup of your system, it will become slower, more
prone to crashing, and stocked with additional attack vectors for bad
stuff to exploit.
To fight software creep, periodically inventory the software and
services running on your system, and remove what isn't needed. You can
manually inspect your system or use a utility like Microsoft's Autoruns, a free download. Autoruns will list every program and service
running on your system and allow you to disable what is not needed with a
click of the mouse. My advice is to do your research before disabling
anything you don't recognize, so you don't cause yourself unexplainable
operational issues later on, after you've forgotten what you disabled.
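A scripted version of the periodic inventory, as an added example that is not part of the original article and not a replacement for Autoruns (it covers only installed programs, startup commands, and auto-start services). It saves a baseline on the first run and shows what appeared or disappeared on later runs, and it lists non-Microsoft programs, which are the ones Step 3 says Windows will not patch for you. The function names and the baseline file path are invented for this example.

```powershell
# Added example (not from the article); function names and the CSV path are
# invented here. Read-only apart from writing the baseline file. PowerShell 2.0 compatible.
function Get-InstalledProgram {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{n='Kind';e={'Program'}}, @{n='Name';e={$_.DisplayName}},
                      @{n='Detail';e={"$($_.Publisher) $($_.DisplayVersion)"}}
}

function Get-AutoStartEntry {
    # Run keys and Startup folders
    Get-WmiObject Win32_StartupCommand |
        Select-Object @{n='Kind';e={'Startup'}}, Name, @{n='Detail';e={$_.Command}}
    # Services set to start with Windows
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
        Select-Object @{n='Kind';e={'Service'}}, Name, @{n='Detail';e={$_.PathName}}
}

$baseline = Join-Path $env:USERPROFILE 'inventory-baseline.csv'
$current  = @(@(Get-InstalledProgram) + @(Get-AutoStartEntry) |
              Sort-Object Kind, Name, Detail -Unique)

if (Test-Path $baseline) {
    # '=>' marks entries that appeared since the baseline, '<=' entries that are gone
    Compare-Object (Import-Csv $baseline) $current -Property Kind, Name, Detail |
        Sort-Object SideIndicator, Kind, Name | Format-Table -AutoSize
} else {
    $current | Export-Csv $baseline -NoTypeInformation
    "Baseline with $($current.Count) entries written to $baseline"
}

# Third-party programs: candidates for a separate patching routine
$current | Where-Object { $_.Kind -eq 'Program' -and $_.Detail -notlike 'Microsoft*' } |
    Format-Table Name, Detail -AutoSize
```

After reviewing a difference and deciding it is legitimate, delete the baseline file and run the script again to record the new state.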
Step 7: Back up your data
We've all been using computers for a long time now, and we know
that stuff happens. It's good to have a multiyear computer warranty, but
to minimize the damage when your computer crashes, make sure to back up
your irreplaceable data. Windows 7 includes a reliable backup program
that you can set up at Control Panel > System and Security >
Backup and Restore. Or just search on the keyword "backup" in Help and
Support to learn everything you need to know about Windows backups.
This article covered the items that should be done to make an
already secure Windows 7 system more secure. If your OS and all
applications stay fully patched and you don't get tricked into running
Trojan horse executables, you will have significantly less risk than the
average user. Don't fall into the trap of disabling the Windows 7
defaults (UAC, Internet Explorer's Protected Mode, Windows Firewall, and
so on). Many well-meaning advisers don't have access to the cumulative
customer experiences that Microsoft does.
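The closing advice and the slider setting from Step 2 can both be checked from the registry. The following added example (not part of the original article) maps the UAC values to the slider positions and also reports the Windows Firewall profiles and the automatic-update mode. The function names are invented here, and the registry locations are the standard Windows 7 ones rather than anything the article lists; settings enforced through Group Policy live under separate Policies keys and are not read.

```powershell
# Added example (not from the article). Read-only audit of local settings;
# function names are invented for this example.
function Get-UacSliderLevel {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $p -or $p.EnableLUA -eq 0) { return 'UAC disabled' }
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default (notify when programs make changes)' }
        '5/0'   { 'Default, without dimming the desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom combination ($_)" }
    }
}

function Get-FirewallProfileState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($name in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = (Get-ItemProperty -Path "$base\$name" -ErrorAction SilentlyContinue).EnableFirewall
        New-Object PSObject -Property @{ Profile = $name; Enabled = ($v -eq 1) }
    }
}

function Get-AutoUpdateMode {
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $mode = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).AUOptions
    if ($mode -eq $null) { return 'Not configured' }
    switch ($mode) {
        1       { 'Never check for updates' }
        2       { 'Check, but ask before downloading' }
        3       { 'Download, but ask before installing' }
        4       { 'Install updates automatically' }
        default { "Unknown value ($_)" }
    }
}

"UAC slider  : $(Get-UacSliderLevel)"
"Auto update : $(Get-AutoUpdateMode)"
Get-FirewallProfileState | Format-Table Profile, Enabled -AutoSize
```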