Although Windows 7 is far more secure than some of Microsoft's earlier desktop operating systems, Windows 7 remains vulnerable to malware and other security threats. Thankfully, there are several steps you can take in securing Windows 7 desktops.
Local security policies
The first step is to create a local security policy for your Windows 7 desktops. Remember that even if a desktop is a domain member, Group Policy settings residing in Active Directory do not apply until a user logs in to the domain. Local security policy settings are the primary defense mechanism against a user who logs on to the machine locally. When a user does log in to a domain, the local security policy settings are merged with Active Directory-level policy settings to form the effective policy. As such, a local security policy can also help to protect against any accidental omissions in your group policy objects.
A local security policy contains most of the same settings as the Active Directory-based Group Policy settings. You can access the local security policy by opening the Control Panel and clicking on System and Security/Administrative Tools/Local Security Policy. See the Local Security Policy interface shown in Figure A.
Figure A: A local security policy can help to protect desktops when they are not logged into a domain.
User Account Control
When Microsoft created Windows Vista, it included a new security mechanism called User
Account Control (UAC). UAC intercepted changes that were made to the system, and asked the user
for approval. That way, if a change was being made as the result of a malware infection, the user
would have a way of preventing the action.
Unfortunately, as many security pros know, User Account Control went down in history as the single most annoying Windows feature of all time, because Vista users could hardly do anything that affected the operating system's configuration without coming face to face with a UAC prompt. That being the case, Microsoft made some changes to User Account Control in Windows 7.
In Windows 7, Microsoft provides a slide bar, which is shown in Figure B below. This slide bar allows administrators to tune how aggressively User Account Control behaves, and specifically the volume of confirmation prompts users receive. Although some may find it annoying, I recommend making User Account Control behave more aggressively. I have recently encountered a couple of situations in which serious malware infections could have been prevented had User Account Control provided notification of the impending infection.
Figure B: User Account Control can be configured with a slide bar.
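To check where the slide bar is set on a given desktop without opening the dialog, the following added example (not part of the original article) reads the UAC policy values from the registry and maps them to a slider position. The value-to-position mapping and the choice of "Always notify" as the target level are assumptions of this example.

```powershell
# Added example: report the UAC slider position from the registry (read-only).
# Written for PowerShell 2.0, the version that ships with Windows 7.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 means UAC is switched off entirely, whatever the other values say.
    if ($EnableLUA -eq 0) { return 'UAC disabled' }

    # Assumed mapping of (ConsentPromptBehaviorAdmin / PromptOnSecureDesktop)
    # to the four slider positions.
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Default (notify when programs make changes)' }
        '5/0'   { return 'Notify without dimming the desktop' }
        '0/0'   { return 'Never notify' }
        default { return 'Custom (set by policy, not the slider)' }
    }
}

$p = Get-ItemProperty -Path $key
$level = Get-UacSliderLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop

# One object per machine, so the result can be exported or compared across desktops.
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    SliderLevel   = $level
    # Target level is this example's assumption of "more aggressive".
    AtTargetLevel = ($level -eq 'Always notify')
}
```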
User rights
When malware attempts to infect a PC, that malware has the same rights as the account that it is
running under. Although malware may occasionally exploit a service account, it is far more common
for it to run under the same context as the user who is logged in. Because of this, Microsoft
recommends users be given the lowest level of access to the system possible. That way, if a malware
file is executed, it may not have sufficient rights to cause any damage.
The level of access granted to local user accounts can be controlled by opening the Control Panel and clicking on User Accounts/User Accounts/Manage User Accounts. You can control the user account permissions through the resulting dialog box, which is shown in Figure C below.
Figure C: Decreasing a user's permissions is another step in securing Windows 7.
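Reviewing who actually holds administrative rights is the practical side of this advice. The added example below (not from the original article) lists the members of the local Administrators group and flags any that are not on a baseline; the `$Allowed` list and the English group name "Administrators" are assumptions.

```powershell
# Added example: list local Administrators members and flag unexpected ones.
# $Allowed is a hypothetical baseline; replace it with your own.
$Allowed = @('Administrator', 'Domain Admins')

function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)

    # Assumes the English group name; localized builds name the group differently.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    foreach ($m in $group.psbase.Invoke('Members')) {
        # Members come back as COM objects, so properties are read via reflection.
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Name    = $t.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class   = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            ADsPath = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

Get-LocalAdminMember | ForEach-Object {
    # Expected = $false marks an account that should be reviewed and, if it is an
    # everyday user account, moved to the standard Users group.
    $_ | Add-Member NoteProperty Expected ($Allowed -contains $_.Name) -PassThru
} | Select-Object Name, Class, ADsPath, Expected | Format-Table -AutoSize
```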
Malware protection
Even though Windows 7 is far more resistant to malware infections than Windows
XP, malware infections can and sometimes do occur. While there is no substitute for third-party
antivirus software, Microsoft provides a couple of different antimalware features that you can use
to provide a basic level of antimalware protection.
One such feature is Microsoft Security Essentials, which is a free antimalware application designed for home users and small businesses with 10 or fewer users. You can download Microsoft Security Essentials at the Microsoft website.
Microsoft provides another antimalware feature called Windows Defender. This is an option for enterprises with more than 10 users. Unlike Microsoft Security Essentials, Windows Defender is built into the operating system. However, organizations must "turn on" Windows Defender because it is not enabled by default. See Windows Defender in Figure D.
Figure D: Windows Defender is a built-in antimalware feature.
AppLocker
In Windows XP, Microsoft introduced a feature called Software Restriction Policies. Software
Restriction Policies were a collection of Group Policy settings designed to prevent users from
running unauthorized software on their desktops.
Ultimately, Software Restriction Policies proved to be minimally effective. The policy settings were complicated and easy to circumvent. In Windows 7, Microsoft created a next-generation version of Software Restriction Policies, which is called AppLocker.
AppLocker lacks a centralized management console, so it isn't effective in large organizations or in organizations with highly dynamic desktops. However, AppLocker can help smaller organizations prevent malware infections by preventing unauthorized software from running on users' desktops. AppLocker is shown in Figure E.
Figure E: AppLocker can prevent unauthorized software from running on users' desktops.
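Creating rules is not enough on its own: they are enforced only while the Application Identity service is running, and a rule collection set to audit-only logs but does not block. The added example below (not from the original article) checks both and then tests two sample paths against the effective policy; the sample paths are constructed for illustration.

```powershell
# Added example: verify that AppLocker is actually enforcing on this desktop.
Import-Module AppLocker

# Rules are only evaluated while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
"Application Identity service (AppIDSvc): $($svc.Status)"

# Effective policy = local policy merged with any policy delivered by Group Policy.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$policy.AppLockerPolicy.RuleCollection | Where-Object { $_ } | ForEach-Object {
    $rules = @($_.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    New-Object PSObject -Property @{
        Collection      = $_.Type             # Exe, Msi, Script, Dll
        # AuditOnly logs without blocking; NotConfigured with rules present
        # is enforced by default.
        EnforcementMode = $_.EnforcementMode
        RuleCount       = $rules.Count
    }
} | Format-Table Collection, EnforcementMode, RuleCount -AutoSize

# Constructed sample paths: one expected to be allowed, one in a user-writable
# location that a restrictive policy would normally deny.
$samples  = @("$env:SystemRoot\System32\notepad.exe",
              "$env:TEMP\example-download.exe")
$existing = @($samples | Where-Object { Test-Path $_ })

if ($existing.Count -gt 0) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $existing -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
```

An empty table means no rule collections are defined, so nothing is being restricted regardless of the service state.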
Although there will be times when additional steps will be needed in securing Windows 7 desktops, these five security techniques can go a long way toward effectively securing Windows 7 endpoint deployments.
About the author
Brien M. Posey is a freelance technical writer. He was a CIO at a national chain of hospitals
and healthcare facilities, and served as a network administrator for the Department of Defense at
Fort Knox.
This was first published in December 2010
