Although Windows 7 is far more secure than Microsoft's earlier desktop operating systems, it remains vulnerable to malware and other security threats. Fortunately, there are several steps you can take to secure Windows 7 desktops.
Local security policies
The first step is to create a local security policy for your Windows 7 desktops. Remember that a domain Group Policy's computer settings are applied when the machine starts up and reaches a domain controller, and its user settings only when a user logs on with a domain account. A user who logs on with a local account receives no user-level domain policy at all, and a machine that has not yet joined the domain receives none, so the local security policy is the primary defense against anyone who logs on to the machine locally. When a domain user does log on, the local settings are combined with the domain's Group Policy objects to form the effective policy, and where the two conflict the domain setting wins. A sound local security policy therefore also covers accidental omissions in your Group Policy objects.
A local security policy contains the security-related subset of the settings found in an Active Directory-based Group Policy: account policies, audit policy, user rights assignment and security options, among others. You can access the local security policy by opening the Control Panel and clicking on System and Security/Administrative Tools/Local Security Policy. The Local Security Policy interface is shown in Figure A.
Figure A: A local security policy can help to protect desktops when they are not logged into a domain.
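A baseline local policy does not have to be clicked through the console on every machine. The same settings can be applied from a security template with secedit.exe, which is what the Local Security Policy snap-in drives underneath. The script below is an added example, not code from the article: the template values, the SECURITYPOLICY area and the file paths under %TEMP% are this example's own choices, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): apply a minimum local security
# policy to a standalone or not-yet-joined Windows 7 machine with secedit.exe,
# so password and lockout rules hold even when no domain GPO is in effect.
# Run from an elevated PowerShell prompt. Values and paths are this example's choices.

$inf    = Join-Path $env:TEMP 'local-baseline.inf'
$db     = Join-Path $env:TEMP 'local-baseline.sdb'
$log    = Join-Path $env:TEMP 'local-baseline.log'
$backup = Join-Path $env:TEMP 'local-before.inf'

# Security template in the same .inf format that "secedit /export" produces.
# [System Access] maps to Account Policies in the Local Security Policy console.
# Single-quoted here-string so the $CHICAGO$ signature is not interpolated.
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode

# Export the current settings first so the change can be reverted with the
# same /configure command pointed at the backup.
secedit.exe /export /cfg $backup /areas SECURITYPOLICY /quiet

# Apply the template. /areas SECURITYPOLICY limits the change to account and
# local policies; user rights, service ACLs and file ACLs are left untouched.
secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE; see $log" }

# Verify the effective local account policy.
net.exe accounts
```

Because the template is plain text, the same file can be kept in version control and applied to every image before it joins the domain; the Local Security Policy console reflects the new values immediately.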
User Account Control
When Microsoft created Windows Vista, it included a new security mechanism called User Account Control (UAC). Under UAC, even an administrator runs with a standard-user token, and any operation that needs administrative rights triggers a prompt asking the user to approve the elevation. That way, if the change is being attempted by malware, the user has a chance to refuse it before it runs with full rights.
Unfortunately, User Account Control earned a reputation as one of the most annoying Windows features ever shipped, because Vista users could hardly change anything in the operating system's configuration without facing a UAC prompt. Microsoft therefore revised User Account Control in Windows 7.
In Windows 7, Microsoft provides a slide bar, shown in Figure B, that lets administrators tune how aggressively User Account Control behaves, and specifically how many confirmation prompts users receive. Only the top setting (Always notify) prompts for every elevation request; the Windows 7 default stays silent when Windows' own signed components elevate, which is what makes it quieter. Although some may find it annoying, I recommend making User Account Control behave more aggressively. I have recently encountered a couple of situations in which serious malware infections could have been prevented had User Account Control provided notification of the impending infection.
Figure B: User Account Control can be configured with a slide bar.
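The slider writes three registry values, and reading them back is the quickest way to audit a fleet or to confirm that a Group Policy setting has not quietly moved a machine off the level you chose. The script below is an added example, not code from the article; the mapping from values to slider positions is the standard Windows 7 one, and the functions and their names are this example's own.

```powershell
# Added example (not from the original article): read the registry values behind
# the Windows 7 UAC slider, report the level they correspond to, and raise it to
# "Always notify" (Vista-style prompting for every elevation request).
# Writing the values requires an elevated prompt; a change to EnableLUA needs a reboot.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $uacKey
    # A missing value behaves like the Windows 7 default for that setting.
    $enableLua = if ($p.PSObject.Properties['EnableLUA']) { $p.EnableLUA } else { 1 }
    $admin     = if ($p.PSObject.Properties['ConsentPromptBehaviorAdmin']) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($p.PSObject.Properties['PromptOnSecureDesktop']) { $p.PromptOnSecureDesktop } else { 1 }

    $level = 'Custom (set by policy rather than the slider)'
    if ($enableLua -eq 0) { $level = 'Never notify (UAC disabled)' }
    elseif ($admin -eq 2 -and $secure -eq 1) { $level = 'Always notify' }
    elseif ($admin -eq 5 -and $secure -eq 1) { $level = 'Default: notify only when programs try to make changes' }
    elseif ($admin -eq 5 -and $secure -eq 0) { $level = 'Notify only when programs try to make changes (do not dim desktop)' }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
    }
}

function Set-UacAlwaysNotify {
    # The same values the slider writes at its top position. The secure desktop
    # matters: it stops other user-mode programs from drawing over the prompt.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$before = Get-UacLevel
"Before: $($before.Level)"
if ($before.Level -ne 'Always notify') {
    Set-UacAlwaysNotify
    "After:  $((Get-UacLevel).Level)"
    if ($before.EnableLUA -eq 0) { 'UAC was fully disabled; reboot to bring it back.' }
}
```

The same three values are exposed in the Local Security Policy console under Security Options as the "User Account Control:" entries, so a domain can pin the level through Group Policy and this script will then report it as set by policy rather than by the slider.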
Least privilege
When malware runs on a PC, it has exactly the rights of the account it is running under. Although malware occasionally exploits a service account, it far more commonly runs in the context of the logged-on user. Because of this, Microsoft recommends that users run as standard users rather than administrators, with the lowest level of access the job allows. That way, if a malware file is executed, it may not have sufficient rights to do lasting damage.
You can change a local account's type, standard user or administrator, by opening the Control Panel and clicking on User Accounts/User Accounts/Manage User Accounts. The resulting dialog box, shown in Figure C, is where the account's permissions are set.
Figure C: Decreasing a user's permissions is another step in securing Windows 7.
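The Control Panel dialog works for one machine at a time; on more than a handful of desktops you will want to enumerate who actually holds local administrator rights and demote accounts from a script. The following is an added example, not code from the article. It uses the WinNT ADSI provider because Windows 7's PowerShell 2.0 has no Get-LocalGroupMember cmdlet, and the account name passed to Remove-LocalAdmin is a placeholder.

```powershell
# Added example (not from the original article): enumerate the local
# Administrators group on a Windows 7 machine and move one account to the
# standard Users group. Uses the WinNT ADSI provider, which Windows 7's
# PowerShell 2.0 supports. Run elevated. The user name 'jdoe' is a placeholder.

function Get-LocalGroupMembers {
    param([string]$Group)
    $g = [ADSI]"WinNT://./$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        # Members come back as raw COM objects; read their properties by reflection.
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{
            # ADsPath is WinNT://<computer-or-domain>/<name>; show it as DOMAIN\name
            Name  = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class = $class   # User or Group; a nested domain group grants admin to all its members
        }
    }
}

function Remove-LocalAdmin {
    param([string]$User)
    $admins = [ADSI]'WinNT://./Administrators,group'
    $users  = [ADSI]'WinNT://./Users,group'
    $member = "WinNT://$env:COMPUTERNAME/$User,user"

    if (-not $admins.psbase.Invoke('IsMember', $member)) {
        "$User is not a local administrator."
        return
    }
    # Never remove the last administrator; that would leave no way to manage the box.
    $adminCount = @($admins.psbase.Invoke('Members')).Count
    if ($adminCount -le 1) { throw "$User is the only member of Administrators; add another first." }

    # The Users group carries the 'Allow log on locally' right, so keep the account in it.
    if (-not $users.psbase.Invoke('IsMember', $member)) {
        $users.psbase.Invoke('Add', $member)
    }
    $admins.psbase.Invoke('Remove', $member)
    "$User removed from Administrators; the new token applies at next logon."
}

'Current local administrators:'
Get-LocalGroupMembers -Group 'Administrators' | Format-Table Name, Class -AutoSize

# Demote the placeholder account (replace with the real user name).
Remove-LocalAdmin -User 'jdoe'
```

Pay attention to the Class column: a domain group such as Domain Users nested in local Administrators silently makes every domain user an administrator of the machine, which the per-account dialog in Figure C will never show you.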
Antimalware protection
Even though Windows 7 is far more resistant to malware infections than Windows XP, infections can and sometimes do occur. While there is no substitute for a managed, regularly updated antivirus product, Microsoft provides two free antimalware options that give a basic level of protection.
One is Microsoft Security Essentials, a free antivirus and antispyware application licensed for home users and for small businesses with 10 or fewer PCs. You can download Microsoft Security Essentials from the Microsoft website.
The other is Windows Defender. Unlike Microsoft Security Essentials, Windows Defender is built into the operating system and is enabled by default, but in Windows 7 it is only an antispyware scanner, not a full antivirus engine. Installing Microsoft Security Essentials turns Windows Defender off, because Security Essentials covers the same ground; on machines that run no other product, confirm that Windows Defender is enabled and receiving definition updates rather than assuming it. Windows Defender is shown in Figure D.
Figure D: Windows Defender is a built-in antimalware feature.
AppLocker
In Windows XP, Microsoft introduced a feature called Software Restriction Policies, a collection of Group Policy settings designed to prevent users from running unauthorized software on their desktops.
Ultimately, Software Restriction Policies proved to be only minimally effective: the policy settings were complicated and, because the rules were mostly path-based, easy to circumvent by copying a program somewhere else. In Windows 7, Microsoft created a next-generation version of Software Restriction Policies called AppLocker, available in the Enterprise and Ultimate editions.
AppLocker rules are distributed through Group Policy, but Windows 7 offers no central console for inventorying applications or reviewing AppLocker events across many machines, so keeping the rules current in a large organization, or one with highly dynamic desktops, is laborious. AppLocker can, however, help smaller organizations prevent malware infections by blocking unauthorized software on users' desktops. Enforcement depends on the Application Identity service running, and rules should be run in audit-only mode before they are enforced so that nothing a user legitimately needs is cut off. AppLocker is shown in Figure E.
Figure E: AppLocker can prevent unauthorized software from running on users' desktops.
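The AppLocker PowerShell module that ships with Windows 7 can build a rule set from the software already installed on a reference machine, which is far less error-prone than authoring rules by hand in the console. The script below is an added example, not code from the article: the scanned directory, the test path and the choice of audit-only mode are this example's assumptions, and it needs Windows 7 Enterprise or Ultimate and an elevated prompt.

```powershell
# Added example (not from the original article): generate AppLocker rules from
# software installed on a reference Windows 7 machine, apply them locally in
# audit-only mode, dry-run a path against them, and read back the audit events.
# Needs Windows 7 Enterprise or Ultimate and an elevated prompt. The scanned
# directory and the test path are this example's assumptions.

Import-Module AppLocker

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

$policyXml = Join-Path $env:TEMP 'applocker-audit.xml'

# Publisher rules for signed files, hash rules for the rest; -Optimize collapses
# files from the same publisher into one rule. Before enforcing, scan every
# location users must run from (at minimum %WINDIR% as well), otherwise the
# operating system's own binaries are denied by default.
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# New-AppLockerPolicy leaves EnforcementMode="NotConfigured"; switch each rule
# collection to AuditOnly so violations are logged but nothing is blocked yet.
[xml]$doc = Get-Content -Path $policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyXml)

# Apply to this machine's local policy. (In a domain, the same cmdlet's -Ldap
# parameter writes the policy into a GPO, which is how AppLocker scales out.)
Set-AppLockerPolicy -XmlPolicy $policyXml

# Dry-run a file against the policy without executing it. PolicyDecision is
# Allowed, Denied, or DeniedByDefault when no rule matched.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\Public\Downloads\setup.exe' -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# After the audit period, list what would have been blocked: event ID 8003 in
# the AppLocker EXE and DLL log (8004 is the enforced-block event).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
```

The 8003 events are the missing central view the section above describes: forward them to a collector from every audited machine, add rules for whatever legitimate software they reveal, and only then change EnforcementMode to Enabled.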
There will be times when additional steps are needed, but these five techniques go a long way toward securing Windows 7 endpoint deployments.
About the author
Brien M. Posey is a freelance technical writer. He was a CIO at a national chain of hospitals and healthcare facilities, and served as a network administrator for the Department of Defense at Fort Knox.
This was first published in December 2010