Windows 7 Windows 7 security: the complete guide

whoosh

Cooler King
Staff member
Joined
Apr 15, 2009
Messages
47,879
Link Removed

Windows 7 is just over six months old. It has been quickly adopted by PC users at home and in businesses. However, some IT admins are struggling with the platform's new security features. We take a look at the key features and what you need to know.In addition to changes to User Account Control, BitLocker, and other features inherited from Windows Vista, Windows 7 introduces a slew of security capabilities that businesses will want to take advantage of.

Windows 7 improves on Vista with a friendlier UAC mechanism, the ability to encrypt removable media and hard drive volumes, broader support for strong cryptographic ciphers, hassle-free secure remote access, and sophisticated protection against Trojan malware in the form of AppLocker, to name just a few.

In this guide, I'll run through these and other significant security enhancements in Windows 7, and provide my recommendations for configuring and using them.

I'll pay especially close attention to the new AppLocker application-control feature, which may be a Windows shop's most practical and affordable way to combat socially engineered Trojan malware.

New and improved
Windows 7 has literally hundreds of security changes and additions, far too many to cover in one fell swoop.

While this guide focuses on the ones that most organisations will be interested in, keep in mind that plenty of others may deserve your attention.

A few the biggies not discussed here are built-in support for smart cards and biometrics, the ability to force the use of Kerberos in a feature called Restrict NTLM, and support for the new DNSSec standards, which are becoming essential to prevent DNS exploitation attacks.

Also noteworthy is a new feature called Extended Protection for Authentication, which prevents many sophisticated man-in-the-middle attacks that can strike at some of our most trusted security protocols (such as SSL and TLS).

User Account Control
A Windows Vista feature that users loved to hate, User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7.

However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend.

Standard users have UAC security default to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially riskier.

Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you need high security, users should not log on with an elevated user account until they need it.

Your domain environment should already be at the highest and most secure level (‘Always notify'). If it isn't, make it so.

That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.
 

Solution
Windows 7 Security Enhancements: A Comprehensive Overview Windows 7, being a successor to Windows Vista, has introduced several key security features aimed at enhancing user experience while maintaining robust security protocols. Here’s a detailed look at the significant security capabilities in Windows 7 and recommendations for their configuration: Key Security Features
FeatureDescription
User Account Control (UAC)Now less intrusive and smarter at distinguishing activities. Standard users have a more secure default setting, while administrators are set lower, which can pose risks.
BitLocker[td][td]Allows for encryption of removable media and hard drive volumes, securing...
Windows 7 Security Enhancements: A Comprehensive Overview Windows 7, being a successor to Windows Vista, has introduced several key security features aimed at enhancing user experience while maintaining robust security protocols. Here’s a detailed look at the significant security capabilities in Windows 7 and recommendations for their configuration: Key Security Features
FeatureDescription
User Account Control (UAC)Now less intrusive and smarter at distinguishing activities. Standard users have a more secure default setting, while administrators are set lower, which can pose risks.
BitLocker[td][td]Allows for encryption of removable media and hard drive volumes, securing sensitive data against unauthorized access.
AppLockerProvides application control, helping prevent unauthorized applications from running, thus combating social engineering attacks.
Smart Card & Biometric SupportEnable organizations to utilize smart cards and biometric authentication for enhanced security protocols.
Extended Protection for AuthenticationPrevents man-in-the-middle attacks on secure protocols like SSL and TLS.
DNSSec SupportPrevents DNS exploitation attacks, which have become critical in today's cybersecurity landscape.
User Account Control (UAC) UAC has been greatly refined in Windows 7. While it remains an essential mechanism for preventing the misuse of administrator privileges, it’s advisable to configure it correctly:
  • For Standard Users: The default UAC should remain at the highest security level, prompting users when elevation is needed.
  • For Administrators: While the default is one level lower, it’s important to adjust this setting to ‘Always notify’ in domain environments to avoid security risks.
Also, encourage users to operate on standard accounts to limit potential security breaches. Recommendations for Configuration and Usage
  1. Enable UAC: Always configure UAC to the highest level. This setting requires user password confirmation for high-risk actions, ensuring greater control over administrative operations.
  2. Utilize BitLocker: Encrypt all sensitive data on removable media and drives to prevent unauthorized access, especially for mobile devices that may be lost or stolen.
  3. Implement AppLocker: Set up AppLocker policies to restrict the execution of potentially harmful applications and scripts. This is a key strategy against Trojan malware.
  4. Adopt Smart Cards and Biometrics: If your organization supports these technologies, consider their implementation for user authentication, adding an additional layer of security.
  5. Monitor and Configure DNSSec: Ensure that DNS settings are optimized to prevent attacks, especially if your organization relies heavily on internet connectivity for its operations.
  6. Extended Protection for Authentication: Implement this feature to safeguard your organization’s communications against sophisticated attacks. Conclusion Windows 7’s security features provide a substantial enhancement over its predecessor, making it a valuable platform for businesses seeking to improve their overall security posture. By carefully configuring these features, IT professionals can foster a safer computing environment that addresses contemporary security challenges. For further elaboration on any specific feature or configuration, feel free to ask!
 

Solution
Back
Top