We received a lot of questions surrounding Windows 7 and the recommended things to do and not do when setting up Windows for security, so we wanted to go through a quick primer on a few simple things out of the box that can be done to make sure your Windows installation is as secure as possible. We can divide these up into a few areas of scrutiny.
Software and Policy considerations:
- Installing a good antivirus
- Checking Windows firewall settings
- User Account Control
- Windows updates
- 3rd party software
- Local Policy including Auditing
Account setup and password considerations:
- Administrator account
- Non-administrator account(s)
- Password length
- Password changes
Behavioral and usage considerations:
- Website usage
- BitTorrent and other file sharing cautions
- Browser choice, updates, and security
Area 1 – Software and Policy
Of course, one of the first things we are going to talk about is securing Windows with good antivirus software. One thing I observe time and time again is that many home users will buy a new desktop or laptop computer at their local Best Buy or other retail store, and it comes with an evaluation or time-limited installation of one of the major virus scan packages such as Symantec or McAfee. What gets most home users is that they forget or do not realize their antivirus is no longer in effect after the expiration, or they simply ignore the expiration notice and the nag screens asking for a valid serial number.
Many continue on with normal usage after their installation expires, and that is when malware infections and other woes begin. That is not to say that simply having a virus scan installed is a cure-all that will keep any infection from happening, but it is a good start. NOT having a good virus scan installed is asking for trouble. There are many high quality virus scan products available, including my favorite at the moment, Avast 5, and AVG among others. These free products provide great protection, and arguably sometimes even better protection than the paid versions from the other big players in the industry.
Windows Firewall in Windows 7 is actually pretty good. It does a really good job of keeping the major ports blocked that attackers like to snoop around on and, best of all, it is free! The firewall is baked into Windows and is easy to turn on and off.
Simply type in firewall.cpl at a run or search menu and it will bring up the Windows Firewall Console. In the right hand side of the pane, you will have either Green checks or Red Shields to denote if it is on or off. Windows 7 does a good job also of notifying you if the firewall is turned off, unless you have specifically told it not to notify you.
User Account Control is one of those things that we have a hate/love relationship with. Notice, I put hate before love. It is a drag sometimes to have to click the UAC popup boxes as they come up and prompt us to either allow or disallow an action. However, it is another step towards having and keeping a malware-free machine. Malware writers love it when we log on to our Windows systems as full-on administrators without any type of sudo-style step that forces us to approve certain administrative actions. This is how many get into trouble. UAC adds that approval step, which hopefully keeps malicious code from doing what it is designed to do: install secretly behind the scenes without user intervention or solicitation. To check your UAC settings, launch msconfig from a run or search menu. Select the Tools tab, then click Change UAC Settings and hit the Launch button.
Another problem that many run into is that they are not automatically pulling Windows updates. Microsoft releases new updates the second Tuesday of every month. Oftentimes this includes security updates and fixes for a number of discovered vulnerabilities. To check Windows Update settings, type in wuapp.exe at a run or search menu.
In a home environment it is probably best to allow Windows updates to download and run automatically, as this will make sure your system is kept up to date without having to remember to check for updates and install them manually. However, those who do not want their machines to automatically download and install updates would probably do well to select the option to “Download updates but let me choose whether to install them”. This will download the required files but will let the end user choose when to install them.
In addition to the built-in features contained in Windows itself, there are a lot of really good 3rd party utilities out there that help to keep a system clean and running smoothly. Malwarebytes Anti-Malware is a tremendously good product that not only keeps a system clean, but will also remove some of the more difficult malware infections out there. The paid version acts more proactively to keep your system clean. In a recent post we covered the Secunia PSI utility, which is a great resource for keeping not only Windows up to date, but also all other software on your system including plugins, 3rd party readers, utilities, apps, etc.
An often underutilized tool in securing Windows 7 is using policy along with auditing. Many might think of this as more of an enterprise level tool or only something you would have turned on in a corporate network. However, that is not the case. Policy along with auditing is not hard to “turn on” and it can provide powerful protection and information in keeping a secure system.
To launch your local policy editor, type in gpedit.msc at a run menu or search menu. Under the local policy items you will see entries for both the computer and user that can be configured. The audit policy is found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Various things can be audited, including account logon events, account management, logon events, object access, policy change, privilege use, process tracking, and system events.
After turning on the various aspects of auditing, the entries are made in the Security Event Log which is found in the Windows Event Viewer. To get to the event viewer, type in eventvwr.exe in a run or search menu.
Another entry under the Local Policies section is the Security Options area. There are tons of things that can be restricted here, but a couple that may be interesting or useful are:
- Interactive logon: Do not display last user name
- Interactive logon: Do not require CTRL+ALT+DEL
These are especially useful if your computer is in a more public location and you don’t want someone to be able to see what your user account name is. Also, it is a good idea to force the CTRL+ALT+DEL option to add the extra layer of keystrokes to the login sequence.
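The settings covered in this section can also be read in one pass from PowerShell. The script below is an added example, not part of the original post; it only reads values, assumes Windows 7 with PowerShell 2.0 and English-language auditpol output, and the helper names Get-RegValue and New-Finding are illustrative.

```powershell
# Added example: read-only check of the Area 1 settings (firewall, UAC,
# Windows Update, logon options, audit policy). Changes nothing.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding($Check, $Value, $Ok) {
    if ($Value -eq $null) { $Value = '(not set)' }
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; OK = $Ok }
}

$findings = @()

# Windows Firewall: one EnableFirewall value per profile (StandardProfile = Private).
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $v = Get-RegValue "$fw\$p" 'EnableFirewall'
    $findings += New-Finding "Firewall on: $p" $v ($v -eq 1)
}

# User Account Control: EnableLUA = 1 means UAC is on;
# ConsentPromptBehaviorAdmin = 0 means administrators elevate with no prompt.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-RegValue $sys 'EnableLUA'
$prompt = Get-RegValue $sys 'ConsentPromptBehaviorAdmin'
$findings += New-Finding 'UAC enabled (EnableLUA)' $lua ($lua -eq 1)
$findings += New-Finding 'UAC prompts administrators' $prompt ($prompt -ne 0)

# Windows Update: 3 = download, let me choose when to install; 4 = automatic.
$wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-RegValue $wu 'AUOptions'
$findings += New-Finding 'Windows Update (AUOptions)' $au (3, 4 -contains $au)

# Security Options: the two interactive logon entries.
$last = Get-RegValue $sys 'DontDisplayLastUserName'
$cad = Get-RegValue $sys 'DisableCAD'
$findings += New-Finding 'Do not display last user name' $last ($last -eq 1)
$findings += New-Finding 'CTRL+ALT+DEL required (DisableCAD = 0)' $cad ($cad -eq 0)

# Audit policy: count subcategories with Success and/or Failure auditing on.
$audit = auditpol /get /category:* 2>$null
$on = @($audit | Where-Object { $_ -match '(Success|Failure)\s*$' }).Count
$findings += New-Finding 'Audited subcategories' $on ($on -gt 0)

$findings | Select-Object Check, Value, OK | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; without elevation auditpol returns no policy lines and the audit row shows 0.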
Area 2 – Account Setup and Password Considerations
We cannot stress enough the need for secure accounts when it comes to securing your Windows 7 computer. Many are guilty of using very weak, guessable passwords that provide little if any security at all. A good rule of thumb is to choose passwords based on a phrase and use a letter-for-a-word type of scheme, so that the password is still easy for you to remember but does not make sense in its “password” form. Take a look at our post on how to choose strong passwords.
Also, consider NOT using an administrative account for general computer usage. When you browse the Internet as an administrator, any malicious code that gets executed will have full control over the machine, since the session is running with admin user privileges to files and rights to the system. It is sometimes a headache to do this, as most of us don’t want to take the time to log off and log back in to install software. However, this is by far a much more secure way to keep your computer clean from infections and minimize the risk of having data compromised.
Area 3 – Behavioral and Usage Considerations
You can have an otherwise very secure system, one that is up to date and has great account/password schemes and other security mechanisms in place, but the security is only as good as its weakest link. The human factor is often the most dangerous aspect of security. If we make dangerous decisions browsing the Internet, there is only so much the other security mechanisms can do to keep us safe.
The bottom line is this – be careful which sites you visit and what files you download. It is much like making the decision to walk down a dark alleyway. Maybe something bad will not happen, but you are certainly taking a risk by putting yourself there. Maintain good browsing habits and stay within the realm of reputable websites. Many of the sites known to include malware fall into these categories:
- Free software sites
- BitTorrent sites
- Online game sites
- Porn sites
- Hacked password/serial sites
Many times we could inadvertently be taken to some of the sites mentioned above just by a click on a harmless-looking banner. Browse safely, however, and the likelihood of this happening is drastically reduced.
Take a look at the post on how to avoid malware infection for other information regarding user actions as well as browser updates, etc.
Securing Windows 7 does take some time and effort. However, with the built-in tools that come with Windows 7, other 3rd party utilities, tweaks to the policy, and the information collected through auditing, one can have a system that is relatively safe for browsing the Internet.