Ten ways to lock down Windows 7 clients

Windows 7 offers several enterprise-level security features that help you effectively lock down Windows 7 clients. Here's a quick Windows 7 security tour.

Windows 7 is a huge improvement over its predecessors, especially if you consider its enhanced security features. From an enterprise perspective, these new security features offer immense potential for the security administrator. Hence I will explain some of these notable Windows 7 security features before discussing best practices to secure Windows 7 machines.

DirectAccess: Typically, most line-of-business applications are now Web-enabled. As a result, users end up using their corporate virtual private network (VPN) to access these applications. The typical issue in such scenarios is that the user has to fire up a VPN, which becomes an interruption.

Windows 7 works in conjunction with Windows Server 2008 R2 to make work outside the office simpler through DirectAccess. This feature works by automatically establishing a bi-directional connection from client computers to the corporate network.

BitLocker: For many users, USB drives are the primary method of data transfer. Over time, these USB drives end up carrying all sorts of data. This is a major security concern.

Windows 7 helps you address such data leakage concerns through its BitLocker To Go security feature. This extension to the BitLocker feature in Windows 7 allows users to encrypt the disk volume of removable storage devices with a password and an optional digital certificate stored on a smart card.
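As an added example (not part of the original article), the following PowerShell script turns on BitLocker To Go for a removable drive using the built-in manage-bde tool: a password protector plus a numerical recovery password, followed by a poll until manage-bde reports the volume as protected. The drive letter, the polling interval and the iteration cap are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the article: enable BitLocker To Go on a removable drive.
# $Drive is an assumed drive letter; manage-bde is Windows' built-in BitLocker CLI.
$Drive = 'E:'

# -pw prompts interactively for the unlock password; -rp adds a 48-digit numerical
# recovery password. Record the recovery password manage-bde prints and escrow it
# (for example in Active Directory or a password vault) before handing out the drive.
manage-bde -on $Drive -pw -rp

# Encryption runs in the background. Poll the status output until it reports
# "Protection On", giving up after about an hour (360 x 10 seconds, an assumed cap).
$tries = 0
do {
    Start-Sleep -Seconds 10
    $status = manage-bde -status $Drive
    $tries++
} until ((($status | Out-String) -match 'Protection Status:\s+Protection On') -or ($tries -ge 360))

# Final status: check "Conversion Status" and "Protection Status" lines by eye.
$status
```

If the loop hits the cap without seeing "Protection On", the drive is still converting or a protector was not applied; the last status block shows which.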

User Account Control: The User Account Control (UAC) feature is designed to improve security on the Windows Vista and Windows 7 platforms. Whenever a user tries to perform an action that requires more escalated privileges, the UAC prompts them for administrative credentials. The user cannot proceed until an administrator authorizes the action. If the user is logged in as an administrator, the UAC will display a nag screen whenever he performs an administrative action.

Now let's have a look at the basic best practices essential to secure Windows 7 clients.

• Always set the Execution Policy to "Restricted" in PowerShell.

• Use network profiles. Prior to the release of Windows Vista, Windows treated all network connections equally. Now you can use the Network and Sharing Center in Windows Vista and Windows 7 to designate each network as a public, private or domain network. Networks are automatically designated as domain networks when the machine uses the network to log on to a domain. It is important to select an appropriate network profile because Windows implements various security features based on the type of network. For example, Vista disables the network mapping feature if you are connected to a public network. The Windows Firewall also contains network profile-specific settings.


• Check UAC (Control Panel > User Accounts > Change User Account Control settings) for "Always Notify" when programs make changes to Windows. Expert users can also use the "Always Notify" option for higher security levels.

• Set backup policies and schedules. Use encryption to avoid data loss or theft. (Note: Don't use encryption until you understand the consequences.)

• Keep your antivirus updated.

• Install and update operating system patches as well as the updates of installed software.

• Implement a strong password policy that uses alphanumeric characters and special characters. Avoid using dictionary words. Change your password every couple of weeks. If possible, use biometric devices instead of alphanumeric passwords to avoid attacks such as password sniffing and shoulder surfing.

• Disable Autorun.

• Scan USB and other removable devices using your antivirus software before use.

• Make sure the phishing filter is turned ON. The phishing filter will help users to distinguish between a legitimate website and a fraudulent website that poses as a popular website. While the phishing filter's website database is not comprehensive, it does include enough legitimate and fraudulent sites to make it useful. Just ensure that you train your users on how to use the phishing filter.
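To turn the checklist above into something a security administrator can verify on a fleet, here is an added example (not from the article) of a PowerShell 2.0-compatible audit script for Windows 7. It checks the execution policy, the UAC level, Autorun, the Windows Firewall per network profile, the current network category, the local password policy, BitLocker To Go status on removable volumes, the IE8 SmartScreen (phishing) filter and antivirus registration with Action Center, and returns one pass/fail object per item. The registry paths and WMI classes are standard Windows locations; the thresholds (minimum password length 8, maximum age 14 days for "every couple of weeks") and the function names are assumptions. Run it from an elevated prompt.

```powershell
# Added example, not from the article: audit a Windows 7 client against the checklist.
# Thresholds and helper names are assumptions; registry/WMI locations are standard.

function New-Result($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Win7Baseline {
    $r = @()

    # 1. PowerShell execution policy should be Restricted.
    $ep = Get-ExecutionPolicy
    $r += New-Result 'PowerShell execution policy' ($ep -eq 'Restricted') "$ep"

    # 2. UAC: EnableLUA=1 with ConsentPromptBehaviorAdmin=2 is the "Always notify" level.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua  = Get-RegValue $sys 'EnableLUA'
    $cpba = Get-RegValue $sys 'ConsentPromptBehaviorAdmin'
    $r += New-Result 'UAC Always notify' (($lua -eq 1) -and ($cpba -eq 2)) "EnableLUA=$lua ConsentPromptBehaviorAdmin=$cpba"

    # 3. Autorun disabled for every drive type (NoDriveTypeAutoRun = 0xFF).
    $nda = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $r += New-Result 'Autorun disabled' ($nda -eq 0xFF) "NoDriveTypeAutoRun=$nda"

    # 4. Windows Firewall enabled on the domain, private (Standard) and public profiles.
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $on = Get-RegValue "$fw\$p" 'EnableFirewall'
        $r += New-Result "Firewall $p" ($on -eq 1) "EnableFirewall=$on"
    }

    # 5. Current network category via the Network List Manager COM API
    #    (0 = public, 1 = private, 2 = domain). A public network is flagged for review.
    $nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B'))
    foreach ($conn in $nlm.GetNetworkConnections()) {
        $net = $conn.GetNetwork()
        $cat = $net.GetCategory()
        $r += New-Result "Network '$($net.GetName())' profile" ($cat -ne 0) (('public', 'private', 'domain')[$cat])
    }

    # 6. Password policy from 'net accounts': min length >= 8 and max age <= 14 days (assumed).
    $acct   = net accounts
    $minLen = [int](($acct | Select-String 'Minimum password length').Line -replace '\D', '')
    $maxAge = [int](($acct | Select-String 'Maximum password age').Line -replace '\D', '')
    $r += New-Result 'Password policy' (($minLen -ge 8) -and ($maxAge -le 14)) "minlen=$minLen maxage=$maxAge"

    # 7. BitLocker To Go: each removable volume (DriveType 2) should report ProtectionStatus = 1.
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID }
    $vols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $vols) {
        if ($removable -contains $v.DriveLetter) {
            $r += New-Result "BitLocker To Go $($v.DriveLetter)" ($v.ProtectionStatus -eq 1) "ProtectionStatus=$($v.ProtectionStatus)"
        }
    }

    # 8. IE8 SmartScreen (phishing) filter for the current user.
    $sf = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' 'EnabledV8'
    $r += New-Result 'SmartScreen filter' ($sf -eq 1) "EnabledV8=$sf"

    # 9. Antivirus registered with Action Center (presence only; update state is vendor-specific).
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    $r += New-Result 'Antivirus registered' ($av -ne $null) (($av | ForEach-Object { $_.displayName }) -join ', ')

    $r | Select-Object Check, Pass, Detail
}

Test-Win7Baseline | Format-Table -AutoSize
```

Because each check returns an object rather than printing text, the same function can feed a logon script, be exported with Export-Csv, or be filtered with `Where-Object { -not $_.Pass }` to list only the items that need attention. The antivirus check only confirms a product is registered; whether its signatures are current has to be read from the vendor's own console or management tool.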

About the author: Santosh Satam is an IT professional with over 18 years of experience. Some of his multi-disciplinary skills include software quality assurance and control, application security, vulnerability management, network security and implementation of mission critical applications including card systems for the banking industry. He is also a featured speaker at ISACA annual conferences.

(As told to Jasmine Desai.)
