Moving to Windows 7 enables organizations to realize great user productivity and IT benefits. In this article, I wanted to share information about the security benefits, and specifically, seven practices and easy to configure policies that can make your desktop environment safer and more controlled.
1. Control your desktop network access. Windows 7 enhances the firewall and provides granular control over inbound and outbound connections based on where the user is: domain (work), private (home), and public, including determining notification levels for the user. A little-known fact is that Windows 7 can have more than one profile active at the same time, one per network connection, so a laptop that is plugged into the corporate LAN while also attached to a public wireless network gets the domain rules on one interface and the public rules on the other. Because users typically connect to both a local network (work or home) and the Internet (public), different rules should apply. Simply type "Windows Firewall with Advanced Security" on your Start menu to see the options. All firewall events can be viewed in the Monitoring node and aggregated through the Windows Event Log.
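The per-profile policy above, as an added example that is not from the original article, driven from an elevated PowerShell prompt through netsh advfirewall, which is the tool Windows 7 ships with (the NetSecurity cmdlets such as New-NetFirewallRule only arrived in Windows 8). The helpdesk port, rule name and the 10.20.0.0/16 management subnet are placeholders.

```powershell
# Added example: per-profile Windows Firewall policy on Windows 7 via netsh advfirewall.
# Run from an elevated prompt. TCP 3389 and 10.20.0.0/16 are placeholder values.

# Baseline for every profile: drop unsolicited inbound traffic, allow outbound.
# 'blockinboundalways' on the public profile also ignores allow rules, so nothing
# listens while the machine sits on hotel or airport Wi-Fi.
netsh advfirewall set domainprofile  state on
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile  state on
netsh advfirewall set domainprofile  firewallpolicy blockinbound,allowoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile  firewallpolicy blockinboundalways,allowoutbound

# Record dropped packets while on public networks, for later review.
netsh advfirewall set publicprofile logging droppedconnections enable
netsh advfirewall set publicprofile logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# An inbound rule that exists only in the domain profile, and only for the management subnet.
# Because profiles are per connection, this rule never applies on an interface that is on a public network.
netsh advfirewall firewall add rule name="Helpdesk RDP (domain only)" dir=in action=allow protocol=TCP localport=3389 profile=domain remoteip=10.20.0.0/16

# Checks: which profiles are active right now (there can be more than one), and that the rule took.
netsh advfirewall monitor show currentprofile
netsh advfirewall firewall show rule name="Helpdesk RDP (domain only)"

# Firewall changes also land in the event log, which is what a central collector picks up.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

The same commands can be dropped into a startup script or pushed through Group Policy; the point of the `monitor show currentprofile` check is to confirm which profile each connection actually landed in before trusting the rule set.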
2. Fine-tune wireless network settings. Another very useful, albeit not new, network setting is specific to wireless networks. You can control the wireless networks that corporate laptops can access, setting the configuration for preferred networks and prohibiting "risky" connections to ad hoc (computer-to-computer) networks in public places, as well as the use of Internet Connection Sharing on your corporate network, which would otherwise let a laptop act as a bridge between a public network and the corporate one.
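The wireless restrictions above, as an added example that is not from the original article, applied locally with netsh wlan from an elevated prompt. The SSID "CorpWiFi" is a placeholder, and the registry value for Internet Connection Sharing is the one behind the "Prohibit use of Internet Connection Sharing on your DNS domain network" policy; verify the name against the ADMX files on your own system.

```powershell
# Added example: restrict a Windows 7 laptop to the corporate SSID and forbid ad hoc networks.
# "CorpWiFi" is a placeholder. Run from an elevated prompt.

# Deny every ad hoc (computer-to-computer) network, with no exceptions.
netsh wlan add filter permission=denyall networktype=adhoc

# Allow only the corporate infrastructure network. The 'denyall' filter for infrastructure
# then hides and blocks every other SSID. For laptops that must also use home networks,
# use permission=block on specific SSIDs instead of denyall.
netsh wlan add filter permission=allow ssid="CorpWiFi" networktype=infrastructure
netsh wlan add filter permission=denyall networktype=infrastructure

# Prohibit Internet Connection Sharing on the domain network (registry side of the Group Policy setting;
# the value name is as used by that policy, so confirm it against your ADMX before deploying).
$nc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
New-Item -Path $nc -Force | Out-Null
New-ItemProperty -Path $nc -Name 'NC_ShowSharedAccessUI' -Value 0 -PropertyType DWord -Force | Out-Null

# Checks: the filters are in place, only the allowed SSID is offered, and the saved profiles are the ones you expect.
netsh wlan show filters
netsh wlan show networks mode=bssid
netsh wlan show profiles

# To back a filter out again (for instance on a test machine):
# netsh wlan delete filter permission=denyall networktype=infrastructure
```

The `show networks` check is the one worth keeping in a build-verification script: if an unexpected SSID is still listed as available, the deny filter did not apply.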
3. Block access to devices. Another good existing policy is the ability to control device installation on desktops. You can set pre-approved devices, by hardware ID or by device setup class, and block everything else. The restriction applies to new installations: a device that was already installed when the policy arrived keeps working, so apply the policy before the desktop reaches the user.
4. Forcing encryption on removable drives is another extremely useful capability that can be implemented in conjunction with the previous policy. Many people know about BitLocker Drive Encryption, which allows you to encrypt the hard drive to protect data in the case of laptop theft or loss. BitLocker To Go (new in Windows 7, in the Enterprise and Ultimate editions) extends that by letting you encrypt removable drives. Plus, you can set a policy that stops data writes to removable drives unless they are first encrypted. A password will be required to access the data, so that users can share data with colleagues and others securely, without worrying about losing the drive. One caveat: a drive that must also be read on Windows XP or Vista has to be formatted FAT, and the BitLocker To Go Reader on those systems gives read-only access.
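Items 3 and 4 together, as an added example that is not from the original article: an allow-list for device installation plus the "no writes to unencrypted removable drives" policy, set through the registry keys that the corresponding Group Policy settings write, then one drive encrypted with manage-bde. The hardware ID, the drive letter E: and the value names are as used by those policies, but treat them as assumptions and verify them against your ADMX files before pushing them out.

```powershell
# Added example: device-installation allow-list and BitLocker To Go write policy on Windows 7.
# Run from an elevated prompt. 'USB\VID_0781&PID_5567' and E: are placeholders.

# --- 1. Find the hardware ID of a device you want to approve (plug it in first) ---
# The policy matches the hardware ID, which is the device ID without its trailing instance segment.
Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.DeviceID -like 'USB\*' } |
    Select-Object Name, @{ n = 'HardwareID'; e = { $_.DeviceID -replace '\\[^\\]+$', '' } }

# --- 2. Device installation restrictions ---
$di = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$di\AllowDeviceIDs" -Force | Out-Null
# Pre-approved devices: one numbered value per hardware or compatible ID.
New-ItemProperty -Path "$di\AllowDeviceIDs" -Name '1' -Value 'USB\VID_0781&PID_5567' -PropertyType String -Force | Out-Null
# "Prevent installation of devices not described by other policy settings": everything else is refused.
New-ItemProperty -Path $di -Name 'DenyUnspecified'   -Value 1 -PropertyType DWord -Force | Out-Null
# Let local administrators override the restriction when they must; omit for a hard block.
New-ItemProperty -Path $di -Name 'AllowAdminInstall' -Value 1 -PropertyType DWord -Force | Out-Null

# --- 3. BitLocker To Go: refuse writes to any removable drive that is not BitLocker-protected ---
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
New-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -PropertyType DWord -Force | Out-Null
# Users may turn BitLocker on for their own removable drives, so the policy above does not simply lock them out.
New-ItemProperty -Path $fve -Name 'RDVConfigureBDE'    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name 'RDVAllowBDE'        -Value 1 -PropertyType DWord -Force | Out-Null

gpupdate /force

# --- 4. Encrypt one removable drive with a password and confirm its state ---
manage-bde -on E: -Password        # prompts for the passphrase; add -RecoveryPassword to escrow a recovery key
manage-bde -status E:              # "Conversion Status" shows progress, "Protection Status" shows whether it is on
```

Until `manage-bde -status` reports protection on, the write-deny policy treats the drive as unprotected, which is exactly the behaviour you want: a half-encrypted stick should not be usable for copying data out.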
5. Standard user is now feasible for most users. Previous versions of Windows offered a limited experience for standard users. In Windows 7, most users can do just fine as standard users. They can still connect to new networks, change display settings and time zones, and even install printers and Internet Explorer plug-ins. Windows 7 users will typically need administrator rights only for installing new applications, aside from legacy applications that “require” administrative rights to operate (and those can be addressed with various compatibility solutions).
6. User Account Control (UAC) is better than you think. Even if a user needs administrator rights, UAC keeps most programs running without administrator privileges (on the account's filtered, standard-user token) and prompts the user for approval when a program requires elevation. The number of prompts has been greatly reduced in Windows 7. Even better, instead of adding the domain user to the local Administrators group, create a second local administrator account and leave the day-to-day account as a standard user. This way Windows prompts for the administrator credentials every time it needs to elevate (for example, when installing an application). A user will be more cautious about typing those credentials than about simply clicking Yes on a consent prompt, which is all that is asked of an account that is already an administrator.
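Items 5 and 6 together, as an added example that is not from the original article: the day-to-day account is demoted to a standard user, a separate local administrator exists only for elevation, and UAC is set to ask standard users for credentials on the secure desktop. "CORP\jdoe" and "LocalAdmin" are placeholder names.

```powershell
# Added example: standard-user desktop with a separate elevation account on Windows 7.
# Run from an elevated prompt. CORP\jdoe and LocalAdmin are placeholders.

# 1. A dedicated local administrator. '*' makes net.exe prompt for the password
#    instead of leaving it in the script or the command history.
net user LocalAdmin * /add /comment:"Elevation-only account" /passwordchg:no
net localgroup Administrators LocalAdmin /add

# 2. The daily account becomes a standard user: take it out of the local Administrators group.
net localgroup Administrators CORP\jdoe /delete

# 3. UAC policy, the registry side of the Local Security Policy settings:
#    EnableLUA                 1 = UAC on (a change to this value needs a reboot)
#    ConsentPromptBehaviorUser 1 = standard users get a credential prompt on the secure desktop
#                              (0 would silently deny elevation; 3 prompts on the normal desktop, which is spoofable)
#    PromptOnSecureDesktop     1 = prompts are shown on the dimmed secure desktop
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA                 -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorUser -Value 1 -Type DWord
Set-ItemProperty -Path $uac -Name PromptOnSecureDesktop     -Value 1 -Type DWord

# 4. Checks, to be run later from the user's own (non-elevated) session.
function Test-Elevated {
    # True only when this process holds an unfiltered administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
Test-Elevated                              # expect False for CORP\jdoe
whoami /groups | findstr /i "Mandatory"    # expect "Medium Mandatory Level", not "High"
net localgroup Administrators              # expect LocalAdmin listed, CORP\jdoe not
```

`Test-Elevated` returning False for a member of Administrators would mean the session is running on the filtered token; for a true standard user it is False because the account is simply not in the group, which is the state this setup aims for.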
7. AppLocker: control the applications users run. Assuming your users (or a subset of them) really need to download and install applications on their own, you should consider limiting what can run with AppLocker (available on Windows 7 Enterprise and Ultimate). AppLocker rules govern execution rather than installation, but they cover Windows Installer packages and scripts as well as executables and DLLs, so an installer from an unapproved vendor never gets to run. The rules are flexible: from allowing specific applications and versions, to any program signed by a known vendor. When rules are based on publishers, the learning curve is rather low, as there is usually a small number of vendors whose software you would want users to install. For the rest, it is better that they contact you. For internal applications (even executables), you can easily create a certificate and sign them with signtool.exe, which is included in the Windows SDK and documented on MSDN. Two caveats: the Application Identity service must be running for rules to take effect, and once any rule exists in a rule collection, everything not explicitly allowed is blocked, so keep the default rules (or equivalents) that allow Windows and Program Files, and roll out in audit-only mode before enforcing.
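An AppLocker rollout in the shape described above, as an added example that is not from the original article: an audit-only baseline, publisher rules learned from one trusted vendor's installed files, a dry run of a download against the effective policy, and signing of an internal tool. "C:\Program Files\Contoso", the certificate name, the download path and the rule GUIDs are placeholders.

```powershell
# Added example: AppLocker on Windows 7 Enterprise, from an elevated PowerShell prompt.
# Audit first, enforce later. Contoso paths, the certificate name and the GUIDs are placeholders.
Import-Module AppLocker
New-Item -Path C:\AppLocker -ItemType Directory -Force | Out-Null

# Nothing is enforced (or even audited) unless the Application Identity service is running.
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 1. Baseline in AuditOnly mode. Once any Exe rule exists, anything not allowed is blocked, so these
#    path rules keep Windows and already-installed programs working and let administrators run anything.
$baseline = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="3f1b8a1e-1a3b-4d4c-9e5a-0d6a2a4d0001" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3f1b8a1e-1a3b-4d4c-9e5a-0d6a2a4d0002" Name="Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3f1b8a1e-1a3b-4d4c-9e5a-0d6a2a4d0003" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$baseline | Out-File C:\AppLocker\baseline.xml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy C:\AppLocker\baseline.xml

# 2. Publisher rules learned from a trusted vendor's installed files: any version of those products,
#    signed by that vendor, is allowed; files without a signature fall back to hash rules.
Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Contoso -Optimize -Xml |
    Out-File C:\AppLocker\contoso.xml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy C:\AppLocker\contoso.xml -Merge

# 3. Dry-run a download against the effective policy before anyone double-clicks it.
Get-AppLockerPolicy -Effective -Xml | Out-File C:\AppLocker\effective.xml -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy C:\AppLocker\effective.xml -Path 'C:\Users\jdoe\Downloads\setup.exe' -User Everyone

# 4. In audit mode, event 8003 lists what would have been blocked. Review these before changing
#    EnforcementMode to "Enabled" in the baseline and re-applying it.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message

# 5. Internal tools: sign them so a single publisher rule covers all of them (makecert and signtool
#    ship with the Windows SDK; distribute the certificate to the desktops so the signature validates).
makecert -r -pe -n "CN=Contoso Internal Code Signing" -eku 1.3.6.1.5.5.7.3.3 -ss My
signtool sign /n "Contoso Internal Code Signing" /v C:\Build\InternalTool.exe
```

`Test-AppLockerPolicy` reports a PolicyDecision per file, which makes it the right place to answer "will this installer run for Everyone" without touching the live policy; the 8003 events are the equivalent answer gathered from real user activity during the audit period.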