The ultimate guide to Windows 7 security

Learn how to put AppLocker, BitLocker to Go, security accounts, and other key Windows 7 security improvements to good use.

By Roger A. Grimes, InfoWorld |  Windows, AppLocker, BitLocker to Go

User Account Control. A Windows Vista feature that users loved to hate, User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7. However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend. Standard users have UAC security default to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially riskier.

Note too that, although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you need high security, users should not log on with an elevated user account until they need it.

Your domain environment should already be at the highest and most secure level ("Always notify"). If it isn't, make it so. That way, users will be prompted to input their passwords to perform high-risk administrative actions. No matter what else, UAC should be enabled.

BitLocker Drive Encryption. In Windows 7, BitLocker Drive Encryption technology is extended from OS drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This new capability is called BitLocker to Go.

In Windows Vista SP1, Microsoft added official support for encrypting fixed data drives, but it could only be done using command-line tools. Now you can encrypt operating system volumes, fixed data drives, and USB flash drives with a simple right-click, via the Windows Explorer GUI. Moreover, you can use smart cards to protect data volumes, and you can set up data recovery agents to automatically back up BitLocker keys. If you're using a Trusted Platform Module (TPM) chip, you can enforce a minimum PIN length; five characters should suffice for most environments.

In Windows 7, there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100MB of space.

With BitLocker to go, you can encrypt removable drives one at a time or require that all removable media be encrypted by default. Further, encrypted removable media can be decrypted and reencrypted on any Windows 7 computers -- not just the one it was originally encrypted on.


Originally published on InfoWorld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness