ProperGander

Security for the masses

Securing Windows 7

The basic security principles that apply to Windows XP also apply to Windows 7. However, Windows 7 has a few extra features and security enhancements that Windows XP lacks; these are discussed further down the page. For now, let me reiterate those basic security practices.

  • Install and use anti-virus software and keep it updated.
  • Keep Windows updated with automatic updates.
  • Keep your applications patched and updated.
  • Scan your hard disk regularly with decent anti-spyware software.
  • Use strong passwords for logins: !Lik3bu773R? is a strong password, the name of your pet isn't.
  • Make sure Windows Firewall service runs automatically.
  • Use separate accounts for each family member.

Windows 7 Services

Windows 7 runs a lot of programs (services) in the background automatically without user awareness. Some of these services are essential to the smooth running of Windows 7, some are essential for securing Windows 7, and some are an actual security risk. The following recommendations apply to a home PC; in a corporate or business environment, needs may differ. Windows Update may re-enable some of the services you disable, so check the startup type of each service after every update.

Note: My experience with Windows 7 is so far limited to tinkering with the release candidate, so these recommended service settings should be confirmed on the retail version. I have no intention of using Windows 7 in the foreseeable future considering the amount of information shared with Microsoft should Windows 7 be installed with default settings, and the recommended actions are taken when setting up the OS, Media Center and Internet Explorer. At this moment in time, I see Windows 7 as little more than spyware. This is just my opinion and not necessarily fact. I need to research this a little further, by using Windows 7 for a few days whilst running Wireshark. But again any findings would only relate to the release candidate and may not apply to the retail version.

Services that should run automatically at startup
  • Cryptographic Services.
  • Security Accounts Manager.
  • Windows Event Log.
  • Windows Firewall.
  • Windows Management Instrumentation.
  • Workstation.
  • Security Center, (Delayed Start).
  • Software Protection, (Delayed Start).
  • Windows Defender, (Delayed Start).
Services that are a security risk, or are not needed in a home, standalone environment, and should be disabled
  • Internet Connection Sharing.
  • Media Center Extender Service.
  • Net.Tcp Port Sharing Service.
  • Routing and Remote Access.
  • Application Management.
  • Bluetooth Support Service, you may want to enable this on a laptop.
  • BranchCache.
  • Certificate Propagation.
  • Distributed Link Tracking Client.
  • IP Helper.
  • Microsoft iSCSI Initiator Service.
  • Netlogon, you may want to enable this on a home network.
  • Network Access Protection Agent, may want to enable on a home network.
  • Offline Files.
  • Parental Controls, you may want to enable this if young children use the PC.
  • Remote Procedure Call (RPC) Locator.
  • Remote Registry.
  • Smart Card.
  • Smart Card Removal Policy.
  • SNMP Trap.
  • Storage Service.
  • Windows Connect Now.
  • Windows Media Player Network Sharing Service.
  • Windows Search.
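
Because Windows Update may re-enable disabled services, the check can be scripted. The following PowerShell is an added example, not part of the original page; it treats the names in the two lists above as display names (an assumption, so a prefix match is used as a fallback), and the function name `Test-ServiceStartMode` is hypothetical.

```powershell
# Added example: audit service start modes against the two lists on this page.
# Works on PowerShell 2.0 (Windows 7). Win32_Service reports "Auto" for both
# Automatic and Automatic (Delayed Start), so the two are not distinguished here.
$wantAuto = @(
    'Cryptographic Services', 'Security Accounts Manager', 'Windows Event Log',
    'Windows Firewall', 'Windows Management Instrumentation', 'Workstation',
    'Security Center', 'Software Protection', 'Windows Defender')
# Remove entries you chose to keep enabled (Bluetooth, Netlogon, Parental Controls...).
$wantDisabled = @(
    'Internet Connection Sharing', 'Media Center Extender Service',
    'Net.Tcp Port Sharing Service', 'Routing and Remote Access',
    'Application Management', 'Bluetooth Support Service', 'BranchCache',
    'Certificate Propagation', 'Distributed Link Tracking Client', 'IP Helper',
    'Microsoft iSCSI Initiator Service', 'Netlogon',
    'Network Access Protection Agent', 'Offline Files', 'Parental Controls',
    'Remote Procedure Call (RPC) Locator', 'Remote Registry', 'Smart Card',
    'Smart Card Removal Policy', 'SNMP Trap', 'Storage Service',
    'Windows Connect Now', 'Windows Media Player Network Sharing Service',
    'Windows Search')

function Test-ServiceStartMode {
    param([string[]]$Names, [string]$Expected, $Services)
    foreach ($name in $Names) {
        # Exact display-name match first; fall back to a prefix match because
        # the installed display name may carry a suffix the list omits.
        $hit = @($Services | Where-Object { $_.DisplayName -eq $name })
        if ($hit.Count -eq 0) {
            $hit = @($Services | Where-Object { $_.DisplayName -like "$name*" })
        }
        if ($hit.Count -eq 0) {
            # A service that is not installed is acceptable only on the "disable" list.
            New-Object PSObject -Property @{ Service = $name; Expected = $Expected
                Actual = 'NotFound'; OK = ($Expected -eq 'Disabled') }
            continue
        }
        foreach ($svc in $hit) {
            New-Object PSObject -Property @{ Service = $svc.DisplayName
                Expected = $Expected; Actual = $svc.StartMode
                OK = ($svc.StartMode -eq $Expected) }
        }
    }
}

$all = Get-WmiObject -Class Win32_Service
$report = @(Test-ServiceStartMode $wantAuto 'Auto' $all) +
          @(Test-ServiceStartMode $wantDisabled 'Disabled' $all)
# Show only the services whose start mode differs from the recommendation.
$report | Where-Object { -not $_.OK } | Select-Object Service, Expected, Actual |
    Format-Table -AutoSize
```

An empty table means every listed service matches the recommendation; run it again after each round of updates.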

Windows 7 Firewall

Windows 7 has a much more advanced firewall than that found in XP. The Windows 7 firewall has the added ability to filter outbound traffic via the Advanced Security MMC snap-in. Microsoft has tweaked the firewall and made it much more usable, especially on mobile computers, by adding support for multiple active firewall policies. A pretty comprehensive guide to using the Windows 7 firewall can be found here

Hidden Shares

The hidden or administrative shares in Windows 7 are actually secure by default and steps have to be taken to enable access to them. As the major objective of this website is to secure your computer I will not be providing a guide to enabling these shares here. However, should you wish to enable the administrative shares in Windows 7, a guide can be found here.

BitLocker

BitLocker drive encryption can be used to encrypt any volume on your hard drive, including removable media such as USB keys. You can right-click and encrypt any volume from within Windows Explorer. There are several protection methods, including combinations of the Trusted Platform Module (TPM) chip, PIN, password, and smart card. Encrypted removable media can be decrypted and re-encrypted on any Windows 7 computer, not just the one it was originally encrypted on.

Important: Save your BitLocker recovery information somewhere safe and reliable off the computer. BitLocker is good encryption and you will not be able to decrypt your data if you cannot supply the recovery password.

Increase UAC

User Account Control in Windows 7 has been significantly improved over that which was introduced with Vista. It is both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7. However, the default install of Windows 7 may have a UAC security setting that's one level lower than I recommend. Although standard users have UAC security default to the most secure setting, administrator accounts reside a notch below the highest setting, which is potentially more risky. The UAC slider bar will allow administrators and users to adjust their UAC security level. I recommend raising the UAC slider bar to "Always notify," the most secure setting. Even in "Always notify" mode there will be fewer UAC prompts than there were in Windows Vista. Although UAC has been improved in Windows 7, I still recommend using a non-administrative account for the everyday use of Windows 7.