Top 10 Best Hosting
 |
HostGator Review Hostgator $3.96/mo. 25% Off code: Best25PercentOff |
 |
iPage Review Cheapest Hosting - only $1.99/month Visit iPage |
 |
BlueHost Review Best Personal Hosting - $4.95/mo Visit BlueHost |
 |
A2Hosting Review Best SSD Hosting - $4.97/mo Visit A2Hosting |
 |
GoDaddy Review Best Budget Hosting - $1.99/mo Visit GoDaddy |
 |
Stablehost Review Stablehost Coupons 40% Off code: Best40PercentOff |
 |
Arvixe Review Arvixe hosting - $4/mo Visit Arvixe |
 |
InMotion Hosting Review Best Business Hosting - $5.99/mo Visit InMotion |
 |
Dreamhost Review Dreamhost $75 off code: BEST75USDOFF |
 |
IXWebHosting Review IXWebHosting - $3.95/mo Visit IXWebHosting |
| View All Web Hosting Coupons | |
Installing and Hardening Windows 7
Saturday, April 10, 2010
Windows 7 is secure by design. When deploying it, it is always recommended that you do a fresh install of the operating system on newly purchase (or renovated), compliant hardware and then harden it. System hardening is the process of increasing the level of security on your freshly installed base operating system (OS) by configuring needed security settings, removing unneeded software and adjusting advanced policy settings.
Note:
You need to do a little planning when it comes to the hardware selection for Windows 7, because if you want to use virtualization, Windows Trusted Platform Module (TPM) Management and other features such as BitLocker, you will need to purchase the correct hardware for it to function.
Once your OS is installed correctly and basically configured, the process of hardening can take place. Does it always need to be a new installation of Windows, or can you harden a system already running and in use? Yes, you can technically harden any system that is already installed and being used, but before you do, you should first familiarize yourself with it, analyze it, examine it and of course, audit the current security levels configured and in use. It doesn’t make sense to harden something that was already compromised. You also may not know how the application of security will affect the production system whether at use in the home, or in a corporate environment. Sometimes duplicate systems are set up in order to test which takes time and resources but well worth it to find and avoid problems that may occur with your design and deployment. You may cause more harm than good if you do not know how security settings changes or the templates will affect services on a production system. For example, you may apply security to a system and through strict firewall filtering changes, remove functionality from a program that you have installed and use – it may use a specific port that is now closed off by the firewall which will cause the connectivity to fail. This may cause adverse effects if the application was something used for business and was needed for productivity and may take some time to discover and correct. This is why it’s simply easier to install Windows 7 fresh, and then harden it as it takes place extremely quickly and you can verify that security remains tight until you deploy it. You can also make the process quicker, especially if using a virtual machine (VM) or VHD file] which give you options to have multiple instances of your desktop running for virtual failover or quick restoration and recovery if the redundancy option is not used. Since virtualization simplifies the installation process when creating cloned images for backup purposes, you can restore your desktop easily and within a few minutes. We will cover virtualization again later in the article. If failover is enabled and configured, the desktop user may not even experience an outage at all if virtualized.
You can harden the system, and then access your secure data through shared storage, databases and repositories – and all at high speed, with failover and redundancy options which will not only keep it secure, but separate from the data in which you access. If you plan correctly, you can create an snapshot of a fully prepped, configured, secured and updated version of Windows and in the possibility of disaster, restore your systems image back to your hardware in 1/3 the time it takes to do it without imaging or virtualization cloning. Then, once you restore the base OS, you can reattach to the shared storage to access data.
So, once you install Windows, what are the actual steps taken to harden it? And, is there a specific order to choose from? If there were an organized set of installation and hardening steps, they would be in the basic order of installation, removing anything not used, updating the system, applying basic security to it and then getting it backed up for quick restoration when needed, as seen in the following list :
This list is a simple guide. You can add more steps and extend this list further. This list is not definitive, but a good start in getting an idea of where to start when applying security to Windows 7 after a base installation. If completing a fresh install of Windows 7, then the next step is to remove any unwanted software, services, protocols and programs that you do not want or need running on it. This can be done easily in the Control Panel.
Next, you can go into the Control Panel and secure who is allowed to use the computer in the User Accounts applet. Here, you should remove any account that you do not need, or just disable it. Of course, be careful with the default users and groups, some of which are tied into your services that run, how your data is accessed and so on. You can always disable an account easily as well if concerned about removing it. Another technique used by most security professionals is to leave the local Administrator account in place and audit it for any attempts at using it, or the domain’s administrator account which is even more important to secure and audit. It is common practice to not use the default accounts when managing a large scale Microsoft network of systems and set up new administrator accounts that can be traced if need be. By auditing this default accounts and using a newly made account with administrator privileges associated with it, you increase security two-fold. One, you find out if someone is trying to get into your machine using the default accounts when nobody should be. If audited, you can see the attempts and when they occur. This application of security to an account is known as a honeypot and helpful in finding possible attempts by others trying access your system. Two, you take away half of the equation when someone is attempting to crack your account via basic credentials, such as a username and password combination. If you take away the easy to guess username credentials, then you are only left with a password which can be configured in a way to where it’s nearly impossible to crack. If you set up the default accounts as honeypot, you could create a nearly impossible to crack password and limit it to do next to nothing if compromised so that if it is compromised, there is little to nothing that can be done with it. You should change all the passwords for the default accounts from their currently configured defaults as well. Use password selection best practices when securing these accounts and audit them completely. You should also configure a policy that makes end users looking to change passwords go through a process where they will only be allowed to change it if they select a new password that is strong and not easily hacked. This is just one hardening tip that provides other benefits, such as the ability to find your attacks through logging and auditing.
Tip:
In Windows Server 2008, you can install ‘core’ functionality which is a hardening process applied to the system during actual installation. When installed, the server will only run with the minimal functionality you desire, thus reducing your risk of being subjected to security exploits. Windows 7 can be hardened but does not have an install option like 2008 that simply locks down the system upon installation. To harden Windows 7, you need to apply policies, templates or manually configure the security settings as needed.
So, that being said, how do you start to lock down and secure Windows 7? Well, the easiest way start the process of locking down the system is by using the Start menu to search for anything related to security stored within the system and indexed. To do this, simply click on the Start button to open the Start menu. Then, type the keyword ‘security’ in the Search Programs and Files field. Figure 3 shows the Start menu options based on the ‘Security’ keyword search.
Figure 3: Finding and then Viewing Security Options within the Start Menu
Here, you can see that Programs, Control Panel applets (or actions), Documents and Files are selected and organized for easy viewing and accessibility. In short, Local Security Policy (if selected) is a policy editor that allows you to view and configure the security policies of your system. The Local Security Policy editor can be seen in Figure 4. Here, you can make adjustments to any policy based setting on your operating system.
Figure 4: Viewing and Configuring Security with Local Security Policy
Tip – for full policy control, you should use Windows 7 with Windows Server products, such as Windows Server 2008 R2. If you do, then you can use Active Directory (AD) and Group Policy.
If you wanted to locally set up auditing of a specific event (such as system logon and off), then you can specify that action in the Local Security Policy console (Figure 4). In the Control Panel, you can go to the Administrative Tools applet to find the Local Security Policy editor, or simply search for it in the Start menu. When Windows 7 is used with Active Directory, you can use Group Policy which is a robust service that allows you to customize, manage and deploy settings and preferences as well as to deploy software with ease, but you will need to connect Windows 7 to an active domain and manage it correctly in order to benefit.
If you need to configure policy-based security, this is the easiest way. You can also find many of the tools you need for security configuration in the Control Panel and or in a custom MMC you design and deploy. The Microsoft Security Center (Windows Vista, XP) was used to centralize most security functions in the past. This has been replaced with the Action Center, and security actions are now easily found, viewed and acted upon with your permission. For example, as seen in the Start menu (Figure 3), the ‘Check security status’ action when selected produces a list of security configurations that Windows 7 recommends you act on, such as updating your system, or a program such as antivirus (AV). Once selected, you will be sent to the Action Center to take care of the open issues that need your attention.
Figure 5: Configure Security Actions and Control Panel Applet Options
Tip:
Figure 5 shows the security actions found within the Control Panel that you can act on. If you click the Start menu, type security and click on the Control Panel link, you will be given a list of actions and security configurations that you can customize immediately in one easy to find and access list.
Once in the Action Center (or if viewing lists of actions), you can simply go down the list and configure each one as you see fit. This is a brief overview of the security options that can be configured in the Action Center list:
So, if you need to apply security to Windows 7, the Start menu can serve as a good way to get started in the basic hardening of your system and open the door to the available tools you can use. There are many options here you can use to harden your Windows 7 system, especially within the Control Panel. Using the Start menu is also an easy way to get a security baseline of your system after initial installation. A tip you can try is to set up a baseline after the initial installation and configuration of your system, which would require you to configure all security options, applications, as well as download hot fixes and updates, and then backup the entire system image with System Restore and/or a system imaging utility. Now you have a snapshot of your system in a fresh state in case you need to revert back to it later. You can make a restore point which could be used if the system is compromised, allowing you to again have a basically configured system with basic security applied. We will cover System Restore options in the Disaster Recovery section of this article.
Note:
The Start menu can also help provide information on security related documentation on your system. This is helpful when searching for a document such as a security policy, or a hardening checklist or template.
You can quickly harden Windows by downloading the tools and documentation directly from Microsoft and go down the list of recommendations provided. For example, if you wanted to configure a basic level of security for Windows 7, you could easily download the baseline security template for use, run it and have most of your security settings adjusted for you. Figure 6 shows the Windows 7 Security Baseline Settings template with tabbed spreadsheet (workbook) entries for user account auditing, BitLocker and more. Visit the Reference Links section at the end of the article to gain access to it.
Figure 6: Configuring Baseline Security from Microsoft Templates
Take note of the ‘Security Warning’ option on the top toolbar (ribbon) of Microsoft Office Excel 2007 which prevents you from using the template by disabling the Macro until you attend to Security Warning as seen in Figure 6. Here, Security Macros have been disabled and are required for the application of this template. This is a perfect example of security vs. flexibility. To have flexibility in this instance, you need to turn off or limit the level of security applied in order to achieve it. Manually selecting the option to run, or disabling the protection, run the Macro and then boost the level of security once more to keep security in place will get the template installed.
Now that your system is ready to go and you have basic security features configured, you should now consider how to manage it, as well as monitor for intrusion, malware and for other problems found within the logs.
Note:
You should also note that Windows 7 has an option available called XP-mode, commonly used for resolving application compatibility issues with older XP-based applications. As we have discussed the topic of virtualization earlier, when considering using XP-mode, you are installing Virtual PC on Windows 7 and running an instance of XP on Virtual PC. If you use XP-mode, make sure harden any VMs running on Virtual PC the same way you harden the base OS. This includes AV protection, policy lockdown and Service Pack and software updates to name a few. You can provide a level of security through virtualization, but not completely so you still need to take hardening steps, even if virtualization is used.
A Windows 7 system at home can be locked down and managed easily. You can even configure it securely to be accessed over the Internet from another remote location if left on and active. Windows 7 can be made bullet-proof if you really wanted to harden it to the point complete lockdown. It can still become subject to attack and likely will be if you use the computer on the Internet, as an example. We can plan for this possibility and harden Windows 7 accordingly.
When considering the use of Windows 7, in today’s atmosphere of hack attacks and exploits, security options and flexibility are a top priority when making that decision. Windows 7 is absolutely secure, but it’s not 100%. You have to apply knowledge, other tools and advanced configurations in order to secure all aspects of it and then update and monitor them often. Well worth it if you want to avoid attack. Windows 7 has many security enhancements and can be configured for quick recovery.
As well, basic security principles such as Defense in Depth must be applied in conjunction with other security guidelines and best practices so that not only are you applying security for protection, but multiple layers of it that cover the full architecture and the code that runs it.
We only scratched the surface here, there is so much more to know and learn, but hopefully this articles information shines a light. To learn more, read the material listed in the Reference Links that contain more detailed information as well as free tools, templates and guides. Keep on the lookout for Windows Security Primer parts 2 and 3 coming soon, stay tuned!
Reference Links
Via Windowsecurity
Note:
You need to do a little planning when it comes to the hardware selection for Windows 7, because if you want to use virtualization, Windows Trusted Platform Module (TPM) Management and other features such as BitLocker, you will need to purchase the correct hardware for it to function.
Once your OS is installed correctly and basically configured, the process of hardening can take place. Does it always need to be a new installation of Windows, or can you harden a system already running and in use? Yes, you can technically harden any system that is already installed and being used, but before you do, you should first familiarize yourself with it, analyze it, examine it and of course, audit the current security levels configured and in use. It doesn’t make sense to harden something that was already compromised. You also may not know how the application of security will affect the production system whether at use in the home, or in a corporate environment. Sometimes duplicate systems are set up in order to test which takes time and resources but well worth it to find and avoid problems that may occur with your design and deployment. You may cause more harm than good if you do not know how security settings changes or the templates will affect services on a production system. For example, you may apply security to a system and through strict firewall filtering changes, remove functionality from a program that you have installed and use – it may use a specific port that is now closed off by the firewall which will cause the connectivity to fail. This may cause adverse effects if the application was something used for business and was needed for productivity and may take some time to discover and correct. This is why it’s simply easier to install Windows 7 fresh, and then harden it as it takes place extremely quickly and you can verify that security remains tight until you deploy it. You can also make the process quicker, especially if using a virtual machine (VM) or VHD file] which give you options to have multiple instances of your desktop running for virtual failover or quick restoration and recovery if the redundancy option is not used. Since virtualization simplifies the installation process when creating cloned images for backup purposes, you can restore your desktop easily and within a few minutes. We will cover virtualization again later in the article. If failover is enabled and configured, the desktop user may not even experience an outage at all if virtualized.
You can harden the system, and then access your secure data through shared storage, databases and repositories – and all at high speed, with failover and redundancy options which will not only keep it secure, but separate from the data in which you access. If you plan correctly, you can create an snapshot of a fully prepped, configured, secured and updated version of Windows and in the possibility of disaster, restore your systems image back to your hardware in 1/3 the time it takes to do it without imaging or virtualization cloning. Then, once you restore the base OS, you can reattach to the shared storage to access data.
So, once you install Windows, what are the actual steps taken to harden it? And, is there a specific order to choose from? If there were an organized set of installation and hardening steps, they would be in the basic order of installation, removing anything not used, updating the system, applying basic security to it and then getting it backed up for quick restoration when needed, as seen in the following list :
- Step 1 - Installation of Base OS selecting any options during installation the increases security and not selecting unneeded services, options and programs.
- Step 2 - Installation of any Administrator toolkits, security tools and needed programs.
- Step 3 - Remove services, programs and unneeded software. Disable or remove unused user accounts or groups.
- Step 4 - Service Pack update, hot fixes and service packs. Update all installed programs as well.
- Step 5 - Run security audit (scanner, template, MBSA, etc) to assess current security level
- Step 6 - Run System Restore and create a restore point. Backup and Restoration application for disaster recovery.
- Step 7 - Backup the OS with a way to quickly restore it in the event of disaster.
This list is a simple guide. You can add more steps and extend this list further. This list is not definitive, but a good start in getting an idea of where to start when applying security to Windows 7 after a base installation. If completing a fresh install of Windows 7, then the next step is to remove any unwanted software, services, protocols and programs that you do not want or need running on it. This can be done easily in the Control Panel.
Next, you can go into the Control Panel and secure who is allowed to use the computer in the User Accounts applet. Here, you should remove any account that you do not need, or just disable it. Of course, be careful with the default users and groups, some of which are tied into your services that run, how your data is accessed and so on. You can always disable an account easily as well if concerned about removing it. Another technique used by most security professionals is to leave the local Administrator account in place and audit it for any attempts at using it, or the domain’s administrator account which is even more important to secure and audit. It is common practice to not use the default accounts when managing a large scale Microsoft network of systems and set up new administrator accounts that can be traced if need be. By auditing this default accounts and using a newly made account with administrator privileges associated with it, you increase security two-fold. One, you find out if someone is trying to get into your machine using the default accounts when nobody should be. If audited, you can see the attempts and when they occur. This application of security to an account is known as a honeypot and helpful in finding possible attempts by others trying access your system. Two, you take away half of the equation when someone is attempting to crack your account via basic credentials, such as a username and password combination. If you take away the easy to guess username credentials, then you are only left with a password which can be configured in a way to where it’s nearly impossible to crack. If you set up the default accounts as honeypot, you could create a nearly impossible to crack password and limit it to do next to nothing if compromised so that if it is compromised, there is little to nothing that can be done with it. You should change all the passwords for the default accounts from their currently configured defaults as well. Use password selection best practices when securing these accounts and audit them completely. You should also configure a policy that makes end users looking to change passwords go through a process where they will only be allowed to change it if they select a new password that is strong and not easily hacked. This is just one hardening tip that provides other benefits, such as the ability to find your attacks through logging and auditing.
Tip:
In Windows Server 2008, you can install ‘core’ functionality which is a hardening process applied to the system during actual installation. When installed, the server will only run with the minimal functionality you desire, thus reducing your risk of being subjected to security exploits. Windows 7 can be hardened but does not have an install option like 2008 that simply locks down the system upon installation. To harden Windows 7, you need to apply policies, templates or manually configure the security settings as needed.
So, that being said, how do you start to lock down and secure Windows 7? Well, the easiest way start the process of locking down the system is by using the Start menu to search for anything related to security stored within the system and indexed. To do this, simply click on the Start button to open the Start menu. Then, type the keyword ‘security’ in the Search Programs and Files field. Figure 3 shows the Start menu options based on the ‘Security’ keyword search.
Figure 3: Finding and then Viewing Security Options within the Start Menu
Here, you can see that Programs, Control Panel applets (or actions), Documents and Files are selected and organized for easy viewing and accessibility. In short, Local Security Policy (if selected) is a policy editor that allows you to view and configure the security policies of your system. The Local Security Policy editor can be seen in Figure 4. Here, you can make adjustments to any policy based setting on your operating system.
Figure 4: Viewing and Configuring Security with Local Security Policy
Tip – for full policy control, you should use Windows 7 with Windows Server products, such as Windows Server 2008 R2. If you do, then you can use Active Directory (AD) and Group Policy.
If you wanted to locally set up auditing of a specific event (such as system logon and off), then you can specify that action in the Local Security Policy console (Figure 4). In the Control Panel, you can go to the Administrative Tools applet to find the Local Security Policy editor, or simply search for it in the Start menu. When Windows 7 is used with Active Directory, you can use Group Policy which is a robust service that allows you to customize, manage and deploy settings and preferences as well as to deploy software with ease, but you will need to connect Windows 7 to an active domain and manage it correctly in order to benefit.
If you need to configure policy-based security, this is the easiest way. You can also find many of the tools you need for security configuration in the Control Panel and or in a custom MMC you design and deploy. The Microsoft Security Center (Windows Vista, XP) was used to centralize most security functions in the past. This has been replaced with the Action Center, and security actions are now easily found, viewed and acted upon with your permission. For example, as seen in the Start menu (Figure 3), the ‘Check security status’ action when selected produces a list of security configurations that Windows 7 recommends you act on, such as updating your system, or a program such as antivirus (AV). Once selected, you will be sent to the Action Center to take care of the open issues that need your attention.
Figure 5: Configure Security Actions and Control Panel Applet Options
Tip:
Figure 5 shows the security actions found within the Control Panel that you can act on. If you click the Start menu, type security and click on the Control Panel link, you will be given a list of actions and security configurations that you can customize immediately in one easy to find and access list.
Once in the Action Center (or if viewing lists of actions), you can simply go down the list and configure each one as you see fit. This is a brief overview of the security options that can be configured in the Action Center list:
- Action Center – The Action Center replaces the Security Center. The Action Center is where you can specify actions that the OS can perform. With your permission, the actions can take place. Here you will be told if you are missing an Antivirus update as an example. You can access the center to perform security related operations as needed.
- Internet Options – Web browsing of any kind opens the door to Internet-based risks. If you use a proxy server, utilize Web filtering (and monitoring) and keep your OS updated with the latest hot fixes, you may still wind up in a situation where your security is compromised. Within the Internet Options Control Panel applet, you can specify zones for safety, allow only specific URLs to be accessed, deploy advanced security settings in the Advanced tab and much more. The browser itself has a Phishing filter that will prevent Phishing attacks and other configurable options such as InPrivate Browsing, which when selected will prevent the storage of your personal information, particularly helpful when using a computer at a public Kiosk.
- Windows Firewall – Like any other software or hardware-based firewall, Windows Firewall can deflect basic attacks by default, and be configured granularly for a high level of control over what can enter and exit your computer system when connected to a public or private network. By going to the Control Panel and selecting Windows Firewall, you will have access to most firewall configuration settings. You can click on the Advanced settings link in the dialog box to access the Firewall with Advanced Settings and configuration options. With Windows 7, you can also deploy multiple Firewall Policies simultaneously and use the new Domain designation for easier Windows-based firewall configuration and management.
- Personalization – Personalization options are where you can alter the way Windows looks, but it’s also where you configure a screensaver password if desired. If running Windows 7 in the enterprise, users should be taught to lock their workstations whenever they leave their desk or issued a policy setting that does it automatically after a period of inactivity, however if forgotten about, a screensaver configured to require logging in again can prove helpful. At home, this may be your best line of defense if you walk away from your system and forget to lock it.
- Windows Update – All software releases require some level of patching. You can prepare, test and attempt to develop perfect software but you can not account for everything. Also, new updates and releases also require updates to your operating system over the lifetime of the current OS version. Because there are advancements in the system, requirements needed for other developing technologies, new security vulnerabilities uncovered and driver updates for better performance and functionality required, there will always be a need for Windows Update. Windows (and Microsoft) Update, or enterprise versions of patch management (WSUS, etc.) are used for centralized control and deployment of updates. These tools are used to control, keep track of and monitor your current and future update needs. Configure to have it do it for you automatically, or get in the habit of doing it manually because it’s really important that you do. If you do not patch your OS as recommended (and sometimes required), you may be subject to attack.
- Programs and Features – Other than checking for and seeing what Windows Updates are installed, you should check to see what you have installed on your system often, especially if you work on the Internet and/or download software from Internet-based Web servers. For example, by installing a simple Java update, if you did not read the screens carefully during install, you may have also installed a toolbar on your system which integrates into your Web browser. Now, there is tighter control over this, but regardless, you should still check from time to time to see what is currently installed on your system.
- Windows Defender – Spyware is software that is used primarily for illicit marketing purposes, and does other things such as deliver a direct payload, redirects your browser or sends back information on your actions. Although Antivirus software picks up some of this, Windows Defender (or other Spyware-removal applications) can be counted on to clean up the rest. Cookies, although harmless by nature can sometimes be manipulated for the wrong reasons. Make sure Windows Defender is updated often with new definition files and its needed updates to ensure you are scanning for all of the latest Spyware currently known about. SpyNet is also a community that Microsoft watches over to learn about, talk about and prevent the spreading and damage produced by Spyware.
- User Accounts – Managing user accounts is the core to securing access to your computer as well as everything that runs within it. For example, if you create a new user account and assign it to the Administrators group, you have full access to the computer system. If you configure the account as a standard user, then the permissions granted will be very restrictive and will only allow the user to do specific things. You can also configure a password which when created with a minimum password restriction or policy, enforces the user to create a difficult to crack credential set to thwart basic password cracking attempts. Once Windows Server 2008 and Active Directory is deployed, you can access a domain that when once joined, will allow you to configure granular NT File System (NTFS) permissions to folders and files as well as other shared resources like printers.
- Power Options – The Power Options Control Panel applet is where you can configure the default behavior of the Operating System when unplugged, closed or goes to sleep. The security configuration to set is that a password be required when the computer awakes from a sleep state. Anytime you can enable the use of access control, you should consider it.
So, if you need to apply security to Windows 7, the Start menu can serve as a good way to get started in the basic hardening of your system and open the door to the available tools you can use. There are many options here you can use to harden your Windows 7 system, especially within the Control Panel. Using the Start menu is also an easy way to get a security baseline of your system after initial installation. A tip you can try is to set up a baseline after the initial installation and configuration of your system, which would require you to configure all security options, applications, as well as download hot fixes and updates, and then backup the entire system image with System Restore and/or a system imaging utility. Now you have a snapshot of your system in a fresh state in case you need to revert back to it later. You can make a restore point which could be used if the system is compromised, allowing you to again have a basically configured system with basic security applied. We will cover System Restore options in the Disaster Recovery section of this article.
Note:
The Start menu can also help provide information on security related documentation on your system. This is helpful when searching for a document such as a security policy, or a hardening checklist or template.
You can quickly harden Windows by downloading the tools and documentation directly from Microsoft and go down the list of recommendations provided. For example, if you wanted to configure a basic level of security for Windows 7, you could easily download the baseline security template for use, run it and have most of your security settings adjusted for you. Figure 6 shows the Windows 7 Security Baseline Settings template with tabbed spreadsheet (workbook) entries for user account auditing, BitLocker and more. Visit the Reference Links section at the end of the article to gain access to it.
Figure 6: Configuring Baseline Security from Microsoft Templates
Take note of the ‘Security Warning’ option on the top toolbar (ribbon) of Microsoft Office Excel 2007 which prevents you from using the template by disabling the Macro until you attend to Security Warning as seen in Figure 6. Here, Security Macros have been disabled and are required for the application of this template. This is a perfect example of security vs. flexibility. To have flexibility in this instance, you need to turn off or limit the level of security applied in order to achieve it. Manually selecting the option to run, or disabling the protection, run the Macro and then boost the level of security once more to keep security in place will get the template installed.
Now that your system is ready to go and you have basic security features configured, you should now consider how to manage it, as well as monitor for intrusion, malware and for other problems found within the logs.
Note:
You should also note that Windows 7 has an option available called XP-mode, commonly used for resolving application compatibility issues with older XP-based applications. As we have discussed the topic of virtualization earlier, when considering using XP-mode, you are installing Virtual PC on Windows 7 and running an instance of XP on Virtual PC. If you use XP-mode, make sure harden any VMs running on Virtual PC the same way you harden the base OS. This includes AV protection, policy lockdown and Service Pack and software updates to name a few. You can provide a level of security through virtualization, but not completely so you still need to take hardening steps, even if virtualization is used.
Summary
A Windows 7 system at home can be locked down and managed easily. You can even configure it securely to be accessed over the Internet from another remote location if left on and active. Windows 7 can be made bullet-proof if you really wanted to harden it to the point complete lockdown. It can still become subject to attack and likely will be if you use the computer on the Internet, as an example. We can plan for this possibility and harden Windows 7 accordingly.
When considering the use of Windows 7, in today’s atmosphere of hack attacks and exploits, security options and flexibility are a top priority when making that decision. Windows 7 is absolutely secure, but it’s not 100%. You have to apply knowledge, other tools and advanced configurations in order to secure all aspects of it and then update and monitor them often. Well worth it if you want to avoid attack. Windows 7 has many security enhancements and can be configured for quick recovery.
As well, basic security principles such as Defense in Depth must be applied in conjunction with other security guidelines and best practices so that not only are you applying security for protection, but multiple layers of it that cover the full architecture and the code that runs it.
We only scratched the surface here, there is so much more to know and learn, but hopefully this articles information shines a light. To learn more, read the material listed in the Reference Links that contain more detailed information as well as free tools, templates and guides. Keep on the lookout for Windows Security Primer parts 2 and 3 coming soon, stay tuned!
Reference Links
Via Windowsecurity
Comments[ 0 ]
Post a Comment