Updated: October 9, 2009
Some people say that securing a Windows installation is a complicated task, involving a large number of security programs running in real-time and numerous other tweaks, all intended at keeping the "bad guys" away. I do not share this opinion. Personally, I think securing ANY operating system for home use is a rather simple affair and it revolves mainly around the user - and not the specific subset of programs.
Windows 7 is going to be released, soon. Some people will use it, others won't. If you're one of the people mulling a transition over to Windows 7, whether because you desire better 64-bit support, you want to forget you ever used Vista, or you're a diehard Windows XP fan feeling the end coming near, the security concerns of a new, unfamiliar operating system may interest you.
In this tutorial, I will show you a few basic tips to configuring security in Windows 7. Call it staying safe without going overboard. Of course, you may not agree with my approach to security, but if you want a cool-headed opinion rather than a doomsday foretelling, you might want to read this article.
Windows 7, worth the bother?
The first step is to decide whether you want Windows 7 installed. I have tested Windows 7 several months ago, while still in the Beta stage, and found it to be a reasonable product. Its resource usage could be lower and the sickly pale blue default theme should definitely be changed, but overall it performed well. One of the strong sides was the Windows XP compatibility mode, which promises good support for old applications, including relics from Windows 98 era.
Windows 7, installation
If you do think you should install Windows 7, you may be wondering how to do that. Not to worry, I've written a detailed, step-by-step tutorial for that one, too.
Windows 7 security
OK, Windows is installed. Now what? Let us first consider the following: security is all about the user. Honestly. That's the whole magic. Security companies selling software for money will try to convince you otherwise. True, in some situations, their advice is useful and so are their products. But this does not mean that if you do not heed their advice or use their products, you run a risk of infection.
Believe it or not, most infections are triggered by users deliberately installing software. Users download software they ought not to download and they install software they ought not to. Very simple, very catastrophic and no software can protect against this.
Vulnerabilities in applications with web access are also exploited now and then, but these are relatively rare and can be mitigated by patching your software and using alternative programs to mainstream titles. For example, use Foxit Reader rather than Acrobat Reader. Use Firefox or Opera rather than Internet Explorer. Now, let's see what you need to know about security in Windows 7.
After your Windows 7 is installed, you may notice a little white flag in the system tray. This little icon tells you that the Action Center is not satisfied with your current security settings and is alerting you to change them.
The Action Center is complaining about no anti-virus found and no Windows updates set. These two items require our attention. Click on Open Action Center and see what you can do.
It's up to you to decide whether you want one installed or not. It really depends who you are and what you do with your machine. Personally, I do not think you need one. But most people feel better about using one, even if they do not understand what these programs do, even if they are misconfigured or badly out of date.
Free anti-virus programs you may want to consider are Antivir and AVG. Please note that I will not discuss these programs at great length here. I will mention them again in the soon-to-come new List of must-have Windows programs. For now, you can find more information about available programs in the older article.
Personally, I like to update my system manually, so I can review each update. I have found that Microsoft definition of critical updates is not always security related. For example, the Windows Genuine Notification has nothing to do with security, yet it is advertised as a critical update. Similarly, for users of older versions of Internet Explorer, version 8 is offered as a critical update.
Keeping the system up to date is smart. If you have the self-discipline to make a check for updates now and then, then you should probably opt for manual updates. If you don't want to be bothered, you can set the updates to an automatic schedule.
To change the routine, click on Change settings.
The Action Center will still pester you with warnings about your security. This is similar to what Windows XP used to do with the red shield icon that linked to its Security Center. You can disable the messages by clicking on Turn off messages ...
Like I said, I am in favor of keeping your system up to date, but you can manage this manually, every few days. Requires just a tiny bit of discipline.
Expand Control Panel
Control Panel in its default configuration hides some of its items from the user. To see them all and therefore be able to make the right changes, you need to change the default view.
You can either click on the Control Panel text in the address bar and then choose, or you can click on the Category item on the right side and select small/large icons.
Now we have all items visible:
The next item we want to check is Windows Defender, a Microsoft anti-spyware program configured to run in real time. Again, personally, I think this program is unnecessary. It will hog resources without providing any useful protection, since people who want to install programs on their machines will install them. As simple as that. Still, it's up to you. Use it, don't use it. The choice is yours.
However, if you want to disable (and later enable this item), you will have to do the following: Open the item category from the Control Panel and then click on the Tools icon. Then, select Options from the Tools and Settings menu below.
This will open a sub-menu with various options. You have several options here. For example, you may want to disable the real-time component only, but keep the on-demand scanner. Or you may want to disable the product altogether.
Of course, this will once again awaken the Action Center, as it may complain about missing security. If you don't want to be alerted about Windows Defender, turn the notifications off.
User Account Control
OK, so far, everything I've suggested seems to run counter to "healthy" logic of Windows fear and panic. You may think that I would suggest turning off all and every security component built-in into the system. The answer is no. Some components are quite useful, like User Account Control (UAC) and the powerful bi-directional firewall. We'll talk about the firewall later; now, let's focus on UAC.
In a nutshell, UAC is somewhat akin to sudo in Linux. It will ask you to confirm changes to the system. There is no need for a password, like in Linux, because UAC assumes you are allowed to make the changes, but if you deny potentially unwanted actions, you may help yourself keep the machine clean. You can find UAC in the Action Center:
Of course, if you allow all and every action, then UAC is completely useless. It's not a silver-bullet security mechanism. It's merely a tool that should help you administer the system more safely and prevent potentially undesired changes. It cannot protect from deliberate malice by the user.
Another example, changing the UAC settings via UAC itself:
Note: Windows XP users have had a similar tool for a while now, called SuRun, an excellent implementation of the sudo mechanism that combines the power of limited user with full system functionality, just like in Linux.
Disabling UAC will also affect Internet Explorer. In Windows 7, Internet Explorer 8 is configured to run in the protected mode, sort of a sandbox that prevents browser from exploiting the system. Unfortunately, the presence of ActiveX controls still remains the weakest link in Windows browser security, but you can somewhat mitigate it by using the Protected Mode. You can change the Protected Mode setting via Internet Security panel in Internet Explorer. If you turn off UAC, the Protected Mode will be gone too.
Here's an example of UAC working against an Adobe Flash installation (ActiveX) triggered by a website. Quite a useful feature, if you choose to run Internet Explorer.
One thing I always liked in Windows was the simple, useful firewall. It works and it does not choke the system when under heavy load. Many third-party Windows firewalls induce a serious slowdown in network performance due to a badly implemented network stack.
Many people do not know that Windows firewall has always been bi-directional, meaning it could be configured to monitor both inbound and outbound attempts. On Windows XP, the firewall management was somewhat difficult, though.
In Windows 7, the firewall is a little easier to manage, but the user interface may be overwhelming for new or less experienced users. If you're not familiar with how the networking works, I recommend you do not play with the firewall rules, as you may inadvertently disable your Internet connectivity.
The good stuff can be found under Advanced settings. The basic overview offers very little except turning the firewall on/off. I warmly recommend you keep the firewall on.
After getting used to the interface, Windows firewall is just like any other.
Data Execution Prevention (DEP)
Nothing new here, just a built-in feature that relies on extended chip features to prevent against buffer overflows. This can complement other security mechanism in the system. It will be even more reliable if you enable DEP for all programs, but be aware that due to bad coding practices and extremely heavy reliance of third-party vendors on Windows being loosely configured, some programs may not work if their administrative privileges are curtailed.
DEP can be found under: Control Panel > System Security > System > Advanced system Settings > Advanced tab > Performance > Data Execution Prevention. The path is horrible, luckily this service is enabled by default for Windows programs and services, but not all programs.
One horrible thing that Microsoft continue doing is hiding extensions for known file types. Which brings all sorts of inexperienced users double-clicking on files like image.jpg.exe, because they only see image.jpg and think this is a picture of some sort. I've elaborated on this fact in my Identifying file types and Safe web articles.
You are most encouraged to change the default setting, so you see the extensions types for your files in Windows 7. And never rely on icons to tell one file type from another. They can be misleading. Make sure to untick the box reading Hide extensions for known file types. You may also want to tick the button Show hidden files, folders, and drives.
Autoplay (also Autorun) is another feature that should never have been created in the first place - the ability to automatically run instructions written in a file called autorun.inf stored on any external device, like USB thumb drives or CD/DVDs.
Autorun can be dangerous, because it will execute arbitrary code that you may not have any control over. It's like having your car drive off the moment you sit down, without so much as turning the switch on. The best thing is, disable it altogether. If you really need to run some executable located on an external device, you can do that manually.
That's it, a very simple formula to sane security for users that are not inclined to ruin their computers. You have a powerful firewall working for you and you have the UAC + Protected Mode for Internet Explorer, in case you're using it for browsing. You really don't need more.
With a wise choice of programs you use, preferably open-source alternatives, and some discretion in what you download and what you execute, you should be fine.
This tutorial does NOT cover all aspects of security, but it gives you a very good, very sane starting point. Do not worry, we will revisit the Windows 7 security again! And soon! For now, enjoy the basic strategy laid out here. Once you get comfortable with it, we will dabble into security once again and try to polish some of the rougher edges and get more intimate with advanced aspects of safe desktop usage. We will also have a long, detailed article on how to handle Windows security alerts, popups and messages and make the right choices.
I hope you liked this article. See you around. In the next tutorial on Windows 7, we'll discuss some basic customizations of the desktop workspace. After that, we'll get back to security once more. Oh, if you want a crash course in security, then you may want to read my Safe web article. That should pretty much give you an answer to life, the Universe and everything.