Windows 7 Security Primer

(Must be online to view included graphics)
Windows 7 Security Primer
Part 1
<http://www.windowsecurity.com/articles/Windows-7-Security-Primer-Part1.html>

Introduction

Windows 7 is Microsoft’s latest desktop-based client operating system which builds on the strengths and weaknesses of its predecessors, Windows XP and Windows Vista. Every aspect of the base operating system as well as the services it runs and how it manages the applications loaded within it has been reviewed and made more secure if possible. All services have been enhanced and new security options making it more reliable. Aside from basic system enhancements and new services, Windows 7 delivers more security functionality, enhanced auditing and monitoring capabilities and the ability to encrypt remote connections and your data, Windows 7 also has newly developed internal protection enhancements to secure system internals such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels.

Windows 7 is designed to be used securely. For one, it was developed Microsoft‘s Security Development Lifecycle (SDL) framework and engineered to support Common Criteria requirements allowing it to achieve Evaluation Assurance Level (EAL) 4 certification which meets Federal Information Processing Standard (FIPS) #140-2.When used as a stand-alone system, Windows 7 can be secured for personal security. Windows 7 has many helpful security-based toolsets contained within, but it is only when Windows 7 is used with Windows Server 2008 (R2) and Active Directory, that it turns into a bullet-proof vest. By leveraging additional security from tools such as Group Policy, you can control every aspect of desktop security. If Windows 7 is used mainly for your home office or personal use, it can still be secured to prevent many current methods of hacking and attacking and can be restored quickly if disaster does in fact strike, so although beneficial, Windows 2008 is not completely necessary to apply a high level of security to Windows 7. You should also consider that Windows 7 is inherently secure, but it does not necessarily mean that you should rely on the default configuration without making any adjustments to extend your security coverage. You should also consider that you will eventually be subjected to some form of malware or Internet-based attack when the computer is being utilized on any public network. If a computer is used for any type of public Internet access, your system and the network on which it is connected, becomes opened up to possible attack.

In this article, we will cover the fundamentals you need to know to secure Windows 7 correctly, achieve a baseline level of security, review advanced security configurations and explore some of the lesser known security functionality Windows 7 provides in order to prevent or protect against a possible attack. We will also look at the many ways you can safeguard your data and get back up and running quickly if you do in fact suffer from some form of attack or catastrophic system malfunction you cannot recover from. This article introduces the concepts of security, how to harden Windows 7, how to install and provide security for your running applications, how to manage security on a Windows 7 system and how to prevent the problems caused by malware. This article also covers the process of safeguarding your data, the backup and recovery operating system features, how to restore your operating system to a previous state and ways to recover you data and system state if a disaster does occur. We also cover strategies to do it quickly. Topics are also covered on how to work safely while working online or over the Internet, how to configure biometric control for advanced access control and how Windows 7, and when used with Windows Server 2008 (and Active Directory), how you can securely integrated more options for control, management and monitoring. The goal of this article is to familiarize you with Windows 7 security features, enhancements and their application as well as to give you some insight on how to plan for and apply these security features correctly. The concepts we cover are divided up and organized in a building-block approach.

Note:
If working in a corporate or other professional environment, do not make adjustments to your company’s computer. Make sure you work within the published security plan (or policy), published best practices, principles and/or guidelines. If you are unfamiliar with security topics and Microsoft products, read the production documentation before applying any changes to your system.

Basic Security Considerations

Before we dig into the specifics of Windows 7, it is important that we first introduce the basic concepts of security and how to plan for the application of it. We will also need to know why monitoring is crucial to maintain security and how to correctly monitor security services for problems. It is also important to know how to monitor security and discover if you are open to a potential attack. Security is not something you haphazardly plan for and then quickly apply. It is a concept that must be applied to every technical aspect of your deployment, as well as a practice to live by. It is also something that must be thought out well before deployment and then monitored and managed after it is applied. Managing security requires analysis work to fine tune the current security architecture, as well as to uncover potential attacks. Most times, your security will be tested by an attacker or malicious program to find access and in this process; you can potentially protect yourself proactively if you can see the attempts and do something about it. Through logging and then auditing, you can find out information about what is querying your router login prompts, administrator account login attempts and more.

Logs and alerts are helpful so that when something does go wrong, you can react to it quickly and correctly via analyzing source IP addresses, or attempts at login caught by auditing. Responding to an attack with a detailed plan is called ‘incident response’. Being prepared is the key to incident response so having a proactive plan and reactive plan are critical to have in place before disaster strikes. A Disaster Recovery Plan [sometimes used in combination with a Business Continuity Plan (BCP)], will contain a strategy for recovering from incidents. Some IT teams also have IT professionals assigned to what is called an ‘Incident Response Team’, which when activated, is responsible for following the laid out plan in order to fix and resolve critical issues that results in major system downtime, or worse, data loss, network and systems attacks and more.

So, for home users and stand alone systems, you should follow this same strategy but at a simplified level. You still need to secure things, and react to disaster, so a good plan created in advance to the disaster will go a long way in getting you back on your feet quickly. A good example of a simple plan would be, if your system becomes infected with a malware (such as a Trojan), you may have to reinstall the operating system if all other restoration and repair attempts fail. If that is the case, then you need assigned team members, detailed steps (or a checklist) and procedures in place before the disaster so that you can react to it correctly and a testing process to ensure that everything is done correctly after recovery takes place. Having access to, or a copy of the installation files or any other programs and applications in place beforehand saves time and the plan, if set up correctly, can point you in the right direction towards all the tools you need when the clock starts counting down.

Note:
To help you plan and become more knowledgeable about security, you can find checklists and plans in the Reference Links section of this article.

You should also revisit your plans often, especially after a critical issue or outage, with action items added if needed. Once your plan is in place, you should consider building upon your foundation with more security functionality and services.

Tip:
Security should be considered and applied to any system or service in use so that you can mitigate the risks associated with attacks coming from any one of them while in use. And if security is applied in a way that you can proactively prevent (or recover from) an attack or disaster of any kind from occurring in the first place, you have less to react to and manage. Security, even at its most basic application level must be applied in order to keep your personal data secure so that if you do need to completely reinstall Windows from scratch, you can re-apply your data afterwards so that it can be accessed and utilized. Security cannot be ignored.

You should also consider deploying security both conceptually and technically using the Defense in Depth security concept. Security must be considered and applied to all systems, services, applications and network equipment, keeping your system up and running and also connected to the Internet for use. Posted policies and developed plans keep users of the systems productive, and aware of general use policies. Continued upkeep will keep your investment growing. To prevent holes in your security architecture, you must consider planning for and applying a security model that utilizes the concept of ‘Defense in Depth’. Figure 1 shows the application of defense in depth at a very simplistic level, you can (and should) of course add more layers depending on how your home or corporate network is set up.

Figure 1: Viewing how Defense in Depth is Conceptualized and Deployed

Defense in Depth as seen here can be customized to your needs. In this example, a security policy is needed to provide security-based direction and communication to the users of the systems and network. Also, hardening your systems, phones, desktops, services, applications, servers, routers, switches and PBX should all be considered to ensure that all points of entry are covered. It would also make sense to have some form of public Internet protection (such as a firewall) in place if in use, but always expand on that and add other items such as probes, filters and scanners for more granular support. You will also need a way to monitor and log all of this information for review if needed.

Windows 7 was also designed to be integrated and used in any environment that must comply with a high level of security, such as the U.S. Government and the U.S. Military. When considering basic Windows security principles, it’s important to remember that any enterprise level system must be certified with the C2 level of security from the Orange Book. Microsoft Windows also needs to comply with the Common Criteria Certification. For more information on these topics, you can find other articles and more information at the end of this article in the Reference Links section. Windows 7 is also extremely flexible, with many options to configure a system with complete functionality (minimal security), or one locked down to the point of basic operation, and only operations you configure for use (maximum security).With Windows 2008 and Windows 7, the security functionality is increased tenfold when used together correctly.

Note:
It is important to remember that denial of a problem (or potential problem) is not an option. Problems compound when left to be taken care of later, or ignored completely. Laziness will only buy you so much time. Security through obscurity is not security. Non-compliance only causes more problems later when compliance is needed. A thorough deployment of security on your home PC, or within an enterprise (both equally important), will prevent most infiltrations and attacks and provide multiple layers of protection to keep your security posture high but not prevent them all. You need to know the fundamentals of security and how to operate both proactively and reactively to attacks if you want to be secure.

So, now that you are familiar with basic security concepts, let us apply what we learned while configuring Windows 7 security settings. Considering that we attained the knowledge of why we want to apply security, when to apply it, as well as the reasons for managing, monitoring and updating it, all we need to do is further apply those security concepts while configuring a base Windows 7 system. This is done fairly easily if you know what you need to (and want to) do. If a new user of Windows or having a hard time getting acclimated to 7 (perhaps you skipped Vista) – then it is important to spend some time navigating these tools and attempting to research them on TechNet or Microsoft Support online to learn more. For example, many templates and checklists can be found online at Microsoft.com, which give you the ability to go step by step through applying and using security on your Windows systems. You can also find helpful tools in the Reference Links section of this article.

Templates are not always the answer and can sometimes cause adverse effects if not used correctly (or configured correctly), so always use with caution - even if downloaded directly from Microsoft.com. It’s important to always read the documentation that comes with the template so you can apply it correctly. It’s also safe to say that, without a background in the OS itself, or knowledge of the fundamental principles in which it operates, you will not be able to maintain a high level of security for long. An intimate understanding of the core OS and its services is needed if you want to be able to continue a high security posture even after you have configured security on your base system correctly. A good example of why this is important for anyone applying security to an OS is, one of the best ways to thwart attack is to know that you actively being scanned, or checked for exploitation. Event Viewer logging is extremely helpful, because you can configure auditing (as an example) and get detailed information on what is happening with and in within your systems. Most (if not all) logs are cryptic by nature and spell out the problem in the most basic of terms or with a handful of machine language (captured dump). You will need to go online and unravel the mystery which with some practice gets easier and easier as you continue to do so. You wind up reading a lot of things you didn’t know about and finding a lot of tools that you will want to add to your kit for future deployments once tested.

You also need a level of flexibility when applying security, a level that allows you to meet business goals and requirements (such as Internet access) without problem while still maintaining a high level of security as needed. A great example is the User Account Control (UAC) tool, which when adjusted, can provide a high level of security, or be turned off completely. You will have to reboot your system if you turn off the UAC.

Figure 2: Adjusting the Level of Security by Manipulating the UAC Settings

The UAC is used to prevent programs or applications from making changes to your computer operating system. It works by restricting access within the OS core, and then providing details to the user about the programs attempts to install itself, or further configure the OS. This is helpful in that it will give you a chance to verify what the program is doing, and be able to act on it if it is something you do not want it to do. The UAC was first incorporated with Windows Vista, but since it could not be turned off, was deemed ‘annoying’ at best. It was frustrating users who could not seem to get around it. Windows developers also had a lot of trouble coding because of UAC restrictions and needed workarounds. Now, with Windows 7, the UAC can be turned off completely removing that level of security to provide more flexibility and choice.

Caution!
To keep your system secure, it is recommended that you do not turn off the UAC completely or if you do for any reason, remember to turn it back on. .

Installing and Hardening Windows 7

Windows 7 is secure by design. When deploying it, it is always recommended that you do a fresh install of the operating system on newly purchase (or renovated), compliant hardware and then harden it. System hardening is the process of increasing the level of security on your freshly installed base operating system (OS) by configuring needed security settings, removing unneeded software and adjusting advanced policy settings.

Note:
You need to do a little planning when it comes to the hardware selection for Windows 7, because if you want to use virtualization, Windows Trusted Platform Module (TPM) Management and other features such as BitLocker, you will need to purchase the correct hardware for it to function.

Once your OS is installed correctly and basically configured, the process of hardening can take place. Does it always need to be a new installation of Windows, or can you harden a system already running and in use? Yes, you can technically harden any system that is already installed and being used, but before you do, you should first familiarize yourself with it, analyze it, examine it and of course, audit the current security levels configured and in use. It doesn’t make sense to harden something that was already compromised. You also may not know how the application of security will affect the production system whether at use in the home, or in a corporate environment. Sometimes duplicate systems are set up in order to test which takes time and resources but well worth it to find and avoid problems that may occur with your design and deployment. You may cause more harm than good if you do not know how security settings changes or the templates will affect services on a production system. For example, you may apply security to a system and through strict firewall filtering changes, remove functionality from a program that you have installed and use – it may use a specific port that is now closed off by the firewall which will cause the connectivity to fail. This may cause adverse effects if the application was something used for business and was needed for productivity and may take some time to discover and correct. This is why it’s simply easier to install Windows 7 fresh, and then harden it as it takes place extremely quickly and you can verify that security remains tight until you deploy it. You can also make the process quicker, especially if using a virtual machine (VM) or VHD file] which give you options to have multiple instances of your desktop running for virtual failover or quick restoration and recovery if the redundancy option is not used. Since virtualization simplifies the installation process when creating cloned images for backup purposes, you can restore your desktop easily and within a few minutes. We will cover virtualization again later in the article. If failover is enabled and configured, the desktop user may not even experience an outage at all if virtualized.

You can harden the system, and then access your secure data through shared storage, databases and repositories – and all at high speed, with failover and redundancy options which will not only keep it secure, but separate from the data in which you access. If you plan correctly, you can create an snapshot of a fully prepped, configured, secured and updated version of Windows and in the possibility of disaster, restore your systems image back to your hardware in 1/3 the time it takes to do it without imaging or virtualization cloning. Then, once you restore the base OS, you can reattach to the shared storage to access data.

So, once you install Windows, what are the actual steps taken to harden it? And, is there a specific order to choose from? If there were an organized set of installation and hardening steps, they would be in the basic order of installation, removing anything not used, updating the system, applying basic security to it and then getting it backed up for quick restoration when needed, as seen in the following list :

Step 1 - Installation of Base OS selecting any options during installation the increases security and not selecting unneeded services, options and programs.
Step 2 - Installation of any Administrator toolkits, security tools and needed programs.
Step 3 - Remove services, programs and unneeded software. Disable or remove unused user accounts or groups.
Step 4 - Service Pack update, hot fixes and service packs. Update all installed programs as well.
Step 5 - Run security audit (scanner, template, MBSA, etc) to assess current security level
Step 6 - Run System Restore and create a restore point. Backup and Restoration application for disaster recovery.
Step 7 - Backup the OS with a way to quickly restore it in the event of disaster.

This list is a simple guide. You can add more steps and extend this list further. This list is not definitive, but a good start in getting an idea of where to start when applying security to Windows 7 after a base installation. If completing a fresh install of Windows 7, then the next step is to remove any unwanted software, services, protocols and programs that you do not want or need running on it. This can be done easily in the Control Panel.

Next, you can go into the Control Panel and secure who is allowed to use the computer in the User Accounts applet. Here, you should remove any account that you do not need, or just disable it. Of course, be careful with the default users and groups, some of which are tied into your services that run, how your data is accessed and so on. You can always disable an account easily as well if concerned about removing it. Another technique used by most security professionals is to leave the local Administrator account in place and audit it for any attempts at using it, or the domain’s administrator account which is even more important to secure and audit. It is common practice to not use the default accounts when managing a large scale Microsoft network of systems and set up new administrator accounts that can be traced if need be. By auditing this default accounts and using a newly made account with administrator privileges associated with it, you increase security two-fold. One, you find out if someone is trying to get into your machine using the default accounts when nobody should be. If audited, you can see the attempts and when they occur. This application of security to an account is known as a honeypot and helpful in finding possible attempts by others trying access your system. Two, you take away half of the equation when someone is attempting to crack your account via basic credentials, such as a username and password combination. If you take away the easy to guess username credentials, then you are only left with a password which can be configured in a way to where it’s nearly impossible to crack. If you set up the default accounts as honeypot, you could create a nearly impossible to crack password and limit it to do next to nothing if compromised so that if it is compromised, there is little to nothing that can be done with it. You should change all the passwords for the default accounts from their currently configured defaults as well. Use password selection best practices when securing these accounts and audit them completely. You should also configure a policy that makes end users looking to change passwords go through a process where they will only be allowed to change it if they select a new password that is strong and not easily hacked. This is just one hardening tip that provides other benefits, such as the ability to find your attacks through logging and auditing.

Tip:
In Windows Server 2008, you can install ‘core’ functionality which is a hardening process applied to the system during actual installation. When installed, the server will only run with the minimal functionality you desire, thus reducing your risk of being subjected to security exploits. Windows 7 can be hardened but does not have an install option like 2008 that simply locks down the system upon installation. To harden Windows 7, you need to apply policies, templates or manually configure the security settings as needed.

So, that being said, how do you start to lock down and secure Windows 7? Well, the easiest way start the process of locking down the system is by using the Start menu to search for anything related to security stored within the system and indexed. To do this, simply click on the Start button to open the Start menu. Then, type the keyword ‘security’ in the Search Programs and Files field. Figure 3 shows the Start menu options based on the ‘Security’ keyword search.

Figure 3: Finding and then Viewing Security Options within the Start Menu

Here, you can see that Programs, Control Panel applets (or actions), Documents and Files are selected and organized for easy viewing and accessibility. In short, Local Security Policy (if selected) is a policy editor that allows you to view and configure the security policies of your system. The Local Security Policy editor can be seen in Figure 4. Here, you can make adjustments to any policy based setting on your operating system.

Figure 4: Viewing and Configuring Security with Local Security Policy

Tip – for full policy control, you should use Windows 7 with Windows Server products, such as Windows Server 2008 R2. If you do, then you can use Active Directory (AD) and Group Policy.

If you wanted to locally set up auditing of a specific event (such as system logon and off), then you can specify that action in the Local Security Policy console (Figure 4). In the Control Panel, you can go to the Administrative Tools applet to find the Local Security Policy editor, or simply search for it in the Start menu. When Windows 7 is used with Active Directory, you can use Group Policy which is a robust service that allows you to customize, manage and deploy settings and preferences as well as to deploy software with ease, but you will need to connect Windows 7 to an active domain and manage it correctly in order to benefit.

If you need to configure policy-based security, this is the easiest way. You can also find many of the tools you need for security configuration in the Control Panel and or in a custom MMC you design and deploy. The Microsoft Security Center (Windows Vista, XP) was used to centralize most security functions in the past. This has been replaced with the Action Center, and security actions are now easily found, viewed and acted upon with your permission. For example, as seen in the Start menu (Figure 3), the ‘Check security status’ action when selected produces a list of security configurations that Windows 7 recommends you act on, such as updating your system, or a program such as antivirus (AV). Once selected, you will be sent to the Action Center to take care of the open issues that need your attention.

Figure 5: Configure Security Actions and Control Panel Applet Options

Tip:
Figure 5 shows the security actions found within the Control Panel that you can act on. If you click the Start menu, type security and click on the Control Panel link, you will be given a list of actions and security configurations that you can customize immediately in one easy to find and access list.

Once in the Action Center (or if viewing lists of actions), you can simply go down the list and configure each one as you see fit. This is a brief overview of the security options that can be configured in the Action Center list:

Action Center – The Action Center replaces the Security Center. The Action Center is where you can specify actions that the OS can perform. With your permission, the actions can take place. Here you will be told if you are missing an Antivirus update as an example. You can access the center to perform security related operations as needed.
Internet Options – Web browsing of any kind opens the door to Internet-based risks. If you use a proxy server, utilize Web filtering (and monitoring) and keep your OS updated with the latest hot fixes, you may still wind up in a situation where your security is compromised. Within the Internet Options Control Panel applet, you can specify zones for safety, allow only specific URLs to be accessed, deploy advanced security settings in the Advanced tab and much more. The browser itself has a Phishing filter that will prevent Phishing attacks and other configurable options such as InPrivate Browsing, which when selected will prevent the storage of your personal information, particularly helpful when using a computer at a public Kiosk.
Windows Firewall – Like any other software or hardware-based firewall, Windows Firewall can deflect basic attacks by default, and be configured granularly for a high level of control over what can enter and exit your computer system when connected to a public or private network. By going to the Control Panel and selecting Windows Firewall, you will have access to most firewall configuration settings. You can click on the Advanced settings link in the dialog box to access the Firewall with Advanced Settings and configuration options. With Windows 7, you can also deploy multiple Firewall Policies simultaneously and use the new Domain designation for easier Windows-based firewall configuration and management.
Personalization – Personalization options are where you can alter the way Windows looks, but it’s also where you configure a screensaver password if desired. If running Windows 7 in the enterprise, users should be taught to lock their workstations whenever they leave their desk or issued a policy setting that does it automatically after a period of inactivity, however if forgotten about, a screensaver configured to require logging in again can prove helpful. At home, this may be your best line of defense if you walk away from your system and forget to lock it.
Windows Update – All software releases require some level of patching. You can prepare, test and attempt to develop perfect software but you can not account for everything. Also, new updates and releases also require updates to your operating system over the lifetime of the current OS version. Because there are advancements in the system, requirements needed for other developing technologies, new security vulnerabilities uncovered and driver updates for better performance and functionality required, there will always be a need for Windows Update. Windows (and Microsoft) Update, or enterprise versions of patch management (WSUS, etc.) are used for centralized control and deployment of updates. These tools are used to control, keep track of and monitor your current and future update needs. Configure to have it do it for you automatically, or get in the habit of doing it manually because it’s really important that you do. If you do not patch your OS as recommended (and sometimes required), you may be subject to attack.
Programs and Features – Other than checking for and seeing what Windows Updates are installed, you should check to see what you have installed on your system often, especially if you work on the Internet and/or download software from Internet-based Web servers. For example, by installing a simple Java update, if you did not read the screens carefully during install, you may have also installed a toolbar on your system which integrates into your Web browser. Now, there is tighter control over this, but regardless, you should still check from time to time to see what is currently installed on your system.
Windows Defender – Spyware is software that is used primarily for illicit marketing purposes, and does other things such as deliver a direct payload, redirects your browser or sends back information on your actions. Although Antivirus software picks up some of this, Windows Defender (or other Spyware-removal applications) can be counted on to clean up the rest. Cookies, although harmless by nature can sometimes be manipulated for the wrong reasons. Make sure Windows Defender is updated often with new definition files and its needed updates to ensure you are scanning for all of the latest Spyware currently known about. SpyNet is also a community that Microsoft watches over to learn about, talk about and prevent the spreading and damage produced by Spyware.
User Accounts – Managing user accounts is the core to securing access to your computer as well as everything that runs within it. For example, if you create a new user account and assign it to the Administrators group, you have full access to the computer system. If you configure the account as a standard user, then the permissions granted will be very restrictive and will only allow the user to do specific things. You can also configure a password which when created with a minimum password restriction or policy, enforces the user to create a difficult to crack credential set to thwart basic password cracking attempts. Once Windows Server 2008 and Active Directory is deployed, you can access a domain that when once joined, will allow you to configure granular NT File System (NTFS) permissions to folders and files as well as other shared resources like printers.
Power Options – The Power Options Control Panel applet is where you can configure the default behavior of the Operating System when unplugged, closed or goes to sleep. The security configuration to set is that a password be required when the computer awakes from a sleep state. Anytime you can enable the use of access control, you should consider it.

So, if you need to apply security to Windows 7, the Start menu can serve as a good way to get started in the basic hardening of your system and open the door to the available tools you can use. There are many options here you can use to harden your Windows 7 system, especially within the Control Panel. Using the Start menu is also an easy way to get a security baseline of your system after initial installation. A tip you can try is to set up a baseline after the initial installation and configuration of your system, which would require you to configure all security options, applications, as well as download hot fixes and updates, and then backup the entire system image with System Restore and/or a system imaging utility. Now you have a snapshot of your system in a fresh state in case you need to revert back to it later. You can make a restore point which could be used if the system is compromised, allowing you to again have a basically configured system with basic security applied. We will cover System Restore options in the Disaster Recovery section of this article.

Note:
The Start menu can also help provide information on security related documentation on your system. This is helpful when searching for a document such as a security policy, or a hardening checklist or template.

You can quickly harden Windows by downloading the tools and documentation directly from Microsoft and go down the list of recommendations provided. For example, if you wanted to configure a basic level of security for Windows 7, you could easily download the baseline security template for use, run it and have most of your security settings adjusted for you. Figure 6 shows the Windows 7 Security Baseline Settings template with tabbed spreadsheet (workbook) entries for user account auditing, BitLocker and more. Visit the Reference Links section at the end of the article to gain access to it.

Figure 6: Configuring Baseline Security from Microsoft Templates

Take note of the ‘Security Warning’ option on the top toolbar (ribbon) of Microsoft Office Excel 2007 which prevents you from using the template by disabling the Macro until you attend to Security Warning as seen in Figure 6. Here, Security Macros have been disabled and are required for the application of this template. This is a perfect example of security vs. flexibility. To have flexibility in this instance, you need to turn off or limit the level of security applied in order to achieve it. Manually selecting the option to run, or disabling the protection, run the Macro and then boost the level of security once more to keep security in place will get the template installed.

Now that your system is ready to go and you have basic security features configured, you should now consider how to manage it, as well as monitor for intrusion, malware and for other problems found within the logs.

Note:
You should also note that Windows 7 has an option available called XP-mode, commonly used for resolving application compatibility issues with older XP-based applications. As we have discussed the topic of virtualization earlier, when considering using XP-mode, you are installing Virtual PC on Windows 7 and running an instance of XP on Virtual PC. If you use XP-mode, make sure harden any VMs running on Virtual PC the same way you harden the base OS. This includes AV protection, policy lockdown and Service Pack and software updates to name a few. You can provide a level of security through virtualization, but not completely so you still need to take hardening steps, even if virtualization is used.

Summary

A Windows 7 system at home can be locked down and managed easily. You can even configure it securely to be accessed over the Internet from another remote location if left on and active. Windows 7 can be made bullet-proof if you really wanted to harden it to the point complete lockdown. It can still become subject to attack and likely will be if you use the computer on the Internet, as an example. We can plan for this possibility and harden Windows 7 accordingly.

When considering the use of Windows 7, in today’s atmosphere of hack attacks and exploits, security options and flexibility are a top priority when making that decision. Windows 7 is absolutely secure, but it’s not 100%. You have to apply knowledge, other tools and advanced configurations in order to secure all aspects of it and then update and monitor them often. Well worth it if you want to avoid attack. Windows 7 has many security enhancements and can be configured for quick recovery.

As well, basic security principles such as Defense in Depth must be applied in conjunction with other security guidelines and best practices so that not only are you applying security for protection, but multiple layers of it that cover the full architecture and the code that runs it.

We only scratched the surface here, there is so much more to know and learn, but hopefully this articles information shines a light. To learn more, read the material listed in the Reference Links that contain more detailed information as well as free tools, templates and guides. Keep on the lookout for Windows Security Primer parts 2 and 3 coming soon, stay tuned!

Windows 7 Security Primer
Part 2
<http://www.windowsecurity.com/articles/Windows-7-Security-Primer-Part2.html>

Introduction

Windows 7 is Microsoft’s newest desktop-based client operating system which builds on the strengths and weaknesses of its predecessors, Windows XP and Windows Vista. Every aspect of the base operating system as well as the services it runs and how it manages the applications loaded within it has been reviewed and made more secure if possible. All services have been enhanced and new security options making it more reliable. Aside from basic system enhancements and new services, Windows 7 delivers more security functionality, enhanced auditing and monitoring capabilities and the ability to encrypt remote connections and your data, Windows 7 also has newly developed internal protection enhancements to secure system internals such as Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels.

Windows 7 is designed to be used securely. For one, it was developed Microsoft‘s Security Development Lifecycle (SDL) framework and engineered to support Common Criteria requirements allowing it to achieve Evaluation Assurance Level (EAL) 4 certification which meets Federal Information Processing Standard (FIPS) #140-2.When used as a stand-alone system, Windows 7 can be secured for personal security. Windows 7 has many helpful security-based toolsets contained within, but it’s only when Windows 7 is used with Windows Server 2008 (R2) and Active Directory, that it turns into a bullet-proof vest. By leveraging additional security from tools such as Group Policy, you can control every aspect of desktop security. If Windows 7 is used mainly for your home office or personal use, it can still be secured to prevent many current methods of hacking and attacking and can be restored quickly if disaster does in fact strike, so although beneficial, Windows 2008 is not completely necessary to apply a high level of security to Windows 7. You should also consider that Windows 7 is inherently secure, but it doesn’t necessarily mean that you should rely on the default configuration without making any adjustments to extend your security coverage. You should also consider that you will eventually be subjected to some form of malware or Internet-based attack when the computer is being utilized on any public network. If a computer is used for any type of public Internet access, your system and the network on which it is connected, becomes opened up to possible attack.

In this article, we will cover the fundamentals you need to know to secure Windows 7 correctly, achieve a baseline level of security, review advanced security configurations and explore some of the lesser known security functionality Windows 7 provides in order to prevent or protect against a possible attack. We will also look at the many ways you can safeguard your data and get back up and running quickly if you do in fact suffer from some form of attack or catastrophic system malfunction you cannot recover from. This article introduces the concepts of security, how to harden Windows 7, how to install and provide security for your running applications, how to manage security on a Windows 7 system and how to prevent the problems caused by malware. This article also covers the process of safeguarding your data, the backup and recovery operating system features, how to restore your operating system to a previous state and to ways to recover you data and system state if a disaster does occur. We also cover strategies to do it quickly. Topics are also covered on how to work safely while working online or over the Internet, how to configure biometric control for advanced access control and how Windows 7, and when used with Windows Server 2008 (and Active Directory), how you can securely integrated more options for control, management and monitoring. The goal of this article is to familiarize you with Windows 7 security features, enhancements and their application as well as to give you some insight on how to plan for and apply these security features correctly. The concepts we cover are divided up and organized in a building-block approach.

Caution:
If working in a corporate or other professional environment, do not make adjustments to your company’s computer. Make sure you work within the published security plan (or policy), published best practices, principles and/or guidelines. If you are unfamiliar with security topics and Microsoft products, read the production documentation before applying any changes to your system.

Security Management and Monitoring

Windows 7 can be secured like a fortress. If using Windows 7 in the enterprise, you can use an Active Directory infrastructure and take advantage of many security enhancements provided when logging into a Domain, or using Group Policy to further enforce your security posture. Either way, centralized management of security tools, settings and logs is generally the most important consideration when trying to apply security – how will you manage it, monitor it and then update it once installed and configured? With Windows 7, many of the changes you will see are in the basic layout of tools and services apply to security. For example, the Start menu keyword ‘Security’ option we discussed earlier centralizes the management of security application for Windows 7.

A rule of thumb is that you want to make applying security (and then managing it) as easy as possible. Nobody enjoys sifting through the OS to find applications, services, logs and events or actions to configure or monitor. With Windows 7, arguably as a new user could get lost in a sea of paths, wizards, applets and consoles before even finding and configuring Windows Firewall, the most basic security feature provided. Even some of the more experienced techs have cursed yet another Windows OS that ‘moved things around on you so you can’t find it…again’. It is however the easiest of all the past Windows versions to manage since all information can be indexed and provided via the Start menu for quick searching.

Other than the Start menu, a handy way to manage many of the security functions in Windows 7 is to build a custom Microsoft Management Console (MMC) and add your toolsets into it. One of the things that will confuse many new users of Windows is that Microsoft enterprise solutions provide a clean way to centralize control and monitor everything on every system on your network (MOM is a perfect example), The client OS is a stand-alone unit that also must be secured locally, so for home users, a custom management console may be the answer to your centralized security management questions. Unfortunately, the Security Center will only get you so far when using XP and Vista and then in Windows 7, it’s further fragmented to Control Panel applets and MMC Snap-ins – so how can you quickly centralize access to key tools? To apply security to the Windows 7 OS, you must access many different areas of the system to customize your configuration in order to harden it, so if you took the applications and functions you needed and placed them in one area, you can now quickly and easily gain access back to them for security audits or log reviewing. This custom MMC may just do the trick.

To create a custom console, simply go to the Start menu and type ‘MMC /A’ and you will launch a new Microsoft Management Console (MMC). You can save it to any location on your system and name it whatever you want. To populate it, you need to go to the File menu and select Add/Remove Snap-in. Add all the tools you want or need. Figure 1 shows a custom console with most if not all of the available security options installed.

Figure 1: Creating a Custom Centralized Security Console with Microsoft Management Console Snap-Ins

You will find many useful tools within the snap-in options available. For example, TPM Management is a Microsoft Management Console (MMC) snap-in that allows administrators to interact with Trusted Platform Module (TPM) Services. TPM services are used to administer the TPM security hardware in your computer. This means you need specialized hardware, updated BIOS code and the correct CPU chip. Just like virtualization needs a specialized chip, so does TPM. TPM is a way to introduce a new level of hardware level security in to the equation so that you know you are getting a hardened system. You can manage it here if you are TPM compliant. TPM will use the hardware bus to transfer messages and can be used in conjunction with software features like BitLocker.

Once you have your consoles created and you know how to access the areas in which to apply security configurations within the OS, your next step is to monitor your system. There are many ways to do this. For example, you can keep it simple (home user) and just keep an eye on it from time to time on some sort of simple schedule. Like, every Sunday night after surfing, you check the console firewall logs and Event Viewer logs. If you dig into the configurable options, you will find out that you can schedule alerts and notifications, have logs filtered and saved automatically for review and so on. Make sure that you keep an eye on things. Just because you secured it well doesn’t mean it will remain secure.

So, in sum – the general areas where you will access and apply security to Windows 7 is by quickly accessing it within the Start menu. You can also work within the Control Panel (applets such as Administrative Tools, Windows Firewall and Windows Defender as examples) to gain access to security tools and settings. You can also create a custom MMC and configure it to gain access to hidden tools, as well as provide a centralized console for security administration. You can however browse the various areas of the OS and do the same thing, but hopefully this tip helps you apply security a little easier by giving you access to security tools provided with Windows 7. You can apply templates; create tasks and actions and even script advanced security configurations with advanced toolsets.

Tip:
You can also apply security management with tools like PowerShell and Netsh (such as the netsh advfirewall command), so there are easy ways to apply scripting functions and/or command line based options for applying security in Windows 7.You can also use ‘tasks’ to kick off jobs, scripts or batch files and services so that you can (as an example) keep a backup of Event Viewer logs for audits, review or simple safekeeping.

Next, you need to be able to access and further configure the base system after install to harden it for use and since Windows Updates are inevitable, you should create a plan to have them download and installed as soon as possible. Most times, updates come after the attacks, so it’s wise to get them tested and installed as soon as possible. There are reasons why they have been released. They are titled ‘Security Updates’ as seen in Figure 2. These updates are always numbered and can be researched online for more information.

Figure 2: Installing Windows Security Updates with Windows Update

You also need to keep Service Pack levels up to current releases and reapply them as necessary. Other running applications and services in your system need to be managed, monitored and updated often as well, sometimes too often as is the case with Antivirus and Spyware removal programs.

Once your system has been completely patched and configured for use, next is to install Microsoft Security Essentials (MSE), a third party Antivirus (AV) program, configure Windows Defender (spyware) for use and configure security for malicious software (malware) protection.

Note:
Microsoft recently released a new line of security software called Forefront. This line covers all aspects of deploying and managing enterprise security in the enterprise. They also made sure that the client OS is secured with new functionality as well, such as Microsoft Antivirus, found within the MSE pack.

Malware Prevention and Protection

Every system whether it be a Windows file server, Linux desktop or Apple OS X workstation are all prone to malware. Malware is the term used to define all types and designations of malicious software that can infiltrate, penetrate, hijack and ultimately destroy your computers operating system, applications or data beyond repair. Worse, malware targets not only your base operating system, but also your personal data, privacy and identity. Malware comes in many forms, such as viruses, worms, logic bombs and Trojans. To keep Windows 7 secure, you need to configure it to keep malicious software off your system. Malware comes in most commonly from accessing the public Internet and getting emails, (instant messaging) IM messages, using shared data on Web and FTP servers, or other public network connection-based software applications such as peer-to-peer (P2P) file sharing software. Once a single system (or email mailbox) gets infected, the malware can spread quickly and sometimes without your knowledge. Malware can also access your system from foreign or unprotected external drives, thumb drives and sometimes over the network itself. It’s almost guaranteed that either through receiving email or viewing content on servers on the public Internet, you will be subjected to some form of eventual attack.

To keep malware out, you must try not to introduce it. Malware prevention is different from malware protection; however both work together towards a mutual goal which is virus-free computing. Prevention focuses on the steps that must be taken to keep malware out and off your system so that you can try to prevent future attacks or issues from taking place. You can limit your exposure in many ways. Prevention is about having discipline and keeping aware and applying these security concepts consistently when configuring any vendor-based software platform. Protection comes in the form of installed applications such as Antivirus and Spyware software scanners. Protection is what you can apply in the form of scanning and filtering tools, auditing tools and protocols or encryption made for secure communications.

Note:
There are two types of security applications; proactive and reactive. Good brainstorming, design and consideration during the planning phase will get you on track, but for continued support, you need to consider how you will manage and support it. With malware, you need to stay on top of updating your AV program so that you are scanning for and stopping new threats and exploits. Proactively plan so that you can keep everything updated and secure, but always have a plan for the possibility of your defenses being breached.

To manage, monitor and secure the system against potential malware threats, it’s recommended that you install, configure and continually update Antivirus and Spyware removal software packages. You can install a third-party software application, or use some of Microsoft tools, such as Windows Defender seen in Figure 3.

Figure 3: Using Windows Defender

Windows Defender scans for and removes Spyware. An antivirus application will actively scan for and attempt to find and remove viruses, worms and Trojans. If both are used together, you proactively protect your system against most attacks. As with the OS itself, you also need to keep these applications updated with hot fixes and patches or they become subject to attack. As well, new definition files need to be downloaded and installed often to scan for new threats.

Windows Defender is helpful for scanning your system files (Quick or Full), and is updated often which is what is most important when selecting any spyware software. If definitions are not updated to match the updates in attacks worldwide, it’s practically useless at thwarting new attacks, unless it has some form of hysterical behavior with active scanning.

Some AV programs also intelligently scan your system for ‘things out of the ordinary’, or the ‘match a pattern from a similar attack’, which is called heuristics. Although helpful, it doesn’t catch everything so keep these tools updated. Windows Update will update Windows Defender when you run it. Third party applications (with the exception for key device drivers) are commonly not found through Microsoft. It’s also important to consider that running these tools in an active state, costs processing power, memory usage and overall taxes your system resources considerably. Therefore, it’s wise to consider planning for this deployment prior and make sure that your Windows systems can handle it. Once you have malware protection up and running, you should actively harden any other areas that need to be locked down such as Internet Explorer settings.

You can secure Windows 7 by using a new feature called Data Execution Prevention (DEP). This is a feature that monitors your programs and how they use your system memory. This adds a level of security to programs that stay resident and use memory as a way to launch attacks. You can turn it on for all programs, or just ones you select. To configure it for use, go to the Start menu and open the Control Panel. Click the System applet, and then select the Advanced Tab, Performance Options, Data Execution Prevention tab as seen in Figure 4.

Figure 4: Configuring Data Execution Prevention (DEP) in Windows 7

Viruses today are far more complex than the ones from the past. As each year passes, hacks become more difficult to prevent and malware becomes more and more advanced to keep itself hidden (stealth) and deliver a catastrophic payload. Also, it does this without the end user or administrator of the systems knowing about it. This is because as technology of the past became more complex, so did the attacks. For example, by going to a Web page and viewing it, you could install malware on your system without your knowledge through scripts taking advantage of exploits in the Web browser’s bugs. Also, because of flexibility, the browser is obviously made to function with all types of protocols, scripting languages, plug-ins and toolbars; it’s difficult to keep a high level of security without constantly updating the browser to lock it back down. It’s also cumbersome to visit sites to do business (or pleasure) and constantly be asked questions about adding sites to your safe zone before being granted access, or letting the Web browser quickly check to see if the Web site is legitimate. Yes it will keep you more secure, but you will have to deal with some of the headaches revolved around restricting or permitting access based on your wishes, and not that of a configuration file or default settings list.

Since surfing the Internet is likely to be done for either business or pleasure, Internet Explorer (IE) lockdown is required unless you want to expose yourself to malware and possible browser attacks by going online. Internet Explorer has been updated considerably so that you have many options in which to secure it, surf privately and be alerted to a potential risk so that you can decide whether or not to proceed. In previous versions of Windows, this was mitigated in many ways and with many tools but the core of the problem was how Explorer, IE and how it was closely tied into the base OS, was the real issue. The software was analyzed and completely re-written to include all aspects of security application and an integrated security toolset, such as the Phishing filter. As well, technology advancements when integrated into Microsoft products force advancement in the code and thus more application of security. Today, IE is as secure as any other Web browser available, and even more so when deployed with Group Policy.

Tip:
To keep the risk of attack low, simply show restraint in going to Web servers hosting content known to cause this problems to your system. This includes porn sites, download sites for free software, file sharing or Peer to Peer(P2P) software, public FTP servers, IRC chats and anything else that you do not need to do on your personal computer at home in which you do your banking, social network and/or legitimate online shopping. You can however create a virtual machine and use that for added security, but this solution is not totally securable either. If you limit exposure, you lower the possibility of a being the victim of an attack.

Surfing discipline is important. Aside from being careful, Internet Explorer can be configured in such as way that you cannot do anything without explicitly allowing it. In this article we have covered the balance between security and flexibility and this is one of the best examples to learn from. How do you use the public Internet safely without spending twice the amount of time you do accessing it? Find a happy medium and as mentioned earlier, have a plan to recover from a possible attack.

IE Lockdown steps (such as turning on and configuring the Phishing filter, using InPrivate Browsing, or other security features and functionality will keep you far safer than if you did not use it at all, so its recommended that you make the browser as secure as you can, and then turning off or relaxing security options as you see fit once you are acclimated to how everything works within your current surfing habits. When configuring the Internet Properties of IE, as seen in Figure 5, you can apply security configurations on the Security tab, as well as on just about every other tab shown.

Figure 5: Configuring Internet Properties Security Tab Options

Tip:
In the Internet Properties Security tab, you will find a checkbox within where you can enable Protected Mode. This provides a baseline level of security to your Web browser.

For example, if you select the General tab, you can change your homepage to blank so every time you open your browser, you select where you want to go, not the browser. If hijacked, the current default page could be changed to something else without your knowledge. You can also choose to delete your browsing history whenever you exit IE. You can configure safety zones, restriction lists, filtering, proxy services, advanced protocols and more. Make sure you spend the time learning how your Web browser can be secured, because it may be your first line of defense in a malware attack.

All these tools work together as well – IE can stay locked down, but if something gets through, then the UAC will flag it if its tries to install itself. That is if active memory scanning of the systems RAM didn’t find a TSR, or other malicious process.

Keeping malware off your system is done with many different features of your system aside from AV and Spyware software applications. For example, the UAC (covered earlier) is a prime example of why it’s important to have such a tool. If your visit a malicious Web server to view or download content, scripts in the home page itself can be configured to run applications that will install silently in the background while you use your computer. If anything tries to install itself on Windows 7, the UAC (if configured at its highest level), can protect you from this type of attack.

Other things you can to do prevent malware is to fine tune Windows Firewall and check its logging activity once in awhile and try to familiarize yourself with what is actually running on your system and how much of your systems resources is it using up (launching and staying resident in memory, disk space usage, etc). Using Task Manager is a great way to quickly find many of the items just mentioned. Figure 6 shows what is running on your system. If you look at the Processes tab, you can see what is running in memory and see if its legitimate or not, or if you do in fact want it running in memory, even after you have shut down the application after using it.

Figure 6: Using Task Manager

You should also check the Event Viewer logs to verify that virus definitions are downloaded, updated and installed as well as the services running as they should and no critical errors are being listed without being attended to. And with all that prevention and protection, you can still get malware on your system which can cause it harm or ruin it (and your data) entirely.

Since malware could still potentially ruin your system even after you completely secured it (as well as updated), you should consider backup. You should always backup your personal data regardless of install on Windows, Linux or Apple systems. You can do this in many ways, such as using the backup utility in Windows 7, using a third party tool, or simply copying your data over to an external hard drive or burned to a CD/DVD-ROM for safekeeping. Obviously, the simple solution is to ignore it and hope for the best. If you rely on your data and or find it important for any reason, you should back it up.

Once your data is backed up and protected, you should backup your system with System Restore as well as consider other disaster recovery methods of getting yourself functional again after an issue. If unfamiliar to you, then you may want to launch and run System Restore and start working with it. This tool is extremely helpful as it will take a snapshot of your current system configuration and back it up in for when needed later. Although it will take up some of your disk space, its well worth it when you consider how helpful it can be in getting you back up and running quickly.

Other malware access points are in Windows Office documents, and can be run as programs used for automation as an example with the intent to infiltrate your system. Macros are useful tools, but by default blocked entirely. The danger with allowing Macros (by default), is that if you receive an email with an Office document delivering a payload, you could accidently open it and inject the malware into your system. There are many infiltrators (and testers) of your security. So much thought goes into the application of security on the base OS, that sometimes little thought is put into the programs that run on it, or the network that the computer connects to. Malware is also injected over the network. Worms travel from Windows share to Windows share, scanners sweep your system in hopes to learn from it and if found, targeted. Trojans are installed to connect to remote servers and report detailed information about your system and much more. Network security – aside from system security, must not be overlooked. Network firewalls block access from attack, routers and switches can be hardened and advanced encryption configuration can be used to create secure connections to remote network safely. Even management over the network needs to be considered. For example, if you did not disable the Telnet service (found in Windows Features) and are actively using it instead of Secure Shell (SSH) as an example, you are using a TCP/IP protocol that can hacked easily. All of the security you created for your systems is now jeopardized because you didn’t catch the packet capture/sniffer application on your network that actively scanned for and captured your clear text/unencrypted password, which happened to also be the same password used for the Windows Administrator default service account. Since you are using the Administrator account and did not practice good password creation and management techniques, you gave away the ‘keys to the castle’. Always consider the network as a potential access point for malware and attacks because it’s often overlooked.

Microsoft Security Essentials (MSE) pack is software freely downloadable from Microsoft (figure 12) which when installed, adds AV scanning software to your system. Made for XP, Vista and Windows 7, the Security Essentials pack is only available from Microsoft if you have a legitimate copy of Windows 7. If you don’t, you can’t download and install it. If you can, install it. You will need to validate your copy of Windows 7 if you did not already do so during the installation process. Once validated, the installation program will check your system to see if other AV programs are running. You will be given a recommendation to only use one form of AV protection, because unfortunately, if you choose to run both you run the risk of them interfering, you have more to manage and monitor (as well as update) and the performance hit you will take because of the over utilization of processing power and memory will be quite high and drastically impact the performance of the system. Once installed, you can now update it as seen in Figure 7.

Figure 7: Running Microsoft Security Essentials Updates

Next (Figure 8), you can run a Quick, Full or Custom scan to check your systems for malware. Performing active scans and setting up real-time protection can be done quickly and easily. Simply run MSE and keep it updated for complete AV protection. Another benefit is that it can now be updated with Windows Update.

Figure 8: Scanning the System for Malware with Microsoft Security Essentials

Once you have malware protection installed and doing things to actively prevent it, you can continue to harden it, image it, set a restore point or move on to actually making it a production system and using it.

Using a computer on the Internet opens you up to possible attack. Install and use malware and spyware protection and keep it updated. Always consider that one you are protected, you need to keep yourself updated to remain protected and try to discipline your surfing habits.

Tip:
Consider not using items like Desktop Gadgets or any other ‘live’ content because as mentioned before, you open holes in your system by using these, even if they are signed. If you do not need something, or do not use it, a safe practice is to remove it. Not only do you save space and processing power, you lower your risk of attack by limiting the possibility of accidently installing a gadget (or other live content) that is unsigned and potentially dangerous. Anything unsigned, from an un-trusted source or questionable should not be installed.

Summary

Reference Links