Securing Your Migrated Windows 7 Desktop
When you decide to move to Windows 7, you will have a perfect opportunity to secure your desktops so you can reduce TOC, reduce helpdesk calls, increase productivity, etc. There are plenty of settings that Windows desktops, especially Windows 7, provide that will help you achieve your goals. The following is a list of settings, with pointers to where you can find full details for implementation that you will want to set to secure Windows 7.
User Account Control (UAC)
This feature was first introduced with Windows Vista and is still rock solid for Windows 7. There will be two factors that you will want to consider when setting up UAC. These include whether the user is an Admin or a standard user.
For admins, I highly suggest that you set up UAC such that it always prompts and when it does prompt, it prompts for credentials. This configuration is not highly desired by the user, but it provides an awesome security level. This creates a world where if the admin user leaves the computer unattended, a would-be attacker accessing the computer would still need the credentials of an administrator to hack into tools, the network, etc.
For standard users, I would suggest configuring UAC such that it does not allow elevation and denies access to applications, features, etc that require administrative privileges. If you need to allow users to run such applications, features, etc, you can look into other 3rd party products that support these options.
I describe the correct settings, options, and how UAC is so powerful in this article.
The version of IE that ships with Windows 7 provides some amazing security when you are browsing the Internet. The option of Protected Mode in IE 8 (also in IE 7 that ships with Windows Vista) can help protect you from malware, adware, viruses, etc when you are browsing the Internet. This is not only limited for your standard users, but also for administrators that want to logon with credentials that have administrator privileges, but still browse the Internet protected.
Protected Mode secures your system by leveraging the benefits of UAC, plus adding in integrity controls and isolation of IE from other running applications. In order to set up IE Protected Mode, you simply click a check box, shown in Figure 1.
Figure 1: IE Protected Mode for IE 7 and 8
You can read more about Protected Mode here.
There are other awesome security settings in IE, which are hard to reach unless you are in the IE Internet Options dialog box. The Security settings available under the Advanced tab are hard to reach, but with Group Policy Preferences, you can use centralized administration using AD and GP to set these. Here are those details.
One amazing feature of Windows 7 is the firewall. I know, it sounds odd, but the Windows Firewall is grown up and comes by default already set up and configured with rules. In order for you to centralize, customize, and define more rules for your Windows 7 desktops, you can use Group Policy. The following two articles will help you find and define Windows Firewall settings using Group Policy, even locally. You can find them here and here
Local Administrators Group
In order to lock down your Windows 7 desktops, you need to ensure that only approved users and domain groups have membership in the local Administrators group on each desktop. To control this, you can use Group Policy Preferences. Here are the steps and details to control the local Administrators group.
Most corporations will benefit from not having any local user accounts configured on desktops. Now that you are moving to Windows 7, you can ensure that there are no local user accounts. There are very few reasons to have local user accounts on a desktop, typically reserved for developers and admins, so removing/deleting the local user accounts for standard users is ideal. To perform this task, you simply don't add any local user accounts to the Windows 7 computer, which only has Administrator there by default.
Local Administrator Account
You will need to ensure that the local Administrator account is constantly secured. There are a few options for this, but mainly you will want to ensure that the password is reset frequently. This will reduce the risk of a password attack and also keep the password from getting stale and possibly compromised. Group Policy Preferences provide an easy, efficient, and granular method for resetting the password on every Windows 7 desktop when you feel the need to do so. Check out this link for more information.
You don't want users running just any ole' service on their Windows 7 computer. Therefore, you can establish a list of approved and denied services using Group Policy Preferences. You can categorize the different desktops, set up GPOs to control their services, and then just use the Services policy in Preferences to list what should run and what should not run. For more info, check out the following link.
AppLocker is nearly the same as Software Restriction Policy that is available in Windows XP and Vista. AppLocker does provide some new details, but all-in-all, it provides the same control as SRP. What AppLocker does is create a list of approved/allowed applications and a list of denied applications. Once on the list of applications, the administrator can now control what runs and what does not run on each Windows 7 desktop. For more info, check out the following link.
Installation of Removable Storage Devices
Many companies are moving towards controlling the use of external USB storage devices. These devices can be taken off the network, used at home, used on unprotected computers, then brought back into the company possibly infecting the network. Therefore, you might want to consider limiting the use of these products. Using Group Policy, you can create a list of allowed devices and a list of denied devices, therefore allowing approved USB storage devices for those users that can handle the responsibility. See more here.
BitLocker is a drive encryption technology that was released by Microsoft in Windows Vista. The technology is simple and easy to configure. The results are that the entire hard drive, including system files, is encrypted in case of the computer getting into the wrong hands. More info, here.
BitLocker To Go
Windows 7 takes the concept of encrypting the hard drive with BitLocker to removable devices. The new technology is called BitLocker To Go, and is just as easy to configure as BitLocker. You have some awesome features with BitLocker To Go, such as allowing downlevel clients to view the contents of the removable drive, even though the downlevel client does not support BitLocker To Go. More here.
Miscellaneous Registry Hacks
There are also a ton of awesome security features and settings that are under the Administrative Templates section of your Group Policy interface. These help you control many different aspects of your desktops. I encourage you to look at these options and set them up for the highest security possible that functions in your environment.
- Authentication protocols, whether you will allow LM and NTLM function
- Anonymous user access (this can restrict name to SID resolution, enumeration of the SAM, etc)
- Last logon name will remove the user name from the logon screen for the next user logging on
- Deny use of Registry editing tools
You can find references to all of these settings here.
Windows 7 is awesome, no doubt about it! There are some new and legacy security features and settings that you need to consider. Now that you are moving to Windows 7, you should consider establishing the security on your desktops that you have always wanted. This will go a long way in making sure your new Windows 7 desktops reduce TCO, improve employee production, and reduces helpdesk time troubleshooting misconfigured settings done by the user.