230 likes | 403 Views
Securing Windows 7. Presented by: Stacy Vaccaro Systems Administrator Capital Gazette Newspapers and James Long Windows System Administrator Morenet. Windows 7 Security Features. User Access Control (UAC) Windows Firewall Windows Defender Enhanced Auditing Applocker Bitlocker
E N D
Securing Windows 7 Presented by: Stacy Vaccaro Systems Administrator Capital Gazette Newspapers and James Long Windows System Administrator Morenet
Windows 7 Security Features • User Access Control (UAC) • Windows Firewall • Windows Defender • Enhanced Auditing • Applocker • Bitlocker • Data Execution Prevention • Security Templates
Windows 7 comes with four security features enabled by default: • Windows Firewall is turned on. • Windows Defender protects your computer against spyware in real time and by scanning your PC on a schedule. • User Account Control is turned on. • The Administrator account is disabled.
Is your User Account Control turned on? • Click Start, type UAC and hit the enter key. • User Account Control Settings will open • Move the slide bar to the appropriate setting. • Click OK
Is your Firewall Turned on? • Open Windows Firewall by clicking the Start button Control Panel Windows Firewall. • In the left pane, click Turn Windows Firewall on or off. • If you're prompted for an administrator password or confirmation, type the password or provide confirmation. • Click the “Turn Windows Firewall on or off” link in Windows Firewall • Click Turn on Windows Firewall under each network location that you want to help protect, and then click OK. • If you want the firewall to prevent all programs from communicating, including programs that you have previously allowed to communicate through the firewall, select the “Block all incoming connections, including those in the list of allowed programs” check box.
Is Windows Defender turned on? Follow these steps to ensure that not onlyWindows Defender is set up to automatically scan your system for spyware regularly, but that it's also actively monitoring your system for suspicious activity: • Click Start and type “windows defender” select from list • Click Tools Options Automatic Scanning • Activate the “Automatically Scan My Computer” check box. • Click “Real-Time Protection”. • Activate the “Use Real-Time Protection” check box. • Click OK.
Enhanced Auditing • Windows 7 provides enhanced audit capabilities to make it easier for an organization to meet its regulatory and business compliance requirements. • Audit enhancements start with a simplified management approach for audit configurations and end with greater visibility into what occurs in your organization. • For example, Windows 7 provides greater insight into understanding exactly why someone has received or been denied access to specific information, as well as visibility into the changes made by specific people or groups. *Note: There are over 50 Advanced Auditing Settings
AppLocker (Local) • AppLocker policies can be implemented using Local Group Policies • Help prevent malicious software (malware) and unsupported applications from affecting computers in your environment. • Prevent users from installing and using unauthorized applications. • Implement application control policy to satisfy security policy or compliance requirements in your organization. • Configure a machine with just the applications you want users to run, and AppLocker will automatically build a policy from that machine that you can deploy across your organization. • To access the AppLocker admin interface open the Local Group Policy Editor by running gpedit.msc file in the search box. • To create an executable rule, look for the Executable Rules under the Application Control Policies. Right click this item then choose “create new rule”. * You can find a tutorial here: http://helpdeskgeek.com/windows-7/windows-7-applocker-tutorial/
BitLocker • You can now right-click and encrypt any volume within Windows Explorer. • It allows removable media, both NTFS and FAT volumes, to be encrypted. • You can encrypt removable drives one at a time or require that all removable media be encrypted by default. • Encrypted removable media can be decrypted and re-encrypted on any Windows 7 computers -- not just the one it was originally encrypted on. • Encrypted FAT, exFAT, and FAT32 media can also be shared with Windows XP and Windows Vista clients, but the encrypted data is read-only and cannot be re-encrypted. *NOTE: BitLocker is good encryption and will scramble your data permanently if you cannot supply the recovery password!
Data Execution Prevention You can secure Windows 7 by using a new feature called Data Execution Prevention (DEP). This is a feature that monitors your programs and how they use your system memory. This adds a level of security to programs that stay resident and use memory as a way to launch attacks. You can turn it on for all programs, or just ones you select. To configure it for use, go to the Start menu and open the Control Panel. Click the System applet, and then select the Advanced Tab, Performance Options, Data Execution Prevention tab
Security Templates • Sets Local Group Policy Settings • Account Policies • Local Policies • Event Log • Restricted Groups • System Services • Registry • File System
Additional Security • Custom MMC • Microsoft Security Essentials • Hosts File • Disable Auto-logon • Lock your Desktop • Disable Administrator Account
Creating a custom MMC • To create a custom console, simply go to the Start menu and type ‘MMC /A’ and you will launch a new Microsoft Management Console (MMC). You can save it to any location on your system and name it whatever you want. To populate it, you need to go to the File menu and select Add/Remove Snap-in. Add all the tools you want or need.
What to add to your MMC • Computer Management • Event Viewer • Security Configuration and Analysis • Security Templates • Windows Firewall with Advanced Security • Group Policy Object Editor
MS Security Essentials Microsoft Security Essentials (MSE) pack is software freely downloadable from Microsoft which when installed, adds AV scanning software to your system. • Made for XP, Vista and Windows7 • You can run a Quick, Full or Custom scan to check your systems for malware. • Performing active scans and setting up real-time protection can be done quickly and easily. • Simply run MSE and keep it updated for complete AV protection. • Another benefit is that it can now be updated with Windows Update. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e1605e70-9649-4a87-8532-33d813687a7f
Hosts File • http://www.mvps.org/winhelp2002/hosts.htm • Block malware/spyware, Ads, viruses • Download hosts file • Disable DNS Client Service • If you have problems resolving names from the hosts file • Required in XP
Disable Auto-logon To require that users must press Ctrl+Alt+Delete before they can log on, follow these steps: • Press Windows Logo+R to display the Run dialog box. • Type control userpasswords2 then click OK. • The User Accounts dialog box appears. • Display the Advanced tab. • Activate the Require Users to Press Ctrl+Alt+Delete check box. • Click OK.
Lock your Desktop Windows 7 gives you three ways to lock your computer before heading off: • Select StartShut Down Lock. - If you lock your PC regularly, consider changing the Shut Down button to a Lock button. • Press Windows Logo+L. • Press Ctrl+Alt+Delete Click Lock This Computer. *Whichever method you use, you end up at the Windows logon screen
Disable Administrator Account Here's a method that works with all versions of Windows 7: • Select Start, type command, right-click Command Prompt, and then click Run as Administrator. • The User Account Control dialog box appears. • Enter your UAC credentials to continue. • At the command line, enter the following command: net user Administrator /active:no
*Note* • Although we have gone over a lot of ways to secure Windows 7, be sure to follow all of the security policies set forth by your organization. • Everything we’ve discussed today can be centrally managed by using group policy on your domain.
Links http://windows.microsoft.com/en-us/windows7/Security-checklist-for-Windows-7 http://technet.microsoft.com/en-us/library/dd571075(WS.10).aspx http://www.pcworld.com/businesscenter/article/171979/a_guide_to_windows_7_security.html http://support.microsoft.com/kb/885409 http://support.microsoft.com/ph/14019#tab0
Questions? Insert Questions Here
Thanks! Have a great day!