Software makers routinely sacrifice some security for the sake of usability, and Microsoft is no exception. I've built a career on teaching people how to harden Microsoft Windows over its default state. Several of my inch-and-a-half thick books instructed people what security templates to apply, what files to remove, and what registry edits to make to bring Windows into what I considered a safe but generally functional baseline.
Starting with Windows Vista, most of that old advice is no longer necessary. Microsoft now delivers a product that is significantly more secure out of the box. You don't have to download NSA security templates or modify the system in any way to be fairly secure from the start. Most of today's client-side threats come from users being tricked into running malicious Trojan horse executables and naively lowering the default defenses, such as by disabling UAC (User Account Control), turning off automatic patching, or deactivating the built-in Windows Firewall.
That's not to say there aren't things you can do to increase the security of Windows 7 beyond the defaults. This article collects recommendations for any administrator or home user who wants to squeeze out a bit more security while still running a computer that handles most applications without trouble. None of these tips will leave you with applications that refuse to run or Web sites that refuse to load.
Step 1: Enable BitLocker
BitLocker Drive Encryption, available in the Enterprise and Ultimate editions of Windows 7, can encrypt any volume on your hard drive, including the operating system volume, fixed data volumes, and even removable media such as USB keys (a feature Microsoft calls BitLocker To Go). The rough edges from Vista are gone. You can now right-click any volume in Windows Explorer and turn BitLocker on. There are several key protectors to choose from, including combinations of the Trusted Platform Module (TPM) chip, a PIN, a password, a USB startup key, and a smart card.
I especially like the new feature that allows removable media, both NTFS and FAT volumes, to be encrypted. You can encrypt removable drives one at a time or require that all removable media be encrypted by default. Encrypted removable media can be decrypted and re-encrypted on any Windows 7 computers -- not just the one it was originally encrypted on. Encrypted FAT, exFAT, and FAT32 media can also be shared with Windows XP and Windows Vista clients, but the encrypted data is read-only and cannot be re-encrypted.
A word to the wise: Save your BitLocker recovery information somewhere safe and reliable off the computer. BitLocker is good encryption and will scramble your data for good if you cannot supply the recovery password. Most organizations should automatically back up users' recovery passwords to Active Directory by enabling the Group Policy setting that saves BitLocker recovery information to AD DS before volumes are encrypted. The recovery passwords are stored as child objects (class msFVE-RecoveryInformation) of the computer account, and the TPM owner password as an attribute of the computer object, so make sure that read access to those objects matches your organization's security policy; whoever can read them can unlock the drives.
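To verify the state described above, here is an added example (not from the original article) that audits every fixed volume with manage-bde.exe, the BitLocker command-line tool Windows 7 ships (the BitLocker PowerShell module only arrived with Windows 8), and optionally escrows the numerical recovery password protector to Active Directory. It assumes an elevated PowerShell 2.0 prompt on a domain-joined machine, and the regular expressions assume the English-language layout of manage-bde's text output.

```powershell
# Added example, not part of the original article.
# Audit BitLocker on all fixed volumes and (with -BackupToAD) push the numerical
# recovery password protector into Active Directory. Requires elevation.
param([switch]$BackupToAD)

# DriveType 3 = local fixed disk; this skips CD-ROMs and removable media.
$volumes = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" |
           ForEach-Object { $_.DeviceID }

foreach ($vol in $volumes) {
    # Assumption: English output, lines like "Conversion Status:  Fully Encrypted"
    $status = manage-bde -status $vol 2>&1 | Out-String
    $conv = 'unknown'; $prot = 'unknown'
    if ($status -match 'Conversion Status:\s+(.+)') { $conv = $Matches[1].Trim() }
    if ($status -match 'Protection Status:\s+(.+)') { $prot = $Matches[1].Trim() }
    Write-Host ("{0}  conversion: {1}; protection: {2}" -f $vol, $conv, $prot)

    if ($prot -notmatch 'On') {
        Write-Warning "$vol is not protected by BitLocker"
        continue
    }

    # The 48-digit numerical password is the protector worth escrowing;
    # the TPM protector is bound to this machine and cannot be backed up.
    $protectors = manage-bde -protectors -get $vol 2>&1 | Out-String
    $m = [regex]::Match($protectors, 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})')
    if (-not $m.Success) {
        Write-Warning ("{0} has no numerical recovery password; add one with: " +
                       "manage-bde -protectors -add {0} -RecoveryPassword") -f $vol
        continue
    }
    $id = $m.Groups[1].Value
    Write-Host "  recovery password protector $id"

    if ($BackupToAD) {
        # Writes an msFVE-RecoveryInformation child object under the computer
        # account. Fails unless the AD schema has the BitLocker classes and the
        # computer account is allowed to create them.
        manage-bde -protectors -adbackup $vol -id $id
    }
}
```

Run it once without the switch to see which volumes are encrypted and which lack a recovery password; rerun with -BackupToAD after confirming the Group Policy setting for AD DS backup is in place, so that existing volumes encrypted before the policy was applied also end up escrowed.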
Step 2: Raise the UAC slider bar
User Account Control has been significantly improved in Windows 7 to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities. However, depending on whether you are logged on as an administrator or a standard user, some installs of Windows 7 have a default UAC security setting that's one level lower than some experts (including yours truly) recommend. Standard users' UAC defaults to the most secure setting, while administrator accounts sit a notch below the top, which is potentially riskier.
Microsoft created an easy UAC slider bar to allow administrators and users to adjust their UAC security level. After installing all the initial software and configuring Windows 7 the way you want it, I recommend raising the UAC slider bar to "Always notify," the most secure setting. Even in "Always notify" mode, you'll encounter fewer UAC prompts than you did in Windows Vista.
Note: Although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it is not a security boundary (Microsoft has said as much) and it can be bypassed. The published bypass techniques lean on the auto-elevation that the default slider level grants to signed Windows binaries, which is exactly what "Always notify" switches off. If you need high security, work from a standard user account and don't log on with an elevated account until you need it.
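The slider is only a front end for three registry values. The following added example (not from the original article) reads them, translates the combination back into the slider's notches, and with -SetAlwaysNotify writes the "Always notify" values. It assumes an elevated PowerShell 2.0 prompt on Windows 7; which exact combination the bottom notch writes differs between Windows versions, so both variants of "Never notify" are recognised rather than assumed.

```powershell
# Added example, not part of the original article.
# Report the current UAC slider level from the registry and optionally raise it
# to "Always notify". Requires elevation; takes effect at next logon.
param([switch]$SetAlwaysNotify)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# EnableLUA                  1 = UAC on, 0 = UAC off entirely
# ConsentPromptBehaviorAdmin 2 = prompt for everything, 5 = prompt only for
#                            non-Windows binaries (auto-elevate Windows ones),
#                            0 = elevate silently
# PromptOnSecureDesktop      1 = prompt on the dimmed secure desktop
$level = 'unrecognised combination (set by policy?)'
if ($p.EnableLUA -eq 0) {
    $level = 'Never notify (UAC off)'
} elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
    $level = 'Always notify (top of slider)'
} elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 1) {
    $level = 'Notify only when programs try to make changes (Windows 7 default for admins)'
} elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 0) {
    $level = 'Notify only when programs try to make changes, without dimming the desktop'
} elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
    $level = 'Never notify (UAC on, administrators elevate silently)'
}

Write-Host ("EnableLUA={0}  ConsentPromptBehaviorAdmin={1}  PromptOnSecureDesktop={2}" -f
            $p.EnableLUA, $p.ConsentPromptBehaviorAdmin, $p.PromptOnSecureDesktop)
Write-Host "Current UAC level: $level"

if ($SetAlwaysNotify) {
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Write-Host 'Set to Always notify; log off and back on for it to apply.'
}
```

The same three values are what the corresponding Group Policy settings under Security Options control, so on a domain-joined machine a policy may override whatever the slider shows; the script's "unrecognised combination" branch is usually a sign of that.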
Step 3: Patch everything
In Windows 7's default settings, the Windows Update service is configured to download and install important Windows updates automatically and in a timely manner. Select the "Give me updates for Microsoft products" option in Windows Update as well, so that Office and other Microsoft applications are covered, not just the operating system. Multiple studies have shown that Microsoft software is among the most patched software in the world. But Windows has nothing built in to help you keep up with non-Microsoft patches. Install software or establish a process to ensure that all programs are patched, especially your browser plug-ins (PDF readers, Flash, Java runtimes, and the like). Malicious hackers are quickly moving to these less frequently patched third-party programs to silently exploit the end-user.
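To check that the automatic-update setting really is where this step wants it, and to see what is waiting to be installed, here is an added example (not from the original article) that uses the Windows Update Agent COM objects present on Windows 7. It assumes PowerShell 2.0 and that the machine can reach Windows Update or its WSUS server for the search; the interpretation of the NotificationLevel codes follows the Windows Update Agent documentation.

```powershell
# Added example, not part of the original article.
# Report the Automatic Updates level and list pending software updates.

# Microsoft.Update.AutoUpdate exposes the setting behind Control Panel's
# "Windows Update > Change settings" page.
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$levels = @{ 0 = 'Not configured'
             1 = 'Disabled'
             2 = 'Notify before download'
             3 = 'Download, notify before install'
             4 = 'Install updates automatically (recommended)' }
$nl = $au.Settings.NotificationLevel
Write-Host ("Automatic Updates level: {0} ({1})" -f $nl, $levels[$nl])
if ($nl -lt 4) {
    Write-Warning 'Automatic Updates is below "Install updates automatically"'
}

# Microsoft.Update.Session performs the same search the Windows Update client
# does; the criteria string syntax is the agent's own.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
Write-Host ("{0} software update(s) pending" -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    # MsrcSeverity is empty for non-security updates.
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    Write-Host ("  [{0,-9}] {1}" -f $sev, $u.Title)
}
```

A long list of pending "Critical" entries on a machine whose level reads 4 usually means the scheduled install time is never being reached (the PC is off at 3 a.m.) rather than that the setting is wrong; the scheduled time is adjustable on the same Control Panel page.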
Step 4: Install anti-spam and anti-malware software
The biggest threat to client systems is the Trojan horse -- fake Outlook patch, fake anti-virus scanner, fake codec for that must-see Britney Spears video -- that dupes the end-user into downloading and executing malicious software. Long gone are the days when you could rely on bad grammar and misspellings to point out the bad stuff. Today, even the most knowledgeable security people can be fooled. Unless you (or the end-user you are administrating) can tell the difference between good and bad software with perfect accuracy, you should install and use up-to-date anti-spam and anti-malware software.
Step 5: Enable the SmartScreen Filter in Internet Explorer 8
When you first start IE8, one of the setup wizard screens asks whether you want to enable the SmartScreen Filter, which checks the Web sites you visit and the files you download against a local cache and a Microsoft reputation service to see whether they have been reported as phishing or malware sites. (Reflected cross-site scripting is handled by IE8's separate XSS Filter, which is on by default and is not part of SmartScreen.) SmartScreen adds a slight, barely noticeable delay when enabled. The savviest security users may want to disable this setting, while most users should make sure it's enabled. If you're already running IE8, check by selecting SmartScreen Filter from the Safety menu.
Step 6: Take an inventory
Over time, most systems accumulate more and more -- often unnecessary -- programs that end up exacting a toll on memory resources. Without an active cleanup of your system, it will become slower, more prone to crashing, and stocked with additional attack vectors for bad stuff to exploit.
To fight software creep, periodically inventory the software and services on your system, and remove what isn't needed. You can inspect the system manually or use Microsoft's Sysinternals Autoruns, a free download. Autoruns lists every program, service, driver, scheduled task, and browser add-on configured to start automatically and lets you disable any entry with a click of a checkbox, so the change is reversible. My advice is to do your research before disabling anything you don't recognize, so you don't cause yourself unexplained operational issues later on, after you've forgotten what you disabled.
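For administrators who would rather script the inventory than click through Autoruns, here is an added example (not from the original article, and not Autoruns itself) that covers a subset of what Autoruns shows: installed programs with publisher and version, the machine and per-user Run keys, and automatically starting services whose binaries are not signed by Microsoft. It is report-only and assumes PowerShell 2.0 on Windows 7; the Wow6432Node paths simply do not exist on 32-bit installs and are skipped.

```powershell
# Added example, not part of the original article.
# A lightweight autostart and software inventory; nothing is changed.

Write-Host '== Installed programs (use to spot third-party software due for patching) =='
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*')
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Sort-Object DisplayName -Unique |
    ForEach-Object { '{0,-45} {1,-15} {2}' -f $_.DisplayName, $_.DisplayVersion, $_.Publisher }

Write-Host "`n== Autostart entries in the Run keys =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip the PS* metadata properties PowerShell adds to registry objects.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { '{0}  {1} = {2}' -f $k, $_.Name, $_.Value }
}

Write-Host "`n== Auto-start services whose binary is not Microsoft-signed =="
Get-WmiObject Win32_Service -Filter "StartMode = 'Auto'" |
    ForEach-Object {
        # PathName may be quoted and carry arguments; reduce it to the executable.
        $exe = $_.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($exe -split ' -| /')[0] }
        $signer = 'path not found'
        if (Test-Path $exe) {
            $cert = (Get-AuthenticodeSignature $exe).SignerCertificate
            $signer = if ($cert) { $cert.Subject } else { 'unsigned' }
        }
        New-Object PSObject -Property @{ Name = $_.Name; Signer = $signer; Exe = $exe }
    } |
    Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Format-Table Name, Signer, Exe -AutoSize
```

Save the output on a known-good day and diff it against later runs; a new unsigned auto-start service or an unfamiliar Run entry is far easier to spot as a change than by reading the whole list cold, which is the same reason Autoruns offers a compare feature.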
Step 7: Back up your data
We've all been using computers for a long time now, and we know that stuff happens. It's good to have a multiyear computer warranty, but to minimize the damage when your computer crashes, make sure to back up your irreplaceable data. Windows 7 includes a reliable backup program that you can set up at Control Panel > System and Security > Backup and Restore. Or just search on the keyword "backup" in Help and Support to learn everything you need to know about Windows backups.
This article covered the items that should be done to make an already secure Windows 7 system more secure. If your OS and all applications stay fully patched and you don't get tricked into running Trojan horse executables, you will have significantly less risk than the average user. Don't fall into the trap of disabling the Windows 7 defaults (UAC, Internet Explorer's Protected Mode, Windows Firewall, and so on). Many well-meaning advisers don't have access to the cumulative customer experiences that Microsoft does.