Software makers routinely sacrifice some security for the sake of usability, and Microsoft is no exception. I've built a career on teaching people how to harden Microsoft Windows over its default state. Several of my inch-and-a-half-thick books instructed people on what security templates to apply, what files to remove, and what registry edits to make to bring Windows into what I considered a safe but generally functional baseline.
Starting with Windows Vista, most of that old advice is no longer necessary. Microsoft now delivers a product that is significantly more secure out of the box. You don't have to download NSA security templates or modify the system in any way to be fairly secure from the start. Most of today's client-side threats come from users being tricked into running malicious Trojan horse executables and naively lowering the default defenses, such as by disabling UAC (User Account Control), turning off automatic patching, or deactivating the built-in Windows Firewall.
That's not to say there aren't things you can do to increase the security of Windows 7 beyond basic defaults. This article covers the recommendations for any administrator or home user who wants to crank out a bit more security while still operating a computer that will run most applications without causing too many problems. These tips won't result in applications that refuse to run or Web sites that refuse to load.
Step 1: Enable BitLocker
BitLocker Drive Encryption can be used to encrypt any volume on your hard drive, including boot, system, and even removable media, such as USB keys. The rough edges from Vista are gone. You can now right-click and encrypt any volume from within Windows Explorer. There are several protection methods, including combinations of the Trusted Platform Module (TPM) chip, PIN, password, and smart card.
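Once BitLocker is turned on, it is worth confirming that every volume really is encrypted and that protection has not been suspended. The following is an added example, not part of the original article: it parses text saved from `manage-bde -status` and flags unprotected volumes. The sample text is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout `manage-bde -status` prints (not real output).
SAMPLE = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        Password

Volume E: [USB]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

def parse_status(text):
    """Map each drive letter to its status fields and list of key protectors."""
    volumes, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"Volume ([A-Z]:)", line)
        if head:
            cur = volumes.setdefault(head.group(1), {"Key Protectors": []})
        elif cur is not None and line.strip() and not line.startswith("["):
            indent = len(line) - len(line.lstrip())
            key, sep, value = line.strip().partition(":")
            if indent >= 8 or not sep:      # protector name listed under "Key Protectors:"
                cur["Key Protectors"].append(line.strip())
            elif key != "Key Protectors":   # ordinary "Field: value" line
                cur[key] = value.strip()
    return volumes

def audit(text):
    # Return (drive, problem) pairs for volumes that are not actually protected.
    findings = []
    for drive, v in sorted(parse_status(text).items()):
        if v.get("Conversion Status") != "Fully Encrypted":
            findings.append((drive, "not fully encrypted"))
        elif v.get("Protection Status") != "Protection On":
            findings.append((drive, "encrypted but protection is off"))
    return findings

print(audit(SAMPLE))
```

A volume that is fully encrypted but shows protection off is typically one where BitLocker has been suspended, so the data is not protected until it is resumed.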