Updated: February 19, 2010
We have had one article on Windows 7 security already. In it, we discussed the most important aspects of making your desktop safe, without panicking or going overboard with security.
We discussed many things: how to respond to Action Center alerts, how to setup Windows updates, how to many additional categories in Control Panel visible, the configuration of Windows defender and the User Account Control (UAC), Protected Mode, firewall, Data Execution Prevention (DEP), folder options, and disabling Autoplay. For most people, this palette is truly all they will ever need, possibly even too much.
Today, I would like to talk about several more things you may want or need. Call it a fine-tuning if you will. We will learn some more tricks, in the spirit of the first article, with focus on productivity and moderation, making sure our security is transparent and that it works for us, not against us. So let's begin.
AppLocker is very similar to Software Restriction Policies (SRP). In fact, you may ask yourselves what the difference is. Well, AppLocker has a friendlier user interface, the ability to set restrictions based on application version number or publisher, and is easier to work with for less knowledgeable users.
Now, if you're still wondering what AppLocker is, it's a tool that allows you to restrict the execution of programs, installers and scripts on a machine with Windows 7 installed. Rather than using third-party security tools, Windows 7 has a built-in mechanism that allows tight, per-application execution control. The tool can be used to allow or deny certain programs or files to run, which can be used to make your system very secure against damage, accidents, misuse, or attacks.
Accessing AppLocker is not straightforward, which is why I've kept this software for the second article. You will need to invoke the Group Policy Editor, by running:
cmd > gpedit.msc
This is no different than Group Policies on Windows XP. In fact, I urge you to read my original beginner's guide to Group Policies, which also explains how to use Software Restriction Policies. AppLocker is a natural extension of this strategy, so if you've used the former, you'll be instantly very comfortable with the new feature in Windows 7.
AppLocker can be found in the Computer Configuration tree, under Security Settings, Application Control Policies.
You begin by reading the information in the right pane. Your first step would be to configure rule enforcement. You can either have the rules in place or just audit for changes in the system without actually preventing or allowing them.
Then, you should create rules. In the right pane, right-click anywhere. Beginners or less experienced users should start with auto-generated rules. Manual rules can be created later, if needed.
Creating rules is very simple. You just follow a wizard. You create rules based on software groups. For example, you can have a rule for Program Files, a rule for Windows directory, a rule for Users directories, etc.
You can decide how to catalog your files, by digital signature (publisher), hash or path. It is recommended not to use path rules for Users directories, because the location of files can easily change, circumventing your security.
Once your directories are scanned, you'll get the list of rules. You will be able to review the list and individually remove select items, if needed.
Once this is done, you will be asked to create a default set of rules. If you're not really sure how AppLocker works, you should do this, to prevent potentially crippling the functionality of your system.
And this is what the Group Policy Editor shows now:
As said before, you can also fine-tune your security and create manual rules. Again, right-click and choose Create New Rule. In my case, I will create some rules for downloaded installed files that sit in the Downloads folder. These will include benign items like CuteWriter, Foxit Reader and IrfanView, just for the sake of the demonstration.
And now the test:
Working with AppLocker is not easy, but it's definitely worth the investment. Combined with the proper use of the firewall and User Account Control (UAC), you can make your operating system well secured without bleeding the resources one bit.
BitLocker is an encryption software, which lets you encrypt your drive and your files, thus preventing the compromise of data integrity in case your computers get stolen. A similar feature did exist in Windows XP, but it is now easier to use and implement. You can find BitLocker in the Control Panel:
Now, I'm not going to show you how BitLocker works. I will merely inform you that this option exists and that you should explore it, if you like. That said, I do not recommend it, and here's why:
Encryption should never be closed-source. Always use open-source, proven, well tested solutions, like TrueCrypt, which offers the same capabilities, and then some, including cross-platform compatibility.
BitLocker has some rather curious requirements. One is that you have installed Windows 7 on a computer that supports Trusted Platform Module (TPM), which allows BitLocker to store its keys in a special microchip. Failing that, you will need an external USB key on to which you will store the encryption keys. Moreover, BitLocker requires that you have at least two partitions on the system, both formatted with NTFS.
Personally, I find the requirements to be too much, especially considering the fact free, open-source alternatives like PGP and TrueCrypt require no such thing. Furthermore, both these solutions are proven workhorses of the encryption world, whereas BitLocker is a closed-source tool that you cannot use with other operating systems.
While encryption can potentially add to your security, which is why it's listed as an item in this article, BitLocker itself does not have merits that warrant using. In this particular case, knowing which security features not to use is the part of the overall security scheme that I'm trying to teach.
If Windows Media Player (WMP) is your multimedia player of choice, you may want to expand the Options menu and take a look at the Privacy and Security tabs. Some of the default settings may interest you. A few of the checkboxes might need unchecking.
Under the Privacy tab, you can decide what kind of access your media player will have. For example, do you want WMP to try to retrieve media information from the Internet or update music files? Do you want it send a unique Player ID to content providers?
My recommendations are to disallow media player access to the Web, including media information, music files updates, usage rights, unique Player ID, and the Customer Experience Improvement Program. These definitely have nothing to do with your listening to some music and watching movies. And if you have problems with codecs, please read my Windows cool apps guide.
Under the security tab, you can decide what Media Player can do with the files it plays. If there are any embedded scripts, what should it do? Well, it's best to disallow any kind of scripting with media files.
I recommend you do not run script commands, including rich media streams and enhanced content. Media is meant to play and be enjoyed, not run scripts and tamper with the system.
I do not believe in Parental Control, at least not one where people control their kids; rather, I believe in controlling which people should have kids, but that's another matter. Furthermore, I do not believe in Parental Control, because I don't have kids and I find the idea of enforcing censorship on your kids to be the wrong way of education.
Nevertheless, for those interested, Windows 7 has an applet that lets you define what kind of programs your children may use, when and how. The use of Parental Control necessitates that you create a second, non-admin account.
Once the account is in place, you can restrict the usage in several ways: set time limits, choose which kind of games the kids can play, and allow or block access to specific programs on your machine.
And that's all I had for today.
I hope you liked this article. While it has fewer items than the first one, it definitely exposes you to additional elements of Windows 7 security, which may or may not interest you. The most powerful of these is definitely AppLocker, which makes the use of any third-party anti-virus and anti-malware programs obsolete. BitLocker should be avoided. And then, you can fine-tune your privacy and security settings.
If you have additional Windows 7 security suggestions, tips or tricks, feel free to contact me. There might yet be a third article. For now, you have two long, solid guides that should help you enjoy your new operating system without wasting resources, money or your nerves.