Best Practices for Windows 7

Torrance Computer Network Support

Windows 7 Basic Adjustments effects and filters

We provide reliable, affordable and friendly computer repair and support. We can help with nearly any workstation problem, including hardware failures and upgrades and most software problems. We support all IBM-compatible computers and peripherals,

Best practices for Microsoft Windows 7

Step By Step whitepaper – February 2013
Seven for 7: Best Practices for Securing Windows 7
In February 2011, Microsoft released its first major update to Windows 7, Service Pack 1. And now that this operating system holds more than 20% of market share [1], there’s no question that more enterprises will plan major migrations to Windows 7 in 2011. As businesses retire older versions of Windows, it’s the perfect opportunity to assess your security policies and take advantage of the new security features of Windows 7.
If you’re planning to roll out Microsoft’s Windows 7, you’ll want to strategically review your endpoint and data protection practices. There are several best practices that any organization – regardless of size – should follow to protect Windows machines from the potentially disastrous consequences of being attacked by viruses, spyware and other forms of malware.


1. Stop the threats
An obvious but important step is to use anti-virus software. Anti-virus software will prevent, detect and remove all the different types of malware that can significantly damage your systems and your data.
One of the most common methods to detect viruses is to search for known patterns, or signatures, in executable code. However, as the number and complexity of unknown malware threats increase, a user can still get infected with new malware that doesn’t yet have a signature.
To counter these “zero-day” threats, make sure you guard your platforms with an anti-virus solution that provides proactive protection to identify new viruses by studying their behavior and then prevents them from running.
Make sure your anti-virus solution does what you expect it to by keeping it up to date. Since new viruses can spread quickly, you should have an automatic infrastructure in place that can update all the computers in your organization seamlessly, frequently and on short notice to stay ahead of the latest threats.
Another simple way to prevent threats from slowing you down is to stay informed. Subscribe to anti-virus vendor notifications – whether they be RSS feeds, forums, podcasts or mailing lists – and review security-oriented news sites for up-to-date information on virus threats, support, technical information and new product developments.

What we recommend
Windows 7 introduces an enhanced implementation of Data Execution Prevention (DEP) that prevents code from executing in areas of memory intended for data storage. We recommend that you check your BIOS settings to enable DEP support (NX enable) and to enable DEP for all applications.
Address Space Layout Randomization (ASLR) randomizes the locations in your computer’s memory where Windows loads essential system libraries. When used with DEP, ASLR makes it more difficult for malware to take advantage of security vulnerabilities in your browser, plug-ins and applications.
By deploying Sophos Endpoint Security and Data Protection with Windows 7 you can benefit from even greater security. We have a run-time Host Intrusion Prevention System (HIPS) that watches the behavior of your applications as they run. If you use HIPS in conjunction with Windows 7’s ASLR and DEP features, you’ll get the best proactive protection against zero-day malware and other evolving threats.
Our central management console, Sophos Enterprise Console, lets you monitor, update and take action from a single point. This helps you make sure your anti-virus software is operational, up to date and compliant with policy across your entire organization. With it, you can be confident that your Windows 7 computers are safe, and easily schedule scans to check for malware at times when your computers are not in use.


2. Ensure safe web browsing
For many businesses, the internet is a mission-critical tool. As a result, innocent websites are enticing targets for malware writers and hackers who want to infect visitors in order to steal their company’s confidential information, spread malicious code or even create botnets for distributing further malware or spam.
Thousands of systems are infected every day through users innocently browsing trusted sites that have been subject to SQL injection attacks, exploiting security vulnerabilities and inserting malicious code.
It’s a tough job to balance employee productivity, which means opening up the internet, against protection from all the potential threats out there, but there are some simple steps you can take to get you on your way.
What we recommend
Windows 7 includes Internet Explorer (IE) 8 by default, which is protected by both DEP and ASLR. In addition, it introduces a new security feature called SmartScreen to protect against surfing to malicious sites. SmartScreen presents a warning for cross-site scripting, phishing, and other known malicious destinations. This, combined with IE8’s protected mode, makes for much safer surfing.
We enhance protection by providing a Browser Helper Object (BHO), which plugs into IE to analyze dynamic content on websites for malicious code and exploits. If we find dangerous web code, our BHO presents an alert to the user in addition to reporting the code back to Enterprise Console for centralized logging and reporting.
Additionally, we provide web filtering to prevent access to malicious websites with our Sophos Live URL Filtering.
By using cloud-based technology our software can filter web requests to prevent the exploitation of browsers, plugins and other web-based threats. When you combine Live URL Filtering with Windows 7’s security improvements you’ll get the most secure surfing possible.


3. Keep computers patched
More than ever before, rogue hackers focus on exploiting holes in third-party plugins and anything that retrieves content from the internet. Attackers continue to target the operating system, but increasingly look to applications that your browser loads to view media, documents, and other file types.
Regularly check the websites of your third-party application vendors to find out whether they have released updates. Many software vendors also issue security advisories.
For example, Microsoft runs a mailing list that warns of security loopholes and other problems found in Microsoft’s software, and offers patches to button them up. Check with your vendors and subscribe to their notification lists to be sure you are aware of new issues as they are discovered.
A Sophos whitepaper – February 2011
When someone finds a new security hole in an application or operating system and a patch is made available, organizations should be ready to act with an infrastructure for testing that the patch works properly and for rolling it out across their user base as quickly as possible.
What we recommend
Windows Update helps keep your computers safer – and your software current – by gathering the latest security and feature updates from Microsoft via the internet. In Windows 7 this is now part of Action Center, which makes updating even easier.
To ensure that Windows Update is turned on when computers connect to your network, you can use the network access control features in Sophos Endpoint Security and Data Protection. It assesses managed and unmanaged computers and can also check that your other key security software is enabled and up to date.


4. Bolster your data loss prevention (DLP)
Malware threats used to be about the malware writers making as much noise as possible to gain notoriety. However, more recently it has become a criminal enterprise that’s out to steal personal information.
That’s why you should consider the steps you can take to protect your data from accidentally getting into the wrong hands. There are four components of data protection that you need to consider:
Application control lets you manage the applications that you allow employees to use. This will make sure employees comply with your company’s security policy, and that sensitive data can’t and won’t leave your organization via applications such as peer-to-peer file sharing or instant messaging.
Device control provides a way to define and apply a comprehensive policy across your organization that controls what devices your employees can and cannot use. Employees have the flexibility they need but don’t put the business at risk.
Data control prevents users from accidentally transferring sensitive data to their devices and applications. Implementing a data loss prevention solution can be costly and complex, so look for a solution that delivers this functionality as an integrated part of the endpoint solution.
Encryption protects data on laptops and USB thumb drives for all eventualities—because people lose things, after all. Implementing encryption isn’t always as straightforward as many people believe, so you have to consider several factors: You need to make sure that the initial implementation is successful; that you can manage and change the encryption policies across your organization; and, above all, that the solution doesn’t get in the way of your users’ daily tasks.
What we recommend
Windows 7 retains the data protection technologies available in Windows Vista like the Encrypting File System (EFS) and built-in Active Directory Rights Management Services technology. These technologies provide an excellent platform for protecting data at rest. For data in motion, we provide DLP integrated directly into our endpoint client software. By taking advantage of our product’s centralized management capabilities, you can manage all your security policies within a single console. In a single scan, Sophos Endpoint and Data Protection enforces DLP rules at the same time that it looks for malware and other suspicious content.
Windows 7 provides for more granular USB port controls through the deployment of Group Policy Objects (GPOs) that can help you protect sensitive data. Windows 7 also provides improvements to its BitLocker technology by introducing BitLocker To Go, which enables encryption to be deployed to FAT32-based removable disk drives like USB memory sticks and portable hard disks.
Sophos Device Control builds upon Windows 7’s approach by enabling more granular controls, down to a per-device basis, while managing your policies using the groups already defined for other security functions.
Windows 7 adds to the application controls available for Windows XP and Vista with the introduction of AppLocker. AppLocker enables administrators to take an allow/block list approach to application management that eases the burden by not relying on hashes or signatures of applications. This provides an easier method of updating and deploying software without needing to approve every minor revision.
Our recommended approach also allows application updates without the need for GPOs. You can manage Sophos policies through Enterprise Console, meaning SophosLabs carries the burden of defining applications. Once you establish a policy, SophosLabs continuously updates the software definition list and can even detect applications that are already installed or require no installation. This style of application control not only detects applications during installation, but also at run-time. Sophos policies can be enforced against Windows XP, Vista and 7 installations, easing the transition to newer operating environments.
Microsoft BitLocker is a full disk encryption feature included in the Ultimate and Enterprise editions of Microsoft’s Windows Vista and Windows 7. With the release of Windows 7, BitLocker added a new feature to encrypt removable devices. We have a management framework that lets organizations centrally manage both their Windows XP desktops and BitLocker encrypted drives on Windows Vista and Windows 7.


5. Manage user privileges
Windows 7 provides more ways than ever to ensure a safe, secure computing environment. With the introduction of User Account Control (UAC), Microsoft gives network administrators more control to ease users into running with standard user accounts. When you enable UAC, this feature prevents users from making system-level changes without an administrator’s approval. This better secures desktops from drive-by malware attacks that take advantage of users’ administrative rights, while also simplifying the process for administrators to authorize behaviors that they know are safe.
What we recommend
In addition to running users without administrative privilege, we recommend you make a few additional changes in your Windows 7 deployment to take full advantage of the enhanced security in Windows 7.
For example, Microsoft introduced a capability to better manage password rotation. In combination with settings that require you to change your password every X days (90 is a good default) and not reuse up to X passwords (5 is recommended), you can now set a GPO to not allow you to change your password until it expires. You should take advantage of this capability as it prevents your users from continuously rotating their password to subvert policies and return to their original passwords.
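One way to check these settings on a deployed machine, as an added example that is not part of the original whitepaper: the Python below parses the output of the built-in `net accounts` command and flags values that let users cycle back to an old password. The sample output is constructed, English-locale output is assumed, and treating a minimum password age of 0 as a finding is this example's assumption.

```python
import re

# Thresholds from the text: change every 90 days, remember 5 passwords.
MAX_AGE_DAYS = 90
HISTORY_COUNT = 5

LABELS = {
    "min_age": "Minimum password age (days)",
    "max_age": "Maximum password age (days)",
    "history": "Length of password history maintained",
}

# Constructed sample of `net accounts` output (values are illustrative).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                5
Lockout threshold:                                    Never
The command completed successfully.
"""


def parse_net_accounts(text):
    """Extract the three rotation settings as ints.

    Non-numeric values ("None", "Unlimited") map to 0, which is how the
    policy itself encodes "not enforced".
    """
    policy = {}
    for key, label in LABELS.items():
        m = re.search(r"^" + re.escape(label) + r":\s*(\S+)", text, re.MULTILINE)
        if m is None:
            raise ValueError("missing field: " + label)
        policy[key] = int(m.group(1)) if m.group(1).isdigit() else 0
    return policy


def audit(policy):
    """Return the settings that let users defeat password rotation."""
    findings = []
    if policy["max_age"] == 0 or policy["max_age"] > MAX_AGE_DAYS:
        findings.append("max_age: passwords expire too late or never")
    if policy["history"] < HISTORY_COUNT:
        findings.append("history: fewer than %d passwords remembered" % HISTORY_COUNT)
    if policy["min_age"] == 0:
        # With no minimum age a user can change passwords back-to-back
        # until the original falls out of the history list.
        findings.append("min_age: immediate re-change allowed")
    return findings


if __name__ == "__main__":
    print(audit(parse_net_accounts(SAMPLE)))
```

On a domain-joined computer, feed it the output of `net accounts /domain` so that the domain policy is checked rather than the local one.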


6. Prevent security loopholes
With more and more employees looking for increased mobility, it’s becoming harder for you to ensure that all computers – including roaming laptops – meet the levels of security that you need to protect your business, such as running an up-to-date anti-virus solution and having their firewalls enabled.
We recommend that you deploy comprehensive security policies to check that any computer accessing the network – even those not owned by the company – is in full compliance. Such policies ensure that only those that meet your required standards can access your corporate network. If they don’t meet your standards, you can keep them at bay.
What we recommend
Windows 7: Network Access Protection (NAP) was introduced in Windows Vista and remains a key component of Windows 7. NAP is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the overall integrity of the network. It is not designed to secure a network from malicious users.
Elitebuyer integrates Network Access Control (NAC) into endpoint protection to help you identify managed and unmanaged computers with potential security flaws, enabling you to either block non-compliant computers or ensure that security is improved to meet a required standard before allowing access.


Long Beach, USA
© Copyright 2011. elitebuyer.com. All rights reserved.
All trademarks are the property of their respective owners.
United States
North American Sales:
Toll Free: 1-562-366-4177
Email: info@elitebuyer.com


Long Beach Computer can also assist organizations by ensuring only approved versions of applications are running. You can specify which versions are allowed to execute, such as Internet Explorer 8 and Firefox 3, but not older versions. This can help secure your environment against outdated or less secure programs.


7. Educate your users
A safe-computing policy should include rules that prohibit:
1. Downloading executables and documents directly from the internet or via email
2. Running or opening unsolicited executables, documents and spreadsheets
3. Playing computer games or using screensavers that did not come with the operating system
Remember that a written policy is only as strong as the technology you use to protect your systems and to bar employees from risky behavior.
What we recommend
If you haven’t already, establish a policy for safe computing and distribute it to all employees. Make sure they read and understand the policy, as well as know who to contact, especially if their machines get attacked or infected.
When possible, you should block access to known malicious vectors that might try to enter your organization by email or web downloads. Examples include .exe and .com files, .msi, .vbs and .bat. Technologies like our Sophos Email Appliance and Sophos Web Appliance can also determine a True File Type to prevent users from simply renaming dangerous files for transmission.
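The difference between blocking by extension and checking the true file type, as an added example that is not Sophos code or part of the original whitepaper: the Python below compares an attachment's name with the signature in its first bytes. The signature table is a small illustrative subset, the verdict names are this example's own, and the sample attachments are constructed.

```python
import os

# Extensions the text lists for blocking at the mail/web gateway.
BLOCKED_EXTENSIONS = {".exe", ".com", ".msi", ".vbs", ".bat"}

# Leading-byte signatures (well-known magic numbers) and the extensions
# that legitimately carry each format. Illustrative subset, not exhaustive.
SIGNATURES = {
    "pe":  (b"MZ", {".exe", ".com", ".dll", ".scr", ".sys"}),
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {".msi", ".doc", ".xls", ".ppt"}),
    "pdf": (b"%PDF-", {".pdf"}),
    "png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "zip": (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
}


def sniff(head):
    """Return the format name whose signature starts `head`, or None."""
    for name, (magic, _exts) in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None


def classify(filename, head):
    """Decide on an attachment from its name and first bytes.

    Returns (verdict, reason), verdict in {"block", "quarantine", "allow"}.
    """
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(head)
    if ext in BLOCKED_EXTENSIONS:
        return ("block", "extension " + ext + " is on the block list")
    if kind == "pe":
        # Renamed executable: content says PE, name says something else.
        return ("block", "executable content under " + (ext or "no extension"))
    if kind is not None and ext not in SIGNATURES[kind][1]:
        return ("quarantine", kind + " content does not match " + (ext or "no extension"))
    # .vbs/.bat are plain text with no signature, and .msi shares the OLE
    # signature with legacy Office files, so content checks alone cannot
    # catch those renamed; the extension rule above still has to stay.
    return ("allow", "no conflict between name and content")


# Constructed sample attachments: (filename, first bytes of the file).
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("update.bat", b"@echo off\r\n"),
    ("notes.txt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, classify(name, head))
```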
Conclusion
For enterprise deployments, our technologies build on the new Windows 7 security features and enhance overall security management across your business. This helps you to get the most out of your investment in this new operating system.
By combining solutions from both Microsoft and Sophos, you can more easily meet compliance and regulatory requirements, improve security and provide the expertise necessary in today’s demanding technical environments.
Sophos is a Gold Certified Microsoft ISV, with competencies in Security, Mobility, Information Worker, ISV/Software and Networking Infrastructure. We are committed to Microsoft standards, and shipped Windows 7 certified products on the same day that Microsoft released Windows 7.
We also provide compatibility for legacy Microsoft platforms right back to Windows 98. This combination allows you to protect all your Windows machines with comprehensive and consistent security.
To learn more about Sophos and to evaluate any of our products free for 30 days, please visit us at www.sophos.com
1. Source: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10

 


Torrance Computer Service and support can help with all your network needs. We have been helping clients for over 15 years.

Call us at 562-366-4177 or log on to http://www.elitebuyer.com