The six best practices you need to implement to protect Windows 7 computers

Introduction

The early reports are in, and it's clear that Microsoft's Windows 7 is off to a fast start, thanks in part to Microsoft's liberal Windows 7 beta program and the pent-up demand for a new OS from Vista and XP users. Windows 7's market share is already 4%, a figure that is being driven by users clamoring for tighter security, faster boot-up times, greater stability and enhanced ease of use, according to market researcher Net Applications.

Windows 7 is more secure than Vista and XP, but it's still vulnerable

Microsoft has made a number of enhancements in Windows 7, which are detailed in 'What's new in Windows 7' on page 4.

User Account Control (UAC) is one area that Microsoft addressed. Its purpose is to help prevent unauthorized changes to desktop and laptop systems. UAC does this by asking the user for permission or for an administrator password before performing actions that could potentially affect the computer's operation or change settings that affect other users.

By verifying these actions before they start, UAC can help prevent viruses, spyware and other malicious software from installing or making changes to computers without authorization.

However, UAC is far from bulletproof. In its tests, Sophos found UAC blocked only 1 out of 10 randomly selected viruses, proving again that protecting a PC from modern malware still requires anti-virus software and other safeguards.

Best Practices for Windows 7 security

If you're planning to roll out Microsoft's Windows 7, now is the time to strategically review your endpoint and data protection practices for all your Windows PCs, no matter which versions of the operating system you're running.

There are several best practices any organization, whether a small, medium or large enterprise, should follow to protect its Windows machines from the potentially disastrous consequences of being attacked by viruses, spyware and other forms of malware:

1. First, stop the threat. An obvious but important step is to use anti-virus software to prevent, detect and remove all the different types of malware that have the potential to cause considerable damage to your systems and your data.

One of the most common methods to detect viruses is to search for known patterns, or signatures, in executable code. However, with the increase in the number and complexity of unknown malware threats, it's possible for a user to be infected with new malware for which no signature yet exists. To counter such so-called 'zero-day' threats, you should guard your platforms with an anti-virus solution that provides proactive protection that identifies new viruses by studying their behavior and prevents them from executing.

To ensure that your anti-virus solution is doing what you expect it to, you need to keep it up to date. Because new viruses can spread quickly, it is important to have an automatic infrastructure in place that can update all the computers in your organization seamlessly, frequently and on short notice to stay ahead of the latest threats.

Another simple way to prevent threats from slowing you down is to stay informed. Subscribe to anti-virus vendor mailing lists for up-to-date information on virus threats, support, technical information and new product developments.

2. Stay up-to-date with software patches. While Microsoft continues to improve the security of its operating systems and applications, rogue hackers are focusing more on exploiting holes in third-party and internally developed applications.

Remind yourself to regularly check the Web sites of your third-party application vendors to find out whether they have released updates.

Many software vendors also issue security advisories. For example, Microsoft runs a mailing list that warns of security loopholes and other problems found in Microsoft's software, and offers patches to button them up.

When a new security hole is found in an application or operating system and a patch is available, organizations should be ready with an infrastructure for testing that the patch works properly and for rolling it out across their user base.

3. Bolster your data loss prevention (DLP). The malware threat used to be about the writers making as much noise as possible to gain notoriety. However, more recently it has become a criminal enterprise that's out to steal personal information. In light of this, you should also consider the steps you can take to protect your data from getting into the wrong hands.

There are four components of data protection that you need to consider:

»»Application control enables you to manage the applications you will allow employees to use. This ensures adherence to your security policy, and that sensitive data cannot leave your organization via applications such as peer-to-peer file sharing or instant messaging.

»»Device control provides a way to define and apply a comprehensive policy across your organization that controls what devices your employees can and cannot use. Employees have the flexibility they need but don't put the business at risk.

»»Data control ensures that users are not accidentally transferring sensitive data to their devices and applications. Implementing a data loss prevention solution can be costly and complex, so look for a solution that delivers this functionality as an integrated part of the endpoint solution.

»»Encryption ensures that the data on laptops and USB thumb drives is protected for all eventualities, because people lose things. Implementing encryption may not be as straight-forward as many people believe, so there are several factors to consider: You need to ensure that the initial implementation is successful; that you can manage and change the encryption policies across your organization; and, above all, that the solution doesn't get in the way of your users' daily tasks.

4. Limit access to external storage. Complete data protection should account for data not only on computers, but also on removable media. You should control the use of removable storage by authorizing specific devices, enforcing the use of encrypted devices or limiting users to read-only access. Ensure that policies are in place to help secure all file shares and regulate the use of removable media. Doing so will reduce your exposure to worms that exploit these kinds of devices.

5. Reduce the risk at the gateway. To protect your business from the threats of viruses, spam and spyware, reduce the risk at

Monitoring the traffic at both the web and email gateway provides an extra layer of protection against the external threats.

You also can:

»»Block file types that are often virus carriers such as EXE, COM, PIF, SCR, VBS, SHS, CHM and BAT. It's unlikely your organization will need to receive these file types via email from the outside.

»»Block any file with more than one file type extension. Some viruses attempt to disguise their true executable nature by using double extensions. Files such as LOVE-LETTER-FOR-YOU.TXT.VBS or ANNAKOURNIKOVA.JPG.VBS may appear to be ASCII text or a harmless graphic to the inexperienced.

»»Ensure all executable code sent to your organization is checked and approved by someone in IT. This serves two purposes: IT can confirm not only that the code is virus-free, but also that it is properly licensed, unlikely to conflict with existing software applications and is safe for work (in other words, non-pornographic).
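
The two blocking rules above (risky file types and double extensions) can be written as a filename check for the mail gateway. This is an added example, not part of the Sophos article; the function names, the working definition of a "file type extension" and every sample name except the two the article cites are assumptions.

```python
import re

# File types the article lists as frequent virus carriers.
BLOCKED_EXTENSIONS = frozenset(
    {"exe", "com", "pif", "scr", "vbs", "shs", "chm", "bat"})

# Assumption: a "file type extension" is 2-4 alphanumerics with at least one
# letter, so a date or version part such as ".2009" is not counted as one.
_EXT_RE = re.compile(r"^(?=.*[a-z])[a-z0-9]{2,4}$")


def normalise(filename: str) -> str:
    """Reduce an attachment name to the form Windows would act on."""
    name = re.split(r"[\\/]", filename)[-1]   # drop any path component
    name = re.sub(r"\s*\.\s*", ".", name)     # "JPG. VBS" -> "JPG.VBS"
    return name.strip().rstrip(".").lower()   # Windows ignores trailing dots


def extensions(filename: str) -> list[str]:
    """Return the trailing run of extension-like suffixes, in order."""
    run = []
    for part in reversed(normalise(filename).split(".")[1:]):
        if not _EXT_RE.match(part):
            break
        run.append(part)
    return run[::-1]


def verdict(filename: str) -> tuple[str, str]:
    """Apply both gateway rules and return (action, reason)."""
    exts = extensions(filename)
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        return "block", f"blocked file type .{exts[-1]}"
    if len(exts) > 1:
        return "block", "more than one file type extension: ." + ".".join(exts)
    return "allow", "no rule matched"


if __name__ == "__main__":
    # First two names are based on the article's examples; the rest are constructed.
    for sample in ["LOVE-LETTER-FOR-YOU.TXT.VBS", "ANNAKOURNIKOVA.JPG. VBS",
                   "holiday.jpg.png", "setup.EXE. ", "report.2009.pdf",
                   "Q3 minutes.docx"]:
        print(f"{sample!r:32} -> {verdict(sample)}")
```

Under the strict rule the article gives, a benign name such as a .tar.gz archive is also blocked, so a deployment would normally quarantine for IT review rather than silently drop.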

6. Manage your policy by enforcing and educating. If you haven't done so already, establish a policy for safe computing and distribute it to all employees. Make sure they read and understand the policy, and know whom to contact with questions or in the event their machines have been attacked or infected.

A safe-computing policy should include rules that prohibit:

»»Downloading executables and documents directly from the Internet or via email

»»Running unsolicited executables, documents and spreadsheets

»»Playing computer games or using screensavers that did not come with the operating system

Keep in mind that a written policy is only as strong as the technology you use to protect your systems and prevent employees from engaging in risky behavior to begin with.

About the Author:

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.

Author: MFrizzi