10 commandments of Windows security
What you need to install, configure and add to ensure security on Microsoft Windows (especially Windows 7) notebooks and PCs
By Daniel Dern
April 23, 2012
CSO

With the introduction of Windows 7, many PC and notebook users may feel more secure than they did using older versions of the Microsoft operating system. Newer OSs have more security features, offer better out-of-the-box security settings and have closed many of the historical security holes. Windows 7, for example, has changed the default User Account Control level so that it's harder for rogue programs to run without first explicitly gaining the user's permission.
However, feeling too secure can be dangerous. With that in mind, here are 10 tips—commandments, if you will—for ensuring your desktop or notebook computer can be used productively as well as safely. Many of the recommended tools are free, and all are affordable—and certainly less expensive than the potential problems of an unsecured computer. Similarly, many will take you only a minute or two to perform—again, far less time than you'd spend recovering from a security problem.
Yes, Windows 8 is on the way, but it'll be many years before that version runs on a majority of the installed base. So these tips are focused on the computers you are actually using today—especially Windows 7 computers, though most of the advice also applies to Windows Vista or XP machines.
1st commandment: Start with new hardware
Today's new hardware—motherboards, BIOS, CPUs, hard drives, and the system as a whole—includes more security "baked in," even before the operating system is installed. Examples include Trusted Platform Modules (TPM), which embed cryptographic security directly into the hard drive or other component, Unified Extensible Firmware Interface (UEFI) firmware instead of the traditional BIOS, and Intel's vPro security and management technologies. For example, machines with UEFI and TPM will, as part of each boot-up, check the computer's firmware and boot-up binaries to confirm they have not been infected with malware.
If you are working with an existing machine, consider doing a fresh install of the operating system, after completing one (or several) full backups. Ideally, the operating system would be the newest version rather than what was previously installed. (Products like LapLink's PC-Mover can reduce the effort of saving and migrating settings and even application software—although applications should be freshly installed if possible, as well.)
Even if you're working with an existing machine, consider swapping in new hard drives that include built-in encryption. Drives that support the OPAL Storage Specification standard enable companies to manage encrypted drives from multiple vendors—and have also helped reduce the extra cost for an encrypted drive from $100 to nearly zero. After-market drives often include migration tools to speed and simplify a drive swap.
If a self-encrypted drive isn't an option, look at using full-disk encryption software, such as Windows' BitLocker (available only on Enterprise or Ultimate Windows Vista, 7 or 8) or a third-party tool.
2nd commandment: Use current OS versions and automatically get OS and application updates
If you aren't using the most current commercial version of the operating system, it's time to upgrade. Additionally, make sure you set the software to automatically apply updates (not just the OS, but all applications) and periodically turn off the computer, which is when many updates are auto-applied. An appalling number of security breaches occur because applications lack important security fixes that have been available for a year or more.
The computer vendor may also include helpful update tools. For example, Lenovo includes an update process that is designed to show all BIOS and driver updates available for that particular model. You can also manually start the update-check apps process. This may take several cycles, particularly for the first time around, if some updates require other updates.
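One way to check the second commandment on a Windows 7 machine, as an added example that is not part of the original article: the PowerShell script below asks the built-in Windows Update Agent for the automatic-update setting, whether a restart is pending, and which updates are still missing. The 14-day uptime threshold is an assumption chosen for illustration, and the check covers only what Windows Update delivers, not third-party applications.

```powershell
# Added example: audit the automatic-update posture of this machine.
# Works with PowerShell 2.0 (shipped with Windows 7); run from an elevated prompt.

# Meaning of the Windows Update Agent NotificationLevel values
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before installation'
    4 = 'Scheduled installation (automatic)'
}
$au    = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = [int]$au.Settings.NotificationLevel

# True when installed updates are waiting for a restart to finish applying
$rebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

# Days since last boot; many updates only complete at shutdown or restart
$os         = Get-WmiObject Win32_OperatingSystem
$uptimeDays = [int]((Get-Date) - $os.ConvertToDateTime($os.LastBootUpTime)).TotalDays

# Applicable updates not yet installed (needs access to Windows Update or WSUS)
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates)
$urgent   = @($missing | Where-Object {
    $_.MsrcSeverity -eq 'Critical' -or $_.MsrcSeverity -eq 'Important'
})

New-Object PSObject -Property @{
    AutoUpdateSetting = $levels[$level]
    RebootPending     = $rebootPending
    UptimeDays        = $uptimeDays
    MissingUpdates    = $missing.Count
    MissingSecurity   = $urgent.Count
} | Format-List

# Findings a reviewer would flag
$maxUptimeDays = 14   # assumed threshold for illustration, not from the article
if ($level -ne 4)   { Write-Warning "Updates are not installed automatically: $($levels[$level])" }
if ($rebootPending) { Write-Warning 'A restart is required to finish installing updates.' }
if ($uptimeDays -gt $maxUptimeDays) {
    Write-Warning "Machine has been up $uptimeDays days; restart so pending updates can apply."
}
foreach ($u in $urgent) { Write-Warning "Missing [$($u.MsrcSeverity)]: $($u.Title)" }
```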