5 Tips to Improve Windows 7 PCs Security

by Joseph Moran

Following these five Windows 7 security tips will give you better control over who uses your Windows PCs and how your employees use them.

Maintaining effective small business security is an ongoing effort, and keeping Windows 7 PCs secure isn’t easy. Employing a firewall and anti-virus software are good first steps, but to ensure better control over who uses your Windows 7 PCs -- and how they are used -- check out the following tips.

5 Windows 7 Small Business Security Tips

1. Make Sure Users Don’t Have Administrator Accounts

Depending on how your computers and small business network were set up, employees may have user accounts with administrative rights to the computers they use. This is bad, because it rolls out the red carpet for malware; the potential for infection greatly increases when administrator access is available.

It also gives your employees the freedom to install -- intentionally or not -- all kinds of unnecessary software (e.g. various browser toolbars and other Internet-borne garbage), which can over time cause security, performance and reliability problems.

Figure 1: With this setting you can require complex passwords that expire periodically and can’t be immediately reused.

To fix this problem: search for and run lusrmgr.msc (Local Users and Groups) from the Start menu. Double-click Local Users and Groups, then Users, then the user account in question. Finally, click the Member Of tab, and if Administrators is listed, highlight it and click Remove. (Note: If it turns out that the user owns a computer’s only administrator account, you’ll have to create a new administrator account before this will work.)
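
To see who holds administrator rights without opening each account, the membership of the local Administrators group can be listed from PowerShell. This is an added example, not part of the original article; it assumes the PowerShell 2.0 that ships with Windows 7 and uses the WinNT ADSI provider.

```powershell
# Added example: audit the local Administrators group (PowerShell 2.0, Windows 7).
# Resolve the group by its well-known SID (S-1-5-32-544) so the check also
# works on non-English Windows, where the group name is localized.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$computer  = $env:COMPUTERNAME
$group     = [ADSI]"WinNT://$computer/$groupName,group"

$report = @($group.psbase.Invoke('Members')) | ForEach-Object {
    # Members come back as COM objects; read their properties via reflection.
    $t     = $_.GetType()
    $name  = $t.InvokeMember('Name',      'GetProperty', $null, $_, $null)
    $class = $t.InvokeMember('Class',     'GetProperty', $null, $_, $null)
    $path  = $t.InvokeMember('ADsPath',   'GetProperty', $null, $_, $null)
    $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    New-Object PSObject -Property @{
        Name  = $name
        Class = $class                                      # User or Group
        Sid   = $sid
        Local = ($path -like "*/$computer/*")               # local vs. domain account
        BuiltInAdministrator = ($sid -like 'S-1-5-21-*-500') # RID 500 = built-in account
    }
}

$report | Sort-Object BuiltInAdministrator -Descending |
    Format-Table Name, Class, Local, BuiltInAdministrator, Sid -AutoSize

# Everything except the built-in Administrator account deserves a second look.
$review = @($report | Where-Object { -not $_.BuiltInAdministrator })
"{0} member(s) besides the built-in Administrator account to review" -f $review.Count
```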

NOTE: Tips 2, 3 and 4 require Windows 7 Professional, Ultimate or Enterprise.

2. Enforce Password Rules

You’ve probably told your employees not to use easy-to-guess passwords and to change them regularly, but are they actually doing it? Probably not. If you’re serious about it, however, you can enforce a number of password rules, including their length, complexity, and how long before they must be changed.

To configure password rules, search for and run secpol.msc (Local Security Policy) from the Start menu, then double-click Account Policies and then Password policy. Double-click Password must meet complexity requirements, select Enabled then click Apply and OK. This will require that passwords not contain part of the username (Duh!), be at least six characters long and include characters from at least three of the following four categories:

  • Uppercase letters
  • Lowercase letters
  • Numbers (0-9)
  • Non-alphabetic characters (e.g. $,%,&)

After you turn on password complexity, you may want to consider doing the same for some of the other password settings shown. For example, setting Maximum password age will force users to change their passwords at the specified interval, and Enforce password history will limit users’ ability to reuse old passwords.

By the way, these rules will only take effect at the next password change, and in some cases your user accounts may automatically be set to have passwords that never expire. To check this (and correct it if necessary), search for and run lusrmgr.msc from the Start menu, then double-click Users, double-click a particular user, and make sure that Password never expires is not checked.
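
The following added example (not from the original article) checks that the settings described above are actually in effect and lists enabled local accounts whose passwords never expire. It assumes an elevated PowerShell 2.0 prompt; the key names are the ones secedit writes to its export file.

```powershell
# Added example: verify the local password policy (run elevated; PowerShell 2.0).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse the "Key = Value" lines of the exported template into a hashtable.
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg

function New-Check($Setting, $Value, $Pass) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Pass = $Pass }
}

$complexity = [int]$policy['PasswordComplexity']   # 1 = enabled
$maxAge     = [int]$policy['MaximumPasswordAge']   # days; -1 = passwords never expire
$history    = [int]$policy['PasswordHistorySize']  # number of remembered passwords

$results = @(
    (New-Check 'Password must meet complexity requirements' $complexity ($complexity -eq 1)),
    (New-Check 'Maximum password age (days)'                $maxAge     ($maxAge -gt 0)),
    (New-Check 'Enforce password history'                   $history    ($history -gt 0))
)
$results | Format-Table Setting, Value, Pass -AutoSize

# Enabled local accounts with "Password never expires" checked are exempt
# from the maximum password age, so list them separately.
$neverExpire = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
    Where-Object { -not $_.PasswordExpires } |
    Select-Object -ExpandProperty Name)

if ($neverExpire.Count -gt 0) {
    "Accounts with 'Password never expires' set: " + ($neverExpire -join ', ')
} else {
    "No enabled local account has 'Password never expires' set."
}
```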

3. Set PCs to Lock After Inactivity

Employees often get called away from their desks several times during the course of the work day. Depending on the duration and frequency of these sojourns, they can leave a PC logged in but unattended for long periods, during which passers-by -- e.g. another employee or an office visitor -- can obtain unauthorized access. (Then there’s the person who logs in on Monday morning and out on Friday afternoon, leaving the computer accessible after hours to cleaning personnel and the like.)

Figure 2: By password protecting the screen saver and setting an idle time that triggers it, you can ensure that an unattended PC isn’t accessible to passers-by.

You can guard against this kind of unauthorized access by configuring computers to automatically lock after a specified amount of idle time, ensuring the user’s password will be required to regain access. Particularly when used in conjunction with the password complexity described above, requiring people to enter their passwords multiple times over the course of a day should help them remember them better.

Here's how to configure a system to lock: search for and run gpedit.msc (Local Group Policy Editor) from the Start menu. Under User Configuration, Administrative Templates, double-click Control Panel, then Personalization. Now double-click Screen saver timeout, choose Enabled, and specify the idle time in seconds (you’ll have to do a bit of math here; the default setting of 900 is 15 minutes).

Then find the Password protect the screen saver setting (it should be just above). Enable this one as well -- there are no options to set -- and you’re all set. (Note that this will work whether or not the user actually has a screen saver configured.)

4. Preventing Writing Data to USB Storage, DVD and CD Discs

USB flash drives and hard drives (as well as writable DVD/CD drives) are a double-edged sword; they make it enormously convenient to store and transport large amounts of data, which in turn makes them an excellent way for an employee to take unauthorized personal copies of company files off-premises.

There can certainly be legitimate reasons to have USB storage devices in the workplace, but if your business doesn’t need them, you can lessen the odds of information theft by ensuring that your computers can’t write to USB devices. (You’ll still be able to read from them, though.)

Figure 3: If your business can live without them, preventing a PC from writing to USB storage devices -- or burning DVD or CD discs -- can keep employees from making unauthorized copies of company data.

To prevent a computer from writing data to a USB storage device, open gpedit.msc (Local Group Policy Editor) from the Start menu, then double-click Computer Configuration, Administrative Templates, System, and finally, Removable Storage Access. Now find the setting labeled Removable Disks: Deny write access and set it to Enabled.

Similarly, to block the burning of DVD or CD discs, set CD and DVD: Deny write access to Enabled as well. Note: Denying write access to DVD/CDs will only prevent the use of Windows’ built-in burning feature. It won’t stop someone from using third-party disc burning software, so be sure there are no such programs on the system already. (And by following tip number one, you’ll prevent anyone from installing such software on the computer in the future.)
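
Added example, not from the original article: a PowerShell check that the policies from tips 3 and 4 are set on a PC. The registry paths and value names are where Windows stores these Group Policy settings and are not given in the article; run it as the user whose screen lock is being checked.

```powershell
# Added example: confirm the Group Policy settings from tips 3 and 4 (PowerShell 2.0).
# The screen saver policies are per-user (HKCU), so run this in that user's session.
function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (policy not configured).
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}
function New-Check($Policy, $Value, $Pass) {
    New-Object PSObject -Property @{ Policy = $Policy; Value = $Value; Pass = $Pass }
}

$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$storage = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUIDs Windows uses for the Removable Storage Access policies.
$removableDisks = "$storage\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
$cdDvd          = "$storage\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"

$timeout   = Get-PolicyValue $desktop 'ScreenSaveTimeOut'     # seconds, stored as text
$secure    = Get-PolicyValue $desktop 'ScreenSaverIsSecure'   # '1' = password required
$usbDeny   = Get-PolicyValue $removableDisks 'Deny_Write'     # 1 = write access denied
$cdDvdDeny = Get-PolicyValue $cdDvd 'Deny_Write'

$results = @(
    (New-Check 'Screen saver timeout (seconds)'     $timeout   ($timeout -ne $null -and [int]$timeout -gt 0)),
    (New-Check 'Password protect the screen saver'  $secure    ($secure -eq '1')),
    (New-Check 'Removable Disks: Deny write access' $usbDeny   ($usbDeny -eq 1)),
    (New-Check 'CD and DVD: Deny write access'      $cdDvdDeny ($cdDvdDeny -eq 1))
)
$results | Format-Table Policy, Value, Pass -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
"{0} of {1} policies are not configured as described" -f $failed.Count, $results.Count
```

An empty Value column means the policy is still set to Not Configured for that user or computer.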

5. Keep Up with Operating System and Other Software Updates

Keeping the Windows operating system and other software current with the latest updates isn’t a priority for many small businesses, but it should be. For starters, all your Windows PCs should be set to automatically download and install important updates (those that address security vulnerabilities).

You can check this by searching for and running Windows Update from the Start menu and then clicking Change settings. If you really want to see the updates first and apply them manually, use the Download updates but let me choose whether to install them option, so that any updates you decide to install will at least be downloaded in advance.

In addition to Windows, it’s important that you keep third-party software up-to-date, particularly Adobe Flash, Adobe Reader, and Java. These ubiquitous pieces of software are big targets, and new security flaws are always being identified and patched, so when any of these programs informs you of an available update, be sure to download and install it ASAP.

Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7, from Friends of ED.

This article was originally published on Wednesday May 9th 2012