
Using Windows 7's built-in features to keep your desktops secure

There are a plethora of features in Windows 7 that can keep your desktops secure without breaking the bank.

A tight budget may be preventing you from purchasing all the third-party security management tools you need. However, if you're running Windows 7 in your enterprise, you're in luck because Microsoft's latest desktop operating system offers a plethora of free built-in security options. And when you combine these features with the complementary server-level tools in Windows Server 2008 R2 and third-party commercial products, you can do almost anything to support the security lifecycle shown in Figure 1.

Figure 1: The basic process for keeping your desktop security in check

Here are the key areas of Windows 7 security management to lean on in these lean times:

Desktop firewall: It may sound trite and repetitive, but I often encounter desktops without a host-based firewall. Windows Firewall with Advanced Security allows for unbelievable granularity over inbound/outbound traffic on Windows 7 systems.

It provides a central interface for creating, managing and monitoring rules as well as importing, exporting and diagnosing problems with your Windows Firewall configurations. When you combine Windows Firewall with Group Policy Objects, you can truly lock down your environment from intruders and -- in many cases -- malware.
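As an added example (not part of the original article), the following PowerShell 2.0-compatible script checks a Windows 7 desktop for the missing-firewall condition described above and lists inbound allow rules open to any remote address. It reads the policy through the HNetCfg.FwPolicy2 COM object; the variable names and the "any remote address" review criterion are choices made for this example.

```powershell
# Added example: audit Windows Firewall posture on a Windows 7 desktop.
# Uses the HNetCfg.FwPolicy2 COM interface, which works with the PowerShell 2.0
# that ships in Windows 7. Read-only: nothing in the policy is changed.

$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }  # NET_FW_PROFILE_TYPE2 bits
$actionNames  = @('Block', 'Allow')                             # NET_FW_ACTION: 0 = block, 1 = allow
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# 1. Per-profile state: is the firewall on, and what are the default actions?
$profileReport = foreach ($id in ($profileNames.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Profile         = $profileNames[$id]
        Active          = [bool]($fw.CurrentProfileTypes -band $id)
        FirewallEnabled = [bool]$fw.FirewallEnabled($id)
        DefaultInbound  = $actionNames[[int]$fw.DefaultInboundAction($id)]
        DefaultOutbound = $actionNames[[int]$fw.DefaultOutboundAction($id)]
    }
}
$profileReport |
    Select-Object Profile, Active, FirewallEnabled, DefaultInbound, DefaultOutbound |
    Format-Table -AutoSize

# 2. Flag any profile where the firewall is off or inbound traffic is allowed by default.
$profileReport |
    Where-Object { -not $_.FirewallEnabled -or $_.DefaultInbound -ne 'Block' } |
    ForEach-Object {
        Write-Warning ("{0} profile: enabled={1}, default inbound={2}" -f `
            $_.Profile, $_.FirewallEnabled, $_.DefaultInbound)
    }

# 3. Enabled inbound allow rules that accept traffic from any remote address.
#    Direction 1 = inbound, Action 1 = allow, RemoteAddresses '*' = any.
$openRules = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.RemoteAddresses -eq '*'
})

$openRules | ForEach-Object {
    $rule = $_
    # Decode the rule's profile bitmask into readable names.
    $applies = $profileNames.Keys | Sort-Object |
        Where-Object { $rule.Profiles -band $_ } |
        ForEach-Object { $profileNames[$_] }
    New-Object PSObject -Property @{
        Name       = $rule.Name
        Profiles   = ($applies -join ',')
        LocalPorts = $rule.LocalPorts
        Program    = $rule.ApplicationName
    }
} | Select-Object Name, Profiles, LocalPorts, Program | Format-Table -AutoSize

Write-Output ("{0} inbound allow rule(s) accept any remote address." -f $openRules.Count)
```

Running it on a schedule and collecting the warnings centrally gives a quick view of which desktops have drifted from the firewall settings pushed through Group Policy.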

Patch management: Is there really anything more that needs to be said about applying patches in a timely fashion? Windows Update lets you do almost everything; however, determining how to patch third-party software on your systems can be a challenge. In this respect, you still need to run Windows Server Update Services (WSUS) with some third-party patch managers -- or just third-party patch managers themselves -- to ensure that all the important updates are being applied. In addition, DirectAccess can help facilitate the patch management process for remote users.

Mobile drive encryption: While I'm not a big advocate of BitLocker because of the deployment and management problems, from what I see, many businesses don't rely solely on laptops for workstations. The traditional desktop is here to stay, and if you have a relatively small number of laptops in need of encryption, then BitLocker may be a good option for you. Regardless of the administrative headaches, it's still better than no encryption.

Data backups: Windows 7's Backup and Restore may seem "old school," but it can keep your users safe when a drive fails or the system is lost or stolen. This brings me to another point: Why are workstations not being backed up in the enterprise? The common justifications of "We tell people not to store anything locally" and "We don't have bandwidth or storage space" are no longer relevant -- and downright dangerous. Many users -- especially remote users -- have lost critical files because of the assumption that everything was getting backed up.

Nondefault features: There are also several nondefault Windows desktop features that can help with ongoing desktop security management, like Internet Information Services, Telnet and Trivial File Transfer Protocol. In addition, Microsoft Baseline Security Analyzer 2.2 supports Windows 7 and can find basic flaws before they are exploited.

This list barely scratches the surface of what can be done -- and automated -- using Windows PowerShell and Sysinternals.

Depending on the size of your network and your resources for managing enterprise desktops, these security management tools may or may not be viable long-term solutions. But being creative and working with what you've got is part of keeping an IT shop running. So if your budget is tight -- or non-existent -- you might as well put these things to use. At least you'll have some semblance of control for the immediate future.

Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. In the industry for over two decades and having worked for himself the past eight years, Beaver specializes in performing independent security assessments in support of compliance and managing business risks. He has also authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at
