University Computing Service

Securing Windows 7 Home and Starter Editions for College and Standalone Use

1. Windows 7 Home (Basic/Premium) Security

Windows 7 Home (Basic or Premium) cannot join a Windows domain and is therefore unsuitable for any context that requires a domain login. It is not inherently any less secure than most other operating systems, but its out-of-the-box configuration needs to be changed before you get the benefit of the security features it already has.

If you find that you need to join a domain, or need features that your edition of Windows 7 lacks, you can upgrade using Windows Anytime Upgrade, which is in the Control Panel (switch from the Category view to the Small icons view to see it).
Caution: Netbooks with Windows 7 Starter Edition and one gigabyte of RAM may not perform very well on a more sophisticated version of Windows 7.

[Windows 7: Anytime Upgrade]

Colleges all have their own procedures for allowing members to connect to the Internet, so this subject is not covered here.

Assuming that the machine has already been connected to the Internet in a college, then the following steps should be taken to secure it. Remember that if your machine is compromised, you may not be the only person who suffers.

The basics of modern computer security are:

  1. A suitable anti-virus product (only one)
  2. At least two anti-spyware products
  3. A Personal Firewall
  4. A strong login password for all accounts

1.1 Securing Your PC using the Computing Service's VirusScan and Security DVD

The easiest way to achieve basic security is to use the Computing Service's Windows VirusScan and Security DVD. This may already have been supplied to you by your local IT Support. If this isn't the case then you can burn a copy of it from the ISO image available from the Windows-Support Download page.

Detailed notes on it can also be found here. If you don't have access to a DVD drive or can't burn a DVD then please proceed to 1.2 Securing Your PC without using the DVD.

When you start the DVD, you should see the following menu:

[Windows 7: Security DVD Menu]

If you don't see the menu, then open the DVD and click on menu.exe.

1.1.1 A suitable anti-virus product (only one)

Check whether you have a pre-existing anti-virus product, often supplied when the PC was originally configured. Such software usually comes with either a 30-day trial licence or possibly a one-year licence. If you are staying with the University for any length of time (eg longer than a year) then you are probably better off uninstalling the pre-supplied anti-virus software. Choose the Remove Anti-Virus Software button.

Then choose the Click to install VirusScan button. When that completes, finish the installation by choosing Install Anti-Virus Definitions (this should update the McAfee VirusScan anti-virus product).

Caution: In general Windows-Support do not recommend installing VirusScan on netbooks with Windows 7 Starter Edition and one gigabyte of RAM (or older machines with limited memory). Try installing MSE as described below, which combines aspects of both anti-virus and anti-spyware technology.

1.1.2 At least Two Anti-Spyware Products

Unlike anti-virus software, it is better to install more than one anti-spyware product. Given the 'blended threats' now common, very few of these products remove every piece of malware. Spybot S & D is available on the DVD and can be installed by choosing the Anti-Spyware Software button. The second product we advise you to install, if it isn't installed already, is Windows Defender, which is available for download from Microsoft. Further details on it can be found on Windows-Support's Defender page.
Note: Do not install Windows Defender in addition to MSE if you have a netbook; this is unnecessary.

1.1.3 A Personal Firewall

The Windows Firewall icon can be found under the System and Security heading of the Control Panel. Click on Check firewall status.

[Windows 7: Firewall status]

You should turn the Windows Firewall on unless your local computer support advises you to the contrary. When the Windows Firewall is on, it will be shown as a green icon. You will see more than one type of connection listed: the Home or Work (Private) networks or Public network. If you are uncertain of the security of the network you are connecting to (for example a hotel or public wifi setup: the network may be listed as Unidentified) then the connection should be defined as Public, which makes the firewall settings more restrictive.

To change the type of network profile, find the Network and Internet icon and select View network status and tasks.

[Windows 7: Firewall status]

Click on the blue network link just below the Home/Work/Public icon, and you will see the three types of network listed, from which you can choose Public. If your machine is a laptop that you connect to whatever network happens to be available, you are advised to tick the box at the bottom saying Treat all future networks I connect to as public, and don't ask me again.

Turning on Ping

The Computing Service runs regular security checks on machines connected to the CUDN (the Cambridge University Data Network), which means that all users on the CUDN should allow inbound ping connections. You can do this by clicking on the Enable Ping button.

1.1.4 A Strong login password for all accounts: Passwording Your User Accounts

By default Windows 7 presents every user as a small icon with their name beside it. If an account has no password, clicking its icon logs that user in without asking for one, which is very insecure. You should change this.

In the text box entitled Search programs and files enter cmd. Do not hit Return. An icon for cmd should appear under Programs. Right-click on this and choose Run as administrator.

[Windows 7: cmd]

You will probably be prompted by UAC (User Account Control), to say Yes or No. Click on Yes. When the command-line screen appears enter the phrase control userpasswords2.

[Windows 7: Passwording]

You should now see a list of users (and the groups they belong to).

[Windows 7: Users]

Tick the box labelled Users must enter a user name and password to use this computer. You now need to change (or in this case supply) a password for every account listed here. Highlight the account you wish to supply a password for, then click the Reset Password button.

[Windows 7: Password]

You should now enter a new password (at least eight characters, and not a dictionary word or your user ID, both of which are easy to guess), and then confirm it by entering it a second time on the line below. You should now have successfully passworded your account.

You need to repeat this for every user in the list. There is also a hidden built-in Administrator account, which should be disabled by default. To make sure that it is, return to the command-line window you opened earlier and enter net user administrator /active:no. You should be told that the command completed successfully.

[Windows 7: Users]
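The same steps can be carried out from the command line, which is useful when you have several accounts to deal with or want to check a machine quickly. The script below is an added example for this page, not something from the original document or from Microsoft: it applies the three changes the text describes (require a password at logon, password every enabled local account, keep Administrator disabled) and adds a minimum-length rule. The registry value it sets is the one the Users must enter a user name and password tick box toggles. Run it in a PowerShell window started with Run as administrator. The account names it touches are whatever it finds on your machine; it skips machine accounts ending in $ (such as HomeGroupUser$), whose passwords Windows manages itself.

```powershell
# Added example (not from the original page). Run as administrator on Windows 7.

# 1. Require a user name and password at logon. The tick box in
#    control userpasswords2 sets this Winlogon value to 0 or 1.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
# A stored automatic-logon password would undo the setting later; remove it if present.
Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue

# 2. Enforce the minimum length the text recommends for every local account.
& net accounts /minpwlen:8

# 3. Set a password on each enabled local user account. "net user <name> *"
#    prompts for the password twice and never echoes it, so it is safe at the console.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False"
foreach ($acct in $accounts) {
    if ($acct.Name -like '*$') { continue }   # skip HomeGroupUser$ and similar
    Write-Host "Setting password for $($acct.Name)"
    & net user "$($acct.Name)" *
}

# 4. Make sure the built-in Administrator account stays disabled.
& net user Administrator /active:no

# 5. Review: every local account, whether it is disabled, and whether a password is required.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, PasswordRequired |
    Format-Table -AutoSize
```

In the final table every enabled account should show PasswordRequired as True, and Administrator and Guest should show Disabled as True.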

1.2 Securing Your PC without using the DVD

1.2.1 A suitable anti-virus product (only one)

Check whether you have a pre-existing anti-virus product, often supplied when the PC was originally configured. Such software usually comes with either a 30-day trial licence or possibly a one-year licence. If you are staying with the University for any length of time (eg longer than a year) then you are probably better off uninstalling the pre-supplied anti-virus software.

When you are sure you either don't have, or have uninstalled, any existing anti-virus software, download VirusScan Enterprise from the PC Download page and install it (by double-clicking on the downloaded executable). Then right-click on the McAfee shield icon in the notification area and select 'Update now' to ensure you have the latest virus definitions.

[Windows 7: Users]

You should also install any additional patches listed on the PC Download page, if there are any, preferably after rebooting your machine following the original installation.

1.2.2 At least two anti-spyware products

Unlike anti-virus software, it is better to install more than one anti-spyware product. Given the 'blended threats' now common, very few of these products remove every piece of malware. Windows 7 machines generally come with Windows Defender pre-installed. This has now been superseded by Microsoft Security Essentials (MSE), which can be downloaded from Microsoft and which disables Windows Defender when it is installed. Further details on it can be found on Windows-Support's MSE page. MSE should update itself automatically.

Other good anti-spyware products are Spybot S & D (Search and Destroy) which can be found at: http://www.safer-networking.org/index2.html, and the Ad-Aware free edition from Lavasoft, currently called Ad-Aware Free, which can be found at: http://www.lavasoft.com/products/ad_aware_free.php. Both products need to be kept updated to be effective, and should be run on a weekly basis.

1.2.3 A Personal Firewall

Please refer to 1.1.3 A Personal Firewall.

Turning on Ping

The Computing Service runs regular security checks on machines connected to the CUDN (the Cambridge University Data Network), which means that all users on the CUDN should allow inbound ping connections.

To do this, in the text box entitled Search programs and files enter cmd. Do not hit Return. An icon for cmd should appear under Programs. Right-click on this and choose Run as administrator.

[Windows 7: cmd]

You will probably be prompted by UAC (User Account Control), to say Yes or No. Click on Yes. When the command-line screen appears enter the phrase netsh advfirewall firewall add rule name="AllICMPV4" protocol=icmpv4:any,any dir=in action=allow. (Cut-and-paste it from this document if you are worried about getting this wrong.) Note that icmpv4:any,any admits every ICMPv4 message type, not just ping; if you would rather allow only echo requests, use protocol=icmpv4:8,any instead.

[Windows 7: Users]

You should be told OK.
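The script below is an added example for this page (not from the original document): it creates the ping rule with netsh, as the text does, but scoped to ICMPv4 type 8 (echo request) only, and then shows you how to confirm what was created and which firewall profile you are currently on. The rule name is an assumption; any name without spaces will do. Run it in a PowerShell window started with Run as administrator.

```powershell
# Added example (not from the original page). Run as administrator on Windows 7.
$ruleName = 'CUDN-ICMPv4-Echo'   # assumed name, chosen so it can be found again

# Remove any earlier copy so the script can be re-run without creating duplicates.
& netsh advfirewall firewall delete rule name="$ruleName" | Out-Null

# icmpv4:8,any = ICMPv4 type 8 (echo request), any code.
# The page's rule uses icmpv4:any,any, which also admits redirects, router
# advertisements and every other ICMPv4 type.
& netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=icmpv4:8,any

# Show the rule as the firewall stored it (profiles, direction, protocol).
& netsh advfirewall firewall show rule name="$ruleName"

# Confirm the firewall is on for the profile currently in use; the rule is
# useless if the firewall itself is off, and pointless if the profile blocks all inbound.
& netsh advfirewall show currentprofile

# Print this machine's addresses so a colleague on the CUDN can try to ping you.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Select-Object Description, IPAddress |
    Format-Table -AutoSize
```

If your local computer support can tell you which addresses the Computing Service's checks come from, add remoteip=<those addresses> to the add rule line so that only they can ping you.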

1.2.4 A strong login password for all accounts

Please refer to 1.1.4 A strong login password for all accounts.

1.3 Setting Up Sensible Security Defaults

There are other settings you need to configure sensibly. Go to the Control Panel and click on View network status and tasks under the Network and Internet icon. Choose Change advanced sharing settings.

[Windows 7: Users]

You may of course want to alter these settings depending on where and what kind of network you are on: the ones suggested here are conservative, and assume a relatively unprotected environment.

Network Discovery (which includes Universal Plug and Play, UPnP) was designed for the era when your fridge sends you email telling you that you are running out of milk. UPnP is a set of communications protocol standards which allow networked TCP/IP devices to announce their presence to all other devices on the network and then inter-operate in a flexible and pre-defined fashion.

There is nothing wrong with the idea, but devices using such technology are only now becoming widespread, and security was not really a consideration in their development. The concern is greater still when a PC running Network Discovery is attached to a router with UPnP (the Internet Gateway Device profile) enabled, as it probably will be if you run a home network which includes an Xbox: UPnP lets any program on the PC, including malware, ask the router to open inbound ports to it without any authentication. So it's best just to turn it off on a portable if you don't need it.

Note: If you are using a Public network profile, this will automatically be disabled.

File and Printer Sharing should also be disabled. It is easy to enable it when you are on a protected network. For the same reason Public folder sharing should also be disabled. Note that, as the screenshot says, if you are using a HomeGroup then you can still see these folders from another PC in the same HomeGroup. Further details on what the Public folder is can be found here.

[Windows 7: Users]

If you scroll down the sharing settings window you will find another three settings. Password-protected sharing should always be turned on, since it is the more secure way of sharing files and folders. Similarly 128-bit encryption is always to be preferred to 40- or 56-bit encryption where possible. If you click on the Choose media streaming options link you will be warned sternly that you should turn on media streaming only on networks that you trust, such as home or work networks. It is turned off by default.
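The settings above are all backed by groups of Windows Firewall rules, so they can be applied and checked from the command line as well. The script below is an added example for this page, not from the original document or from Microsoft: it reports which firewall profile you are on, turns off the inbound rule groups that Network Discovery and File and Printer Sharing depend on for every profile, lists what the machine is actually sharing, and shows whether the UPnP services are running. The rule-group names are the English ones displayed in Windows Firewall's "Allow a program or feature" list and are assumed to match your installation. Run it in a PowerShell window started with Run as administrator.

```powershell
# Added example (not from the original page). Run as administrator on Windows 7.

# Which firewall profile is active right now? Sharing should stay off on Public.
& netsh advfirewall show currentprofile

# Disable the inbound rule groups behind Network Discovery (UPnP/SSDP, WSD)
# and File and Printer Sharing (SMB, NetBIOS) for all profiles. Passing the
# group name with spaces works because PowerShell quotes the argument for netsh.
foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
    & netsh advfirewall firewall set rule group="$group" new enable=No
}

# List what this machine is sharing. The administrative shares (C$, ADMIN$,
# IPC$) are always present; anything else should be something you chose.
& net share

# The UPnP side of Network Discovery is the SSDP Discovery and UPnP Device Host
# services; show whether they are running and how they start.
Get-WmiObject -Class Win32_Service -Filter "Name='SSDPSRV' OR Name='upnphost'" |
    Select-Object Name, State, StartMode |
    Format-Table -AutoSize
```

Switching the network to the Public profile, as section 1.1.3 recommends for untrusted networks, disables these groups for that profile anyway; the script turns them off regardless of profile, which is the conservative setting the text assumes.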

1.4 Home Network Security - HomeGroups

If you use more than one computer running Windows 7, or you are in a shared household with other people who use Windows 7, then you can use a new feature in Windows 7 called HomeGroup. This allows people to share files, music and printers freely, protected by a randomly generated password that applies to every machine joining the HomeGroup. To set up a HomeGroup start by changing your network profile to Home rather than Public.

[Windows 7: Home profile]

You can start by sharing a printer, and can then add types of media as needed. You then need to find the Network and Internet icon in the Control Panel and choose Homegroup and sharing options. You will see a screen similar to the previous one, with the additional media streaming option.

[Windows 7: Sharing Options]

Note that under the media streaming option there is the reminder that Shared media is not secure. It is worth noting that changing from a Public to a Home network profile lowers security, so even if sharing with friends you need to consider carefully what you want to share. Further details on setting up a HomeGroup can be found on Microsoft's page Networking the easy way in Windows 7.

Routers can also require updating and some come with a default Admin password, which will also need changing, as they are usually very simple passwords. Check with your ISP (Internet Service Provider) about keeping your router up-to-date and help with changing the Admin password.

HomeGroup Limitations: Windows 7 Starter Edition can join but not create a HomeGroup. Windows 7 Professional and Ultimate machines that are joined to a domain can also join a HomeGroup, but cannot share their own files to it.

1.5 Other Devices and Computer Security

Many people use USB drives (also called "flash" or "pen" drives) to carry data and music around from day to day. These can easily be infected and infect other machines, one of the main methods being the Autorun facility, whereby Windows reads an autorun.inf file on the drive and runs whatever program it names. Details on this can be found in our page on USB Memory Sticks and Worms. The same vulnerability can also be exploited via software on CD/DVDs and network shares. Windows 7 ignores autorun.inf on USB sticks by default but still honours it on CD/DVDs, so for maximum security you should disable Autorun for all drive types on your machine, and vaccinate any USB devices you own. If you find the instructions on doing this hard to follow you could try the Panda USB and AutoRun Vaccine.
Caution: Although this product has proved useful to many people, it isn't intended for use with specialised USB products like an ipod or external backup disks using proprietary software. It should be used with ordinary blank USB sticks only.
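The script below is an added example for this page, not from the original document, from Panda or from Microsoft. It does two things the text describes: it disables Autorun for every drive type by setting the NoDriveTypeAutoRun policy value (0xFF is the bit mask that covers all drive types), and it looks at each removable drive currently plugged in for an autorun.inf, printing the lines that would launch a program. Run it in a PowerShell window started with Run as administrator; the drive letters it reports are whatever is attached at the time.

```powershell
# Added example (not from the original page). Run as administrator on Windows 7.

# NoDriveTypeAutoRun is a bit mask of drive types; 0xFF disables Autorun on all of them.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# Show the effective value (255 = every drive type).
"NoDriveTypeAutoRun is now: " + (Get-ItemProperty -Path $policy).NoDriveTypeAutoRun

# Inspect each removable drive (Win32_LogicalDisk DriveType 2). A worm's autorun.inf
# points open= or shellexecute= (or a shell\...\command entry) at an executable it
# has dropped on the stick, so print just those lines.
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($disk in $removable) {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    # -PathType Leaf: a vaccinated stick has an AUTORUN.INF *folder*, which is harmless.
    if (Test-Path $inf -PathType Leaf) {
        Write-Host "$($disk.DeviceID) has an autorun.inf file; launch entries:"
        Get-Content $inf | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
    } else {
        Write-Host "$($disk.DeviceID): no autorun.inf file"
    }
}
```

If a stick shows an open= or shellexecute= line pointing at a file you did not put there, treat the stick as infected and scan it with your anti-virus product before opening anything on it.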

1.6 Configuring Windows Update to update your machine automatically

Microsoft constantly issue patches for newly-discovered software vulnerabilities, so you need to keep your machine updated. The most painless way to do this, if you have a permanent connection to the Internet and tend to leave your machine on, is to allow the machine to update itself and reboot if necessary overnight. To do this, right-click on Computer, choose Properties and select the Windows Update link under the See also entry. Select Change settings. In this particular example, the machine is set to check Microsoft's website every day (recommended) for updates and install them at 3:00 AM.

[Windows 7: Windows Update]

What you choose depends on your circumstances. If you don't leave your machine on and permanently connected, then choose the second option, Download updates but let me choose whether to install them: updates arrive in the background and you install them when it suits you. If you would rather nothing was even downloaded without your say-so, choose the third option, Check for updates but let me choose whether to download and install them. Whichever you pick, you should ensure that Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows is ticked. (This means that Windows Update will also update other Microsoft products like Office when your system is updated.) If people other than you also use this computer it is also probably safer to ensure that Allow all users to install updates on this computer is ticked.
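The Change settings page writes to the Windows Update Agent, which also exposes these settings to scripts through COM. The script below is an added example for this page (not from the original document or from Microsoft): it prints the current Automatic Updates configuration, applies the always-on recommendation from the text (install every day at 03:00, let all users install updates), opts the machine into updates for other Microsoft products, and then asks the agent to check for updates straight away. The service ID used for the Microsoft Update opt-in is Microsoft's published one; the ClientApplicationID label is an arbitrary string of your choosing. Run it in a PowerShell window started with Run as administrator.

```powershell
# Added example (not from the original page). Run as administrator on Windows 7.
$au       = New-Object -ComObject Microsoft.Update.AutoUpdate
$settings = $au.Settings

# NotificationLevel: 1 = never check, 2 = check only and notify before download,
# 3 = download automatically and notify before install, 4 = download and install on schedule.
# ScheduledInstallationDay: 0 = every day, 1..7 = Sunday..Saturday.
# ScheduledInstallationTime: hour of the day, 0..23.
"Before: level=$($settings.NotificationLevel) day=$($settings.ScheduledInstallationDay) hour=$($settings.ScheduledInstallationTime)"

# The page's recommended setting for an always-on machine: every day at 03:00.
$settings.NotificationLevel         = 4
$settings.ScheduledInstallationDay  = 0
$settings.ScheduledInstallationTime = 3
# "Allow all users to install updates on this computer".
$settings.NonAdministratorsElevated = $true
# Recommended updates are treated like important ones.
$settings.IncludeRecommendedUpdates = $true
$settings.Save()

# "Give me updates for Microsoft products": register the Microsoft Update service
# with Automatic Updates. 7 = allow pending + online registration + register with AU.
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$serviceManager.ClientApplicationID = 'ucs-win7-setup'   # assumed label
$serviceManager.AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, '') | Out-Null

"After:  level=$($settings.NotificationLevel) day=$($settings.ScheduledInstallationDay) hour=$($settings.ScheduledInstallationTime)"

# Check now rather than waiting for the next scheduled detection.
$au.DetectNow()
```

For a machine that is not left on, set NotificationLevel to 3 instead of 4 to get the Download updates but let me choose whether to install them behaviour; the day and hour are then ignored.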

1.7 Remote Access to your machine

Recently many people have decided that they would like to access their machine(s) remotely, ie when not physically present. This is a security minefield, and could potentially lead to your machine and others within the institution or house being compromised. Microsoft provide two technologies to enable such access, known respectively as Remote Desktop (aimed at the business market) and Remote Assistance (aimed at the home market). Although these are sensible tools for appropriate use, unless you have good reason to use them you should check that access via these routes is turned off. Select Computer, right-click and choose Properties. Now click on Remote Settings. Note that the Home editions of Windows 7 cannot accept Remote Desktop connections at all (they can only act as the client), so on those editions the dialog shows only the Remote Assistance setting.

[Windows 7: Securing Remote Access]

Make sure that Allow Remote Assistance connections to this computer is unticked and, where the Remote Desktop section is shown, that Don't allow connections to this computer is selected.

There are other non-Microsoft products which perform a similar function but are much less secure than either, often because they offer no encryption at all: they pass network traffic "in clear", so anything you type, passwords included, can be read by anyone in a position to watch the traffic. Various types of VNC software are common, and most of them are unencrypted (most, but not all, of the VNC versions that offer full encryption cost money). It is best to ask your local computer support or the UCS Service Desk for advice before attempting remote access of any kind.
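The two Remote Settings options are stored as registry values, and a remote-control product of any kind has to listen on a port, so both can be checked without clicking through dialogs. The script below is an added example for this page (not from the original document or from Microsoft): it reports whether Remote Desktop is denied and Remote Assistance disabled, sets both to the safe value, and then reads the socket table for anything listening on the Remote Desktop port (3389) or the usual VNC display ports (5900 to 5909), naming the owning process. On Home editions the Remote Desktop value is present even though the dialog hides it. The port range is an assumption based on common defaults; a remote-control program can be configured to use any port. Run it in a PowerShell window started with Run as administrator.

```powershell
# Added example (not from the original page). Run as administrator on Windows 7.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# fDenyTSConnections = 1 is "Don't allow connections to this computer".
$rdpDenied  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 1
# fAllowToGetHelp = 0 means the Remote Assistance tick box is cleared.
$raDisabled = (Get-ItemProperty -Path $ra).fAllowToGetHelp -eq 0
"Remote Desktop denied:      $rdpDenied"
"Remote Assistance disabled: $raDisabled"

# Apply the safe setting for both (what the Remote Settings dialog would do).
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
Set-ItemProperty -Path $ra -Name fAllowToGetHelp   -Value 0 -Type DWord

# Look for listeners on the remote-control ports. netstat -ano lines look like
#   TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234
# so field 1 is the local address and field 4 the owning process ID.
$found = $false
& netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
    $fields   = -split $_
    $local    = $fields[1]
    $ownerPid = [int]$fields[4]
    $port     = [int](($local -split ':')[-1])   # also handles [::]:3389
    if ($port -eq 3389 -or ($port -ge 5900 -and $port -le 5909)) {
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        "Port $port is listening, owned by PID $ownerPid ($($proc.Name))"
        $found = $true
    }
}
if (-not $found) { 'No listener on 3389 or 5900-5909.' }
```

If a listener shows up that you did not install, find out what it is before using the machine for anything sensitive; a VNC server you do not recognise on a University network is exactly the situation the text warns about.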

1.8 Dealing With Other Vulnerabilities

Recently there has been a spate of 'drive-by' or injection attacks, in which a web page you visit serves a script that exploits a vulnerability in an out-of-date browser plugin. These sorts of vulnerabilities are very difficult to spot. However there are several on-line scanners which will check your machine for them, amongst the most reputable being Secunia's Software Inspector, which can be found at: http://secunia.com/software_inspector/. When giving the Inspector permission to scan, it is probably best to tick 'Enable thorough system inspection'. This will scan for (amongst other things) vulnerable versions of Java and Flash, which are two of the most commonly installed plugins. A more advanced form of this application (which keeps itself updated) called the Personal Software Inspector can be downloaded (for personal use only) from here. The screenshot below shows it in action.

[Inspector Output]

Unfortunately not all of these vulnerabilities can be remedied by easy-to-use tools. Some of these vulnerabilities require you to use the Control Panel>Programs option to remove old versions of programs or, if necessary, to delete files by hand. Once you believe that you have fixed any existing vulnerabilities it is a good idea to restart the machine and rerun the software inspector to check that everything has indeed been fixed.

1.9 Maintaining your Secure Windows 7 Installation

There is little point in setting up a secure PC if its security is not maintained. Windows 7 has the Action Center which is intended to help maintain security. This can be found by opening the Control Panel, choosing Review your computer's status under the System and Security icon. Then choose Security.

[Windows 7: Action Center]

You will see a series of items which should all be shown as either OK or On. Generally the Action Center should notify you if they are not. (You can check that the Action Center is set to do this by clicking on Change Action Center settings.)

You should also (however annoying they are) not ignore the balloon reminders about software such as Java and Adobe products being out-of-date - allow the products to update themselves (unless you have a specific reason for not doing so).

There are currently a lot of websites running hidden scripts which can casually infect your machine if you visit them. These infections are difficult to protect against, but there are some steps you can take to protect yourself. If you use Firefox to browse the web you can download and install the add-on called NoScript. NoScript blocks scripts by default and tells you when a website tries to run one: you can choose to allow the script (if you trust the site) or keep it blocked. If you are using Internet Explorer you can turn on the Phishing Filter in IE7 or the SmartScreen Filter in IE8.

Microsoft Windows 7 Home Edition is a registered trademark of Microsoft Corporation® and screenshots are reprinted by their permission.


Last updated: April 2011 Last reviewed: October 2011