Consider renaming the administrator account so that it's not obvious to an intruder. Since this account can't be "locked out," password attacks can be performed indefinitely; changing the name makes the account less of a target.
5th commandment: Set passwords
Set the main Windows password, and configure the power and screen saver settings so the system locks after a period of inactivity and requires a password to resume.
Also, depending on the sensitivity of information on your system (did someone say "online banking"?), consider password alternatives, such as:
- Fingerprint reader
- Smartcard reader (contact or contactless)
- Biometric facial recognition
- RSA software and external token
- Password "gesture" (e.g., Android tablets)
Another option is two-factor authentication, such as requiring both a fingerprint and a password.
6th commandment: Add/activate anti-theft tools
Invest in, install and activate anti-theft tools that can lock the system, conduct an IP trace, report, take and send pictures, and even wipe the computer when a lost or stolen computer reconnects to the Internet. An example is Absolute Software's LoJack for Laptops.
Vendors like Lenovo are embedding Absolute's CompuTrace Agent into the BIOS, so even if somebody erases or replaces the hard drive, the agent is automatically re-installed.
Computers that include Intel Anti-Theft technology in their hardware let you add security services, such as automatically locking the main board until it receives the "unlock" password, or locking or wiping the machine if it goes too long without connecting to the Internet or if a user fails the login process too many times. Intel Anti-Theft is typically part of third-party security products like CompuTrace, adding perhaps $3/year, and is available as the anti-theft option on WinMagic's full disk encryption product.
7th commandment: Turn off sharing and other unneeded services
Windows allows you to share resources that are on your computer, like file-sharing (Shared Folders) and print sharing. Your computer's Internet connection management utility (Windows includes one, but many systems have their own) lets you define each network as either Public, Home or Work. If you mis-set a connection, your Shared Folders will be visible to other computers on the network.
If you are behind a firewall, when your computer's Internet connection manager tool asks you what kind of location/connection it is, you can call it either a Home or Work network, Bott says. But specify Public network if you are connecting directly to the Internet (e.g., at home or in the office), if you don't have a hardware router but instead are directly connected to the cable modem, or if you are connecting to a public network like a Wi-Fi hotspot or a hotel or conference Ethernet. This will ensure that no local sharing is allowed.
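As an added example (not from the original article), the following PowerShell audits how each active connection is classified and whether shared folders are reachable on it. It assumes Windows 8 or later (where Home and Work appear as "Private"), an elevated session, and an English-language system for the firewall group name; the function name Get-SharingExposure and the 'Wi-Fi' interface name are hypothetical.

```powershell
# Added example: audit network location and local sharing.
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Get-SharingExposure {
    # Active connections and how Windows has classified each one
    # (Public, Private, or DomainAuthenticated).
    $profiles = Get-NetConnectionProfile

    # Shares created by a user or application. Special marks the built-in
    # administrative shares such as C$, ADMIN$ and IPC$.
    $shares = @(Get-SmbShare | Where-Object { -not $_.Special })

    # Enabled inbound sharing rules that apply to the Public profile.
    # The display group name assumes an English-language system.
    $publicRules = @(
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Enabled -eq 'True' -and
                $_.Direction -eq 'Inbound' -and
                "$($_.Profile)" -match 'Public|Any'
            }
    )

    foreach ($p in $profiles) {
        $isPublic = $p.NetworkCategory -eq 'Public'
        [pscustomobject]@{
            Network          = $p.Name
            Interface        = $p.InterfaceAlias
            Category         = $p.NetworkCategory
            UserShares       = ($shares.Name -join ', ')
            PublicShareRules = $publicRules.Count
            # Flag for review when shares exist on a non-Public network,
            # or when sharing rules are open on a Public one.
            Review           = ((-not $isPublic -and $shares.Count -gt 0) -or
                                ($isPublic -and $publicRules.Count -gt 0))
        }
    }
}

Get-SharingExposure | Format-Table -AutoSize

# To reclassify a connection as Public (interface name is a placeholder):
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```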