How Windows 7 stands between you and the bad guys (but not you and the good stuff) when you’re a laptop user – from antispyware muscle to flexible firewalls to virtual lockers for your most precious files.
Your laptop is part of your daily rounds, whether it’s singeing the tops of your thighs, causing consternation at airport security, or inciting envy among your co-workers. So, to resurrect a catchphrase, where does your laptop want to go today? And what do you need to know about Windows 7 to keep the machine from doing something security-inappropriate?
It’s staying home.
Laptops that merely travel from kitchen table to den have the advantage of residing in a facility to which you (and maybe one or two other people) control access. Barring home break-in, odds are your machine is safe while you step to the restroom. Securing your machine at home primarily involves protecting it from Internet-borne malware.
The most significant weapons in Windows 7’s security-at-home arsenal are Windows Defender, the OS’s antimalware package, and Windows Firewall. Both packages were introduced with Windows Vista, but Windows 7 upped their game.
Windows Firewall is a set-it-and-forget-it proposition; if you do it right, odds are you’ll only have to do it once. The applications-level firewall, which is “on” by default, can be set to block either specific kinds of connections to your machine or all incoming connections to your machine. You can maintain one set of rules for home use, where you’re not so likely to have someone sitting two chairs over trying to break into your computer, and a stricter no-access set for use on the road, on which more anon.
In any case, the Windows firewall watches for trusted or untrusted applications, which means that ordinary Web, e-mail, and other programs should behave normally as long as the firewall is aware of them. Other firewalls, in contrast, examine the individual packets that make up Net traffic. Such packet-filter firewalls are a fine option if you have one in place on your home network; if so, you can disable Windows Firewall with no worries.
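The home-versus-road split described above can be set from an elevated Command Prompt with `netsh advfirewall`. This is an added example, not part of the original article; it assumes your home network is tagged with the Private (Home/Work) location and the coffee-shop network with Public.

```bat
@echo off
rem Added example (not from the original article). Run from an elevated prompt.
rem Assumption: "home" rules = Private profile, "on the road" rules = Public profile.

rem Stop early if the prompt is not elevated; netsh would refuse the changes.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an elevated Command Prompt.
    exit /b 1
)

rem 1. Show which profile the current network is using and whether it is on.
netsh advfirewall show currentprofile state

rem 2. Keep the firewall on for every profile (this is the Windows 7 default).
netsh advfirewall set allprofiles state on

rem 3. Home: block unsolicited inbound traffic but honor the allowed-programs list.
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound

rem 4. Road: block ALL inbound connections, even for programs on the allowed list.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

rem 5. Log dropped connections on untrusted networks so there is something to review.
netsh advfirewall set publicprofile logging droppedconnections enable

rem 6. Confirm what each profile now enforces.
netsh advfirewall show privateprofile firewallpolicy
netsh advfirewall show publicprofile firewallpolicy
```

Windows picks the profile from the network location you choose when you first join a network, so answer "Public network" at the coffee shop for step 4 to apply there.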
Windows Defender, meanwhile, is an antispyware package. It both conducts scheduled scans of your computer to look for dormant spyware and actively kneecaps any spyware that’s attempting to install itself or run on your machine. If you’ve run antispyware software such as Spybot-SD before, this should sound familiar.
So, you ask, am I done with the McAfees and AVGs and Nortons of the world? No. Microsoft still works with the providers of a decent number of popular antivirus packages — including the no-cost Microsoft Security Essentials, if you want to keep it all in the family — and recommends that you pick one and keep it running at all times. If you choose a compatible third-party antivirus package, you can keep track of its status in the Windows 7 Action Center (née Windows Security Center, and accessible under System and Security in Control Panel), where Windows 7 gathers information on Defender, Firewall, and other security programs.
Into the office.
Your security picture changes once your machine heads to headquarters. Once again, the physical security of your machine in that space is relatively high. In addition, it’s likely that you have trained IT professionals tending to your anti-virus and anti-spyware needs, making those secondary issues for you. In the office, your primary security concern is to ensure that the data under your direct control is correctly protected.
Most tech options for keeping your laptop safe are, frankly, up to your IT folk. They might, for instance, choose to set up AppLocker, a Windows 7 feature that restricts which programs you can run or install. AppLocker may, depending on your workplace policies, block access to certain non-essential programs (*cough*games*cough*) and to programs yet unfamiliar to your IT folk. If you need a loosening of standards, that’s a conversation you’ll have to initiate.
Talk to your IT folk also about BitLocker, a utility that, despite its name similarity to AppLocker, does something rather different. BitLocker encrypts information on your laptop — and even, in Windows 7, files and folders on external drives. It’s available in the Ultimate version of the operating system.
Encryption’s been around for a long time and over the years has acquired something of a reputation for slowing performance. That era is passing, but your IT folk — who have options for making the BitLocker authentication process more complex or more transparent, depending on how substantial their support resources are and (frankly) how much they trust you not to mess it up — should be alerted if you see a performance problem. There’s also a good chance that if you’re running BitLocker they’ll ask you to eschew certain behaviors, like leaving your machine in “sleep” mode (which can allow very sophisticated attackers to dance right around the barricades), and to step up the quality of your passwords. If they’re really worried, you may have to carry a startup USB key, or memorize a PIN, or both; they might even configure your USB ports to recognize only certain devices.
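To see what your IT folk have set up, and to swap "sleep" for hibernate as they may ask, the built-in `manage-bde` and `powercfg` tools are enough. This is an added example, not part of the original article; it assumes the BitLocker-protected system drive is C: and that you are at an elevated Command Prompt.

```bat
@echo off
rem Added example (not from the original article). Run from an elevated prompt.
rem Assumption: the BitLocker-protected operating system volume is C:.

rem 1. Is the drive encrypted, and is protection currently on?
manage-bde -status C:

rem 2. Which unlock methods are configured (TPM, PIN, startup key, recovery password)?
manage-bde -protectors -get C:

rem 3. Prefer hibernate over sleep: hibernate writes memory to the encrypted
rem    disk and powers off, so BitLocker asks for its PIN or key again on resume.
powercfg -hibernate on

rem 4. Never drop into sleep on idle, on AC power or on battery (0 = never).
powercfg -change -standby-timeout-ac 0
powercfg -change -standby-timeout-dc 0

rem 5. Closing the lid hibernates instead of sleeping (LIDACTION 2 = hibernate).
powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2

rem 6. Re-apply the current power plan so the new values take effect.
powercfg -setactive SCHEME_CURRENT
```

If step 2 lists only a TPM protector, the machine unlocks without a PIN or USB key; adding one is a policy decision for your IT folk rather than something to change on your own.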
And by the way — now that your USB keys are potentially as securely encrypted as your hard drive, do I have to tell you how important it is to back important files up to an external drive? It couldn’t be simpler and if the worst happens — more on that anon, too — you’ve at least got some portion of your data. I’ll caution you that BitLocker-encrypted thumb drives are read-only devices on machines not running Windows 7, but if you’re in dire straits, better to have a hoop to jump through than no circus at all. Just saying.
At the coffeeshop.
You’ve escaped! Whether you’re kicking back at the Lair of the Twitchy Green Mermaid or sipping a beverage near your departure gate, your laptop is now operating in its highest-mobility, highest-risk environment. The precautions you’ve taken against Net-borne invaders come into play here, but we’ve got to add network trustworthiness and physical security to your list of concerns. (The price one pays for decent caffeine….)
You may not have escaped your office IT people, by the way. If you’re logging into a work resource from outside the office, they might require that you use Windows 7 DirectAccess, which allows you to connect to corporate through a VPN (virtual private network)-style system. It’s powerful stuff, but since it requires no user interaction, we’ll leave that conversation for a more nerdful time. (Be advised, though, that as Lisa Vaas tells us, the subject of DirectAccess can set off a range of lively reactions among IT folk. Best to tread lightly.)
When in doubt, it’s reasonable to assume that the Wi-Fi hookup at the coffee shop is as safe and wholesome as a pleasure cruise off the coast of Somalia. It’s best to be cautious with e-mail and other password-sensitive pursuits, and better still to type in sensitive information only over secure connections. Gmail users, for instance, should always use that service’s HTTPS option for logging in over networks not their own. As for mission-critical stuff — online banking, for instance — please ask yourself if it really can’t wait until you’re on a better-known network.
In addition, a feature called location-aware printing jumps from helpful to security-smart in the coffeeshop context. The feature lets you choose a default printer for each network on which you find yourself and includes an option to automatically change your printer setup when you change networks. (Lynn Greiner has the details.) If you’re in the habit of working on sensitive documents while away from your home or office, setting your default print option while on the connection at your hangout to Microsoft XPS Document Writer (or, if you prefer and you’ve paid for it, PDF) is wise. Location-aware printing is available in the Professional, Ultimate, and Enterprise versions of Windows 7.
Speaking of location awareness, not much use has yet been made of Windows 7’s geolocation capability in the cause of tracking down stolen laptops. The Windows Sensor and Location Platform in Windows 7 is switched off by default, and Microsoft’s not currently in the track-your-gear business, but third-party apps such as Prey, Laptop Cop, and Lojack for Laptops have long provided services designed to pinpoint the location of machines that have gone missing. Microsoft has taken heat over the years for building features with the potential for privacy invasion, so at the moment they’re not offering anything special in Windows 7 to help track missing gear. But it’s worth asking your IT folk how they’re addressing theft issues and if they use or recommend a particular third-party geotracking package.
Hell if I know.
Yikes! Your machine just walked, or fell on the ground and flew apart, or got run over by the beer truck – in any case, bye-bye laptop. First, calm down; no one likes to see a grown manager cry. Second, notify the office: your assistant, your IT folk, your boss, anyone who can set in motion whatever protective systems they’ve put in place, including any third-party tracking wares you’re using. And if you’ve got your external backup and sensitive data in an encrypted volume, breathe a sigh of relief and remember that no matter how attached you may be to that box of silicon, it’s what you do with it, or did, that counts.