Software makers routinely sacrifice some security for the sake of usability, and Microsoft is no exception. I've built a career on teaching people how to harden Microsoft Windows over its default state. Several of my inch-and-a-half thick books instructed people what security templates to apply, what files to remove, and what registry edits to make to bring Windows into what I considered a safe but generally functional baseline.
Starting with Windows Vista, most of that old advice is no longer necessary. Microsoft now delivers a product that is significantly more secure out of the box. You don't have to download NSA security templates or modify the system in any way to be fairly secure from the start. Most of today's client-side threats come from users being tricked into running malicious Trojan horse executables and naively lowering the default defenses, such as by disabling UAC (User Account Control), turning off automatic patching, or deactivating the built-in Windows Firewall.
That's not to say there aren't things you can do to increase the security of Windows 7 beyond basic defaults. This article covers the recommendations for any administrator or home user who wants to crank out a bit more security while still operating a computer that will run most applications without causing too many problems. These tips won't result in applications that refuse to run or Web sites that refuse to load.
Step 1: Enable BitLocker
BitLocker Drive Encryption can be used to encrypt any volume on your hard drive, including boot, system, and even removable media, such as USB keys. The rough edges from Vista are gone. You can now right-click and encrypt any volume from within Windows Explorer. There are several protection methods, including combinations of the Trusted Platform Module (TPM) chip, PIN, password, and smart card.
I especially like the new feature that allows removable media, both NTFS and FAT volumes, to be encrypted. You can encrypt removable drives one at a time or require that all removable media be encrypted by default. Encrypted removable media can be decrypted and re-encrypted on any Windows 7 computers -- not just the one it was originally encrypted on. Encrypted FAT, exFAT, and FAT32 media can also be shared with Windows XP and Windows Vista clients, but the encrypted data is read-only and cannot be re-encrypted.
A word to the wise: Save your BitLocker recovery information somewhere safe and reliable off the computer. BitLocker is good encryption and will scramble your data for good if you cannot supply the recovery password. Most organizations should automatically back up users' recovery passwords to Active Directory. BitLocker recovery information is stored in the computer object as an attribute, so make sure to adjust users' access to those attributes to match your organization's security policy.
Step 2: Raise the UAC slider bar
User Account Control has been significantly improved to be both less intrusive and smarter at distinguishing between legitimate and potentially malicious activities in Windows 7. However, depending on whether you are logged on as administrator or a standard user, some installs of Windows 7 may have a default UAC security setting that's one level lower than some experts (including yours truly) recommend. Standard users have UAC security default to to the most secure setting, while administrator accounts reside a notch below the highest setting, which is potentially more risky.
Microsoft created an easy UAC slider bar (click image to enlarge) to allow administrators and users to adjust their UAC security level. After installing all the initial software and configuring Windows 7 the way you want it, I recommend raising the UAC slider bar to "Always notify," the most secure setting. Even in "Always notify" mode, you'll encounter fewer UAC prompts than you did in Windows Vista.
Note: Although UAC provides a much-needed mechanism to prevent the misuse of administrator privileges, it can be bypassed. If you need high security, don't log on with an elevated user account until you need it.