Windows 7 Resource Kit- P25


CHAPTER 24  Managing Client Protection

Using Windows Defender

- High: Similar to the severe rating, but slightly less damaging. You should always remove this software.
- Medium: Assigned to potentially unwanted software that might compromise your privacy, affect your computer’s performance, or display advertising. In some cases, software classified at a Medium alert level might have legitimate uses. Evaluate the software before allowing it to be installed.
- Low: Assigned to potentially unwanted software that might collect information about you or your computer or change how your computer works but operates in agreement with licensing terms displayed when you installed the software. This software is typically benign, but it might be installed without the user’s knowledge. For example, remote control software might be classified at a Low alert level because it could be used legitimately, or it might be used by an attacker to control a computer without the owner’s knowledge.
- Not yet classified: Programs that haven’t yet been analyzed.

Understanding Microsoft SpyNet

Microsoft’s goal is to create definitions for all qualifying software. However, thousands of new applications are created and distributed every day, some of which have behaviors unwanted by some people. Because of the rapid pace of newly released software, people can possibly encounter potentially unwanted software that Microsoft has not yet classified. In these cases, Windows Defender should still warn the user if the software takes a potentially undesirable action such as configuring itself to start automatically each time the computer is restarted. To help users determine whether to allow application changes (detected by real-time protection) when prompted, Windows Defender contacts Microsoft SpyNet to determine how other users have responded when prompted about the same software.

If the change is part of a desired software installation, most users will have approved the change, and Windows Defender can use the feedback from SpyNet when informing the user about the change. If the change is unexpected (as it would be for most unwanted software), most users will not approve the change. Two levels of SpyNet participation are available:

- Basic: Windows Defender sends only basic information to Microsoft, including where the software came from, such as the specific URL, and whether the user or Windows Defender allowed or blocked the item. With basic membership, Windows Defender does not alert users if it detects software or changes made by software that has not yet been analyzed for risks. Although personal information might possibly be sent to Microsoft with either basic or advanced SpyNet membership, Microsoft will not use this information to identify or contact the user.
- Advanced: Advanced SpyNet membership is intended for users who have an understanding of the inner workings of the operating system and might be able to evaluate whether the changes an application is making are malicious. The key difference between basic and advanced membership is that with advanced membership, Windows Defender will alert users when it detects software or changes that have not yet been analyzed for risks. Also, advanced membership sends additional information to SpyNet, including the location of the software on the local computer, filenames, how the software operates, and how it has affected the computer.

Note: For more information about what information might be transferred and how Microsoft might use it, view the Windows Defender privacy statement online at http://go.microsoft.com/fwlink/?linkid=55418.

You can configure your SpyNet level by clicking Microsoft SpyNet on the Windows Defender Tools page.
In addition to providing feedback to users about unknown software, SpyNet is also a valuable resource to Microsoft when identifying new malware. Microsoft analyzes information in SpyNet to create new definitions. In turn, this helps slow the spread of potentially unwanted software.

Configuring Windows Defender Group Policy

You can configure some aspects of Windows Defender Group Policy settings. Windows Defender Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender. From that node, you can configure the following settings:

- Turn On Definition Updates Through Both WSUS And Windows Update: Enabled by default, this setting configures Windows Defender to check Windows Update when a WSUS server is not available locally. This can help ensure that mobile clients, who might not regularly connect to your local network, can receive all new signature updates. If you disable this setting, Windows Defender checks for updates using only the setting defined for the Automatic Updates client—either an internal WSUS server or Windows Update. For more information about WSUS and distributing updates, read Chapter 23, “Managing Software Updates.”
- Turn On Definition Updates Through Both WSUS And The Microsoft Malware Protection Center: Provides similar functionality to the previous Group Policy setting, but clients download updates from a different site. You should set these two policies to the same value unless the computer has no access to the Internet and relies only on an internal WSUS server.
- Check For New Signatures Before Scheduled Scans: Disabled by default, you can enable this setting to cause Windows Defender to always check for updates prior to a scan. This helps ensure that Windows Defender has the most up-to-date signatures. When you disable this setting, Windows Defender still downloads updates on a regular basis but will not necessarily check immediately prior to a scan.
- Turn Off Windows Defender: Enable this setting to turn off Windows Defender real-time protection and to remove any scheduled scans. You should enable this setting only if you are using different anti-malware software. If Windows Defender is turned off, users can still run the tool manually to scan for potentially unwanted software.
- Turn Off Real-Time Monitoring: If you enable this policy setting, Windows Defender does not prompt users to allow or block unknown activity. If you disable or do not configure this policy setting, by default Windows Defender prompts users to allow or block unknown activity on their computers.
- Turn Off Routinely Taking Action: By default, Windows Defender will take action on all detected threats automatically after about ten minutes. Enable this policy to configure Windows Defender to prompt the user to choose how to respond to a threat.
- Configure Microsoft SpyNet Reporting: SpyNet is the online community that helps users choose how to respond to potential spyware threats that Microsoft has not yet classified by showing users how other members have responded to an alert. When enabled and set to Basic or Advanced, Windows Defender will display information about how other users responded to a potential threat. When enabled and set to Basic, Windows Defender will also submit a small amount of information about the potentially malicious files on the user’s computer. When set to Advanced, Windows Defender will send more detailed information. If you enable this setting and set it to No Membership, SpyNet will not be used, and the user will not be able to change the setting. If you leave this setting Disabled (the default), SpyNet will not be used unless the user changes the setting on his local computer. The Microsoft Malware Protection Center recommends that this setting be set to Advanced to provide their analysts with more complete information on potentially unwanted software.

Direct from the Source: Analysis of Potentially Unwanted Software
Sterling Reasor, Program Manager, Windows Defender

Keeping up to date with the current malware definitions can help protect your computer from harmful or potentially unwanted software. Microsoft has taken several steps to create definition updates, including gathering new samples of suspicious files, observing and testing the samples, and performing a deep analysis. If we determine that the sample does not follow our criteria, its alert level is determined and the software is added to the software definitions and released to customers.

For more information, visit http://www.microsoft.com/athome/security/spyware/software/msft/analysis.mspx.

Windows Defender Group Policy settings are defined in WindowsDefender.admx, which is included with Windows 7. For more information about using Group Policy administrative templates, read Chapter 14, “Managing the Desktop Environment.”

Configuring Windows Defender on a Single Computer

Besides the settings that you can configure by using Group Policy, Windows Defender includes many settings that you can configure only by using the Windows Defender Options page on a local computer. To open the Options page, start Windows Defender by searching the Start menu, selecting Tools, and then selecting Options.
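Before you fall back to the Options page, it is worth knowing which of the Group Policy settings listed above are actually in force on a computer. The following PowerShell script is an added example, not code from the Resource Kit: it reads the policy definitions from WindowsDefender.admx, resolves the display names from the matching .adml string table, and reports each Windows Defender policy as Enabled, Disabled, or Not configured by looking up the registry value the ADMX declares for it. It assumes the default local policy definitions folder, %SystemRoot%\PolicyDefinitions; the function names are its own.

```powershell
# Audits which Windows Defender Group Policy settings are in force on the local
# computer. The policy names, registry key and value names all come from
# WindowsDefender.admx itself, so nothing is hardcoded here.
# Added example, not code from the Windows 7 Resource Kit.
# Assumption: the ADMX/ADML files are in the default local store,
# %SystemRoot%\PolicyDefinitions (override the paths for a central store).
param(
    [string]$AdmxPath = "$env:SystemRoot\PolicyDefinitions\WindowsDefender.admx",
    [string]$AdmlPath = "$env:SystemRoot\PolicyDefinitions\en-US\WindowsDefender.adml"
)

[xml]$admx = Get-Content -Path $AdmxPath

# Display names in an ADMX are references such as "$(string.SomeId)" that are
# resolved from the language-specific ADML string table, when it is available.
$strings = @{}
if (Test-Path -Path $AdmlPath) {
    [xml]$adml = Get-Content -Path $AdmlPath
    foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }
}

function Resolve-DisplayName([string]$ref) {
    if ($ref -match '^\$\(string\.(.+)\)$' -and $strings.ContainsKey($Matches[1])) {
        return $strings[$Matches[1]]
    }
    return $ref
}

function Get-DecimalValue($container) {
    # <enabledValue>/<disabledValue> wrap a <decimal value="n"/>; $null if absent
    if ($container -and $container.decimal) {
        return [int]$container.decimal.GetAttribute('value')
    }
    return $null
}

function Read-PolicyValue([string]$path, [string]$name) {
    # Registry data for one policy value, or $null when no policy sets it
    if (-not (Test-Path -Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$name]) { return $item.$name }
    return $null
}

function Get-PolicyState($data, $enabled, $disabled) {
    if ($null -eq $data) { return 'Not configured' }
    if ($null -ne $enabled -and $data -eq $enabled) { return 'Enabled' }
    if ($null -ne $disabled -and $data -eq $disabled) { return 'Disabled' }
    return "Configured ($data)"
}

$report = foreach ($policy in $admx.policyDefinitions.policies.policy) {
    # Computer Configuration policies live under HKLM, user policies under HKCU
    $hive = if ($policy.GetAttribute('class') -eq 'User') { 'HKCU:' } else { 'HKLM:' }
    $regPath = "$hive\$($policy.GetAttribute('key'))"
    $display = Resolve-DisplayName $policy.GetAttribute('displayName')

    # A simple on/off policy carries valueName plus enabledValue/disabledValue
    $valueName = $policy.GetAttribute('valueName')
    if ($valueName) {
        $data = Read-PolicyValue $regPath $valueName
        New-Object PSObject -Property @{
            Policy = $display; ValueName = $valueName; RegistryKey = $regPath
            State  = Get-PolicyState $data (Get-DecimalValue $policy.enabledValue) (Get-DecimalValue $policy.disabledValue)
        }
    }

    # Policies with a drop-down or other input (for example the SpyNet membership
    # level) store their data in <elements>; report the raw value for those
    if ($policy.elements) {
        foreach ($el in $policy.elements.ChildNodes) {
            if ($el.NodeType -ne 'Element' -or -not $el.GetAttribute('valueName')) { continue }
            $elKey = $el.GetAttribute('key')   # an element may override the policy key
            $elPath = if ($elKey) { "$hive\$elKey" } else { $regPath }
            $data = Read-PolicyValue $elPath $el.GetAttribute('valueName')
            New-Object PSObject -Property @{
                Policy = $display; ValueName = $el.GetAttribute('valueName'); RegistryKey = $elPath
                State  = Get-PolicyState $data $null $null
            }
        }
    }
}

$report | Sort-Object Policy | Format-Table Policy, ValueName, State -AutoSize
```

Run it on the client you are checking: the policy registry keys exist only once a GPO or local policy has written them, so “Not configured” means nothing sets that value and the Windows Defender default applies.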
Some of the settings you can configure from this page include:

- Frequency and time of automatic scans
- The security agents that are scanned automatically
- Specific files and folders to be excluded from scans
- Whether non-administrators can run Windows Defender

Because you cannot easily configure these settings with Group Policy settings, Windows Defender might not be the right choice for enterprise spyware control.

How to Determine Whether a Computer Is Infected with Spyware

Several signs indicate whether a computer is infected with spyware. You should train users in your environment to notice these changes and call your Support Center if they suspect a malware infection:

- A new, unexpected application appears.
- Unexpected icons appear in the system tray.
- Unexpected notifications appear near the system tray.
- The Web browser home page, default search engine, or favorites change.
- The mouse pointer changes.
- New toolbars appear, especially in Web browsers.
- The Web browser displays additional advertisements when visiting a Web page, or pop-up advertisements appear when the user is not using the Web.
- When the user attempts to visit a Web page, she is redirected to a completely different Web page.
- The computer runs more slowly than usual. This can be caused by many different problems, but spyware is one of the most common causes.

Some spyware might not have any noticeable symptoms, but it still might compromise private information. For best results, run Windows Defender real-time protection with daily quick scans.

Best Practices for Using Windows Defender

To receive the security benefits of Windows Defender while minimizing the costs, follow these best practices:

- Teach users how malware works and the problems that malware can cause. In particular, focus on teaching users to avoid being tricked into installing malware by social engineering attacks.
- Before deploying Windows 7, test all applications with Windows Defender enabled to ensure that Windows Defender does not alert users to normal changes the application might make. If a legitimate application does cause warnings, add the application to the Windows Defender allowed list.
- Change the scheduled scan time to meet the needs of your business. By default, Windows Defender scans at 2 A.M. If third-shift staff uses computers overnight, you might want to find a better time to perform the scan. If users turn off their computers when they are not in the office, you should schedule the scan to occur during the day. Although the automatic quick scan can slow computer performance, it typically takes fewer than 10 minutes, and users can continue working. Any performance cost typically is outweighed by the security benefits.
- Use WSUS to manage and distribute signature updates.
- Use antivirus software with Windows Defender. Alternatively, you might disable Windows Defender completely and use client security software that provides both antispyware and antivirus functionality.
- Do not deploy Windows Defender in enterprises. Instead, use Microsoft Forefront or a third-party client security suite that can be managed more easily in enterprise environments.

How to Troubleshoot Problems with Unwanted Software

A spyware infection is rarely a single application; most successful malware infections automatically install several, even dozens, of additional applications. Some of those applications might be straightforward to remove. However, if even a single malicious application remains, that remaining malware application might continue to install other malware applications.

If you detect a problem related to spyware and other potentially unwanted software, follow these steps to troubleshoot it:

1. Perform a quick scan and remove any potentially unwanted applications. Then, immediately perform a full scan and remove any additional potentially malicious software. The full scan can take many hours to run. Windows Defender will probably need to restart Windows.
2. If the software has made changes to Internet Explorer, such as adding unwanted add-ons or changing the home page, refer to Chapter 20 for troubleshooting information.
3. Run antivirus scans on your computer, such as that available from http://safety.live.com. Often, spyware might install software that is classified as a virus, or the vulnerability exploited by spyware might also be exploited by a virus. Windows Defender does not detect or remove viruses. Remove any viruses installed on the computer.
4. If you still see signs of malware, install an additional antispyware and antivirus application from a known and trusted vendor. With complicated infections, a single anti-malware tool might not be able to remove the infection completely. Your chances of removing all traces of malware increase by using multiple applications, but you should not configure multiple applications to provide real-time protection.
5. If problems persist, shut down the computer and use the Startup Repair tool to perform a System Restore. Restore the computer to a date prior to the malware infection. System Restore will typically remove any startup settings that cause malware applications to run, but it will not remove the executable files themselves. Use this only as a last resort: Although System Restore will not remove a user’s personal files, it can cause problems with recently installed or configured applications. For more information, see Chapter 29, “Configuring Startup and Troubleshooting Startup Issues.”

These steps will resolve the vast majority of malware problems.
However, when malware has run on a computer, you can never be certain that the software is removed completely. In particular, malware known as rootkits can install themselves in such a way that they are difficult to detect on a computer. In these circumstances, if you cannot find a way to confidently remove the rootkit, you might be forced to reformat the hard disk, reinstall Windows, and then restore user files using a backup created prior to the infection.

Network Access Protection

Many organizations have been affected by viruses or worms that entered their private networks through a mobile PC and quickly infected computers throughout the organization. Windows Vista, when connecting to a Windows Server 2008 infrastructure, supports Network Access Protection (NAP) to reduce the risks of connecting unhealthy computers to private networks directly or across a VPN. If a NAP client computer lacks current security updates or virus signatures—or otherwise fails to meet your requirements for computer health—NAP blocks the computer from having unlimited access to your private network. If a computer fails to meet the health requirements, it will be connected to a restricted network to download and install the updates, antivirus signatures, or configuration settings that are required to comply with current health requirements. Within minutes, a potentially vulnerable computer can be updated, have its new health state validated, and then be granted unlimited access to your network.

NAP is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software and configuration settings that the health requirement policy requires, the computer is considered compliant, and it will be granted unlimited access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

NAP has three important and distinct aspects:

- Network policy validation: When a user attempts to connect to the network, the computer’s health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health requirement policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the health requirement policies are allowed unlimited access to the network, but computers that do not comply with health requirement policies or are not compatible with NAP are placed on a restricted network. In both environments, administrators can define exceptions to the validation process. NAP also includes migration tools to make it easier for administrators to define exceptions that best suit their network needs.
- Health requirement policy compliance: Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with the required updates through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with health requirement policies have limited access until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
- Limited access for noncompliant computers: Administrators can protect network assets by limiting the access of computers that do not comply with health requirement policies. Computers that do not comply will have their network access limited as defined by the administrator. That access can be limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the limited access will last for the duration of the connection. If an administrator configures health update resources, the limited access will last only until the computer is brought into compliance.

NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding features that verify and remediate a computer’s health to comply with health requirement policies. By itself, NAP does not provide features to verify or correct a computer’s health. Other features, known as system health agents (SHAs) and system health validators (SHVs), provide automated system health reporting, validation, and remediation. Windows Vista, Windows Server 2008, and Windows 7 include an SHA and an SHV that allow the network administrator to specify health requirements for the services monitored by the Windows Security Center.

When troubleshooting client-side problems related to NAP, open Event Viewer and browse the Applications And Services Logs\Microsoft\Windows\Network Access Protection Event Log.
For more information about configuring a NAP infrastructure with Windows Server 2008, read Chapters 14 through 19 of Windows Server 2008 Networking and Network Access Protection by Joseph Davies and Tony Northrup (Microsoft Press, 2008).

Forefront

Forefront is enterprise security software that provides protection from malware in addition to many other threats. Whereas Windows Defender is designed for consumers and small businesses, Forefront is designed to be deployed and managed efficiently throughout large networks. Forefront products are designed to provide defense-in-depth by protecting desktops, laptops, and server operating systems. Forefront currently consists of the following products:

- Microsoft Forefront Client Security (FCS)
- Microsoft Forefront Security for Exchange Server (formerly called Microsoft Antigen for Exchange)
- Microsoft Forefront Security for SharePoint (formerly called Antigen for SharePoint)
- Microsoft Forefront Security for Office Communications Server (formerly called Antigen for Instant Messaging)
- Microsoft Intelligent Application Gateway (IAG)
- Microsoft Forefront Threat Management Gateway (TMG)

Of these products, only FCS would be deployed to client computers. The other products typically would be deployed on servers to protect applications, networks, and infrastructure. Enterprise management of anti-malware software is useful for:

- Centralized policy management.
- Alerting and reporting on malware threats in your environment.
- Comprehensive insight into the security state of your environment, including security update status and up-to-date signatures.

Forefront provides a simple user interface for creating policies that you can distribute automatically to organizational units and security groups by using GPOs. Clients also centrally report their status so that administrators can view the overall status of client security in the enterprise. With Forefront, administrators can view statistics ranging from domain-wide to specific groups of computers or individual computers to understand the impact of specific threats. In other words, if malware does infect computers in your organization, you can easily discover the infection, isolate the affected computers, and then take steps to resolve the problems.

Forefront also provides a client-side user interface. Similar to Windows Defender, Forefront can warn users if an application attempts to make potentially malicious changes, or if it detects known malware attempting to run. The key differences between Defender and Forefront are:

- Forefront is managed centrally: Forefront is designed for use in medium-sized and large networks. Administrators can use the central management console to view a summary of current threats and vulnerabilities, computers that need to be updated, and computers that are currently having security problems. Windows Defender is designed for home computers and small offices only, and threats must be managed on local computers.
- Forefront is highly configurable: You can configure automated responses to alerts, and, for example, prevent users from running known malware instead of giving them the opportunity to override a warning as they can do with Windows Defender.
- Forefront protects against all types of malware: Windows Defender is designed to protect against spyware. Forefront protects against spyware, viruses, rootkits, worms, and Trojan horses. If you use Windows Defender, you need another application to protect against the additional threats.
- Forefront can protect a wider variety of Windows platforms: Forefront is designed to protect computers running Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. Windows Defender can protect only computers running Windows XP, Windows Vista, and Windows 7.

Like Windows Defender, Forefront supports using Microsoft Update and WSUS to distribute updated signatures to client computers, but Forefront also supports using third-party software distribution systems. For more information about Forefront, visit http://www.microsoft.com/forefront/. Also, explore the Microsoft TechNet Virtual Labs at http://technet.microsoft.com/bb499665.aspx.

Note: Microsoft offers a third client security solution: Windows Live OneCare. Windows Live OneCare is designed to help protect home computers and small businesses with antivirus protection, antispyware protection, improved firewall software, performance monitoring, and backup and restore assistance. For more information, visit http://onecare.live.com/.

Summary

Windows 7 is designed to be secure by default, but default settings don’t meet everyone’s needs. Additionally, the highly secure default settings can cause compatibility problems with applications not written specifically for Windows 7. For these reasons, it’s important that you understand the client-security technologies built into Windows 7 and how to configure them.

One of the most significant security features is UAC. By default, both users and administrators are limited to standard user privileges, which reduces the damage that malware could do if it were to start a process successfully in the user context. If an application needs elevated privileges, UAC prompts the user to confirm the request or to provide administrator credentials. Because UAC changes the default privileges for applications, it can cause problems with applications that require administrative rights. To minimize these problems, UAC provides file and registry virtualization that redirects requests for protected resources to user-specific locations that won’t impact the entire system.

AppLocker provides similar functionality to Software Restriction Policies available in earlier versions of Windows. However, AppLocker’s publisher rules provide more flexible control and enable administrators to create a single rule that allows both current and future versions of an application without the risks of a path rule. Additionally, AppLocker includes auditing to enable administrators to identify applications that require rules and to test rules before enforcing them.

Microsoft also provides Windows Defender for additional protection from spyware and other potentially unwanted software. Windows Defender uses signature-based and heuristic antispyware detection. If it finds malware on a computer, it gives the user the opportunity to prevent it from installing or to remove it if it is already installed. Windows Defender isn’t designed for enterprise use, however. For improved manageability and protection against other forms of malware (including viruses and rootkits), use Forefront or another similar enterprise client-security solution.

Additional Resources

These resources contain additional information and tools related to this chapter.

- Chapter 2, “Security in Windows 7,” includes an overview of malware.
- “Windows 7 Security Compliance Management Toolkit” at http://go.microsoft.com/fwlink/?LinkId=156033 provides detailed information about how to best configure Windows 7 security for your organization.

Posted: 17/10/2013, 20:15
