Enhancing Computer Security in Vista

9/5/2010 9:25:23 AM
Security settings are critically important for maintaining the integrity of Windows Vista computers. Computers with weak or improperly configured security are open to a wide variety of attacks whenever they connect to a network. To make it easy to manage and determine the status of various security features, Windows Vista includes Windows Security Center. This central security management console provides an overview of the current security configuration and provides quick access to security features including Windows Firewall, Windows Update, and Windows Defender.

Using Windows Security Center

Windows Security Center, shown in Figure 1, is meant to be a central location for checking the most important aspects of system security. Through Security Center, you can quickly determine the status of any of these important security features and get recommendations for how these features should be configured. If the computer might be at risk due to poor security configuration, you can access Windows Security Center by clicking the Windows Security Center icon (the red shield with an x) in the notification area of the system tray. Otherwise, you can access Windows Security Center by clicking Start and then clicking Control Panel. In Control Panel, click Security and then click Security Center.

Figure 1: Windows Security Center provides a quick overview of the status of essential areas of security.

In Windows Security Center, the core set of security tools available is the same for both workgroups and domains. However, the default way in which Windows Security Center works changes depending on whether the computer is a member of a workgroup or a domain. In a workgroup, individual users can manage the security settings, and Windows Security Center reports the current status of security features by default. In a domain setting, the core functionality of Windows Security Center itself is turned off by default. As a result, Windows Security Center doesn't report the current status of security features and can only be used to access the core security tools, by using the links provided on the left panel.


Tip 

In a domain, you can allow users to manage and view the current status of security features by enabling the Turn On Security Center policy under Computer Configuration\Administrative Templates\Windows Components\Security Center. This policy is disabled by default. If you enable this policy and it was previously disabled, you will be able to access Windows Security Center only after you restart the computer. The Turn On Security Center policy does not apply to computers in workgroups. Windows Security Center cannot be turned off for computers in workgroups.

Windows Security Center options help you manage and track the status of the following security features:

  • Firewall Shows the status of the computer's firewall. A firewall helps protect the computer against network-based attacks and other security threats from remote systems. Both Windows Firewall and Advanced Windows Firewall are installed with the operating system and turned on for all connections by default.

    • If the Windows Firewall is turned off and you want to turn it on, expand the Firewall entry by clicking the button to the right of the Off designator and then click Turn On Now. When initially enabled, Windows Firewall uses the default state, in which inbound connections that do not have an exception are blocked automatically.

    • If you've installed a firewall that Windows Vista doesn't detect, you can tell Security Center that you'll monitor the firewall status yourself. Expand the Firewall entry by clicking the button to the right of the Off designator and then clicking Show Me Other Available Options. In the Recommendation dialog box, select I Have A Firewall Solution That I'll Monitor Myself. The status of Firewall will change to Not Monitored.

    • If multiple firewalls are enabled and Windows Vista detects this, you'll see a warning prompt specifying that to ensure programs operate properly, only one firewall should be configured. In this case, you should disable all but one of the firewalls.

  • Automatic Updating Shows the status of automatic updating. If automatic updating is off and you want to turn it on, expand the Automatic Updating entry by clicking the button to the right of the Off designator and then clicking Turn On Now. This turns on Windows Update and uses the default (recommended) mode, in which updates for the operating system are downloaded and installed automatically.

  • Malware Protection Malware protection software helps safeguard a computer from viruses, spyware, and other similar types of malicious programs. The two most commonly used types of malware protection software are antivirus software and anti-spyware software.

    • Windows Vista does not include antivirus software. You'll need to use a third-party solution. If antivirus software is not found or is in an unknown state, you'll see a Check Settings warning. When you expand the Malware Protection entry using the button provided, you'll be able to find antivirus software to install over the Internet by clicking Find A Program. If you don't want Windows Vista to monitor the status of antivirus software, click Show Me Other Available Options and then select I Have An Antivirus Program That I'll Monitor Myself.

    • Windows Vista includes Windows Defender to provide anti-spyware protection. If Windows Defender is turned off and you want to turn it on, expand the Malware Protection entry by clicking the button to the right of the Check Settings warning and then clicking Turn On Now. This uses the default configuration. If you've installed anti-spyware software that you want to use instead of Windows Defender, you can tell Security Center that you'll monitor the anti-spyware software status yourself. Click Show Me Other Available Options. In the Recommendation dialog box, select I Have An Antispyware Program That I'll Monitor Myself. The status of Antispyware will change to Not Monitored.


    Tip 

    By default, Windows Security Center is configured to alert the currently logged on user if the firewall, malware protection, or Automatic Updates settings are not properly configured. The alerts are displayed in a balloon message box stating Your Computer Might Be At Risk. To view or configure the alerts, access the Windows Security Center and click Change The Way Security Center Alerts Me in the left pane. You can then use the dialog box provided to change the way notification works.

  • Other Security Settings Shows the overall status of Internet security settings and User Account Control (UAC). You'll see a warning if Internet security settings are set below their recommended levels or if user accounts are configured in a way that increases risk. The recommendations offered depend on the settings that put the computer at risk.

In the left panel of Windows Security Center, you'll find several helpful links, including:

  • Windows Update Opens the Windows Update utility in Control Panel.

  • Windows Defender Opens Windows Defender if this feature is turned on. If Windows Defender is turned off, you'll be prompted to turn on Windows Defender. Click Turn On And Open Windows Defender and then Windows Vista will open Windows Defender.

  • Windows Firewall Opens Windows Firewall.

  • Internet Options Opens the Internet Properties dialog box with the Security tab selected.

Managing Windows Firewalls

Windows Firewall is installed and enabled by default on all computers running Windows Vista. Two versions of the firewall are included:

  • Windows Firewall The basic version of Windows Firewall protects the computer by preventing unauthorized users from gaining access. It does this by blocking inbound access to Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports on the computer and disallowing most types of Internet Control Message Protocol (ICMP) requests.

  • Windows Firewall With Advanced Security The advanced version of Windows Firewall protects the computer from unauthorized access and unauthorized use, and it also provides secure authentication. It does this by blocking both inbound and outbound connections, disallowing most types of ICMP requests, and ensuring connections can be authenticated using standard security protocols.

Both firewalls are used together. On a computer that uses Windows Firewall, Windows Firewall provides the protection baseline, and Windows Firewall With Advanced Security extends and enhances this basic protection baseline. Additionally, under Windows Vista, each network category has a different firewall profile. This means there is a domain profile, a private profile, and a public profile. When working with Windows Firewall, the profile for the current network category (based on the current connection) is the only one you can view and configure. When working with Windows Firewall With Advanced Security, you can view and manage each firewall profile separately.

Configuring Windows Firewall

Windows Firewall is automatically enabled for all network connections on a computer. This means all modem, network cable, wireless network, and IEEE 1394 (FireWire) connections are automatically protected by the firewall. The sections that follow discuss techniques for configuring Windows Firewall, including:

  • Enabling and disabling Windows Firewall

  • Configuring exceptions for programs

  • Configuring exceptions for TCP and UDP ports as well as services

  • Restoring the original Windows Firewall configuration


Real World 

For computers that are part of a domain, you'll find several important policies for configuring Windows Firewall under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. If Windows Firewall: Allow Authenticated IPSec Bypass is enabled, any authenticated Internet Protocol Security (IPSec) connection to a computer completely bypasses the Windows Firewall, and you can set specific exemptions (exclusions) for computers, users, and groups. Use the policies under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile to configure the way Windows Firewall is used when a computer is connected to a Microsoft Active Directory directory service domain. Use the policies under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile to configure the way Windows Firewall is used when a computer is disconnected from an Active Directory domain, such as when a laptop user takes his computer home.

Enabling and Disabling Windows Firewall

You can enable or disable Windows Firewall in one of two ways: either completely or on a per-connection basis. To enable or disable the firewall completely, click Windows Firewall in Windows Security Center and then click Change Settings. This displays the Windows Firewall Settings dialog box, shown in Figure 2. You can now:

  • Select On to enable Windows Firewall and set it to block all outside connections to the computer, with the exception of the exclusions lists on the Exceptions tab and any inbound ICMP requests allowed on the Advanced tab. In this configuration, Windows Firewall uses Security Alerts to notify you of any programs it is blocking, and you can determine whether to keep blocking the program, unblock the program, or have it prompt you later.

  • Select On and choose Block All Incoming Connections to enable Windows Firewall, set it to block all outside connections to the computer, and specify that no exceptions from the Exceptions tab should apply. This configuration is best for laptop computers when they are off the corporate network. In this configuration, Windows Firewall will not alert the user when it is blocking programs. Further, it should be noted that any inbound ICMP requests allowed on the Advanced tab are still allowed and are not blocked.

  • Select Off to completely disable Windows Firewall. In this configuration, Windows Firewall is disabled for all connections and the computer is more vulnerable to attack.

Figure 2: Use the General tab to completely enable or disable Windows Firewall.

To enable or disable Windows Firewall on a per-connection basis, follow these steps:

  1. Click Windows Firewall in Windows Security Center. Note the network category you are configuring and then click Change Settings. In the Windows Firewall dialog box, ensure that On is selected on the General tab and then select the Advanced tab.

  2. Each network connection configured on the computer is listed in the Network Connection Settings panel. Clear the check box for a connection to disable Windows Firewall for that connection. Select the check box for a connection to enable Windows Firewall for that connection.

  3. Click OK when you are finished.

Configuring Firewall Exceptions for Programs

In a domain, Core Networking is the only allowed exception on a computer by default. If you've allowed network discovery, configured sharing, or other features, these features may be configured as allowed exceptions as well. You can also make exceptions for other programs and services using the Exceptions tab of the Windows Firewall dialog box.

As Figure 3 shows, standard exceptions can be easily allowed or disallowed. To allow an exception, select the related check box. To disallow an exception, clear the related check box. If you have a question about the purpose of an exception, click it and then click Properties to see a detailed description of the service or feature.

Figure 3: Use the Exceptions tab to allow some types of remote connections.

You can add programs as exceptions if other computers need to remotely communicate with a program or connect to the computer over a specific port. To configure programs as exceptions, complete the following steps:

  1. Click Windows Firewall in Windows Security Center. Note the network category you are configuring and then click Change Settings. This displays the Windows Firewall dialog box.

  2. In the Windows Firewall dialog box, select the Exceptions tab and then click Add Program.

  3. In the Add A Program dialog box, select the program in the Programs list or click Browse to use the Browse dialog box to find the program.

  4. By default, any computer, including those on the Internet, can access this program remotely. To restrict access further, click Change Scope. You can then select:

    • Any Computer (Including Those On The Internet) to allow any computer to remotely communicate with this program

    • My Network (Subnet) Only to allow only computers on the same subnet as this computer to remotely communicate with this program

    • Custom List to enter a comma-separated list of Internet Protocol (IP) addresses that can remotely communicate with this program

  5. Click OK three times to close all open dialog boxes.

Configuring Firewall Exceptions for TCP and UDP Ports

TCP and UDP ports can be opened for remote access to a computer by configuring the appropriate port as an exception. If you know which port you want to open, complete the following steps to designate it as an exception:

  1. Click Windows Firewall in Windows Security Center. Note which network category you are configuring and then click Change Settings. This displays the Windows Firewall dialog box.

  2. In the Windows Firewall dialog box, select the Exceptions tab and then click Add Port.

  3. In the Name field of the Add A Port dialog box, type a descriptive name for the port and then type a port number, such as 80, in the Port Number field.

  4. Select whether you are making an exception for a TCP or UDP port by choosing the appropriate radio button.

  5. By default, any computer, including those on the Internet, can access this program remotely. To restrict access further, click Change Scope, make a different selection, and then click OK.

  6. Click OK two times to close all open dialog boxes.

Restoring the Original Windows Firewall Configuration

If you are unsure of the state of Windows Firewall and its configuration, it is sometimes better to restore the original Windows Firewall configuration and then modify the configuration as necessary afterward. In this way, you start with a known secure configuration of the firewall and then make changes as necessary for the computer. You can restore the Windows Firewall settings by completing the following steps:

  1. Click Windows Firewall in Windows Security Center. Note which network category you are configuring and then click Change Settings. This displays the Windows Firewall dialog box.

  2. In the Windows Firewall dialog box, select the Advanced tab.

  3. Click the Restore Defaults button. When prompted to confirm the action, click Yes.

  4. Once the configuration is restored, click OK.

Configuring Windows Firewall With Advanced Security

Windows Firewall With Advanced Security extends the features found in Windows Firewall. These extensions allow you to perform the following tasks:

  • Create and manage separate firewall profiles for domain networks, private networks, and public networks.

  • Configure both inbound and outbound exceptions.

  • Use both firewall filtering and IPSec.

The sections that follow discuss how to manage a computer's firewall configuration using Windows Firewall With Advanced Security.

Using Windows Firewall With Advanced Security

You can work with Windows Firewall With Advanced Security, shown in Figure 4, in several different ways. You can use:

  • Group Policy For Group Policy–based configurations, you can use the policy settings under Computer Configuration/Windows Settings/Security Settings/Windows Firewall With Advanced Security. Computers running Windows XP with Service Pack 2 (SP2) or Windows Server 2003 with Service Pack 1 (SP1) will ignore the Group Policy settings for Windows Firewall With Advanced Security. The advantage of using Group Policy is that the configuration applies to all computers that process the related Group Policy Object (GPO).

  • A preconfigured management console The preconfigured tool can be found on the Administrative Tools menu. Click Start, All Programs, Administrative Tools, and then Windows Firewall With Advanced Security. If the Administrative Tools menu isn't accessible, you can access the preconfigured tool by clicking Start and then clicking Control Panel. In Control Panel, click System And Maintenance, Administrative Tools. Then scroll down and click Windows Firewall With Advanced Security. The disadvantage of using the preconfigured tool is that you can only manage firewall settings for the local computer.

  • An MMC snap-in You can add the snap-in to any updateable Microsoft Management Console (MMC) by following these steps:

    1. In an updateable MMC, click File, select Add/Remove Snap-In, and then double-click Windows Firewall With Advanced Security.

    2. When you are prompted to select a computer to work with, select either Local Computer or Another Computer. If you select Another Computer, type the name or IP address of the computer with which you want to work.

    3. Click Finish and then click OK.

    The advantage of using the snap-in is that you can use it to configure firewall settings on remote computers without having to use a remote desktop connection.

  • Command-line For command-line configuration, you can use the commands in the netsh advfirewall context to configure all basic and advanced firewall settings. This context is not available for computers running Windows XP with SP2 or Windows Server 2003 with SP1.

Figure 4: Use Windows Firewall With Advanced Security to configure advanced firewall settings.

With Windows Vista, each network category has a different firewall profile. When you select the Windows Firewall With Advanced Security node in the console tree, you'll see an overview of the current state of the firewall for each profile. You'll also find links to information for working with this tool under Getting Started and Resources. The other nodes in the console tree are as follows:

  • Inbound Rules Lists the rules for incoming traffic and provides a summary overview of how those rules are configured. Inbound rules either explicitly allow or explicitly block incoming traffic that matches the rule criteria.

  • Outbound Rules Lists the rules for outgoing traffic and provides a summary overview of how those rules are configured. Outbound rules either explicitly allow or explicitly block outgoing traffic that matches the rule criteria.

  • Connection Security Rules Lists the rules for protected traffic and provides a summary overview of how those rules are configured.

  • Monitoring Provides a summary of each firewall profile. By default, the panel for the active (current) profile is expanded and the profile name is modified to include the text "is Active."

Configuring Windows Firewall With Advanced Security requires much more forethought and planning than configuring the basic firewall. When you configure Windows Firewall With Advanced Security, you'll need to set firewall profile properties, specify any necessary inbound or outbound exceptions, and define any necessary connection security rules. Each of these tasks is discussed in the sections that follow.

Configuring Firewall Profile Properties

When working with Windows Firewall With Advanced Security, you can view and manage each firewall profile separately. The Domain Profile is used when the firewall is enabled and the computer is connected to a network with a domain. The Private Profile is used when the firewall is enabled and the computer is connected to a private network. The Public Profile is used when the firewall is enabled and the computer is connected to a public network.

Each profile has separate settings for the firewall state, blocking or allowing of connections, notification and response behavior, and logging. You can configure profile settings by following these steps:

  1. In Windows Firewall With Advanced Security, select the Windows Firewall With Advanced Security node.

  2. Scroll down in the main pane and then click Windows Firewall Properties.

  3. In the Windows Firewall With Advanced Security On dialog box, select the profile with which you want to work. (See Figure 5.)

    Figure 5: Manage the settings for each profile separately.

  4. To enable the firewall for the profile, select On (Recommended) and then configure the global default setting for inbound and outbound connections. For inbound connections, select Block, Block All, or Allow as appropriate. For outbound connections, select Block or Allow as appropriate.


    Note 

    The difference between Block and Block All is important. Use Block to block all programs not specifically listed as allow exceptions. Use Block All to block all programs, including those specifically listed as allow exceptions.

  5. Behavior settings determine notification on blocking, response types, and rule merging. To configure profile behavior, click Customize on the Settings panel and then use the options provided to configure the desired behavior. If you are working with Group Policy, you'll be able to specify whether local computer rules should be merged with rules set in Group Policy.

  6. Logging settings determine whether logging is used, such as might be necessary for troubleshooting firewall issues. To enable logging, click Customize on the Logging panel and then set Log Dropped Packets to Yes and Log Successful Connections to Yes. The default path for the log file is %SystemRoot%\System32\Logfiles\Firewall\Pfirewall.log. Click OK.

  7. IP Security (IPSec) settings determine how secure connections are established. The same settings are used for all profiles. To configure IPSec settings, click Customize on the Internet Protocol Security (IPSec) panel; use the options provided to manage integrity, privacy, and authentication settings for IPSec; and then click OK.
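
Once Log Dropped Packets is enabled in step 6, the log can be reviewed for sources that are repeatedly blocked. The following is an added example, not code from the book: it reads the column names from the log's #Fields header and counts DROP entries per source address, protocol, and destination port. The sample lines are constructed, and the header shown is an assumption about the log layout; the parser uses whatever header the real file contains.

```powershell
# Added example: summarise dropped packets recorded in a Windows Firewall log.
# Requires PowerShell 2.0 or later (for the -split operator).

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)

    $fields = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # Column names come from the log's own header, not hard-coded positions.
            $fields = @($Matches[1].Trim() -split '\s+')
            continue
        }
        # Skip other header lines, blank lines, and anything before the header.
        if ($line -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }

        $values = @($line.Trim() -split '\s+')
        if ($values.Count -lt $fields.Count) { continue }   # partially written line

        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            Add-Member -InputObject $entry -MemberType NoteProperty `
                       -Name $fields[$i] -Value $values[$i]
        }
        $entry
    }
}

function Get-DroppedPacketSummary {
    param([string[]]$Lines)

    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' } |
        Group-Object -Property 'src-ip', 'protocol', 'dst-port' |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Constructed sample log (documentation address ranges, not real traffic).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2010-09-05 09:25:23 DROP TCP 192.0.2.44 192.168.1.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2010-09-05 09:25:24 DROP TCP 192.0.2.44 192.168.1.10 51235 445 52 S 1234599 0 8192 - - - RECEIVE
2010-09-05 09:25:26 DROP TCP 192.0.2.44 192.168.1.10 51240 445 52 S 1234650 0 8192 - - - RECEIVE
2010-09-05 09:26:02 ALLOW TCP 192.168.1.10 198.51.100.7 49170 80 0 - 0 0 0 - - - SEND
2010-09-05 09:27:41 DROP UDP 192.168.1.23 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2010-09-05 09:28:10 DROP ICMP 203.0.113.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2010-09-05 09:28:11 DROP TCP 192.0.2.44
'@ -split "`r?`n"

# To analyse a real log, replace $sample with the output of Get-Content on the
# log file named in step 6 (reading it needs an elevated session).
Get-DroppedPacketSummary -Lines $sample | Format-Table -AutoSize
```

ALLOW entries appear only when Log Successful Connections is also set to Yes; the summary ignores them and skips the truncated last line.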

Creating and Managing Inbound Rules

The default configuration for all firewall profiles is to block all inbound connections to a computer unless there are specific inbound rules that allow incoming connections. You can view currently defined inbound rules by selecting the Inbound Rules node in Windows Firewall With Advanced Security.

Although many inbound rules are defined by default, only a few are enabled. You can quickly determine which by clicking the Enabled column twice so that the Enabled-Yes rules are listed first. You can create and enable a new inbound rule by following these steps:

  1. In Windows Firewall With Advanced Security, select the Inbound Rules node.

  2. Under Actions, click New Rule to start the New Inbound Rule Wizard.

  3. Follow the prompts to define the inbound rule. Click Finish to close the wizard.

  4. If you want the inbound rule to be enabled, right-click it and then select Enable Rule.

You can modify and enable an existing inbound rule by following these steps:

  1. In Windows Firewall With Advanced Security, select the Inbound Rules node.

  2. Double-click the inbound rule you want to configure.

  3. Change settings as necessary using the tabs and options provided.

  4. If you want the inbound rule to be enabled, right-click it and then select Enable Rule.
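
The profile settings (firewall state, Block versus Block All, logging) and a new inbound rule can also be applied through the netsh advfirewall context mentioned earlier. The following is an added example, not code from the book; the rule name, port 80, the local-subnet scope, the backup location, and the per-profile choices are assumptions for illustration. Run it in an elevated session.

```powershell
# Added example: profile defaults plus one scoped inbound rule via netsh advfirewall.

function Invoke-AdvFirewall {
    param([string[]]$Arguments)
    # Each array element reaches netsh as a single argument. Typed bare at the
    # PowerShell prompt, blockinbound,allowoutbound would be split at the comma.
    & netsh.exe advfirewall $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# 1. Export the current policy first so the change can be rolled back with
#    "netsh advfirewall import <file>".
$backup = Join-Path $env:TEMP ("advfirewall-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
Invoke-AdvFirewall 'export', $backup

# 2. Per-profile defaults. GUI "Block" = blockinbound (allow rules still apply);
#    GUI "Block All" = blockinboundalways (allow rules are ignored).
#    Using Block All on the public profile is an assumption of this example.
$policy = @{
    domainprofile  = 'blockinbound,allowoutbound'
    privateprofile = 'blockinbound,allowoutbound'
    publicprofile  = 'blockinboundalways,allowoutbound'
}
foreach ($profileName in $policy.Keys) {
    Invoke-AdvFirewall 'set', $profileName, 'state', 'on'
    Invoke-AdvFirewall 'set', $profileName, 'firewallpolicy', $policy[$profileName]
    # Log Dropped Packets = Yes, Log Successful Connections = Yes
    Invoke-AdvFirewall 'set', $profileName, 'logging', 'droppedconnections', 'enable'
    Invoke-AdvFirewall 'set', $profileName, 'logging', 'allowedconnections', 'enable'
}

# 3. Inbound allow rule limited to the private profile and the local subnet.
#    netsh permits several rules with the same name, so check before adding.
$ruleName = 'Example-HTTP-LocalSubnet'   # hypothetical rule name
& netsh.exe advfirewall firewall show rule "name=$ruleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    Invoke-AdvFirewall 'firewall', 'add', 'rule', "name=$ruleName",
        'dir=in', 'action=allow', 'protocol=TCP', 'localport=80',
        'remoteip=localsubnet', 'profile=private', 'enable=yes'
}

# 4. Review the result.
Invoke-AdvFirewall 'show', 'allprofiles'
Invoke-AdvFirewall 'firewall', 'show', 'rule', "name=$ruleName"
```

The remoteip=localsubnet value narrows the rule to computers on the same subnet; leaving it out allows any remote address to reach the port on that profile.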

Creating and Managing Outbound Rules

The default configuration for all firewall profiles is to allow all outbound connections from a computer unless there are specific outbound rules that block outgoing connections. You can view currently defined outbound rules by selecting the Outbound Rules node in Windows Firewall With Advanced Security.

By default, many outbound rules are defined. However, only a few outbound rules are enabled. You can quickly determine which by clicking the Enabled column twice so that the Enabled-Yes rules are listed first. To create and enable a new outbound rule, follow these steps:

  1. In Windows Firewall With Advanced Security, select the Outbound Rules node.

  2. Under Actions, click New Rule to start the New Outbound Rule Wizard.

  3. Follow the prompts to define the outbound rule. Click Finish to close the wizard.

  4. If you want the outbound rule to be enabled, right-click it and then select Enable Rule.

You can modify and enable an existing outbound rule by following these steps:

  1. In Windows Firewall With Advanced Security, select the Outbound Rules node.

  2. Double-click the outbound rule you want to configure.

  3. Change settings as necessary using the tabs and options provided.

  4. If you want the outbound rule to be enabled, right-click it and then select Enable Rule.

Creating and Managing Connection Security Rules

IPSec provides rules for securing IP traffic. Windows Firewall With Advanced Security uses connection security rules to define IPSec policies. No connection security rules are defined by default. You can create a new connection security rule by following these steps:

  1. In Windows Firewall With Advanced Security, select and then right-click the Connection Security Rules node in the console tree and then click New Rule. This starts the New Connection Security Rule Wizard.

  2. On the Rule Type page, shown in Figure 6, you can specify the type of connection security rule to create and then click Next. The types of rules that can be created are as follows:

    • Isolation Isolates the computer by restricting connections based on domain membership or health status. With this type of rule, you must specify whether authentication should occur for incoming or outgoing traffic, whether you want to require or only request secure connections, the authentication method for protected traffic, and a name for the rule. Isolating computers based on their health status uses Network Access Protection (NAP) policy.


    Real World 

    NAP is designed to help safeguard the enterprise network from client computers in potentially unhealthy states. NAP uses protection policies configured by enterprise administrators to determine whether a particular local or remote client can connect to the enterprise network. If a client computer running Windows Vista or later isn't deemed "healthy" as defined in the enterprise protection policy, the client computer is either prevented from accessing the network, provided with instructions on how to get updates, or granted limited access to the network.

    Administrators can define NAP policy using the NAP Server Configuration tool and then can use the NAP Client Configuration tool to enforce policy. NAP can be applied to both locally connected and remotely connected computers. The health of a computer is determined by the service packs, updates, and other security configurations currently in place.

    • Authentication Exemption Defines an authentication exemption for computers that do not have to authenticate themselves or secure their traffic. With this type of rule, you must specify a name for the rule and the computers to exempt according to their IP addresses.

    • Server To Server Designates how authentication should be used for communications between specific computers, typically servers. With this type of rule, you must specify the endpoint IP addresses, when authentication should occur, the authentication method for protected traffic, and a name for the rule.

    • Tunnel Creates a secure, tunneled connection between computers. Typically, you'll use this type of rule between two secure gateway computers that send packets over the Internet. You must specify the tunnel endpoints by IP address, the authentication method, and a name for the rule.

    • Custom Creates a rule with a custom authentication behavior. Use this option when you want to manually configure a rule. You must specify a name for the rule.

    Figure 6: Specify the type of connection security rule to create.

  3. Once you've configured the rule, click Finish to create and enable the rule.

You can modify the settings of a rule by right-clicking the name of the rule, clicking Properties, and then using the properties dialog box provided to modify the rule settings as necessary. If you want to disable a rule, right-click the rule and then select Disable Rule.

Managing Windows Defender

Windows Defender is the anti-spyware program included with Windows Vista. It protects a computer from harmful and unwanted software in real time by stopping malicious programs from installing themselves and by detecting and blocking the activities of any malicious programs that might have slipped by its defenses. Windows Defender detects spyware programs according to:

  • How they try to install themselves

  • How they try to manipulate a computer's files and settings

  • The types of data they create, record, or send

Collectively, these characteristics are referred to as a spyware program's signature. Like antivirus software, Windows Defender maintains definition files with information on spyware signatures. To protect the computer from an ever-evolving array of spyware, Windows Defender must be updated periodically to the newest definition files regarding spyware signatures. Windows Defender includes an automatic update feature that checks for updates periodically. You can manually check for updates as well. Windows Defender uses Software Explorer to help detect the activities of malicious programs.

Working with Windows Defender

You can open Windows Defender by clicking the Windows Defender link in Windows Security Center. If Windows Defender is turned off, you'll need to turn it on, when prompted, by clicking Enable Now To Turn On Windows Defender and then clicking OK. As shown in Figure 6, the Windows Defender home page provides an overview of the current status. You'll see a normal status if Windows Defender's definitions are up-to-date and no known unwanted or harmful software is installed on the computer. You'll see a warning status if Windows Defender's definitions are out of date or known unwanted or harmful software is installed on the computer. You can then retrieve updates over the Internet from the Microsoft Web site and install them automatically by clicking the Check Now button provided as part of the warning.

Figure 6: Use Windows Defender to protect a computer from spyware.

When working with Windows Defender, you can use the Status area in the lower portion of the home page to determine the general status according to the following information:

  • Last Scan: The date and time of the last scan as well as the type of scan that was performed

  • Scan Schedule: The schedule for automatic scans, such as Daily at 2:00 A.M.

  • Real-Time Protection: The status of real-time protection, as either On or Off

  • Spyware Signatures: The version, time, and date of the most recent definitions file

The general settings of Windows Defender enable you to choose how you want the program to run. You can configure general settings by following these steps:

  1. In Windows Defender, click Tools and then click Options.

  2. On the Options page, the following options panels are provided to configure the way Windows Defender works:

    • Automatic Scanning: Used to set automatic scanning and automatic updating options. For automatic scanning, select Automatically Scan My Computer (Recommended) and then set the scan frequency, time of day, and type of scan. To have Windows Defender check for updates before scanning, select Check For Updated Definitions Before Scanning. To apply default actions to detected or suspected spyware programs, select Apply Default Actions To Items Detected During A Scan.

    • Default Actions: Used to set the default action to take based on the alert level of a detected or suspected spyware program. Spyware programs with a high alert level are considered to be the most dangerous and have the highest probability of doing damage to a computer. The default action is to apply the recommended action according to the current definition file, which is either to ignore the program or to remove it. If you don't want to use Definition Recommended Action, you can specifically designate that programs should be ignored or removed.

    • Real-Time Protection: Used to turn on and configure real-time protection. Real-time protection uses individual security agents to determine which areas of the operating system and which components receive real-time protection. Each of these security agents can be enabled or disabled using the check boxes provided. If you want to receive alerts related to real-time protection, you can enable the notification options provided.

    • Advanced Options: Used to configure advanced techniques for detecting spyware. These options allow you to scan inside archives and use rule-based (heuristic) detection. Enabling these options is particularly important for detecting new spyware, hidden spyware, and software performing possibly malicious actions.

    • Administrator Options: Used to specify whether Windows Defender is turned on or off, and to specify whether normal users can perform scans and choose actions to apply to potentially unwanted software. If you want to enable Windows Defender, Use Windows Defender must be selected. By default, users who do not have administrator rights can perform scans and specify actions to apply to potentially unwanted software. This is the recommended configuration.

  3. Click Save to save any changes you've made to the configuration.

Scanning the Computer for Spyware

To enhance a computer's security, Windows Defender can and should be used in both real-time protection mode and automatic scan mode. If the computer isn't on when the automated scan should have run, or you suspect spyware installed itself on the computer, you can scan the computer manually using a quick scan, a full scan, or a custom scan:

  • With a quick scan, Windows Defender checks areas of memory, the registry, and the file system known to be used by spyware programs, but doesn't perform a comprehensive search for spyware. To start a quick scan, click the Scan button on the Windows Defender toolbar.

  • With a full scan, Windows Defender performs a thorough check of all areas of the memory, the registry, and the file system for spyware. To start a full scan, click the Scan Options button (located to the right of the Scan button on the toolbar) and then select Full Scan.

  • With a custom scan, Windows Defender performs a thorough check of all areas of the memory and the registry, but only checks the areas of the file system that you specify. To start a custom scan, click the Scan Options button (located to the right of the Scan button on the toolbar) and then select Custom Scan. Next, click Select and specify the drives or folders to scan. Finally, click Scan Now.

Checking for Updates

Windows Defender can't do its job of protecting a computer if the spyware definitions are out of date. By default, Windows Defender automatically checks for updated spyware definitions prior to performing an automatic scan. If the computer has access to the Internet or an update server, Windows Defender is then able to update the spyware definitions. If the computer doesn't have access to the Internet or an update server, Windows Defender is not able to update the spyware definitions, and you'll need to manually update the spyware definitions by following these steps:

  1. Click Start and then click Control Panel.

  2. In Control Panel, click Security and then click Check For New Definitions under Windows Defender.

If Windows Defender is open, you can also check for updates by following these steps:

  1. Click the Windows Defender Help Options button. This is the button to the right of the Help button.

  2. Select About Windows Defender.

  3. Click Check For Updates.

Quarantining and Allowing Programs

Windows Defender is configured by default to automatically remove dangerous malicious programs. Other programs that are malicious but not necessarily dangerous may be quarantined. A user may also receive notification about a malicious program and elect to either allow it to run or to quarantine it. Windows Defender tracks details regarding both allowed items and quarantined items.

Quarantined items are disabled and moved to a protected location on the computer, where they can't cause problems. You view and manage quarantined items by clicking Tools and then clicking Quarantined Items. On the Quarantined Items page, quarantined items are listed by name with an alert level and a time stamp. You can manage quarantined items as follows:

  • Permanently remove all quarantined programs by clicking Remove All.

  • Permanently remove a specific program by clicking it and then clicking Remove.

  • Restore a specific program by clicking it and then clicking Restore.

Allowed items are those that are identified and tracked by Windows Defender but allowed to run on the computer. You can view or manage currently allowed items by clicking Tools and then clicking Allowed Items. On the Allowed Items page, allowed items are listed by name with an alert level and a recommendation for how each program should be handled. If you want Windows Defender to start monitoring the activities of an allowed program again, click the item and then select Remove From List. Windows Defender will then notify the user of any possible malicious activity related to this program.

Managing Automatic Updates

The standard automatic updating feature in Windows Vista is called Windows Update. Windows Update is an enhanced version of the standard automatic update feature included in previous releases of Windows. Not only is Windows Update used to update the operating system, it is also used to update programs that ship with the operating system, such as Microsoft Windows Internet Explorer 7 in Windows Vista, and hardware device drivers. The sections that follow discuss how Windows Update works and how it can be used to help keep a computer up-to-date.

An Overview of Windows Update

Windows Update is a client component that connects periodically to a designated server and checks for updates. Once it determines that updates are available, it can be configured to download and install the updates automatically or to notify users and administrators that updates are available. The server component to which Windows Update connects is either the Windows Update Web site hosted by Microsoft or a designated Windows Update Services server hosted by your organization.

Unlike previous versions' automatic updating features, which only distribute and install critical updates, Windows Update supports distribution and installation of the following:

  • Critical updates: Updates that are determined to be critical for the stability and safeguarding of a computer

  • Security updates: Updates that are designed to make the system more secure

  • Update roll-ups: Updates that include other updates

  • Service packs: Provide a comprehensive update to the operating system and its components, which typically include critical updates, security updates, and update roll-ups

A key part of the extended functionality allows Windows Update to prioritize downloads so that updates can be applied in order of criticality. This allows the most critical updates to be downloaded and installed before less critical updates. You can also control how a computer checks for new updates and how it installs them. The default polling interval used to check for new updates is 22 hours. Through Group Policy, you can change this interval. By default, every day at 3:00 A.M. local time, computers install updates they've downloaded. You can modify the installation to require notification or change the install times if desired.

Windows Vista reduces the number of restarts required after updates by allowing a new version of an updated file to be installed even if the old file is currently in use by an application or system component. To do this, Windows Vista marks the in-use file for update and then automatically replaces the file the next time the application is started. With some applications and components, Windows Vista can save the application's data, close the application, update the file, and then restart the application. As a result, the update process has less impact on users.


Real World 

Automatic updating uses the Background Intelligent Transfer Service (BITS) to transfer files. BITS is a service that performs background transfers of files and allows interrupted transfers to be restarted. BITS Version 2.0, which is included with Windows Vista, improves the transfer mechanism so that bandwidth is used more efficiently, which in turn means less data is transferred and the transfer is faster. Through Group Policy, BITS can be configured to download updates only during specific times and to limit the amount of bandwidth used. You configure both settings using the Maximum Network Bandwidth That BITS Uses setting under Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service in Group Policy. Additionally, using BITS 2.0, Windows Vista can obtain updates from trusted peers across a local area network (LAN) as well as from an update server or from Microsoft directly. Once a peer has a copy of an update, other computers on the local network can automatically detect this and download the update directly from the peer, meaning a required update may only need to be transferred across the wide area network (WAN) once rather than dozens or hundreds of times.

You can use automatic updating in several different ways. You can configure systems to do the following:

  • Install updates automatically: With this option, the operating system retrieves all updates at a configurable interval (22 hours by default) and then installs the updates at a scheduled time, which by default is every day at 3:00 A.M. This represents a change in behavior because users are not required to accept updates before they are installed. Updates are instead downloaded automatically and then installed according to a specific schedule, which can be once a day at a particular time or once a week on a particular day and time.

  • Download updates but let me choose whether to install them: With this option (the default), the operating system retrieves all updates as they become available and then prompts the user when they are ready to be installed. The user can then accept or reject each update. Accepted updates are installed. Rejected updates are not installed, but they remain on the system so that they can be installed later.

  • Check for updates but let me choose whether to download and install them: With this option, the operating system notifies the user before retrieving any updates. If the user elects to download the update, she still has the opportunity to accept or reject it. Accepted updates are installed. Rejected updates are not installed, but they remain on the system so that they can be installed later.

  • Never check for updates: When automatic updates are disabled, users are not notified about updates. You can, however, download updates manually from the Windows Update Web site (http://www.windowsupdate.microsoft.com/).

When Windows Update is configured for automatic update and install, users are not notified of update availability or installation. In a workgroup environment, a Windows Update icon is placed in the notification area to provide an initial notification. This icon is a yellow shield with an exclamation point. Clicking this icon allows you to configure the initial update and installation schedule. Whenever there are notifications, the icon is displayed as well. In an Active Directory domain environment, a Windows Update icon is not placed in the notification area. It is assumed that in a domain, administrators will configure Windows Update for users. Notifications are only displayed for users if you change the default configuration to require user interaction.

Configuring Automatic Updating

Windows Vista organizes updates into two broad categories:

  • Security and recommended updates: Includes critical updates, security updates, update roll-ups, and service packs for the operating system and programs that ship with the operating system

  • Drivers and other optional updates: Includes updates to drivers that are provided with the operating system and recommended optional updates

By default, Windows Vista is configured to automatically install security and recommended updates only. New updates are installed daily at 3:00 A.M. You can configure automatic updates on a per-computer basis by completing the following steps:

  1. Click Start and then click Control Panel. In Control Panel, click System And Maintenance.

  2. On the System And Maintenance page, click Windows Update. This displays the Windows Update page.

  3. In the left panel, click Change Settings. This displays the Change Settings page.

  4. Specify whether and how updates should occur. By default, Install Updates Automatically is selected.

  5. If you've enabled updates and want to also install drivers and optional updates, select the Include Recommended Updates check box.

  6. Click OK.

In an Active Directory domain, you can centrally configure and manage automatic updating using the policy settings under Computer Configuration\Administrative Templates\Windows Components\Windows Update and under User Configuration\Administrative Templates\Windows Components\Windows Update. Table 1 summarizes the key policies.

Table 1: Policies for Managing Automatic Updating

| Policy Setting | Description |
|---|---|
| Enabling Windows Update Power Management | When enabled and the computer is configured for automated, scheduled installation of updates, Windows Update will use the computer's power management features to wake the computer from hibernation at the scheduled update time and then install updates. |
| Allow Automatic Updates Immediate Installation | When enabled, this setting allows Automatic Updates to immediately install updates that do not interrupt Windows services or require the computer to be restarted. These updates are installed immediately after they are downloaded and are ready to install. |
| Allow Non-Administrators To Receive Update Notifications | When enabled, this setting allows any user logged on to a computer to receive update notifications as appropriate for the Automatic Updates configuration. If disabled or not configured, only administrators receive update notifications. |
| Automatic Updates Detection Frequency | When enabled, this setting sets the interval to be used when checking for updates. By default, computers check approximately every 22 hours for updates. If you enable this policy and set a new interval, that interval will be used with a wildcard offset of up to 20 percent of the interval specified. This means that if you set an interval of 48 hours, the actual polling interval would be dependent on the computer and be between 38 and 48 hours. |
| Configure Automatic Updates | When you enable this setting, you can configure how Automatic Updates works using similar options to those described later in this chapter. You can also schedule the installation. |
| Delay Restart For Scheduled Installations | By default, when a restart is required after an automatic update, the computer is restarted after a five-minute delay. To use a different delay, enable this policy and then set the delay time. |
| Turn On Recommended Updates Via Automatic Updates | When enabled, recommended updates, including those from drivers and other optional updates, are installed along with other updates. |
| Enable Client-Side Targeting | When enabled, this setting allows an administrator to define a target group for the current Group Policy Object. Client-side targeting allows administrators to control which updates are installed on specified groups of computers. Before an update is deployed, it must be authorized for a particular target group. |
| No Auto-Restart For Scheduled Automatic Updates Installations | When enabled, this setting specifies that the computer will not automatically restart after installing updates that require a restart if a user is currently logged on. Instead, Automatic Updates will notify the user that a restart is needed and wait until the computer is restarted. Restarting the computer enforces the updates. |
| Re-Prompt For Restart With Scheduled Installations | When enabled and when Automatic Updates is configured for scheduled installation of updates, this setting ensures the logged-on user is prompted again after a set interval if a restart was previously postponed. If the setting is disabled or not configured, the default reprompt interval of 10 minutes is used. |
| Remove Access To Use All Windows Update Features | When you enable this setting, all Windows Update features are removed. Users are blocked from accessing Windows Update, and automatic updating is completely disabled. |
| Reschedule Automatic Updates Scheduled Installations | When enabled, this setting specifies the amount of time for Automatic Updates to wait after system startup before proceeding with a scheduled installation that was previously missed. |
| Specify Intranet Microsoft Update Service Location | When enabled, this setting allows you to designate the fully qualified domain name of the Microsoft Update Services server hosted by your organization and of the related statistics server. Both services can be performed by one server. |
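
One way to check which of the Table 1 policies are actually in force on a computer is to read the registry values those policies write and report on them. The PowerShell script below is an added example, not part of the original text: the function names and the sample hashtable are constructed, the registry value names are the ones the Windows Update policy templates write, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original text. Assumes PowerShell 2.0 or later.
# Function names and the sample hashtable are constructed for illustration.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-WindowsUpdatePolicy {
    # Merge the values under both policy keys into one hashtable.
    $policy = @{}
    foreach ($key in @($WuKey, $AuKey)) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        if ($null -eq $item) { continue }      # key exists but holds no values
        foreach ($p in $item.PSObject.Properties) {
            # Skip PSPath, PSParentPath and the other provider-added properties.
            if ($p.Name -notlike 'PS*') { $policy[$p.Name] = $p.Value }
        }
    }
    return $policy
}

function Test-WindowsUpdatePolicy {
    param([hashtable]$Policy)
    if ($Policy.Count -eq 0) {
        return 'INFO: no Windows Update policy is set; the local Change Settings choice applies'
    }
    $out = @()
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $out += 'FAIL: automatic updating is disabled (NoAutoUpdate=1)'
    } elseif ($Policy.ContainsKey('AUOptions')) {
        switch ([int]$Policy['AUOptions']) {
            2 { $out += 'WARN: the user decides whether to download and install (AUOptions=2)' }
            3 { $out += 'WARN: updates download, then wait for the user to install (AUOptions=3)' }
            4 {
                # Missing schedule values read as 0 (every day, hour 0).
                $days = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
                        'Thursday', 'Friday', 'Saturday'
                $day  = $days[[int]$Policy['ScheduledInstallDay']]
                $hour = [int]$Policy['ScheduledInstallTime']
                $out += "OK: updates install automatically, $day at ${hour}:00 (AUOptions=4)"
            }
            5 { $out += 'WARN: local administrators choose the update mode (AUOptions=5)' }
            default { $out += "WARN: unrecognized AUOptions value $_" }
        }
    }
    if ($Policy['DetectionFrequencyEnabled'] -eq 1) {
        # The polling interval is the configured value less an offset of up to 20 percent.
        $h   = [int]$Policy['DetectionFrequency']
        $low = [math]::Round($h * 0.8, 1)
        $out += "INFO: checks for updates every $low to $h hours"
    }
    if ($Policy['NoAutoRebootWithLoggedOnUsers'] -eq 1) {
        $out += 'WARN: no automatic restart while a user is logged on; updates needing a restart stay pending'
    }
    if ($Policy['UseWUServer'] -eq 1) {
        $out += "INFO: update server $($Policy['WUServer']), statistics server $($Policy['WUStatusServer'])"
    }
    return $out
}

# Constructed sample; the 48-hour interval is the one used in the Table 1 description.
$sample = @{
    AUOptions = 3
    NoAutoRebootWithLoggedOnUsers = 1
    DetectionFrequencyEnabled = 1
    DetectionFrequency = 48
    UseWUServer = 1
    WUServer = 'http://updates.example.internal'
    WUStatusServer = 'http://updates.example.internal'
}
'--- constructed sample ---'
Test-WindowsUpdatePolicy -Policy $sample
'--- this computer ---'
Test-WindowsUpdatePolicy -Policy (Get-WindowsUpdatePolicy)
```

An empty result for this computer means no Group Policy setting applies, so the per-computer choice made on the Change Settings page is in effect.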

Checking for Updates

The main Windows Update page provides details on the last time the computer or a user checked for updates, the last time updates were installed, and the current automatic update configuration. You can determine Windows Update usage or manually check for updates by following these steps:

  1. Click Start and then click Control Panel. In Control Panel, click System And Maintenance.

  2. On the System And Maintenance page, click Windows Update. Statistics are provided regarding the most recent check for updates, the last time updates were installed, and the current update configuration.

  3. If you want to manually check for updates, click Check For Updates.

Viewing Update History and Installed Updates

The Windows Update download manager tracks both successful and failed updates using an update history log. You can access this log by following these steps:

  1. Click Start and then click Control Panel. In Control Panel, click System And Maintenance.

  2. On the System And Maintenance page, click Windows Update.

  3. In the left panel, click View Update History. This displays the History page.

On the History page, updates listed with a Successful status were downloaded and installed. Updates listed with an Unsuccessful status were downloaded but failed to install. To remove an update while accessing the History page, click Installed Updates. Then on the Installed Updates page, right-click the update that you do not want and select Remove.

Modifying or Removing Automatic Updates to Recover from Problems

If an automatic update causes a problem on a system, don't worry. You can remove an automatic update in the same way that you uninstall any other program. Simply follow these steps:

  1. Click Start and then click Control Panel. In Control Panel, click System And Maintenance.

  2. On the System And Maintenance page, click Windows Update.

  3. Click View Update History and then click Installed Updates.

  4. To modify an update, select it in the list provided and then click Change.

  5. To remove an update, select it in the list provided and then click Remove.

Restoring Declined Updates

If a user declines an update that you want to install, you can restore the update so that it can be installed. To do this, complete the following steps:

  1. Click Start and then click Control Panel. In Control Panel, click System And Maintenance.

  2. On the System And Maintenance page, click Windows Update.

  3. Click Restore Hidden Updates.

  4. On the Restore Hidden Updates page, select an update you want to install and then click Restore.

  5. Windows Vista will unhide the declined update so that it can be reselected and installed through the normal notification and installation process.
