8.2. Internet Security
The greatest danger to your PC comes when you connect to the Internet, and because of that Windows Vista includes a substantial amount of online and network protection. For more details about online security, such as how to use Internet Explorer's phishing filter and how to handle online privacy, see Chapter 5. For details about fighting spam, see Chapter 6. For information about how to use encryption on wireless networks, see Chapter 7.
Internet Explorer Protected Mode
Protects a PC by isolating Internet Explorer from the rest of the operating system; changes outside the browser are allowed only after it first asks for permission.
By default, Protected Mode is turned on.
To turn it off, in Internet Explorer choose Tools → Internet Options → Security, and uncheck the box next to Enable Protected Mode.
Protected Mode, one of Internet Explorer's new security features, is also tied to Windows Vista's new UAC. It is designed to stop spyware and other malware from being installed without your knowledge, for example via drive-by downloads, which are downloads initiated by web sites or pop-up ads of which you might not be aware. It does more than that, though. Under Protected Mode, a user cannot install software and modify Internet Explorer files without first going through UAC warnings, shown in Figure 8-11. Under Protected Mode, Internet Explorer can write data only to the Temporary Internet Files folder, and if it wants to write elsewhere, it must first ask for permission.
Figure 8-11. The warning that Internet Explorer's Protected Mode issues when a web site tries to install software on your PC
By default, Protected Mode is turned on, and you're told that it's turned on via a notification at the bottom right of Internet Explorer (Figure 8-12). You can turn it off by double-clicking the notification and unchecking the box next to Enable Protected Mode. You can also turn it off by choosing Tools → Internet Options → Security, and unchecking the box next to Enable Protected Mode. You can do this on a per-zone basis so that you can turn it on for some zones and off for others.
Figure 8-12. Protected Mode turned on
See "Phishing Filter," in Chapter 5.
See "Pop-Up Blocker," in Chapter 5.
Virtual Private Network Connection
Make a secure, encrypted connection over the Internet to your workplace.
Control Panel → [Network and Internet] → [Network and Sharing Center] → Set up a connection or network
More and more people need to connect to their corporate networks when they are away from the office. The least expensive and safest way to do this is via a Virtual Private Network (VPN), which in essence creates a secure tunnel through the public Internet. On each end of the tunnel (at your PC and at your corporate network) data is encrypted and put inside a normal Internet packet. Because the data inside the packet is encrypted, no one can see it, but because it is also wrapped in a normal Internet packet, it can use the public Internet rather than requiring an expensive, private connection.
A network administrator needs to set up a VPN server at the workplace. When that is done, the administrator gives you the IP address or name of the server, and your username and password. Armed with that, you can create a VPN connection so that you can securely connect to the network from home, a wireless hotspot, a hotel room, or any other place where you can get Internet access.
Set up a VPN connection as you do other new network connections. (See Chapter 7 for details.) When you choose "Set up a connection or network" from the Network Center, choose "Connect to a Workplace." When prompted, choose the VPN connection option, and you'll be asked for more information (Figure 8-13). Enter the address or name of the VPN server, give it a name, click Next, and fill out the username, password, and domain information.
Figure 8-13. Setting up a VPN
When you're done, click Connect, and you'll make the connection. From now on, to connect to the VPN, make the connection from the Network Center by clicking "Connect to" and selecting the VPN connection you created.
VPNs can also protect you when you're at a public hotspot. For-pay VPN services will encrypt all of your data when you're at the hotspot so that the information cannot be snooped upon. An example of such a service is HotSpotVPN (http://www.hotspotvpn.com), which charges $8.88 per month for access. Set up a VPN connection to this kind of service in the same way you would create a VPN connection to your workplace. The service will give you the server, username, and password information that you need to set up the connection.
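Once a connection has been created with "Connect to a Workplace," it can also be brought up and checked from a script, which is handy for laptops that connect from hotspots. The following is an added example, not code from the book; it uses rasdial, the dial-up/VPN command-line tool that ships with Windows, and the entry name "Work VPN" and user "jdoe" are assumptions for the example.

```powershell
# Added example (not from the book): connect to a VPN entry created through
# "Connect to a Workplace", confirm it is up, and disconnect. rasdial ships
# with Windows; it returns exit code 0 on success. Entry and user names here
# are assumptions.

function Connect-VpnEntry {
    param([string]$EntryName, [string]$UserName)
    # Passing "*" as the password makes rasdial prompt for it, so the password
    # never sits in a script file or in the command history.
    if ($UserName) {
        & rasdial.exe $EntryName $UserName "*"
    } else {
        & rasdial.exe $EntryName        # credentials saved with the entry
    }
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial failed for '$EntryName' (exit code $LASTEXITCODE)"
    }
}

function Test-VpnEntryUp {
    param([string]$EntryName)
    # rasdial with no arguments lists the entries that are currently connected.
    $connected = & rasdial.exe
    return [bool]($connected | Where-Object { $_ -eq $EntryName })
}

function Disconnect-VpnEntry {
    param([string]$EntryName)
    & rasdial.exe $EntryName /DISCONNECT | Out-Null
}

Connect-VpnEntry -EntryName "Work VPN" -UserName "jdoe"
if (Test-VpnEntryUp "Work VPN") {
    # Show the tunnel (PPP) adapter and its address so you can confirm that
    # traffic is going through the VPN rather than straight out of the hotspot.
    ipconfig | Select-String -Pattern "PPP adapter", "IPv4 Address"
}
# When you are done:
# Disconnect-VpnEntry "Work VPN"
```

The check at the end matters at a public hotspot: if the PPP adapter is missing, the connection was not established and your traffic is still going out unencrypted.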
Windows Defender: \Program Files\Windows Defender\MSASCui.exe
Protect your PC against spyware, home-page hijackers, and other threats.
Start → Control Panel → Security → Windows Defender
Double-click the Windows Defender icon in the System Tray
Command Prompt → \Program Files\Windows Defender\MSASCui.exe
Windows Defender is the antispyware software included with Windows Vista (see Figure 8-14). It protects against spyware, home-page hijackers, and similar threats, but it won't protect against viruses. For that, you'll need to buy a subscription to a security service such as Windows OneCare Live, or antivirus software such as Norton AntiVirus (http://www.symantec.com), PC-Cillin (http://www.trendmicro.com), or avast! antivirus (http://www.avast.com), which is free for personal use. Before installing an antivirus program, make sure that it's the Windows Vista version.
Figure 8-14. Windows Defender, which protects your PC against spyware but not viruses
Windows Defender offers you automatic protection against spyware. It runs in the background as you use your computer, and it is designed to stop spyware before it infects your computer. When a piece of spyware attempts to install itself, hijack your home page, or do other damage, Windows Defender deletes the software and puts it into a quarantine area, where you can examine it later on. Should you decide that Windows Defender deleted the software in error, you can restore it.
In instances where there has been a threat to your PC but there's no software to quarantine (for example, when a web site tried to hijack your home page by resetting it), Windows Defender stops the action.
In addition to providing this kind of real-time protection, Windows Defender also comes preconfigured to scan your computer once a day for spyware, in the same way that antivirus software scans PCs for viruses. When Windows Defender finds a piece of malware, it deletes it and quarantines it. You can go to the quarantine area and restore the software if you believe that Windows Defender deleted the file in error.
New spyware is constantly being released, so Windows Defender regularly downloads definition updates to help protect your PC against the newest threats. Different pieces of spyware exhibit different patterns of unique behavior, called definitions. By constantly updating its definitions, Windows Defender can protect you against emerging threats.
Doing a scan
Windows Defender, by default, scans your system for spyware once a day, but anytime you want it to scan, just click Scan at the top of the Windows Defender screen. That performs a full scan; that is, it scans all your files and folders. If you want to perform a more abbreviated scan, click the down arrow to the right of the Scan icon and choose Quick Scan. That will perform a scan of only the areas of your PC that are most liable to be infected: specifically, the Windows folder and subfolders, the Program Files folder and subfolders, and the Registry. To customize which files and folders to scan, click the down arrow to the right of the Scan icon, select Custom Scan, click "Scan selected drives and folders," and then select the drives and folders you want to scan and click Scan Now.
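The same three scan types can be started without the graphical program, which is useful for scheduled jobs or for scanning a machine over a remote shell. This is an added example, not code from the book or from Microsoft; it assumes that MpCmdRun.exe, Windows Defender's command-line front end, sits beside MSASCui.exe in \Program Files\Windows Defender, and the wrapper function and its names are the example's own.

```powershell
# Added example (not from the book): run a Quick, Full, or Custom scan from a
# script. Assumes MpCmdRun.exe is present in the Windows Defender folder.
$defender = Join-Path $env:ProgramFiles "Windows Defender\MpCmdRun.exe"
if (-not (Test-Path $defender)) { throw "MpCmdRun.exe not found at $defender" }

function Invoke-DefenderScan {
    param([string]$Type = "Quick", [string]$Path)
    # Pull the newest definitions first, as the "Automatic scanning" option does.
    & $defender -SignatureUpdate | Out-Null
    switch ($Type) {
        "Quick"  { & $defender -Scan -ScanType 1 }            # Windows, Program Files, Registry
        "Full"   { & $defender -Scan -ScanType 2 }            # every file and folder
        "Custom" { & $defender -Scan -ScanType 3 -File $Path } # one drive or folder
        default  { throw "Unknown scan type: $Type" }
    }
    # MpCmdRun returns 0 when the scan completed and found nothing; treat
    # anything else as needing a look at History and Quarantined items.
    return $LASTEXITCODE
}

$result = Invoke-DefenderScan -Type Custom -Path "D:\Downloads"   # path is an assumption
if ($result -ne 0) {
    Write-Warning "Windows Defender scan returned $result; review History and Quarantined items in MSASCui.exe"
}
```

Updating definitions before each scan is the same choice the Options screen offers under "Automatic scanning"; a scan run against stale definitions will miss whatever was released since the last update.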
Viewing your history
Click History at the top of the screen and you'll view the history of all actions that Windows Defender has taken, including issuing alerts, putting files into quarantine, and so on.
Customizing the settings
Although Windows Defender comes preconfigured to protect you, you can also customize it in numerous ways. From the Windows Defender main screen, click Tools, and you'll be able to change these settings:
Options
Here's where you set your scan schedule, the default actions Windows Defender takes when it comes across spyware, and your real-time protection options. (This is pictured in Figure 8-15.) In the "Automatic scanning" section, select the scan frequency (either daily, or choose a day of the week), the time you want the scan to be performed, and the type of scan (Quick scan, Full scan, or Custom scan). Also choose whether to automatically download the newest definitions before scanning and whether to scan inside archives, such as .zip archives.
Figure 8-15. The Options screen, which lets you customize most aspects of Windows Defender
You also choose the action that Windows Defender should take when it comes across a piece of spyware, in the "Default actions" section. You can choose to remove it, ignore it, or follow the "Default action." In that case, the definition itself will determine whether to remove or ignore the software. For example, a dangerous piece of spyware would be removed, but a piece of adware might be ignored.
The "Real-time protection options" section determines which kind of real-time shields the program should put up against spyware. The details of all of them are too lengthy to go into here, but by default, they're all selected, and you should leave them that way. This section also lets you determine when Windows Defender should notify you when a piece of software wants to make a system change. You then have the option of allowing or disallowing the change. By default, you're notified only when software that Windows Defender has not yet classified as safe tries to make a change. If you want to be notified when even "allowed" software makes a change (in other words, software that is known to be safe), check the box next to "When changes are detected from allowed software."
The Administrator section lets you determine whether only administrators, or anyone who uses the system, can start a scan and remove spyware. By default, anyone can. To change the option, uncheck the box.
Microsoft SpyNet
This is one of the ways that Windows Defender determines what is spyware and what isn't. When you click Microsoft SpyNet, you're brought to a screen that lets you join it. When you join, every time you delete a program using Windows Defender because you believe it's spyware, that information is sent to Microsoft. Information from everyone is collated, and this helps Windows Defender decide what is spyware. You can become a basic or advanced member of SpyNet, or not join at all. With a basic membership, only information about your actions is sent to SpyNet. With an advanced membership, information about your actions, plus additional information, is sent, possibly including personal information. Note that you don't have to join in order to use Windows Defender, so choosing not to join won't affect how the program works.
Quarantined items
Click on this icon, and you're brought to a screen that displays all of the items that Windows Defender has deleted and put into quarantine. For each item, you'll see the name of the file or program, the alert level assigned to it, and the date it was quarantined. To take an item out of quarantine, highlight it and click Restore. To delete an item permanently, highlight it and click Remove. Unless you absolutely know a file is safe, don't restore it from quarantine.
Software Explorer
Whenever you run your PC, programs and services run in the background. The Software Explorer section of Windows Defender (Figure 8-16) lists them all for you and lets you terminate any that may be dangerous. When you get to the page, choose Startup Programs from the drop-down list and you'll see a list of programs that automatically start when you turn on your PC. Click on any to see details about it, such as the publisher, filename, file size, whether it ships with the operating system, and so on. Also included is a SpyNet Voting section, which shows you whether other people consider the file to be spyware. To stop a program from running on startup, highlight it and click Disable. The Show for All Users button at the bottom of the screen displays all software and services running for all users of the PC and lets you click Remove/Enable/Disable for programs and services that are running with elevated privileges.
Figure 8-16. The Software Explorer, which lets you get details about any piece of software currently running on your PC
When you choose Currently Running Programs from the drop-down list, you'll see all the services and files that are running on your system. Again, highlight any for details about it, and click End Process to end it.
When you choose Network Connected Programs from the drop-down list, you'll see the list of Internet-related services and programs currently running. Highlight any for details. To end one, highlight it and click End Process. You can also keep a service running but block it from receiving any incoming data. You might want to do this if you suspect a Trojan or other rogue program, but you're not sure whether it is dangerous and you don't want to terminate it. Highlight the program and click Block Incoming Connections.
Choosing Winsock Service Providers from the list shows you what Winsock Layered Service Providers are running. Winsock Layered Service Providers are services required for network and Internet communications. Most Service Providers are necessary for your system, but some spyware authors write malicious Winsock Layered Service Providers. However, Windows Defender gives you no way to distinguish the good from the bad and no way to halt the bad. This section is mainly for informational purposes.
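The Startup Programs and Network Connected Programs views can be reproduced from the command line, which lets you save a baseline and compare it later, or review a machine you cannot sit in front of. The following is an added example, not code from the book or part of Windows Defender; it uses only built-in tools (WMI, Get-Process, and netstat) and should be run from an elevated prompt so that netstat can report the owning process for every socket.

```powershell
# Added example (not from the book): a command-line stand-in for the Startup
# Programs and Network Connected Programs views of Software Explorer.

function Get-StartupPrograms {
    # Win32_StartupCommand covers the Run registry keys and the Startup
    # folders, the same sources Software Explorer lists.
    Get-WmiObject Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

function Get-NetworkConnectedPrograms {
    # netstat -ano prints one line per socket with the owning PID last.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # TCP rows: proto, local, foreign, state, pid; UDP rows have no state.
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            $state = $f[3]; $owner = [int]$f[4]
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            $state = ''; $owner = [int]$f[3]
        } else {
            return    # header or blank line
        }
        $p = $procs[$owner]
        $name = '?'; $path = ''
        if ($p) { $name = $p.ProcessName; $path = $p.Path }
        New-Object PSObject -Property @{
            Protocol = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            OwnerPid = $owner; Process = $name; Path = $path
        }
    }
}

# Startup list, as Software Explorer shows it.
Get-StartupPrograms | Format-Table -AutoSize

# Programs with an open connection to another host. A process you do not
# recognize, or one running from a temp folder, is what to look at first.
Get-NetworkConnectedPrograms |
    Where-Object { $_.State -eq 'ESTABLISHED' } |
    Sort-Object Process |
    Format-Table Process, OwnerPid, Local, Remote, Path -AutoSize
```

Saving both listings to a file right after a clean install gives you a baseline; a later diff against it shows any startup entry or listening program that has appeared since, which is the same question Software Explorer is answering interactively.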
Allowed items
Windows Defender automatically creates a list of programs that it considers safe. To see the list, click "Allowed items." If you think any are not safe, highlight them and click Remove.
Windows Defender web site
Click here to go to the Windows Defender web site and get the latest news, information, and help about Windows Defender and about spyware in general.
Windows Defender protects against spyware but not against other malware such as viruses and Trojans. So you'll need an antivirus program in addition to Windows Defender to be fully protected against malware.
Spyware may be installed on your computer when you click on pop-up ads, or when a "drive-by download" installs itself without your knowledge. Internet Explorer includes built-in tools for preventing against these and other dangers. See Chapter 5 for details.
The complex nature of spyware means that no single antispyware program is capable of protecting you against all spyware threats. So it's a good idea to use another piece of antispyware software in addition to Windows Defender. Good free ones are Ad-Aware (http://www.lavasoft.com) and Spybot Search & Destroy (http://www.safer-networking.org).
See "Windows Firewall," discussed next, and "Pop-Up Blocker," in Chapter 5.
Windows Firewall: \windows\system32\firewall.cpl (Windows Firewall Control Panel applet; basic features): \windows\system32\wf.msc (Windows Firewall with Advanced Security Group Policy; advanced features)
Protects against Internet-based and network-based threats.
Control Panel → [Security] → Windows Firewall
Control Panel → [Network and Internet] → Windows Firewall
Command Prompt → firewall.cpl (Windows Firewall Control Panel applet)
Command Prompt → wf.msc (Windows Firewall with Advanced Security Group Policy)
The Windows Firewall protects your PC against Internet threats by acting as a gatekeeper of sorts between you and the Internet, allowing only nonmalicious traffic through. It permits or denies network communication based on a predefined set of rules. These rules restrict communication so that only certain applications are permitted to use your network connection, or only certain network ports may be used. This effectively closes backdoors to your computer that viruses, hackers, and other malicious applications might otherwise exploit.
Windows Vista's firewall is a significant upgrade over the Windows XP firewall because it filters both inbound and outbound connections. (The Windows XP firewall blocked only inbound connections.) The addition of outbound filtering is important because some spyware, Trojans, and malicious software "phone home"; that is, they live on your PC, silently, and then make an outbound connection to someone who uses that connection for malicious purposes. The Windows Vista Firewall, however, blocks those outbound connections.
By default, both outbound and inbound protection are turned on when you install Windows Vista.
Windows Vista offers an exceptional amount of control over how the Windows Firewall runs. You can block or allow specific applications from making inbound or outbound connections; you can block or allow specific inbound and outbound ports; you can customize how certain applications access the Internet; and more.
Turning the Windows Firewall on and off is simple; select Control Panel → [Security] → Turn Windows Firewall on or off, and on the General tab select On, then click OK.
The primary way to control the Windows Firewall is via the Windows Firewall Control Panel applet, which is the only obvious way of doing it. That applet, though, gives you control over inbound connections only; you can't use it to customize outbound connections. To customize outbound connections, you'll instead have to use Windows Firewall with Advanced Security in Group Policy. Windows Firewall with Advanced Security in Group Policy also gives you far more control over every aspect of the Windows Firewall.
For most purposes, the Control Panel applet works fine, but for fine-grained control and to customize outbound connections, you'll have to turn to the Windows Firewall with Advanced Security in Group Policy.
Windows Firewall Control Panel
The Windows Firewall Control Panel applet has the following three tabs:
General
In this tab you can switch the firewall on and off (see Figure 8-17). You can also use this tab to completely block any program from accepting connections from the Internet. Check "Block all incoming connections" if you have a laptop with a wireless adapter, you're in a public location, and you don't want anyone to connect to your computer.
Figure 8-17. Controlling the basic functions of the Windows Firewall
You should never have more than one firewall running at one time, so if you're using a third-party firewall, such as ZoneAlarm or Norton Personal Firewall, you should turn off your Windows Firewall. Most third-party firewalls will turn off the Windows Firewall, but it's a good idea to check, just in case.
Exceptions
This tab lists programs or services that have attempted to make an Internet connection, as well as some services and programs that have not yet attempted to make a connection. Those with ticked checkboxes have been granted access; the rest are currently blocked. To grant access to one that is currently blocked, check the box next to it; to take away access from any, uncheck the box. For details about any program on the list, highlight it and click Properties.
To add a new program to the list, click the Add Program button to display a list of your installed software and double-click any application that you want to block or unblock. The Browse button on this dialog box lets you track down individual executables that don't appear on the list. The Add Port button lets you grant or deny access to a specific port by name and port number. Both the Add Program and Add Port buttons lead to dialog boxes with a "Change scope" button, where you can restrict the exception to just your network, a set of IP addresses and subnets that you specify, or any computer on the Internet (the default).
For details about any program on the Exceptions list, highlight it and click Properties. You'll get a brief description of the program, as well as a "How do I view and edit all properties?" link that leads to the Windows Vista help system. Don't bother to click the link; it leads to generic help about the Windows Firewall. However, if you dig deep enough, you'll find out that if you want to change the properties of how the firewall treats any program on the Exceptions list, you'll have to use the Windows Firewall with Advanced Security Group Policy. For details about how to use it, see the next section.
Advanced
This tab controls the level of access that each connection has to network services such as web servers, FTP servers, and remote desktop functions. The Restore Defaults button returns Windows Firewall to its factory settings.
Windows Firewall with Advanced Security
Group Policy gives you a great deal of control over how the Windows Firewall runs. You can run the Windows Firewall with Advanced Security by running the file wf.msc in C:\Windows\System32 (Figure 8-18).
Figure 8-18. This powerful tool lets you customize almost every aspect of how the Windows Firewall works
This is a very powerful tool, and detailing every way you can customize the Windows Firewall with it is beyond the scope of this book. These, though, are the tool's most useful features:
Windows Firewall Properties
Click this link to customize how the Windows Firewall works on domains, public networks, and private networks (Figure 8-19). For each, you can choose to have the firewall turned on or off (off on a domain, for example, and on when on a public network), and you can fine-tune it by outbound and inbound connections. You can also control whether the firewall will send messages when it blocks a connection, and you can configure IPsec security settings.
Figure 8-19. Configuring how the Windows Firewall works on domains, as well as on public and private networks
Inbound Rules and Outbound Rules
Click this link to fine-tune how the Windows Firewall handles the way specific programs make inbound or outbound connections. This section is particularly relevant for network administrators, because it will allow them to customize how specific users and computers can access network connections and applications. The Outbound Rules link is the only way you can customize how the Windows Firewall handles outbound connections. Apart from that, however, you'll use these links only if you're a network administrator.
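Everything the Windows Firewall Properties and Inbound/Outbound Rules sections expose can also be set with netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security that ships with Windows Vista, which is the practical way to apply the same rules to several machines. The following is an added example, not code from the book or from Microsoft; the program path and the rule names are assumptions, and it must be run from an elevated prompt. (The New-NetFirewallRule cmdlets belong to Windows 8 and later and are not available on Vista.)

```powershell
# Added example (not from the book): per-profile settings plus one outbound
# and one inbound rule, applied with netsh advfirewall from an elevated
# PowerShell prompt. Paths and rule names are assumptions.

# 1. Profile state: firewall on for domain, private, and public, with the
#    defaults of block inbound / allow outbound (the "(default)" policy the
#    console shows on each profile tab).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Outbound rule: keep one specific program from "phoning home" at all.
#    This is the control the Control Panel applet cannot give you.
netsh advfirewall firewall add rule name="Block Example Updater outbound" `
    dir=out action=block program="C:\Program Files\Example\updater.exe" `
    enable=yes profile=any

# 3. Inbound rule with a scope: allow Remote Desktop, but only from the local
#    subnet (the same restriction as "Change scope" in the applet), and only
#    on the domain and private profiles, never on public.
netsh advfirewall firewall add rule name="Allow RDP from LAN only" `
    dir=in action=allow protocol=TCP localport=3389 `
    remoteip=localsubnet profile=domain,private enable=yes

# 4. Public profile: accept nothing inbound at all, matching "Block all
#    incoming connections" on the General tab, and show a notification when
#    a program is blocked so you know why something stopped working.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
netsh advfirewall set publicprofile settings inboundusernotification enable

# Review what was created before relying on it.
netsh advfirewall firewall show rule name="Block Example Updater outbound"
netsh advfirewall firewall show rule name="Allow RDP from LAN only"
netsh advfirewall show allprofiles
```

Rule 3 is the one to get right: an inbound allow with remoteip=any on the public profile would open Remote Desktop to every hotspot you visit, which is exactly the situation the General tab's "Block all incoming connections" option exists to prevent.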
There are third-party firewall solutions available that might provide a higher level of security or more options, but the Windows Firewall should provide an adequate level of protection for most home and small-office computers and networks.
By default, Windows Vista does not log communication blocked by the Windows Firewall. To enable firewall logging, go to the Overview section of Windows Firewall with Advanced Security in Group Policy, select Windows Firewall Properties, and on the Domain Profile, Private Profile, and Public Profile tabs, click Customize in the logging section, then select On for both "Log dropped packets" and "Log successful connections." The default location of the log is \Windows\pfirewall.log, which is a text file that you can open in Notepad.
If you find that a particular program no longer works, the problem may be that the Windows Firewall is blocking it for some reason. Verify that the firewall is causing the problem by temporarily disabling it and trying again. If the firewall is indeed the culprit, add a new rule to permit the program to communicate over your Internet connection.
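The log is the fastest way to answer the question in the preceding paragraph, because a dropped SEND entry names the direction and port of the blocked traffic without your having to disable the firewall. The following is an added example, not code from the book or from Microsoft: it turns on the logging described above with netsh (the command-line equivalent of the Customize dialog) and then summarizes pfirewall.log. The log lines at the bottom are constructed for the example in the file's real format; on a machine, run Get-DroppedPackets against the log file from an elevated prompt.

```powershell
# Added example (not from the book): enable firewall logging with netsh, then
# summarize dropped packets from pfirewall.log by direction and port.

# Log both dropped packets and successful connections, as the text describes,
# and keep the log where the text says it lives.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging filename "$env:windir\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096    # kilobytes

function Get-DroppedPackets {
    param([string[]]$Lines)
    # pfirewall.log is W3C-style: a "#Fields:" header names the columns and
    # every data line is space-separated in that order.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ($rec['action'] -eq 'DROP') { New-Object PSObject -Property $rec }
    }
}

# Constructed sample in the real file's layout (not taken from any machine).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-06-01 09:15:02 DROP TCP 192.168.1.77 192.168.1.10 51200 445 52 S 10001 0 8192 - - - RECEIVE
2007-06-01 09:15:03 DROP TCP 192.168.1.77 192.168.1.10 51201 139 52 S 10002 0 8192 - - - RECEIVE
2007-06-01 09:15:09 ALLOW TCP 192.168.1.10 10.0.0.5 49152 80 - - - - - - - - SEND
2007-06-01 09:16:30 DROP UDP 192.168.1.10 10.0.0.9 61000 53 70 - - - - - - - SEND
'@ -split "`r?`n"

# Real use: $log = Get-Content "$env:windir\pfirewall.log"; Get-DroppedPackets $log
# A dropped SEND is a program of yours being blocked (the troubleshooting case
# above); repeated RECEIVE drops on 445/139 from one address are a host
# probing your file-sharing ports and are working as intended.
Get-DroppedPackets $sample |
    Group-Object path, 'dst-port' |
    Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

With the log in hand, the fix for a blocked program becomes a narrow rule for that program and port rather than the temporary "turn the firewall off" test, which leaves the machine exposed while you experiment.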
See "Group Policy Object Editor," in Chapter 10.