Using Windows Defender CHAPTER 24
1153
• High: Similar to the severe rating, but slightly less damaging. You should always remove this software.
• Medium: Assigned to potentially unwanted software that might compromise your privacy, affect your computer’s performance, or display advertising. In some cases, software classified at a Medium alert level might have legitimate uses. Evaluate the software before allowing it to be installed.
• Low: Assigned to potentially unwanted software that might collect information about you or your computer or change how your computer works but operates in agreement with licensing terms displayed when you installed the software. This software is typically benign, but it might be installed without the user’s knowledge. For example, remote control software might be classified as a Low alert level because it could be used legitimately, or it might be used by an attacker to control a computer without the owner’s knowledge.
• Not yet classified: Programs that haven’t yet been analyzed.
Understanding Microsoft SpyNet
Microsoft’s goal is to create definitions for all qualifying software. However, thousands of new applications are created and distributed every day, some of which have behaviors unwanted by some people. Because of the rapid pace of newly released software, people can possibly encounter potentially unwanted software that Microsoft has not yet classified. In these cases, Windows Defender should still warn the user if the software takes a potentially undesirable action such as configuring itself to start automatically each time the computer is restarted.
To help users determine whether to allow application changes (detected by real-time protection) when prompted, Windows Defender contacts Microsoft SpyNet to determine how other users have responded when prompted about the same software. If the change is part of a desired software installation, most users will have approved the change, and Windows
Tools page.
In addition to providing feedback to users about unknown software, SpyNet is also a valuable resource to Microsoft when identifying new malware. Microsoft analyzes information in SpyNet to create new definitions. In turn, this helps slow the spread of potentially unwanted software.
Configuring Windows Defender Group Policy
You can configure some aspects of Windows Defender Group Policy settings. Windows Defender Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender. From that node, you can configure the following settings:
• Turn On Definition Updates Through Both WSUS And Windows Update: Enabled by default, this setting configures Windows Defender to check Windows Update when a WSUS server is not available locally. This can help ensure that mobile clients, who might not regularly connect to your local network, can receive all new signature updates. If you disable this setting, Windows Defender checks for updates using only the setting defined for the Automatic Updates client—either an internal WSUS server or Windows Update. For more information about WSUS and distributing updates, read Chapter 23, “Managing Software Updates.”
DIRECT FROM THE SOURCE
Analysis of Potentially Unwanted Software
Sterling Reasor, Program Manager
Windows Defender
Keeping up to date with the current malware definitions can help protect your
computer from harmful or potentially unwanted software. Microsoft has taken
several steps to create definition updates, including gathering new samples of
all detected threats automatically after about ten minutes. Enable this policy to configure
Windows Defender to prompt the user to choose how to respond to a threat.
• Configure Microsoft SpyNet Reporting: SpyNet is the online community that helps users choose how to respond to potential spyware threats that Microsoft has not yet classified by showing users how other members have responded to an alert. When enabled and set to Basic or Advanced, Windows Defender will display information about how other users responded to a potential threat. When enabled and set to Basic, Windows Defender will also submit a small amount of information about the potentially malicious files on the user’s computer. When set to Advanced, Windows Defender will send more detailed information. If you enable this setting and set it to No Membership, SpyNet will not be used, and the user will not be able to change the setting. If you leave this setting Disabled (the default), SpyNet will not be used unless the user changes the setting on his local computer. The Microsoft Malware Protection Center recommends that this setting be set to Advanced to provide their analysts with more complete information on potentially unwanted software.
Windows Defender Group Policy settings are defined in WindowsDefender.admx, which
is included with Windows 7. For more information about using Group Policy administrative
templates, read Chapter 14, “Managing the Desktop Environment.”
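The following PowerShell script is an added example, not code from the book or from its companion media. It reads the registry values that the Windows Defender Group Policy settings described above write to on a Windows 7 computer, reports which setting is in effect, and can set SpyNet reporting to Advanced, the level the Microsoft Malware Protection Center recommends. The policy key path and the value names (SpyNetReporting, CheckAlternateDownloadLocation, DisableAntiSpyware) are assumptions taken from the policy definitions in WindowsDefender.admx; confirm them against that file before relying on the report.

```powershell
# Added example (not from the book): audit the Windows Defender policy registry values that
# the Group Policy settings in this section write to, and optionally set SpyNet reporting
# to Advanced (the Microsoft Malware Protection Center recommendation).
# ASSUMPTION: key path and value names are taken from WindowsDefender.admx; confirm them
# against the ADMX file before depending on this report.
$DefenderPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the policy is Not Configured (key or value absent).
    if (-not (Test-Path -Path $Key)) { return $null }
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return [int]$props.$Name
}

function Get-DefenderPolicyReport {
    # Configure Microsoft SpyNet Reporting: 0 = No Membership, 1 = Basic, 2 = Advanced.
    $spyNet = Get-PolicyDword -Key "$DefenderPolicyKey\Spynet" -Name 'SpyNetReporting'
    if ($spyNet -eq $null)  { $spyNetText = 'Not configured (user may change it locally)' }
    elseif ($spyNet -eq 0)  { $spyNetText = 'No Membership (locked by policy)' }
    elseif ($spyNet -eq 1)  { $spyNetText = 'Basic' }
    elseif ($spyNet -eq 2)  { $spyNetText = 'Advanced (MMPC recommendation)' }
    else                    { $spyNetText = "Unrecognized value $spyNet" }

    # Turn On Definition Updates Through Both WSUS And Windows Update (enabled by default).
    # ASSUMPTION: stored as CheckAlternateDownloadLocation under the Signature Updates subkey.
    $alt = Get-PolicyDword -Key "$DefenderPolicyKey\Signature Updates" -Name 'CheckAlternateDownloadLocation'
    if ($alt -eq $null)  { $altText = 'Not configured (defaults to enabled)' }
    elseif ($alt -eq 1)  { $altText = 'Enabled' }
    else                 { $altText = 'Disabled (updates only from the Automatic Updates source)' }

    # Turn Off Windows Defender: a value of 1 turns the service off entirely.
    $disabled = Get-PolicyDword -Key $DefenderPolicyKey -Name 'DisableAntiSpyware'

    New-Object PSObject -Property @{
        SpyNetReporting          = $spyNetText
        DefinitionsViaWsusAndWu  = $altText
        DefenderDisabledByPolicy = ($disabled -eq 1)
    }
}

function Set-SpyNetReportingPolicy {
    param([ValidateSet('NoMembership', 'Basic', 'Advanced')][string]$Level)
    # Requires an elevated prompt; writes the same value the Group Policy setting would.
    $value = @{ NoMembership = 0; Basic = 1; Advanced = 2 }[$Level]
    $key = "$DefenderPolicyKey\Spynet"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'SpyNetReporting' -Value $value -Type DWord
}

# Usage: print the current policy state; uncomment the next line to enforce Advanced.
Get-DefenderPolicyReport | Format-List
# Set-SpyNetReportingPolicy -Level Advanced
```

Values written directly under HKLM\SOFTWARE\Policies are overwritten at the next Group Policy refresh on a domain member, so on managed computers treat Set-SpyNetReportingPolicy as a way to test the setting locally and deploy the real change through the GPO.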
Configuring Windows Defender on a Single Computer
Besides the settings that you can configure by using Group Policy, Windows Defender includes many settings that you can configure only by using the Windows Defender Options page on a local computer. To open the Options page, start Windows Defender by searching the Start menu, selecting Tools, and then selecting Options. Some of the settings you can configure from this page include:
• Frequency and time of automatic scans
pop-up advertisements appear when the user is not using the Web.
• When the user attempts to visit a Web page, she is redirected to a completely different Web page.
• The computer runs more slowly than usual. This can be caused by many different problems, but spyware is one of the most common causes.
Some spyware might not have any noticeable symptoms, but it still might compromise
private information. For best results, run Windows Defender real-time protection with daily
quick scans.
Best Practices for Using Windows Defender
To receive the security benefits of Windows Defender while minimizing the costs, follow these
best practices:
• Teach users how malware works and the problems that malware can cause. In particular, focus on teaching users to avoid being tricked into installing malware by social engineering attacks.
• Before deploying Windows 7, test all applications with Windows Defender enabled to ensure that Windows Defender does not alert users to normal changes the application might make. If a legitimate application does cause warnings, add the application to the Windows Defender allowed list.
• Change the scheduled scan time to meet the needs of your business. By default, Windows Defender scans at 2 A.M. If third-shift staff uses computers overnight, you might want to find a better time to perform the scan. If users turn off their computers when they are not in the office, you should schedule the scan to occur during the day. Although the automatic quick scan can slow computer performance, it typically takes fewer than 10 minutes, and users can continue working. Any performance cost typically is outweighed by the security benefits.
Often, spyware might install software that is classified as a virus, or the vulnerability
exploited by spyware might also be exploited by a virus. Windows Defender does not
detect or remove viruses. Remove any viruses installed on the computer.
4. If you still see signs of malware, install an additional antispyware and antivirus application from a known and trusted vendor. With complicated infections, a single anti-malware tool might not be able to remove the infection completely. Your chances of removing all traces of malware increase by using multiple applications, but you should not configure multiple applications to provide real-time protection.
5. If problems persist, shut down the computer and use the Startup Repair tool to perform a System Restore. Restore the computer to a date prior to the malware infection. System Restore will typically remove any startup settings that cause malware applications to run, but it will not remove the executable files themselves. Use this only as a last resort: Although System Restore will not remove a user’s personal files, it can cause problems with recently installed or configured applications. For more information, see Chapter 29, “Configuring Startup and Troubleshooting Startup Issues.”
These steps will resolve the vast majority of malware problems. However, when malware has run on a computer, you can never be certain that the software is removed completely. In particular, malware known as rootkits can install themselves in such a way that they are difficult to detect on a computer. In these circumstances, if you cannot find a way to confidently remove the rootkit, you might be forced to reformat the hard disk, reinstall Windows, and then restore user files using a backup created prior to the infection.
Network Access Protection
Many organizations have been affected by viruses or worms that entered their private networks through a mobile PC and quickly infected computers throughout the organization. Windows Vista, when connecting to a Windows Server 2008 infrastructure, supports Network
• Health requirement policy compliance: Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with the required updates through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with health requirement policies have limited access until the software and
configuration updates are completed. Again, in both environments, the administrator
can define policy exceptions.
• Limited access for noncompliant computers: Administrators can protect network assets by limiting the access of computers that do not comply with health requirement policies. Computers that do not comply will have their network access limited as defined by the administrator. That access can be limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the limited access will last for the duration of the connection. If an administrator configures health update resources, the limited access will last only until the computer is brought into compliance.
NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding features that verify and remediate a computer’s health to comply with health requirement policies. By itself, NAP does not provide features to verify or correct a computer’s health. Other features, known as system health agents (SHAs) and system health validators (SHVs), provide automated system health reporting, validation, and remediation. Windows Vista, Windows Server 2008, and Windows 7 include an SHA and an SHV that allow the network administrator to specify health requirements for the services monitored by the Windows Security Center.
typically would be deployed on servers to protect applications, networks, and infrastructure.
Enterprise management of anti-malware software is useful for:
• Centralized policy management.
• Alerting and reporting on malware threats in your environment.
• Comprehensive insight into the security state of your environment, including security update status and up-to-date signatures.
Forefront provides a simple user interface for creating policies that you can distribute
automatically to organizational units and security groups by using GPOs. Clients also centrally
report their status so that administrators can view the overall status of client security in the
enterprise.
With Forefront, administrators can view statistics ranging from domain-wide to specific
groups of computers or individual computers to understand the impact of specific threats. In
other words, if malware does infect computers in your organization, you can easily discover
the infection, isolate the affected computers, and then take steps to resolve the problems.
Forefront also provides a client-side user interface. Similar to Windows Defender, Forefront
can warn users if an application attempts to make potentially malicious changes, or if it detects
known malware attempting to run. The key differences between Defender and Forefront are:
• Forefront is managed centrally: Forefront is designed for use in medium-sized and large networks. Administrators can use the central management console to view a summary of current threats and vulnerabilities, computers that need to be updated, and computers that are currently having security problems. Windows Defender is designed for home computers and small offices only, and threats must be managed on local computers.
• Forefront is highly configurable: You can configure automated responses to alerts, and, for example, prevent users from running known malware instead of giving them
One of the most significant security features is UAC. By default, both users and administrators are limited to standard user privileges, which reduces the damage that malware could do if it were to start a process successfully in the user context. If an application needs elevated privileges, UAC prompts the user to confirm the request or to provide administrator credentials. Because UAC changes the default privileges for applications, it can cause problems with applications that require administrative rights. To minimize these problems, UAC provides file and registry virtualization that redirects requests for protected resources to user-specific locations that won’t impact the entire system.
AppLocker provides similar functionality to Software Restriction Policies available in earlier versions of Windows. However, AppLocker’s publisher rules provide more flexible control and enable administrators to create a single rule that allows both current and future versions of an application without the risks of a path rule. Additionally, AppLocker includes auditing to enable administrators to identify applications that require rules and to test rules before enforcing them.
Microsoft also provides Windows Defender for additional protection from spyware and other potentially unwanted software. Windows Defender uses signature-based and heuristic antispyware detection. If it finds malware on a computer, it gives the user the opportunity to prevent it from installing or to remove it if it is already installed. Windows Defender isn’t designed for enterprise use, however. For improved manageability and protection against other forms of malware (including viruses and rootkits), use Forefront or another similar enterprise client-security solution.
Additional Resources
These resources contain additional information and tools related to this chapter.
• Chapter 2, “Security in Windows 7,” includes an overview of malware.
• Chapter 4, “Planning Deployment,” includes more information about application
http://technet.microsoft.com/en-us/library/bb456992.aspx.
• “Fundamental Computer Investigation Guide for Windows” at http://www.microsoft.com/downloads/details.aspx?FamilyId=71B986EC-B3F1-4C14-AC70-EC0EB8ED9D57.
• “Security Compliance Management Toolkit Series” at http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e.
On the Companion Media
• DeleteCertificate.ps1
• FindCertificatesAboutToExpire.ps1
• FindExpiredCertificates.ps1
• Get-Certificates.ps1
• Get-DefenderStatus.ps1
• Get-ForefrontStatus.ps1
• InspectCertificate.ps1
• ListCertificates.ps1
PART V
Networking
CHAPTER 25
Configuring Windows Networking 1167
Additional Resources 1225
The Windows 7 operating system builds on the networking features introduced previously in Windows Vista and improves them. This chapter discusses how Windows 7 addresses the concerns of a modern network, how you can configure and manage these new features, and how you can deploy Windows 7 to take advantage of modern, flexible networking.
Usability Improvements
Improving the usability of Windows 7 helps both users and administrators. Users benefit
because they can get more done in less time, and administrators benefit because users
make fewer support calls.
The sections that follow describe important networking usability improvements
first introduced in Windows Vista and improved in Windows 7, including Network And
Sharing Center, Network Explorer, the Network Map, and the Set Up A Connection Or
Network Wizard. Understanding these features will help you to use them effectively and
guide you through many common network configuration and troubleshooting tasks.
Network And Sharing Center
Improved Network And Sharing Center in Windows 7, shown in Figure 25-1, provides a
clear view of available wireless networks, a Network Map to show the surrounding network
resources on a home or unmanaged network, and easy methods to create or join ad
hoc wireless networks. Diagnostic tools built into Network And Sharing Center simplify
troubleshooting connectivity problems. Users can also browse network resources with the
new Network Explorer, which they can start by clicking the network.
FIGURE 25-1 Network And Sharing Center simplifies network management for users.
If a network connection is not available, such as a failed Internet connection (even if the
link connected to the computer is functioning), Network And Sharing Center detects this
simplify configuring and connecting network devices in home and small office environments.
For example, Network Discovery can enable the Media Center feature to detect a Media
Center Extender device (such as an Xbox 360) when it is connected to the network.
Network Discovery can be enabled or disabled separately for different network location
types. For example, Network Discovery is enabled by default on networks with the private
location type, but it is disabled on networks with the public or domain location types. By
properly configuring network location types (described later in this chapter), computers
running Windows Vista and Windows 7 in your environment can take advantage of Network
Discovery when connected to your internal networks but minimize security risks by disabling
Network Discovery when connected to other networks, such as the Internet. You might want
to leave Network Discovery enabled for some network location types so that users can more
easily find network resources on your intranet that aren’t listed in Active Directory Domain
Services (AD DS) and so that users with mobile PCs can configure network devices more
easily on their home networks or when traveling.
Although Network Discovery is preferred, Windows Vista and Windows 7 continue to use the Computer Browser service and NetBIOS broadcasts to find earlier versions of Windows computers on the network. In addition, Windows Vista and Windows 7 use the Function Discovery Provider Host service and Web Services Dynamic Discovery (WS-Discovery) to find other Windows Vista and Windows 7 computers and use Universal Plug and Play (UPnP)/Simple Service Discovery Protocol (SSDP) to find networked devices that support the protocols. Therefore, enabling Network Discovery creates exceptions for each of these protocols through Windows Firewall.
WS-Discovery is a multicast discovery protocol developed by Microsoft, BEA, Canon, Intel,
and webMethods to provide a method for locating services on a network. To find network
resources, computers running Windows Vista and Windows 7 send a multicast request for
one or more target services, such as shared folders and printers. Then, any computers on the
local network with shared resources that match the request use WS-Discovery to respond to
Sends a BYE message for each registered resource on service shutdown.
The HELLO message includes the following information:
• Name
• Description
• Whether the computer is part of a workgroup or domain
• Computer type, such as desktop, laptop, tablet, Media Center, or server
• Whether Remote Desktop is enabled and allowed through Windows Firewall
• Folder and printer shares with at least Read access for Everyone if file sharing is enabled and allowed through Windows Firewall. Specifically, administrative shares are not announced. For each share, the following information is included:
    • Path
    • If applicable, the folder type (such as documents, pictures, music, or videos)
    • The share permissions assigned to the Everyone special group
FDRP is primarily intended for home networks, where ease of use is typically a requirement
and networks are unmanaged. In corporate computing environments, where there can be
a large number of computers on a single subnet and the network is managed, FDRP is not
recommended because the traffic might become a nuisance. By default, FDRP is enabled in a
workgroup and disabled in a domain environment.
How Windows Creates the Network Map
Windows creates the Network Map in part by using the Link Layer Topology Discovery
(LLTD) protocol. As the name suggests, LLTD functions at Layer 2 (the layer devices use to
FIGURE 25-4 LLTD is implemented as a low-level mapper and responder. (Diagram labels: Mapper, Driver, NDIS.)
NOTE Windows Vista and Windows 7 include an LLTD responder, but earlier versions of Windows do not. To find out how to download an LLTD responder that you can add to Windows XP, read Microsoft Knowledge Base article 922120 at http://support.microsoft.com/kb/922120. This will enable computers running Windows XP to appear on the Network Maps in Windows 7, but they still cannot generate the maps.
LLTD is not a secure protocol, and there is no guarantee that the Network Map is accurate.
It is possible for devices on the network to send false announcements, adding bogus items to
the map.
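The script below is an added example, not code from the book or from its companion media. It ties together two points made above: that enabling Network Discovery opens Windows Firewall exceptions for the discovery protocols, and that LLTD is not a secure protocol and can be fed bogus map entries. It parses the netsh firewall rule listing to show which Network Discovery rules are enabled for which profile, lets you enable the group for one profile and disable it for another, and reads or sets the LLTD Group Policy values so that the mapper and responder run only on private networks. Assumptions: the netsh output is in English (field names are localized on other language builds), the netsh selection syntax shown is accepted by the Windows 7 firewall, and the LLTD policy key and value names are taken from LinkLayerTopologyDiscovery.admx and should be confirmed against that file. Restricting LLTD to the private location type is one reasonable policy choice, not the book's recommendation.

```powershell
# Added example (not from the book): Network Discovery firewall rules per profile, and the
# LLTD Group Policy values that control the Mapper I/O driver and the Responder.
# ASSUMPTIONS: English netsh output; LLTD value names from LinkLayerTopologyDiscovery.admx.
# Changing anything requires an elevated prompt.

function Get-NetworkDiscoveryRules {
    # Parses 'netsh advfirewall firewall show rule' (blank-line separated "Key: value" blocks)
    # into objects, keeping only rules in the Network Discovery group.
    $rules = @()
    $current = @{}
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^(?<key>[^:]+):\s+(?<value>.*)$') {
            $current[$Matches.key.Trim()] = $Matches.value.Trim()
        }
        elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            if ($current['Grouping'] -eq 'Network Discovery') {
                $rules += New-Object PSObject -Property @{
                    Name     = $current['Rule Name']
                    Profiles = $current['Profiles']
                    Enabled  = ($current['Enabled'] -eq 'Yes')
                }
            }
            $current = @{}
        }
    }
    return $rules
}

function Set-NetworkDiscoveryProfile {
    param([ValidateSet('domain', 'private', 'public')][string]$NetworkProfile, [bool]$Enable)
    # Selects the group's rules for one profile and flips their Enabled state.
    $state = if ($Enable) { 'Yes' } else { 'No' }
    netsh advfirewall firewall set rule group="Network Discovery" profile=$NetworkProfile new enable=$state | Out-Null
}

# Policy key written by the "Link-Layer Topology Discovery" administrative template.
$LltdPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD'
$LltdValueNames = 'EnableLLTDIO', 'AllowLLTDIOOnDomain', 'AllowLLTDIOOnPublicNet', 'ProhibitLLTDIOOnPrivateNet',
                  'EnableRspndr', 'AllowRspndrOnDomain', 'AllowRspndrOnPublicNet', 'ProhibitRspndrOnPrivateNet'

function Get-LltdPolicy {
    # EnableLLTDIO governs the Mapper I/O driver (building maps); EnableRspndr governs the
    # Responder (answering other mappers). A $null entry means Not Configured.
    $result = @{}
    $props = $null
    if (Test-Path -Path $LltdPolicyKey) { $props = Get-ItemProperty -Path $LltdPolicyKey }
    foreach ($name in $LltdValueNames) {
        if ($props -ne $null) { $result[$name] = $props.$name } else { $result[$name] = $null }
    }
    return $result
}

function Set-LltdPrivateOnly {
    # Keep mapping and responding on, but only on networks with the private location type:
    # no LLTD traffic on public networks, and none on the managed domain network either.
    if (-not (Test-Path -Path $LltdPolicyKey)) { New-Item -Path $LltdPolicyKey -Force | Out-Null }
    $values = @{
        EnableLLTDIO = 1; AllowLLTDIOOnDomain = 0; AllowLLTDIOOnPublicNet = 0; ProhibitLLTDIOOnPrivateNet = 0
        EnableRspndr = 1; AllowRspndrOnDomain = 0; AllowRspndrOnPublicNet = 0; ProhibitRspndrOnPrivateNet = 0
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $LltdPolicyKey -Name $name -Value $values[$name] -Type DWord
    }
}

# Usage: list the discovery rules and the LLTD policy; the commented lines apply the changes.
Get-NetworkDiscoveryRules | Sort-Object Profiles, Name | Format-Table -AutoSize
Get-LltdPolicy
# Set-NetworkDiscoveryProfile -NetworkProfile private -Enable $true
# Set-NetworkDiscoveryProfile -NetworkProfile public  -Enable $false
# Set-LltdPrivateOnly
```

Because the firewall keeps a separate rule object per profile for each Network Discovery rule, the listing makes it easy to spot a laptop whose public profile still allows SSDP or WS-Discovery inbound, which is the case the chapter warns about for untrusted networks.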
Because each user can have his own set of network profiles, Windows creates Network
Maps on a per-user basis. For each network profile that a user creates, Windows actually
generates two maps: the current map and a copy of the last functional map (similar to the
Last Known Good recovery option). When displaying the Network Map to the user, Windows
combines these two maps.
Network Map
The Network Map, shown in Figure 25-5, makes it simpler to visually examine how a computer
is connected to one or more networks and to other computers on your intranet. Although
the tool is primarily intended to simplify networking for users, it is also a useful tool for
administrators. A user can click the name of her computer to view her computer’s properties,
click a local network to view network resources with Network Explorer, or click the Internet
icon to browse the Web.