Windows Vista Security Guide

Chapter 2: Defend Against Malware

Malicious software, or malware, is any program or file that is harmful to a computer user. Examples of malware include computer viruses, worms, Trojan horse programs, and spyware that gathers information about a computer user without permission.

Windows Vista™ includes several new technologies that you can use to help enhance protection against malware for computers running Windows Vista in your environment. You can use these features and services in addition to the settings included in the Group Policy objects (GPOs) described in the previous chapter, some of which also help provide protection against malware.

In Windows Vista, Microsoft® Internet Explorer® 7 also includes several enhancements that help protect against malware. Technologies that help prevent the installation of unwanted software, and technologies that help guard against unauthorized transmission of personal data greatly increase browser security and privacy protection.

This chapter provides overviews of these technologies, and recommendations on how to configure them when applicable. You can implement these recommendations in the appropriate GPOs described in Chapter 1, "Implementing the Security Baseline." However, it is important to note that many of the settings for these technologies require information specific to your environment. For this reason, most of the recommended values for these additional settings are not included in the GPOs described in the previous chapter.

All of these technologies are by default configured to provide enhanced protection for computers running Windows Vista in the Enterprise Client (EC) environment. However, there are some new Group Policy settings that you can use to help customize the behavior and functionality of these technologies to provide even better protection against malware for your environment.

This chapter covers the following new and enhanced security technologies in Windows Vista and Internet Explorer 7:

  • Windows Vista defense technologies
  • Internet Explorer 7 defense technologies

Note   For each of these areas in the chapter, specific Group Policy settings are highlighted to document the default configuration for a new installation of Windows Vista. Specific setting modifications or recommendations are denoted with the ‡ symbol. For more details on these setting values, see Appendix A, "Security Group Policy Settings."

Windows Vista Defense Technologies

Windows Vista includes several new and enhanced technologies that provide enhanced defense against malware. These technologies include:

  • User Account Control (UAC)
  • Windows Defender
  • Windows Firewall
  • Windows Security Center
  • Malicious Software Removal Tool
  • Software Restriction Policies

In addition to these protection technologies, it is important to understand that logging on with a standard user account is still a highly recommended security practice. Even with all of these protection technologies in place, if you do not control who can gain administrative-level access to your computers, you are exposing them to risk.

User Account Control

Windows Vista includes User Account Control (UAC) to provide a method of separating standard user privileges and tasks from those that require administrator access. UAC increases security by improving the user experience while running as a standard user account. Users can now perform more tasks and enjoy higher application compatibility without the need to be logged on with administrative-level privileges. This helps reduce the effect of malware, the installation of unauthorized software, and unapproved system changes.

Note   In previous versions of the Windows operating system, the Power Users group was designed to enable members of this group to perform system tasks, such as installing applications without full administrator permissions. UAC does not use the Power Users group, and the permissions granted to it in Windows Vista have been removed. However, the Power Users group is still available for backward compatibility with other versions of the operating system. To use the Power Users group in Windows Vista, you must apply a new Security Template to change the default permissions on system folders and the registry to grant members of the Power Users group permissions equivalent to those for this group in Windows XP.

In Windows Vista, standard users can now perform many tasks that previously required administrator access but did not adversely affect security. Examples of tasks that standard users can now perform include modifying time zone settings, connecting to a secure wireless network, and installing approved devices and Microsoft ActiveX® controls.

Furthermore, the Administrator Approval Mode feature in the UAC technology also helps protect computers running Windows Vista from some types of malware. By default, administrators can run most programs and tasks with standard user privileges. When users need to perform administrative tasks, such as installing new software or modifying certain system settings, they are first prompted for consent before they can complete such tasks. However, this mode does not provide the same level of protection as a standard user account and it does not guarantee that malicious software already on the client computer cannot tamper with the elevated software. It also does not guarantee that the elevated software itself will not attempt malicious actions after it is elevated.

To take advantage of this technology, you can configure new Group Policy settings in Windows Vista to control how UAC behaves. The Group Policy settings described in the previous chapter are configured to enforce prescribed behavior for UAC. However, Microsoft recommends reviewing the prescriptions for these settings, which are described in Appendix A, "Security Group Policy Settings," to ensure that they are optimally configured to meet the needs of your environment.

Risk Assessment

Users who have administrative privileges log on with their administrative capabilities enabled. This could allow administrative tasks to occur accidentally or maliciously without the knowledge of the individual. For example:

  • A user unknowingly downloads and installs malware from a malicious or infected Web site.
  • A user is tricked into opening an e-mail attachment that contains malware, which runs and possibly installs itself on the computer.
  • A removable drive is inserted into the computer and AutoPlay then attempts to run the malicious software automatically.
  • A user installs unsupported applications that can affect the computer's performance or reliability.

Risk Mitigation

The recommended mitigation approach is to ensure that all users log on using a standard user account for everyday tasks. Users should only elevate to an administrator level account for tasks that require that level of access. Also ensure that UAC is enabled to prompt the user when an attempt is made to perform a task that requires administrative privileges.

Mitigation Considerations

UAC can help mitigate the risks described in the previous "Risk Assessment" section. However, it is important to consider the following:

  • If you have in-house application developers, Microsoft recommends requesting that they download and review the "Windows Vista Application Development Requirements for User Account Control Compatibility" article. This document describes how to design and develop UAC-compliant applications for Windows Vista.
  • UAC can introduce problems in applications that are not compliant with UAC. For this reason it is important to test applications with UAC before you deploy them. For more information about application compatibility testing, see the Desktop Deployment Web site on Microsoft TechNet®.
  • The administrative credential and privilege escalation requests of UAC increase the number of steps required to complete many common administrative tasks. You should evaluate the effect of the increased steps on your administrative staff. If the additional UAC prompts significantly affect these users, you can configure the UAC policy setting "Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting." However, changing this policy may increase the security risk in your environment, and the Windows Security Center will report it.
  • A user who has administrative privileges can disable Administrator Approval Mode, disable UAC from prompting for credentials to install applications, and change the elevation prompt behavior. For this reason, it is important to control the number of users who have access to administrative privileges on the computers in your organization.
  • Microsoft recommends assigning two accounts for administrative staff. For everyday tasks, staff should use a standard level account. When specific administrative tasks are required, staff should log on with the administrative level account, perform the tasks, and then log off to return to the standard user account.
  • The Group Policy settings for this guide disable a standard user’s ability to elevate privileges. This is the recommended approach because it enforces that administrative tasks can only be performed by accounts that have specifically been set up at the administrative level.
  • If an application is incorrectly identified as an administrative or user application (for example with an "administrator" or "standard" token), Windows Vista might start the application under the wrong security context.

Mitigation Process

Start the mitigation process by investigating the full capabilities of UAC. For more information, see Windows Vista User Account Control Step by Step Guide and Getting Started with User Account Control on Windows Vista.

To use this mitigation process

  1. Identify the number of users who are able to carry out administrative tasks.
  2. Identify how often administrative tasks are required.
  3. Determine if administrators should be able to perform administrative tasks by simply agreeing to the UAC prompt, or if they should be required to enter specific credentials to perform administrative tasks.
  4. Determine if standard users should have the ability to elevate privileges to perform administrative tasks. The policy settings applied as part of this guide specifically block the ability for standard users to elevate their privileges.
  5. Identify how application installations should be handled.
  6. Configure the UAC Group Policy settings to suit your requirements.

Using Group Policy to Mitigate Risk for UAC

You can configure the UAC settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The following table provides security setting information specific to this technology in Windows Vista.

Table 2.1 UAC Control Settings

Policy object | Description | Windows Vista default
Admin Approval Mode for the Built-in Administrator account | This security setting determines the behavior of Administrator Approval Mode for the Built-in Administrator account. | Disabled ‡
Behavior of the elevation prompt for administrators in Admin Approval Mode | This security setting determines the behavior of the elevate privileges prompt for administrators. | Prompt for consent ‡
Behavior of the elevation prompt for standard users | This security setting determines the behavior of the elevation prompt for standard users. | Prompt for credentials ‡
Detect application installations and prompt for elevation | This security setting determines the behavior of application installation detection for the entire system. | Enabled
Only elevate executables that are signed and validated | This security setting enforces PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the administrator application allowed list using certificates in the local computer's Trusted Publisher Store. | Disabled
Only elevate UIAccess applications that are installed in secure locations | This security setting enforces the requirement that applications that request execution with a UIAccess integrity level must reside in a secure location on the file system. | Enabled
Run all administrators in Admin Approval Mode | This security setting determines the behavior of all UAC policies for the entire system. | Enabled
Switch to the secure desktop when prompting for elevation | This security setting determines whether the elevation request will display a prompt on the interactive user's desktop or the Secure Desktop. | Enabled
Virtualize file and registry write failures to per-user locations | This security setting enables the redirection of legacy application write failures to defined locations in both the registry and file system. | Enabled

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

You can configure the UAC Credentials user interface (UI) in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface

The following table provides security setting information specific to this technology in Windows Vista.

Table 2.2 UAC Credential User Interface Settings

Policy object | Description | Windows Vista default
Enumerate administrator accounts on elevation | By default, all administrator accounts display when a user attempts to elevate a running application. If you enable this setting, users are required to always type in a user name and password to elevate their privileges. | Not configured ‡
Require trusted path for credential entry | If you enable this setting, Windows Vista requires the user to enter credentials using a trusted path to help prevent a Trojan horse program or other types of malicious code from stealing the user's Windows credentials. This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled. | Not configured ‡

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.
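As an added example that is not part of the Windows Vista Security Guide, the following script audits the UAC settings from Table 2.1 and the "Require trusted path" setting from Table 2.2 by reading the registry values those Group Policy settings write. The policy-name to registry-value mapping and the numeric encodings are assumptions drawn from general knowledge of the UAC implementation, not from the guide, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the Windows Vista Security Guide): audit the Table 2.1 / 2.2
# settings by reading the registry values behind them. The value names and the numeric
# encodings below are assumptions from general knowledge of the UAC implementation;
# confirm each one against the setting's Explain tab in the Group Policy Object Editor.
# Assumes Windows PowerShell 3.0 or later. Reading HKLM policy values needs no elevation.

$SystemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$CredUiPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'

# Expected values follow the Windows Vista defaults in Table 2.1, with one change the guide
# states explicitly: its GPOs block standard-user elevation, which corresponds to
# ConsentPromptBehaviorUser = 0 ("Automatically deny elevation requests").
# Encodings assumed: ConsentPromptBehaviorAdmin 0 = elevate without prompting,
# 1 = prompt for credentials, 2 = prompt for consent; ConsentPromptBehaviorUser
# 0 = automatically deny, 1 = prompt for credentials; all other values 1 = enabled, 0 = disabled.
$UacChecks = @(
    @{ Policy = 'Admin Approval Mode for the Built-in Administrator account';          Key = $SystemPolicyKey; Name = 'FilterAdministratorToken';    Expected = 0 }
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'; Key = $SystemPolicyKey; Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
    @{ Policy = 'Behavior of the elevation prompt for standard users';                 Key = $SystemPolicyKey; Name = 'ConsentPromptBehaviorUser';  Expected = 0 }
    @{ Policy = 'Detect application installations and prompt for elevation';           Key = $SystemPolicyKey; Name = 'EnableInstallerDetection';   Expected = 1 }
    @{ Policy = 'Only elevate executables that are signed and validated';              Key = $SystemPolicyKey; Name = 'ValidateAdminCodeSignatures'; Expected = 0 }
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations'; Key = $SystemPolicyKey; Name = 'EnableSecureUIAPaths'; Expected = 1 }
    @{ Policy = 'Run all administrators in Admin Approval Mode';                       Key = $SystemPolicyKey; Name = 'EnableLUA';                  Expected = 1 }
    @{ Policy = 'Switch to the secure desktop when prompting for elevation';           Key = $SystemPolicyKey; Name = 'PromptOnSecureDesktop';      Expected = 1 }
    @{ Policy = 'Virtualize file and registry write failures to per-user locations';   Key = $SystemPolicyKey; Name = 'EnableVirtualization';       Expected = 1 }
    # Table 2.2: the guide says "Require trusted path for credential entry" should be enabled.
    @{ Policy = 'Require trusted path for credential entry';                           Key = $CredUiPolicyKey; Name = 'EnableSecureCredentialPrompting'; Expected = 1 }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "Not configured"
    # and the built-in default applies.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UacPosture {
    foreach ($check in $UacChecks) {
        $actual = Get-PolicyValue -Key $check.Key -Name $check.Name
        $status = if ($null -eq $actual) { 'NOT CONFIGURED' }
                  elseif ($actual -eq $check.Expected) { 'OK' }
                  else { 'DEVIATION' }
        # Mitigation Considerations: "Elevate without prompting" removes the consent step
        # for administrators entirely, so it is called out separately.
        if ($check.Name -eq 'ConsentPromptBehaviorAdmin' -and $actual -eq 0) { $status = 'WEAK: no elevation prompt' }
        # EnableLUA = 0 turns UAC off for the whole system, whatever the other values say.
        if ($check.Name -eq 'EnableLUA' -and $actual -eq 0) { $status = 'WEAK: UAC disabled' }
        [pscustomobject][ordered]@{
            Policy   = $check.Policy
            Value    = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-UacPosture | Format-Table -AutoSize -Wrap
```

A row reported as NOT CONFIGURED means the Vista default in the table is in effect rather than a policy value; a DEVIATION on a ‡-marked row is expected wherever Appendix A prescribes a different value for your environment.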

You can configure the ActiveX Installer Service in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service

The following table provides security setting information specific to the ActiveX Installer Service in Windows Vista.

Table 2.3 ActiveX Installer Service

Policy object | Description | Windows Vista default
Approved Installation Sites for ActiveX Controls | This setting enables an administrator to allow a standard user account to install ActiveX controls from a list of approved ActiveX installation sites. | Not configured

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor.

Windows Defender

Windows Defender is a program included in Windows Vista that is also available as a download for Windows XP. It helps protect computers against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. Windows Defender monitors, in real time, important checkpoints of the Windows Vista operating system that this unwanted software targets, such as the Startup folder and the autorun entries in the registry.

Windows Defender also helps detect and remove unwanted applications, such as adware, keyloggers, and spyware. When a program tries to modify a protected area in Windows Vista, Windows Defender prompts the user to either allow or reject the change in an effort to guard against spyware installation. This monitoring enhances the reliability of computers running Windows Vista, and helps provide additional user privacy protection. Windows Defender is enabled by default in Windows Vista, and although the technology provides you with enhanced protection against spyware, you can also use it with other third-party protection products. To offer the best protection against malicious software, Microsoft strongly recommends that customers also deploy a full antivirus solution in conjunction with Windows Defender.

You can configure new Group Policy settings in Windows Vista to control how Windows Defender behaves. The Group Policy settings described in the previous chapter do not contain any settings that modify the default behavior of Windows Defender because the values for these settings are likely to be specific to the requirements of your environment.

Microsoft SpyNet Community

Microsoft SpyNet is an online community dedicated to helping a computer user choose how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections.

When Windows Defender detects software or changes by software not yet classified for risks, you can see how other members are responding to the alert. In turn, actions you take help other community members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. For example, the technology can include the location of detected items on your computer if harmful software has been removed. In these cases, Windows Defender will automatically collect and send the information to the community.

Risk Assessment

Spyware presents a number of serious risks to an organization that need to be mitigated to ensure that data and computers are not compromised. The most common identifiable risks that spyware creates for an organization include:

  • Sensitive business data that could be exposed to unauthorized users.
  • Employee personal information that could be exposed to unauthorized users.
  • Computer compromise by an unauthorized attacker.
  • Lost productivity because of spyware that affects computer performance and stability.
  • Support cost increases because of spyware infections.
  • A potential blackmail risk to your organization if an infection exposes sensitive data.

Risk Mitigation

Windows Defender is designed to mitigate risks related to spyware. Regular updates for the technology are provided automatically via Windows Update, or you can instead use Microsoft Windows Server Update Services (WSUS).

In addition to the spyware protection that Windows Defender offers, Microsoft also strongly recommends installing an antivirus package that is capable of extending your spyware protection to detect viruses, Trojan horse programs, and worms. For example, products such as Microsoft Forefront Client Security provide unified malware defense for business desktops, laptops, and server operating systems.

Mitigation Considerations

Windows Defender is enabled by default in Windows Vista. The technology is designed to be as unobtrusive as possible to users under normal operational conditions. However, organizations should consider the following recommendations as part of deploying Windows Vista:

  • Test the interoperability of any third-party real-time spyware or antivirus scanners that you may want to use in your organization.
  • Design a system to manage signature definition updates deployments if your organization manages a large number of computers.
  • Train users in some of the common tricks that spyware programs employ to socially engineer a user into running a malicious program.
  • Adjust the scheduled scan time to suit the needs of your business. The default is 2:00 A.M. daily. If the computer is not able to perform the scan at this time, the user is later notified and asked to run a scan. If the scan does not occur within the next two days, it will occur approximately 10 minutes after the computer is next started. This scan is run as a low priority process so it will have as small an effect on the client as possible. Thanks to the performance improvements in input/output (I/O) handling in Windows Vista, this low priority scan has a much lower effect on the user than it did in Windows XP.
  • Windows Defender is not designed as an enterprise class antispyware application. It does not provide a business class centralized reporting, monitoring, or control mechanism. If additional reporting or control is required, you will need to investigate additional products such as Microsoft Forefront Client Security.
  • Determine a policy for your organization to report possible spyware to the Microsoft SpyNet online community.

Mitigation Process

Because Windows Defender is a default part of the operating system, no additional steps are required to activate Windows Defender. However, there are a few additional steps that Microsoft recommends considering to ensure that your organization stays protected.

To use this mitigation process

  1. Investigate antispyware capabilities of Windows Vista and Windows Defender.
  2. Investigate the Group Policy settings for Windows Defender.
  3. Evaluate additional antivirus protection for your organization.
  4. Plan the optimal update process for the computers in the organization. It is possible that mobile computers will need a different update configuration than desktop computers.
  5. Provide user training to enable them to identify suspicious computer activity.
  6. Provide training to support staff to use Windows Defender tools to help in resolving support calls.

Using Group Policy to Mitigate Risk for Windows Defender

You can review and configure the available Windows Defender settings in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Windows Defender

Table 2.4 Windows Defender Control Settings

Policy object | Description | Windows Vista default
Turn on definition updates through both WSUS and Windows Update | This setting allows you to configure Windows Defender to check and install definition updates from Windows Update when a locally managed Windows Server Update Services (WSUS) server is not available. | Not configured
Check for New Signatures Before Scheduled Scans | If you enable this setting, the scheduled scan checks for new signatures before it scans the computer. If this setting is set to Disabled or Not configured, the scheduled scan starts without downloading new signatures. | Not configured
Turn off Windows Defender | Keeping this setting at its default value enables Windows Defender Real-Time Protection. | Not configured
Turn off Real-Time Protection Prompts for Unknown Detection | This setting determines if Windows Defender will prompt users to allow or block unknown activity. | Not configured
Enable Logging Known Good Detection | This setting enables logging detection data during Real-time Protection when Windows Defender detects known good files. Logging detections provides you with detailed information about the programs that run on the computers you monitor. | Not configured
Enable Logging Unknown Detection | This setting enables logging detections during Real-time Protection when Windows Defender detects unknown files. Logging detections provides you with detailed information about the programs that run on the computers you monitor. | Not configured
Download Entire Signature Set | This setting enables a download of the full signature set, rather than only the signatures that have been updated since the last signature download. Downloading the full signature set can help troubleshoot problems with signature installations, but because the file is large, it can take longer to download. | Not configured
Configure Microsoft SpyNet Reporting | This setting adjusts membership in the Microsoft SpyNet online community. | Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Windows Firewall

A personal firewall is a critical line of defense against many kinds of malware. Like the firewall functionality in Windows XP Service Pack 2 (SP2), the firewall in Windows Vista is turned on by default to help protect the user’s computer as soon as the operating system is operational.

Windows Firewall in Windows Vista includes both inbound and outbound filtering to help protect users by restricting operating system resources that behave unexpectedly. The firewall is also integrated with the Windows Vista network awareness so that specialized rules can be applied depending on the location of the client computer. For example, if a laptop computer is located on an organization's network, firewall rules can be defined by the administrator of the domain network environment that will match the security requirements of that network. However, when a user attempts to connect the same laptop to the Internet via a public network, such as a free wireless hotspot, a different set of firewall rules can be automatically used to help ensure the computer is protected from an attack.

In addition, for the first time in a Windows operating system, Windows Vista integrates firewall management with Internet Protocol security (IPsec). In Windows Vista, a single console, known as the Windows Firewall with Advanced Security console, integrates IPsec and firewall management. The console centralizes inbound and outbound traffic filtering, and IPsec server and domain isolation settings in the user interface to simplify configuration and reduce policy conflicts.

Risk Assessment

A network connection is a vital requirement in modern business. However, this connection has also become a major target for attackers. The threats associated with connectivity need to be mitigated to ensure that data or computers are not compromised. The most commonly identifiable threats to an organization from network-based attacks include:

  • A computer that is compromised by an unauthorized attacker who could then gain administrative level access to that computer.
  • Network scanner applications that an attacker can use to remotely determine open network ports to launch an attack.
  • Sensitive business data that could be exposed to unauthorized users if a Trojan horse program can open an unauthorized network connection from a client computer to an attacker.
  • Mobile computers that may be exposed to network attacks while outside the organization's network firewall.
  • Computers on an internal network that could be exposed to a network attack from a compromised computer that connects directly to the internal network.
  • A potential blackmail risk to your organization if an attacker successfully compromises internal computers.

Risk Mitigation

The firewall in Windows Vista provides protection to the client computer out of the box. The firewall blocks most unsolicited inbound traffic until a change is made either by an administrator or by Group Policy.

Windows Firewall also includes outbound network traffic filtering, and out of the box this rule is set to "Allow" for all outgoing network traffic. You can use Group Policy settings to configure these rules in the Windows Vista firewall to ensure that client security settings remain constant.

Mitigation Considerations

There are a few issues that you should consider if you are planning to use the firewall in Windows Vista:

  • Test the interoperability of applications that are required on your organization's computers. Each application should have a record of the network port requirements to help ensure only the required ports are opened through the Windows Firewall.
  • The Windows XP firewall supports a Domain and a Standard profile. The Domain profile is active when the client is connected to a network that contains the domain controllers for the domain in which its computer account resides. This allows you to create rules that are specific to the requirements of the organization's internal network. The Windows Vista firewall includes a Private and Public profile to provide a finer level of control to protect a client computer when a user operates it outside of the organization's network defenses.
  • Evaluate the logging capacities of the Windows Firewall to determine its ability to integrate into your existing enterprise reporting or monitoring solutions.
  • By default, Windows Firewall blocks remote control or remote management of Windows Vista–based computers. Microsoft has created a number of rules specifically for such remote tasks in the Windows Firewall. If you want your organization's computers to support these remote tasks, you will need to enable the required rules for each profile that the task will be required for. For example, you may choose to enable the Remote Desktop rule for the Domain profile to allow your helpdesk to support users on the organization's network, but leave it disabled for the Public and Private profiles to reduce the attack surface of your computers when they are away from your network.

Mitigating Risk Using Windows Firewall with Advanced Security

Windows Vista includes new Group Policy settings and management UI that assist you with configuring the new functionality available in the Windows Vista firewall. The advanced security settings for Windows Vista do not apply on a client computer running Windows XP.

Microsoft recommends that you closely review these new capabilities to determine if they can assist you to better secure your environment. If you plan to modify the default behavior of the Windows Vista firewall, Microsoft recommends using the Windows Firewall with Advanced Security Group Policy settings to manage client computers running Windows Vista.

You can review and configure the new Group Policy settings and management snap-in available for Windows Firewall in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security

Windows Firewall with Advanced Security supports the following environment profiles:

  • Domain Profile. This profile applies when a computer is connected to a network and authenticates to a domain controller in the domain to which the computer belongs.
  • Public Profile. This profile is the default network location type when the computer is not connected to a domain. Public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as within an IT environment.
  • Private Profile. This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to Public. Microsoft recommends only doing this for a trusted network.

It is important to understand that only one profile is active at a time. If the computer has multiple interfaces and they are connected to multiple network locations, then the evaluation of which profile applies is as follows:

  1. If all network interfaces evaluate to a domain network location, apply the domain profile.
  2. If all network interfaces evaluate to a private network location, apply the private profile.
  3. If a network interface evaluates to a public network location, apply the public profile.

Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. In addition to the advanced firewall rules, Windows Firewall also supports connection security rules. Connection security involves authenticating two computers before they begin communications, and securing information sent between the two computers. Windows Firewall with Advanced Security incorporates IPsec technology to support key exchange, authentication, data integrity, and optionally, data encryption.

For more information, see the IPsec Web page on Microsoft TechNet.

Appendix A, "Security Group Policy Settings," describes all of the prescribed Windows Firewall with Advanced Security settings, and indicates which settings require environment-specific information.

Windows Security Center

The Windows Security Center (WSC) feature runs as a background process on client computers running Windows Vista and Windows XP SP2. In Windows Vista this feature constantly checks and displays the status of four important security categories:

  • Firewall
  • Automatic Updates
  • Malware protection
  • Other security settings

The WSC process also serves as a starting point to access other security-related areas of the computer and provides a single point of reference for you to find security-related support and resources. For example, the WSC provides a link to help users without antivirus software to view offers from vendors that provide antivirus solutions that are compatible with WSC.

Microsoft has improved WSC in Windows Vista by including a new category called "Other security settings." This category displays the status of Internet Explorer security settings and User Account Control. Another new category in Windows Vista is "Malware protection," which includes monitoring for antivirus and antispyware software. In addition to the default protection that Windows Vista provides, WSC can monitor multiple vendor security solutions for Windows Firewall, as well as antivirus and antispyware software running on the same client computer, and indicate which solutions are enabled and up to date.

For client computers running Windows Vista, WSC provides direct links to vendors that you can use to remediate problems should they arise on the computer. For example, if a third-party antivirus or antispyware solution is turned off or out of date, WSC provides a button that you can click to launch a vendor solution on the computer to correct the problem. In addition, WSC provides links to the vendor Web site that the user can use to activate or renew a subscription or obtain updates. Knowing when security software is turned off or out of date, and being able to easily download updates, can mean the difference between staying as protected as possible and becoming vulnerable to malware.

WSC runs by default on computers running Windows Vista. The Group Policy settings described in the previous chapter do not contain any settings that modify the default behavior of WSC. However, it is possible for administrators to use Group Policy to ensure that the WSC client UI remains either disabled or enabled for computers that are Domain members. You can review and configure the Group Policy setting available for WSC in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Security Center

The Securitycenter.admx template file contains the XML setting information for this policy setting. The following table describes this setting.

Table 2.5 Windows Security Center Setting

Policy object: Turn on Security Center (Domain PCs only)
Description: This setting specifies whether the Security Center is turned on or off on users' computers that are joined to a domain that uses Active Directory. If this setting is left in the default of Not configured, the Security Center is turned off for computers that are domain members.
Windows Vista default: Not configured

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor.

Malicious Software Removal Tool

The Microsoft Windows Malicious Software Removal Tool is designed to help remove malware from infected computers. Every month, Microsoft releases a new version of the tool through Microsoft Update, Windows Update, WSUS, and the Microsoft Download Center. Because the Malicious Software Removal Tool is not a fully featured antivirus product, Microsoft strongly recommends that users run antivirus software that will continually detect and remove viruses. When you run the tool, it scans your computer in the background and produces a report if it detects any infections. This tool does not install into the operating system it is scanning. This tool does not have any Group Policy settings in Windows Vista.

Risk Assessment

Microsoft recommends that all computers run a real-time antivirus scanner in addition to the protection services provided as part of Windows Vista. However, even with these protection measures installed, there are two risks that can still apply to an organization:

  • If the installed real-time antivirus scanner does not detect a specific instance of malware.
  • If the malware manages to disable the installed real-time antivirus scanner.

For these situations, the Malicious Software Removal Tool does provide an additional layer of security to help detect and remove common malicious software.

Risk Mitigation

To mitigate these risks, Microsoft recommends configuring your client computers to run Automatic Updates so that the Malicious Software Removal Tool will download and run when it is released.

If you are considering using this tool in your environment, the following list highlights some considerations that will help ensure a successful deployment:

  • The Malicious Software Removal Tool is approximately 4 MB in size, which can affect an organization's Internet connection if a large number of client computers attempt to download the tool at the same time.
  • The tool is primarily intended for noncorporate users who do not have an existing, up-to-date antivirus product installed on their computers. However, you also can deploy the tool in an enterprise environment to enhance existing protection and as part of a defense-in-depth strategy. To deploy the tool in an enterprise environment, you can use one or more of the following methods:
    • Windows Server Update Services
    • SMS Software Package
    • Group Policy–based computer startup script
    • Group Policy–based user logon script

    For enterprise environments, Microsoft recommends reviewing the Microsoft Knowledge Base article 891716, "Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment."

  • Typically, when you run the Windows Malicious Software Removal Tool, the tool creates a randomly named temporary directory in the root drive of your computer. This directory will contain several files and includes the Mrtstub.exe file. Most of the time, this folder will be deleted automatically after the tool has finished running or after the computer next restarts. But sometimes this folder may not be deleted automatically. In these cases, you can delete this folder manually with no adverse effect on the computer.
  • A user may log on to a computer at the same time that the Malicious Software Removal Tool is running in the background. (The tool may be running as part of a deployment that uses Windows Server Update Services.) In this case, Windows may inform the user that the current user profile is corrupted and that a new profile is being created. To resolve this issue, the new profile can be removed. The user can log on to the system again at a time when the tool is not running. This issue is most likely to occur on a Windows 2000–based computer.

Mitigation Process

To effectively use the Malicious Software Removal Tool, use the following process.

To use this mitigation process

  1. Investigate the Malicious Software Removal Tool capabilities.
    For more information, see the Malicious Software Removal Tool Web page.
  2. Assess the need for the tool in your environment.
  3. Determine the most appropriate method of deploying the tool in your organization.
  4. Identify the systems in your organization that would benefit from the protection that the tool offers.
  5. Deploy the tool via the selected deployment method.

Software Restriction Policies

Software restriction policies provide administrators with a way to identify application software and control its ability to run on local computers. This feature can help protect computers running Windows Vista and Windows XP Professional against known conflicts, and help safeguard them against malicious software, such as viruses and Trojan horse programs. Software restriction policies integrate fully with Active Directory and Group Policy. You can also use this feature on stand-alone computers. You can use software restriction policies to accomplish the following:

  • Control what software can run on the client computers in your environment.
  • Restrict access to specific files on multi-user computers.
  • Decide who can add trusted publishers to client computers.
  • Define whether the policies affect all users or a subset of users on the client computers.
  • Prevent executable files from running on local computers based on policies set at the following levels: computer, organizational unit (OU), site, and domain.

Important   It is important to thoroughly test all of the policy settings that are discussed in this guide before you deploy them to a production environment. This is especially true when you configure settings for software restriction policies. Mistakes in the design or implementation of this feature can cause considerable user frustration.

Software restriction policies have not changed significantly in Windows Vista. For this reason, they are not covered in this guide. For more information about how to design and implement these policies, see "Using Software Restriction Policies to Protect Against Unauthorized Software" on TechNet.

Internet Explorer 7 Defense Technologies

It is possible for malicious Web sites to compromise the client computers that you manage. Internet Explorer 7 includes technologies that help prevent the installation of unwanted software, and technologies that help guard against unauthorized transmission of personal data to greatly increase browser security and privacy protection. New security technologies in Internet Explorer 7 include:

  • Internet Explorer Protected Mode
  • ActiveX Opt-in
  • Cross-domain scripting attack protection
  • Security Status Bar
  • Phishing Filter
  • Additional security features

Internet Explorer 7 is available for both the Windows Vista and Windows XP operating systems. Windows Vista enhances the Internet Explorer experience. For example, some features available in Internet Explorer 7, such as Protected Mode and Parental Controls, are not available when using the browser on client computers running Windows XP. Also, the Aero user interface is not available through Internet Explorer 7 on computers running Windows XP.

Internet Explorer Protected Mode

Internet Explorer Protected Mode in Windows Vista adds additional defenses to help enable a safer Internet browsing experience for users. In addition, Protected Mode helps to prevent malicious users from taking over a user’s browser and executing code through elevated privileges.

Protected Mode helps reduce previous software vulnerabilities in the extensions for the browser by eliminating the possibility of using them for silent installation of malicious code. Protected Mode uses mechanisms with higher integrity levels in Windows Vista that restrict access to processes, files, and registry keys to accomplish this goal. The Protected Mode application programming interface (API) enables software vendors to develop extensions and add-ons for Internet Explorer that can interact with the file system and registry while the browser is in Protected Mode.

In Protected Mode, Internet Explorer 7 runs with reduced permissions to help prevent user or system files or settings from changing without the user’s explicit permission. The new browser architecture also introduces a "broker" process that helps to enable existing applications to elevate out of Protected Mode in a more secure way. This prevents downloading data outside of the low-rights directories in the browser, such as the Temporary Internet Files folder.

Protected Mode is enabled by default in Internet Explorer 7 for all security zones except the Trusted Sites zone. However, users can disable the mode, which reduces overall security. For this reason, the Group Policy settings described in the previous chapter enable Protected Mode in all the Web content zones for the browser except the Trusted Sites zone, and prevent users from disabling it.

You can review and configure the Group Policy setting for Internet Explorer 7 Protected Mode in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\<Zone>

The following table describes this setting.

Table 2.6 Protected Mode Setting

Policy object: Turn on Protected Mode *
Description: If this setting is enabled, Protected Mode will be turned on and users will not be able to turn off Protected Mode. If this setting is disabled, Protected Mode will be turned off and users will not be able to turn on Protected Mode. If this setting is Not configured, users can turn it on or off.
Windows Vista default: Not configured

* This setting only works in Internet Explorer 7 with Windows Vista.

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor.

Protected Mode is available for the following security areas and zones in Internet Explorer 7:

  • Internet
  • Intranet
  • Local Machine
  • Locked-Down Internet
  • Locked-Down Intranet
  • Locked-Down Local Machine
  • Locked-Down Restricted Sites
  • Locked-Down Trusted Sites
  • Restricted Sites
  • Trusted Sites

ActiveX Opt-in

Internet Explorer 7 in Windows Vista offers a powerful new security mechanism for the ActiveX platform to help protect user information and computer systems. ActiveX Opt-in automatically disables all controls that are not explicitly allowed by the user. This mitigates the potential misuse of preinstalled controls.

In Windows Vista, the Information Bar prompts users before they can access a previously installed ActiveX control that has not yet been used on the Internet. This notification mechanism enables the user to permit or deny access on a control-by-control basis, which helps further reduce the available surface area for attacks. Malicious users cannot use Web sites to launch automated attacks with ActiveX controls that were never intended to be used on the Internet.

Cross-Domain Scripting Attack Protection

New cross-domain script barriers help limit the ability of malicious Web sites to manipulate vulnerabilities in other Web sites. For example, before cross-domain scripting attack protection a user might visit a page on a malicious Web site that opens a new browser window containing a legitimate page (such as a banking Web site) that prompts the user to enter account information. This information could then be extracted by a script and made available to the attacker. With Internet Explorer 7, cross-domain scripting attack protection helps to ensure that these types of attacks will fail.

Security Status Bar

The new Security Status Bar in Internet Explorer 7 helps users quickly differentiate authentic Web sites from suspicious or malicious ones. To provide this information, the Security Status Bar enhances access to digital certificate information that helps identify secure (HTTPS) Web sites.

The Security Status Bar provides users with clearer, more prominent visual cues that indicate the safety and identity of Web sites. The technology also supports information about High Assurance certificates to clearly identify secure (HTTPS) sites that have stronger identification measures in place.

Phishing Filter

Phishing is a technique that many attackers use to trick computer users into revealing personal or financial information through an e-mail message or Web site. Phishers masquerade as a legitimate person or business to deceive people into revealing personal information, such as account passwords and credit card numbers. The Phishing Filter in Internet Explorer 7 advises users about suspicious or known phishing Web sites to help them more safely browse content on the Internet. The filter analyzes Web site content for known phishing techniques, and uses a global network of data sources to assess the trustworthiness of Web sites.

Developers who create fraudulent e-mail, online advertisements, and Web sites thrive on lack of communication and limited information sharing. The new Phishing Filter in Internet Explorer 7, which uses an online service that updates the filter several times an hour, consolidates the latest industry information about fraudulent Web sites, and shares it with Internet Explorer 7 customers to help proactively warn and help protect them.

The Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:

  • It compares the addresses of Web sites that a user attempts to visit with a list of reported legitimate sites stored on the user’s computer.
  • It analyzes Web sites that users want to visit by checking them for characteristics that are common to phishing sites.
  • It sends the Web site address that a user attempts to visit to an online service Microsoft maintains that immediately checks it against a frequently updated list of phishing sites. These sites have been confirmed by reputable sources as fraudulent and reported to Microsoft.

Even if the site is unknown to the Phishing Filter service, Internet Explorer 7 can examine the behavior of the site and report to the user if it is doing anything suspicious, such as collecting user information without a Secure Sockets Layer (SSL) certificate. In this way, the Phishing Filter helps to prevent a site from collecting user information before it has been officially reported.
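The three-stage flow just described (local list of legitimate sites, client-side heuristics, opt-in online lookup), as an added Python model that is not Microsoft's code. The site lists, the heuristics other than the "no SSL" check the guide names, and the set standing in for the online service are all constructed assumptions.

```python
# Added example (not Microsoft's code): a small model of the three-stage
# Phishing Filter flow described above. Site lists and heuristics are
# constructed sample data; the online service is stood in for by a set.
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Stage 1: list of reported legitimate sites kept on the user's computer.
LOCAL_LEGITIMATE_SITES = {"bank.example", "mail.example"}

# Stage 3: stand-in for the frequently updated list of confirmed phishing
# sites held by the online service (constructed sample data).
ONLINE_REPORTED_PHISHING_SITES = {"bank-example-login.example.net"}


@dataclass
class Page:
    url: str
    uses_https: bool            # served over HTTPS with an SSL certificate
    collects_credentials: bool  # page has a login / account form
    form_target_hosts: set = field(default_factory=set)  # where the form posts


def heuristic_flags(page: Page) -> list:
    """Stage 2: client-side scan for characteristics common to phishing pages.

    The characteristics checked here are assumptions for illustration; the
    first one (collecting user information without SSL) is the one the guide
    names explicitly.
    """
    host = (urlparse(page.url).hostname or "").lower()
    flags = []
    if page.collects_credentials and not page.uses_https:
        flags.append("collects user information without SSL")
    # Host name borrows the name of a known legitimate site without being it.
    for legit in LOCAL_LEGITIMATE_SITES:
        if host != legit and legit.split(".")[0] in host:
            flags.append(f"host name resembles legitimate site {legit}")
    # Credentials are posted to a host other than the one serving the page.
    for target in page.form_target_hosts:
        if target.lower() != host:
            flags.append(f"form submits to third-party host {target}")
    return flags


def classify(page: Page, online_lookup_enabled: bool = True) -> tuple:
    """Return (verdict, reasons) for a page the user is about to visit.

    online_lookup_enabled models the opt-in online service: when the user (or
    the Automatic policy mode) has enabled it, the address is checked against
    the service's list; otherwise only the local list and heuristics apply.
    """
    host = (urlparse(page.url).hostname or "").lower()
    if host in LOCAL_LEGITIMATE_SITES:
        return "legitimate", []
    if online_lookup_enabled and host in ONLINE_REPORTED_PHISHING_SITES:
        return "known phishing", ["reported to the online service as fraudulent"]
    # Heuristics run even when the site is unknown to the service.
    flags = heuristic_flags(page)
    if flags:
        return "suspicious", flags
    return "unknown", []


if __name__ == "__main__":
    # Constructed sample: a credential form over plain HTTP posting elsewhere.
    sample = Page("http://secure-update.example.org/login", False, True,
                  {"collector.example.net"})
    print(classify(sample))  # ('suspicious', [... two flags ...])
```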

When users run Internet Explorer 7, the Phishing Filter is configured by default to prompt users to enable or disable the filter. The Group Policy settings described in the previous chapter do not contain any settings that modify this default behavior. However, it is possible for administrators to control the behavior of the Phishing Filter using Group Policy.

You can review and configure the Group Policy settings available for the Phishing Filter in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

The following table describes this setting.

Table 2.7 Phishing Filter Setting

Policy object: Turn off Managing Phishing filter *
Description: This setting allows the user to enable a phishing filter that will warn if the Web site being visited is known for fraudulent attempts to gather personal information through "phishing." By default, the user will be prompted to decide the mode of operation for the phishing filter.
Windows Vista default: Not configured

* To take advantage of this setting, the computer must run Internet Explorer 7 with any of the following operating systems: Windows Vista, Windows XP SP2, or Windows Server 2003 Service Pack 1 (SP1).

This table provides a simple description for this setting. For more information about this setting, see the Explain tab of the setting in the Group Policy Object Editor.

Microsoft recommends configuring this setting to Enabled and the operating mode to Automatic. However, administrators should be aware that this configuration automatically causes the browser to send information to Microsoft without prompting the user.

Additional Security Features

Internet Explorer includes a number of specialized security features that help protect against malware. You can manage all of these settings through Group Policy.

You can review and configure the Group Policy Security Features settings available for Internet Explorer 7 in the following location in the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features

This section provides an overview of these settings in Internet Explorer 7. For a full list of all Group Policy settings for Internet Explorer 7, see the Group Policy Object Editor.

Note   All of the features in this section also work on computers running Internet Explorer 6.0 or later with the following operating systems: Windows XP SP2 and Windows Server 2003 SP1.

Add-on Management

You can use the policy settings in this section to restrict the add-ons that Internet Explorer 7 can use. The settings in the following table manage add-ons.

Table 2.8 Add-on Management Settings

Policy object: Add-on List
Description: This setting allows you to manage a list of add-ons.
Windows Vista default: Not configured ‡

Policy object: Deny all add-ons unless specifically allowed in the Add-on List
Description: This policy setting allows only the add-ons that you specify to run with Internet Explorer 7.
Windows Vista default: Not configured ‡

Policy object: All Processes
Description: This setting allows you to manage whether user preferences affect processes (as reflected by Add-on Manager) or policy settings.
Windows Vista default: Not configured

Policy object: Process List
Description: This setting allows you to manage whether user preferences affect the listed processes (as entered into Add-on Manager) or policy settings.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Binary Behavior Security Restriction

Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which they are attached. You can use the settings in the following table to restrict these behaviors.

Table 2.9 Binary Behavior Security Restriction Settings

Policy object: All Processes
Description: This setting controls whether the Binary Behavior Security Restriction is prevented or allowed for all processes.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Not configured or Enabled, binary behaviors are prevented for Windows Explorer and Internet Explorer processes.
Windows Vista default: Not configured

Policy object: Process List
Description: This setting allows administrators to define applications for which they want this security feature to be prevented or allowed.
Windows Vista default: Not configured

Policy object: Admin-approved behaviors
Description: If you configure this setting to Enabled, you can define, for each zone, the list of behaviors that are permitted when the Allow binary and script behaviors setting is set to Administrator approved.
Windows Vista default: Not configured

The previous table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Consistent MIME Handling

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The following table provides information about the Group Policy settings for MIME that are available for Internet Explorer 7.

Table 2.10 Consistent MIME Handling Settings

Policy object: All Processes
Description: This setting determines whether Internet Explorer requires that all file type information provided by Web servers is consistent.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: This setting determines whether Internet Explorer requires consistent MIME data for all received files. If you configure this setting to Not configured or Enabled, Internet Explorer requires consistent MIME data for all received files.
Windows Vista default: Not configured ‡

Policy object: Process List
Description: This setting allows administrators to define applications for which they want this security feature to be prevented or allowed.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Information Bar

Policy settings in this section allow you to manage whether the Information Bar is displayed for processes other than the Internet Explorer processes when file or code installation is restricted. By default, the Information Bar displays for Internet Explorer Processes, but not for any process when file or code installs are restricted. The following table provides setting information that you can use to modify this behavior.

Table 2.11 Information Bar Settings

Policy object: All Processes
Description: If you configure this setting to Enabled, the Information Bar displays for all processes.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Disabled, the Information Bar does not display for Internet Explorer processes.
Windows Vista default: Not configured

Policy object: Process List
Description: This policy setting allows you to manage whether the Information Bar displays for specific processes when file or code installs are restricted.
Windows Vista default: Not configured

Local Machine Zone Lockdown Security

Internet Explorer places zone restrictions on each Web page it opens, which depend on the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content. This feature helps to mitigate attacks when the Local Machine zone is used as an attack vector to load malicious HTML code.

Table 2.12 Local Machine Zone Lockdown Security Settings

Policy object: All Processes
Description: If you configure this setting to Enabled, Local Machine zone security applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list. By default, Local Machine zone security is not applied to local files or content processed by any process other than Internet Explorer or those defined in a process list.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Not configured or Enabled, Local Machine zone security applies to all local files and content processed by Internet Explorer.
Windows Vista default: Not configured

Policy object: Process List
Description: If you configure this setting to Enabled and you define a process name with a value of 1, Local Machine zone security applies to that process. If you define a value of 0, Local Machine zone security does not apply.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

MIME Sniffing Safety Feature

This feature helps to prevent promotion of a file of one type to a more dangerous file type. The following table lists the settings that are available for this feature.

Table 2.13 MIME Sniffing Safety Feature Settings

Policy object: All Processes
Description: If you configure this setting to Enabled, the MIME Sniffing Safety Feature is enabled for all processes.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Disabled, Internet Explorer processes will allow a MIME sniff to promote a file of one type to a more dangerous file type. The default (Not configured) behavior does not allow promotion.
Windows Vista default: Not configured ‡

Policy object: Process List
Description: This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.
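The two MIME checks described in the Consistent MIME Handling and MIME Sniffing Safety Feature sections, as an added Python model that is not Internet Explorer's code. The extension table, the danger ranking that decides what counts as a "more dangerous" type, and the sniffing rules are simplified assumptions for illustration.

```python
# Added example (not Internet Explorer's code): a model of the two MIME checks
# described above, Consistent MIME Handling and the MIME Sniffing Safety
# Feature. The extension table, danger ranking and sniffing rules are
# simplified assumptions for illustration.
import os
import re

# Declared type expected for a file name extension (constructed subset).
EXTENSION_TYPES = {
    ".txt": "text/plain", ".gif": "image/gif", ".png": "image/png",
    ".htm": "text/html", ".html": "text/html",
}

# Assumed ranking: the higher the number, the more a type can do in the browser
# (text/html carries script; images are passive). Unknown types rank 0.
DANGER_RANK = {"image/gif": 0, "image/png": 0, "text/plain": 1, "text/html": 3}


def sniff(content: bytes) -> str:
    """Guess a type from the first bytes, the way content sniffing does."""
    head = content[:256]
    if head.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if re.search(rb"<\s*(html|head|body|script)\b", head, re.IGNORECASE):
        return "text/html"
    return "text/plain"


def consistent_mime(filename: str, declared: str) -> bool:
    """Consistent MIME Handling: the server's Content-Type must agree with the
    file name it sent. Extensions not in the table carry no expectation."""
    expected = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower())
    return expected is None or expected == declared


def effective_type(declared: str, content: bytes, sniffing_safety: bool = True) -> str:
    """Type the file is handled as. With the safety feature on, sniffing may not
    promote the file to a type ranked more dangerous than the declared one; the
    declared type is kept instead. Demotion to a less capable type is allowed."""
    sniffed = sniff(content)
    if sniffed == declared:
        return declared
    promotion = DANGER_RANK.get(sniffed, 0) > DANGER_RANK.get(declared, 0)
    if sniffing_safety and promotion:
        return declared
    return sniffed


def handle_download(filename: str, declared: str, content: bytes,
                    require_consistent: bool = True, sniffing_safety: bool = True) -> dict:
    """Apply both checks to one received file and report the outcome."""
    consistent = consistent_mime(filename, declared)
    if require_consistent and not consistent:
        # Inconsistent file type information: the file is not handled at all.
        return {"consistent": False, "handled_as": None, "blocked": True}
    return {"consistent": consistent,
            "handled_as": effective_type(declared, content, sniffing_safety),
            "blocked": False}


if __name__ == "__main__":
    # Constructed sample: an HTML document served under an image name and type.
    fake_image = b"<html><body>this is really a web page</body></html>"
    print(handle_download("avatar.gif", "image/gif", fake_image))  # handled_as image/gif
    print(handle_download("avatar.gif", "image/gif", fake_image,
                          sniffing_safety=False))                   # handled_as text/html
    print(handle_download("avatar.gif", "text/html", fake_image))  # blocked: inconsistent
```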

MK Protocol Security Restriction

The MK Protocol Security Restriction policy setting reduces the attack surface by blocking the MK protocol. If this setting is enabled, resources hosted on the MK protocol will fail to load.

Table 2.14 MK Protocol Security Restriction Settings

Policy object: All Processes
Description: By default, this restriction is disabled for all processes. If you configure this setting to Enabled, the MK protocol is blocked for all processes.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Disabled, applications can use the MK protocol API and resources hosted on the MK protocol will work for the Windows Explorer and Internet Explorer processes. The default setting prevents the MK protocol for Windows Explorer and Internet Explorer, and resources hosted on the MK protocol are blocked.
Windows Vista default: Not configured ‡

Policy object: Process List
Description: This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Network Protocol Lockdown

You can configure Internet Explorer 7 to prevent active content obtained through restricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented or allowed.

Table 2.15 Network Protocol Lockdown Settings

Policy object: All Processes
Description: If you configure this setting to Enabled, restricting content obtained through restricted protocols is allowed for all processes other than Windows Explorer or Internet Explorer. If you configure this setting to Disabled, restricting content obtained through restricted protocols is prevented for all processes other than Windows Explorer or Internet Explorer. The default setting (Not configured) does not enforce this policy for processes other than Windows Explorer and Internet Explorer.
Windows Vista default: Not configured

Policy object: Internet Explorer Processes
Description: If you configure this setting to Enabled, restricting content obtained through restricted protocols is allowed for Windows Explorer and Internet Explorer processes. If you configure this setting to Disabled, restricting content obtained through restricted protocols is prevented for Windows Explorer and Internet Explorer processes. The default (Not configured) setting causes Internet Explorer to ignore this setting.
Windows Vista default: Not configured

Policy object: Process List
Description: This setting allows administrators to define applications for which they want restricting content obtained through restricted protocols to be prevented or allowed.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling the content.

Note   If you set policy for a zone in both Computer Configuration and User Configuration, this action restricts both protocol lists for that zone.

Table 2.16 Restricted Protocols for Security Zone Settings

Policy object: Internet Zone Restricted Protocols
Description: If this setting is enabled, it creates a list of protocols that are restricted for the Internet zone.
Windows Vista default: Not configured

Policy object: Intranet Zone Restricted Protocols
Description: If this setting is enabled, it creates a list of protocols that are restricted for the Intranet zone.
Windows Vista default: Not configured

Policy object: Local Machine Zone Restricted Protocols
Description: If this setting is enabled, it creates a list of protocols that are restricted for the Local Machine zone.
Windows Vista default: Not configured

Policy object: Restricted Sites Zone Restricted Protocols
Description: If this setting is enabled, it creates a list of protocols that are restricted for the Restricted Sites zone.
Windows Vista default: Not configured

Policy object: Trusted Sites Zone Restricted Protocols
Description: If this setting is enabled, it creates a list of protocols that are restricted for the Trusted Sites zone.
Windows Vista default: Not configured

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Object Caching Protection

This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain. Without this protection, script on a page can keep a reference to an object in another window or frame after that window has navigated to a different domain, and then use the cached reference to read or script the new page across the domain boundary.

Table 2.17 Object Caching Protection Settings

| Policy object | Description | Windows Vista default |
|---|---|---|
| All Processes | If you configure this setting to Enabled, an object reference is no longer accessible when navigating within or across domains for all processes. If you configure this setting to Disabled or leave it Not configured, the object reference is retained when navigating within or across domains for sites in the Restricted Sites zone. | Not configured |
| Internet Explorer Processes | If you leave this setting Not configured or configure it to Enabled, an object reference is no longer accessible when navigating within or across domains for Internet Explorer processes. If you configure this setting to Disabled, the object reference is retained for Internet Explorer processes. | Not configured |
| Process List | This setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured |

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Protection From Zone Elevation

Internet Explorer places restrictions on each Web page it opens. The restrictions depend on the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine zone a prime target for malicious users. Zone elevation is an attack in which content from a less trusted zone, such as the Internet zone, causes Internet Explorer to open or script content as though it came from a more trusted zone, such as the Local Machine zone. This feature blocks such navigations, or prompts the user before allowing them, according to the settings of the target zone.

Table 2.18 Protection From Zone Elevation Settings

| Policy object | Description | Windows Vista default |
|---|---|---|
| All Processes | If you configure this setting to Enabled, any zone can be protected from zone elevation for all processes. If you leave this setting Not configured or configure it to Disabled, processes other than Internet Explorer or those listed in the Process List receive no such protection. | Not configured |
| Internet Explorer Processes | If you leave this setting Not configured or configure it to Enabled, any zone can be protected from zone elevation by Internet Explorer processes. If you configure this setting to Disabled, this protection is not applied to Internet Explorer processes. | Not configured ‡ |
| Process List | This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured |

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Restrict ActiveX Install

These policy settings apply restrictions to the installation of ActiveX controls.

Table 2.19 Restrict ActiveX Install Settings

| Policy object | Description | Windows Vista default |
|---|---|---|
| All Processes | If you configure this setting to Enabled, all applications hosting the Web Browser Control block automatic prompting for ActiveX control installation. | Not configured |
| Internet Explorer Processes | If you configure this setting to Enabled, automatic prompting for ActiveX control installation is blocked for Internet Explorer processes. | Not configured ‡ |
| Process List | This setting allows administrators to define a list of executables for which automatic prompting for ActiveX control installation is allowed or blocked. By default this security feature is allowed. | Not configured |

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Restrict File Download

These policy settings apply restrictions to file downloads that are automatically attempted without a user initiating the download.

Table 2.20 Restrict File Download Settings

| Policy object | Description | Windows Vista default |
|---|---|---|
| All Processes | If you configure this setting to Enabled, all applications hosting the Web Browser Control block prompting for file downloads that are not user initiated. | Not configured |
| Internet Explorer Processes | If you configure this setting to Enabled, prompting for file downloads that are not user initiated is blocked for Internet Explorer processes. | Not configured ‡ |
| Process List | This setting allows administrators to define a list of executables for which the blocking of prompts for file downloads that are not user initiated is allowed or prevented. | Not configured |

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.

Scripted Windows Security Restrictions

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user, or that obscure the title and status bars of other windows. These restrictions matter because a scripted window that hides or covers the address and status bars can present spoofed content that the user cannot distinguish from a legitimate site.

Table 2.21 Scripted Windows Security Restrictions Settings

| Policy object | Description | Windows Vista default |
|---|---|---|
| All Processes | If you leave this setting Not configured or configure it to Disabled, scripted windows are not restricted for processes other than Internet Explorer or those listed in the Process List. If you configure this setting to Enabled, scripted windows are restricted for all processes. | Not configured |
| Internet Explorer Processes | If you leave this setting Not configured or configure it to Enabled, the popup and window placement restrictions apply to Windows Explorer and Internet Explorer processes. If you configure this setting to Disabled, scripts in these processes can continue to create popup windows and windows that may be used to obscure other windows. | Not configured ‡ |
| Process List | This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed. | Not configured |

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of the setting in the Group Policy Object Editor.
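The process rows of the Network Protocol Lockdown table and the settings in Tables 2.17 through 2.21 all follow the same All Processes / Internet Explorer Processes / Process List pattern, and Internet Explorer 7 reads them as per-process feature control entries in the registry. The following PowerShell script is an added example and is not part of the Windows Vista Security Guide. It audits which processes each feature is configured for on a computer and can add a Process List entry. It assumes that the feature control keys live under Internet Explorer\Main\FeatureControl in both the Policies hive (where the Group Policy settings land) and the non-policy hive, that each feature's key is its FEATURE_* name, and that DWORD values named * (All Processes), iexplore.exe and explorer.exe (Internet Explorer Processes), or any other image name (Process List) hold 1 for enabled and 0 for excluded. Verify those assumptions against the Explain tab and the Internet Explorer Administrative Template in your environment before relying on the output. The image name contoso-app.exe is hypothetical.

```powershell
# Added example, not from the Windows Vista Security Guide. Audits the
# Internet Explorer 7 security feature controls described in this chapter
# and adds Process List entries. Writing requires an elevated prompt.
#
# Assumptions (verify against the Explain tab and ADMX in your environment):
#  - Group Policy writes the settings under the Policies hive below; the
#    non-policy hive holds the computer's own feature control values.
#  - Each feature's key is its FEATURE_* name; values are DWORDs named
#    "*" (All Processes), "iexplore.exe"/"explorer.exe" (Internet Explorer
#    Processes) or any other image name (Process List); 1 = on, 0 = off.

$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl'
$DefaultRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'

$Features = @{
    'Network Protocol Lockdown'              = 'FEATURE_PROTOCOL_LOCKDOWN'
    'Object Caching Protection'              = 'FEATURE_OBJECT_CACHING'
    'Protection From Zone Elevation'         = 'FEATURE_ZONE_ELEVATION'
    'Restrict ActiveX Install'               = 'FEATURE_RESTRICT_ACTIVEXINSTALL'
    'Restrict File Download'                 = 'FEATURE_RESTRICT_FILEDOWNLOAD'
    'Scripted Windows Security Restrictions' = 'FEATURE_WINDOW_RESTRICTIONS'
}

# Properties the registry provider attaches to every Get-ItemProperty result.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-FeatureControlState {
    # Returns a hashtable of value name -> 0/1 for one feature. The policy
    # hive is read last so its values override the non-policy ones, mirroring
    # the precedence Group Policy has over local configuration.
    param([string]$FeatureKey)
    $state = @{}
    foreach ($root in @($DefaultRoot, $PolicyRoot)) {
        $path = Join-Path $root $FeatureKey
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $state[$prop.Name] = [int]$prop.Value
        }
    }
    return $state
}

function Test-FeatureControlApplies {
    # Resolves whether a feature applies to one image name: an explicit
    # per-process entry wins over "*"; with neither present, $null means the
    # feature's built-in default applies (on for iexplore.exe in Vista).
    param([hashtable]$State, [string]$ImageName)
    if ($State.ContainsKey($ImageName)) { return ($State[$ImageName] -eq 1) }
    if ($State.ContainsKey('*'))        { return ($State['*'] -eq 1) }
    return $null
}

function Add-FeatureControlProcess {
    # Adds or updates a Process List entry for a feature in the policy hive.
    param([string]$FeatureKey, [string]$ImageName, [bool]$Enabled = $true)
    $path = Join-Path $PolicyRoot $FeatureKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $ImageName -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Report which processes each feature is configured for on this computer.
foreach ($name in ($Features.Keys | Sort-Object)) {
    $state  = Get-FeatureControlState -FeatureKey $Features[$name]
    $listed = @($state.Keys | Where-Object {
        $_ -ne '*' -and $_ -ne 'iexplore.exe' -and $_ -ne 'explorer.exe' })
    $ie = Test-FeatureControlApplies -State $state -ImageName 'iexplore.exe'
    if ($null -eq $ie) { $ie = 'built-in default' }
    $all  = if ($state.ContainsKey('*')) { $state['*'] } else { 'not set' }
    $list = if ($listed.Count -gt 0) { $listed -join ',' } else { 'none' }
    '{0,-40} iexplore.exe={1,-17} All={2,-8} ProcessList={3}' -f $name, $ie, $all, $list
}

# Example: opt a line-of-business host of the Web Browser Control into
# zone elevation protection. The image name is hypothetical.
# Add-FeatureControlProcess -FeatureKey 'FEATURE_ZONE_ELEVATION' -ImageName 'contoso-app.exe'
```

Reading HKLM works from a standard prompt, so the report can run as part of a compliance check; only Add-FeatureControlProcess needs elevation. Writing to the Policies hive directly is useful for testing on one computer, but in production the entry should come from the Process List setting in the GPO so that it is not reverted by the next policy refresh.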

More Information

For additional information about the new and enhanced security features and technologies in Windows Vista, see the following resources: