Phishing Filter and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Phishing Filter in Internet Explorer 7

Overview: Using Phishing Filter in a Managed Environment

How Phishing Filter Communicates with a Site on the Internet

Controlling Phishing Filter to Limit the Flow of Information to and from the Internet

For information about Internet Explorer 7 as a whole, see Internet Explorer 7 and Resulting Internet Communication in Windows Vista in this white paper.

Benefits and Purposes of Phishing Filter in Internet Explorer 7

Internet Explorer 7 includes Microsoft Phishing Filter to help protect against phishing Web sites that attempt to trick users into revealing personally identifiable information. Phishing Filter, when enabled, includes the following functionality:

  • A list of Web site addresses stored on the computer that have been reported to Microsoft as legitimate ("legitimate list"). If a URL matches the built-in "legitimate list," Phishing Filter takes no action. This initial screening is fast and occurs completely on the local system.

    Note that the list of Web site addresses that have been reported to Microsoft as legitimate is stored locally, but is kept up-to-date like other software when you apply software updates, as described in Windows Update and Resulting Internet Communication in Windows Vista.

    Phishing Filter ignores intranet sites, that is, sites within the boundary created by your corporate firewall. You can also configure Phishing Filter so it ignores all sites on the Trusted Sites list in Internet Explorer.

  • The ability to communicate with the Microsoft URL Reputation Service, an online service that uses data about phishing sites obtained from non-Microsoft data providers and end-user feedback reports. Phishing Filter communicates with the URL Reputation Service if a URL that a user attempts to go to does not match any site on the built-in "legitimate list." The data about phishing sites is updated at least hourly. If the check reveals that the URL has been placed on the list maintained by the URL Reputation Service, Phishing Filter blocks the user from going to the site.

    If Phishing Filter is set to "automatic," it performs these checks with the URL Reputation Service automatically. If it is enabled but not set to automatic, and the user attempts to go to a URL that is not on the "legitimate list," Phishing Filter asks the user whether to perform the check with the URL Reputation Service.

  • Browser-based heuristics that can analyze Web pages in real time, looking for suspicious characteristics. If these characteristics are seen, Phishing Filter warns the user. However, if the Web site is not on the list maintained by the URL Reputation Service, the user can still connect to the site.

Overview: Using Phishing Filter in a Managed Environment

In a managed environment, you can use Group Policy to control Phishing Filter in a variety of ways, including:

  • Turning on automatic Phishing Filter for all computers running Windows Vista.

  • Controlling Phishing Filter so that it always prompts before checking with the online URL Reputation Service (that is, you can enable Phishing Filter but set it to "manual" instead of "automatic").

  • Turning off Phishing Filter.

For details about all of the preceding options, see "Controlling Phishing Filter to Limit the Flow of Information to and from the Internet," later in this section.

How Phishing Filter Communicates with a Site on the Internet

Internet Explorer 7 includes Phishing Filter to help protect against phishing Web sites that attempt to trick users into revealing personally identifiable information. This subsection describes how Phishing Filter might communicate with a site on the Internet as it evaluates a Web site URL that a user is trying to reach.

Important

Phishing Filter only communicates with a site on the Internet if the URL that the user is trying to reach is not on a built-in list of Web site addresses that have been reported to Microsoft as legitimate ("legitimate list"). If the site is on the "legitimate list" or is an intranet site (inside the boundary defined by your organization's firewall), Phishing Filter takes no action.

  • Default settings: When the computer is first started after installation of Windows Vista, prompts appear, recommending steps that can help protect the computer, including opting into and turning on automatic Phishing Filter.

  • Triggers: When a user tries to go to a Web site, the URL that the user is trying to reach is compared to a "legitimate list" that is built into Phishing Filter. If the URL matches a site on the list, the user can go to the site without any further checks (Phishing Filter takes no action). If the URL does not match any site on the list and Phishing Filter is enabled, one of the following actions occurs:

    • If automatic Phishing Filter is enabled, Phishing Filter sends an inquiry to the Microsoft URL Reputation Service.

    • If Phishing Filter is enabled but not set to "automatic," the user is prompted about whether to allow Phishing Filter to check that site with the online Microsoft URL Reputation Service.

      If the URL Reputation Service detects that a URL is a known phishing site, the site is blocked, preventing the user from entering any personal information into it.

      If a check that Phishing Filter performs on the contents of the site shows that the site appears to be suspicious, a warning about phishing sites is displayed to the user, although the user can still choose to go to the site.

  • Specific information sent:

    • URL: Only the domain and path information in the URL, without additional information such as search strings that might be appended to the domain and path of the URL.

      However, if the URL is on the built-in "legitimate list" in Windows Vista, Phishing Filter takes no action and nothing is sent.

    • Detailed software version information: The browser version, the Phishing Filter version, and the version of the "legitimate list" (described in the note labeled "Important" at the beginning of this subsection).

    • Operating system version: Windows Vista

    • Language/locale setting for the browser: The language/locale for the browser display, for example, English (United States).

    • Anonymous statistics about how often Phishing Filter is triggered: Phishing Filter tracks basic statistics, such as how often a warning is generated and how often a query is made to the URL Reputation Service. This statistical information is sent to Microsoft and used to analyze the performance and improve the quality of the Phishing Filter service. For more information, see the privacy statement for Internet Explorer 7 on the Microsoft Web site at:

      https://go.microsoft.com/fwlink/?LinkId=70681

  • User notification: If Phishing Filter is enabled, the user is not notified when Phishing Filter performs a check, but is notified if Phishing Filter detects a known or suspicious phishing site.

  • Logging: By default, Phishing Filter does not log events. However, if you use the Application Compatibility Toolkit to enable logging for application compatibility events, Phishing Filter logs an event when a Web site is blocked or has suspicious characteristics. For information about the Application Compatibility Toolkit, see the TechNet Web site at:

    https://go.microsoft.com/fwlink/?LinkId=29880

  • Encryption: Any information sent to the URL Reputation Service is encrypted.

  • Access: The teams that maintain Phishing Filter and the URL Reputation Service have access to the data that is sent to the URL Reputation Service (including the anonymous statistics described earlier in this list).

  • Privacy: The privacy statement for Internet Explorer 7 is on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=70681

  • Transmission protocol and port: The transmission protocol for any information transmitted to the URL Reputation Service is HTTPS, and the port is 443.

  • Ability to disable: Phishing Filter can be disabled through the Windows Vista interface or through Group Policy. For more information, see the resources listed in the subsection that follows.
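The evaluation order described under "Triggers" and the data-minimisation rule under "Specific information sent" (only domain and path leave the machine) are easy to misread, so the following is an added model of that flow. It is example code written for this section, not Microsoft's implementation: the legitimate list, intranet suffix and Trusted Sites entries are constructed sample data, the intranet test is a simplified assumption (configured DNS suffix or private IP address), and the three modes correspond to the Automatic, Manual and Off choices of the "Select phishing filter mode" Group Policy option described later in this section.

```python
"""Model of the Phishing Filter decision flow described in this section.
Constructed example, not Microsoft's code; lists and suffixes are invented."""
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import urlsplit
import ipaddress


class Mode(Enum):
    # The three values of "Select phishing filter mode" in the Group Policy setting.
    OFF = "off"
    MANUAL = "manual"
    AUTOMATIC = "automatic"


class Decision(Enum):
    FILTER_OFF = "filter disabled, nothing sent"
    NO_ACTION = "local screening passed, nothing sent"
    QUERY_SENT = "minimised URL sent to the URL Reputation Service"
    PROMPT_USER = "user asked before any query is sent"


# Constructed sample data standing in for the built-in "legitimate list",
# the intranet boundary and the Trusted Sites zone (assumptions, not real data).
LEGITIMATE_LIST = {"www.example.com", "bank.example.org"}
INTRANET_SUFFIXES = (".corp.example",)
TRUSTED_SITES = {"partner.example.net"}


def minimise_url(url: str) -> str:
    """Keep only scheme, host and path, as the page states: query strings,
    fragments, ports and any credentials embedded in the URL are dropped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return f"{parts.scheme}://{host}{path}"


def is_intranet(host: str) -> bool:
    """Approximation of 'inside the corporate firewall': a configured internal
    DNS suffix or a private IP address (assumption; the real zone rules are richer)."""
    if host.endswith(INTRANET_SUFFIXES):
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def evaluate(url: str, mode: Mode,
             ignore_trusted_sites: bool = False) -> Tuple[Decision, Optional[str]]:
    """Return what the filter does for this URL and the exact string that
    would leave the machine (None when nothing is sent)."""
    if mode is Mode.OFF:
        return Decision.FILTER_OFF, None
    host = (urlsplit(url).hostname or "").lower()
    # Fast, fully local screening: legitimate list, intranet, optionally Trusted Sites.
    if host in LEGITIMATE_LIST or is_intranet(host):
        return Decision.NO_ACTION, None
    if ignore_trusted_sites and host in TRUSTED_SITES:
        return Decision.NO_ACTION, None
    # Only now does anything go to the online service, and only the minimised URL.
    payload = minimise_url(url)
    if mode is Mode.AUTOMATIC:
        return Decision.QUERY_SENT, payload
    return Decision.PROMPT_USER, payload


if __name__ == "__main__":
    samples = [
        "https://www.example.com/home?x=1",
        "http://wiki.corp.example/page",
        "https://login.example.net/account/verify?id=123&token=abc#top",
    ]
    for mode in Mode:
        for sample in samples:
            decision, sent = evaluate(sample, mode)
            print(f"{mode.value:9} {sample:60} -> {decision.value}; sent={sent!r}")
```

Running the module prints, for each mode, which URLs never leave the machine and what the query for an unknown site looks like once the query string, fragment and any embedded credentials have been stripped; that stripped form is the value an administrator would expect to see on the HTTPS connection to port 443 described above.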

Controlling Phishing Filter to Limit the Flow of Information to and from the Internet

This subsection provides information about controlling settings for Phishing Filter.

Note that when the computer is first started after installation of Windows Vista, prompts appear recommending steps that can help protect the computer, including opting into and turning on automatic Phishing Filter. Also, if Phishing Filter is turned on but not set to "automatic," and a user tries to access a Web site that is not on the built-in list of Web site addresses that have been reported to Microsoft as legitimate, the user is asked whether to allow Phishing Filter to check that site with the online Microsoft URL Reputation Service.

Note that the list of Web site addresses that have been reported to Microsoft as legitimate is stored locally, but is kept up-to-date like other software when you apply software updates, as described in Windows Update and Resulting Internet Communication in Windows Vista.

To Control Phishing Filter on a Computer Running Windows Vista

  1. On the computer on which you want to control Phishing Filter, in Internet Explorer, click Tools, point to Phishing Filter, and then click Turn on Automatic Website Checking or Turn off Automatic Website Checking.

  2. Click the option you want:

    • Turn on automatic Phishing Filter

    • Turn off automatic Phishing Filter

    Note that if you want to completely disable Phishing Filter, in Internet Explorer, instead of following Step 1, use Tools\Phishing Filter\Phishing Filter Settings to display the Advanced tab of the Properties sheet for Internet Options. Scroll down, and under Security, click Disable Phishing Filter.

To Control Whether Phishing Filter is Turned On for Trusted Sites in Internet Explorer 7 on a Computer Running Windows Vista

  1. On the computer on which you want to control Phishing Filter, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

  2. Select Trusted sites.

  3. Under Security level for this zone, click Custom Level, and then scroll down to Use Phishing Filter (more than halfway down the list).

  4. Choose the setting you want for Trusted sites (Enable or Disable).

To Control Phishing Filter by Using Group Policy

  1. See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate Group Policy object (GPO).

Note

You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).

  2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Administrative Templates, expand Windows Components, and then click Internet Explorer.

  4. In the details pane, double-click Turn off Managing Phishing filter. Click Enabled, which means that users cannot control Phishing Filter settings, and then be sure to choose a setting for Select phishing filter mode:

    • Automatic: Automatic Phishing Filter is always enabled.

    • Manual: Phishing Filter is always enabled, but it will always prompt before checking with the online URL Reputation Service.

    • Off: Phishing Filter is completely disabled.

Note

Disabling this Group Policy setting (Turn off Managing Phishing filter) does not disable Phishing Filter, but instead means that users control Phishing Filter settings on the local computer running Windows Vista.

Additional References