Phishing Filter and Resulting Internet Communication in Windows Server 2008

Applies To: Windows Server 2008

In This Section

Benefits and Purposes of Phishing Filter in Internet Explorer 7

Overview: Using Phishing Filter in a Managed Environment

How Phishing Filter Communicates with a Site on the Internet

Controlling Phishing Filter to Limit the Flow of Information to and from the Internet

For information about Internet Explorer 7 as a whole, see Internet Explorer 7 and Resulting Internet Communication in Windows Server 2008 in this white paper.

Benefits and Purposes of Phishing Filter in Internet Explorer 7

Internet Explorer 7 includes Microsoft Phishing Filter to help protect against phishing Web sites. Phishing Filter operates in the background when the browser is running and provides an early warning system to notify users of suspicious Web sites that could be engaging in identity and data theft. Phishing Filter is one of multiple layers of defense in the anti-phishing strategies developed by Microsoft. For more information, see the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=108082

Phishing Filter, when enabled, includes the following functionality:

  • A list of Web site addresses stored on your computer that have been reported to Microsoft as legitimate ("legitimate list"). If a URL that you attempt to go to matches the list, Phishing Filter takes no action. This initial screening is fast and occurs completely on the local system.

    Note that the list of Web site addresses that have been reported to Microsoft as legitimate is stored locally, but is kept up-to-date like other software when you apply software updates, as described in Windows Update and Resulting Internet Communication in Windows Server 2008.

    Phishing Filter ignores intranet sites, that is, sites within the boundary created by your corporate firewall. You can also configure Phishing Filter so it ignores all sites on the Trusted Sites list in Internet Explorer.

  • The ability to communicate with the Microsoft URL Reputation Service, an online service that uses data about phishing sites obtained from non-Microsoft data providers and end-user feedback reports. Phishing Filter communicates with the URL Reputation Service if a URL that you attempt to go to does not match any site on the built-in "legitimate list." The data about phishing sites is updated at least hourly. If the check reveals that the URL has been placed on the list maintained by the URL Reputation Service, Phishing Filter blocks you from going to the site.

    If Phishing Filter is set to "automatic," it performs these checks using the URL Reputation Service automatically. If it is enabled but not set to automatic, and you attempt to go to a URL that is not on the "legitimate list," Phishing Filter asks you whether to perform the check with the URL Reputation Service.

  • Browser-based heuristics that can analyze Web pages in real time, looking for suspicious characteristics. If these characteristics are detected, Phishing Filter warns you. However, if the Web site is not on the list maintained by the URL Reputation Service, you can still connect to the site.

Overview: Using Phishing Filter in a Managed Environment

In a managed environment, you can use Group Policy to control Phishing Filter in a variety of ways, including:

  • Turning on automatic Phishing Filter for all computers running Windows Server 2008.

  • Controlling Phishing Filter so that it always prompts before checking with the online URL Reputation Service (that is, you can enable Phishing Filter but set it to "manual" instead of "automatic").

  • Turning off Phishing Filter.

For details about all of the preceding options, see Controlling Phishing Filter to Limit the Flow of Information to and from the Internet, later in this section.

How Phishing Filter Communicates with a Site on the Internet

Internet Explorer 7 includes Phishing Filter to help protect against phishing Web sites that attempt to trick you into revealing personally identifiable information. This subsection describes how Phishing Filter might communicate with a site on the Internet as it evaluates a Web site URL that you are trying to reach.

Important

Phishing Filter only communicates with a site on the Internet if the URL that you are trying to reach is not on a built-in list of Web site addresses that have been reported to Microsoft as legitimate ("legitimate list"). If the site is on the "legitimate list" or is an intranet site (inside the boundary defined by your organization's firewall), Phishing Filter takes no action.

  • Default settings: By default, Phishing Filter is enabled but not set to automatic in the version of Internet Explorer built into Windows Server 2008. In other words, a URL that you are trying to reach is compared to a "legitimate list" that is built into Phishing Filter. If the URL does not match any site on the list, you are prompted about whether to allow Phishing Filter to check that site with the online Microsoft URL Reputation Service.

  • Triggers: When you try to go to a Web site, the URL that you are trying to reach is compared to a "legitimate list" that is built into Phishing Filter. If the URL matches a site on the list, you can go to the site without any further checks (Phishing Filter takes no action). If the URL does not match any site on the list and Phishing Filter is enabled, one of the following actions occurs:

    • If automatic Phishing Filter is enabled, Phishing Filter sends an inquiry to the Microsoft URL Reputation Service.

    • If Phishing Filter is enabled but not set to "automatic," you are prompted about whether to allow Phishing Filter to check that site with the online Microsoft URL Reputation Service.

      If the URL Reputation Service detects that a URL is a known phishing site, the site is blocked, preventing you from entering any personal information into it.

      If a check that Phishing Filter performs on the contents of the site shows that the site appears to be suspicious, a warning about phishing sites is displayed, although you can still choose to go to the site.

  • Specific information sent:

    • URL: Only the domain and path information in the URL, without additional information such as search strings that might be appended to the domain and path of the URL.

      However, if the URL is on the built-in "legitimate list" in Windows Server 2008, Phishing Filter takes no action and nothing is sent.

    • Detailed software version information: The browser version, the Phishing Filter version, and the version of the "legitimate list" (described in the note labeled "Important" at the beginning of this subsection).

    • Operating system version: Windows Server 2008

    • Language/locale setting for the browser: The language/locale for the browser display, for example, English (United States).

    • Anonymous statistics about how often Phishing Filter is triggered: Phishing Filter tracks basic statistics, such as how often a warning is generated and how often a query is made to the URL Reputation Service. This statistical information is sent to Microsoft and used to analyze the performance and improve the quality of the Phishing Filter service. For more information, see the privacy statement for Internet Explorer 7 on the Microsoft Web site at:

      https://go.microsoft.com/fwlink/?LinkId=70681

  • User notification: If Phishing Filter is enabled, you are not notified when Phishing Filter performs a check, but you are notified if Phishing Filter detects a known or suspicious phishing site.

  • Logging: By default, Phishing Filter does not log events. However, if you use the Application Compatibility Toolkit to enable logging for application compatibility events, Phishing Filter logs an event when a Web site is blocked or has suspicious characteristics. For information about the Application Compatibility Toolkit, see the TechNet Web site at:

    https://go.microsoft.com/fwlink/?LinkId=106403

  • Encryption: Any information sent to the URL Reputation Service is encrypted.

  • Access: The teams that maintain Phishing Filter and the URL Reputation Service have access to the data that is sent to the URL Reputation Service (including the anonymous statistics described earlier in this list).

  • Privacy: The privacy statement for Internet Explorer 7 (which includes Phishing Filter) is on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=70681

  • Transmission protocol and port: The transmission protocol for any information transmitted to the URL Reputation Service is HTTPS, and the port is 443.

  • Ability to disable: Phishing Filter can be disabled through the Windows Server 2008 interface or through Group Policy. For more information, see the resources listed in the subsection that follows.
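The decision flow described in this subsection, as an added example that is not part of this white paper or of Internet Explorer: the local screening stage (legitimate list, intranet, optional Trusted Sites exemption, and the Automatic/Manual/Off mode), the reduction of a URL to the domain and path that is the only URL data sent, and the block/warn/allow outcome. The legitimate list entries, the intranet DNS suffix, and the Trusted Sites entry are constructed sample data.

```python
"""Model of the Phishing Filter decision flow (constructed example, not
Microsoft's code). It shows which URLs would trigger a lookup and what part
of the URL would be sent: scheme, host and path only; query string dropped."""
from urllib.parse import urlsplit

# Constructed sample data: a local "legitimate list", an assumed corporate
# DNS suffix standing in for "inside the firewall", and one Trusted Site.
LEGITIMATE_LIST = {"www.microsoft.com", "update.microsoft.com"}
INTRANET_SUFFIXES = (".corp.example",)
TRUSTED_SITES = {"partner.example.net"}


def url_for_lookup(url: str) -> str:
    """Reduce a URL to the domain and path the page says is sent, dropping
    the query string, the fragment, and any user:password part."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{parts.scheme}://{host}{parts.path or '/'}"


def local_screening(url: str, mode: str, skip_trusted: bool = False) -> str:
    """First stage, entirely local. Returns one of:
    'no_action' - filter off, legitimate list, intranet, or Trusted Sites exemption
    'query'     - Automatic mode: send domain+path to the URL Reputation Service
    'prompt'    - Manual mode: ask the user before any lookup is made"""
    host = (urlsplit(url).hostname or "").lower()
    if mode == "off":
        return "no_action"
    if host in LEGITIMATE_LIST or host.endswith(INTRANET_SUFFIXES):
        return "no_action"
    if skip_trusted and host in TRUSTED_SITES:
        return "no_action"
    return "query" if mode == "automatic" else "prompt"


def outcome(on_reputation_list: bool, heuristics_suspicious: bool) -> str:
    """Second stage, after a lookup or page analysis. A hit on the list kept
    by the URL Reputation Service blocks the page; a heuristics hit only
    warns, and the user can still continue to the site."""
    if on_reputation_list:
        return "block"
    if heuristics_suspicious:
        return "warn"
    return "allow"
```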

Controlling Phishing Filter to Limit the Flow of Information to and from the Internet

This subsection provides information about controlling settings for Phishing Filter.

To Control Phishing Filter on a Computer Running Windows Server 2008

  1. On the computer on which you want to control Phishing Filter, in Internet Explorer, click Tools, point to Phishing Filter, and then click Turn on Automatic Website Checking or Turn off Automatic Website Checking.

  2. Click the option you want:

    • Turn on automatic Phishing Filter

    • Turn off automatic Phishing Filter

    Note that if you want to completely disable Phishing Filter, in Internet Explorer, instead of following Step 1, use Tools\Phishing Filter\Phishing Filter Settings to display the Advanced tab of the Properties sheet for Internet Options. Scroll down, and under Security, click Disable Phishing Filter.

To Control Whether Phishing Filter is Turned On for Trusted Sites in Internet Explorer 7 on a Computer Running Windows Server 2008

Note

In Windows Server 2008, if Internet Explorer Enhanced Security Configuration is turned on, Phishing Filter is turned on for Trusted Sites. This setting cannot be changed except by first turning off Internet Explorer Enhanced Security Configuration, which can be done through Server Manager in the Security Information section. For more information, see Internet Explorer 7 and Resulting Internet Communication in Windows Server 2008.

  1. On the computer on which you want to control Phishing Filter, in Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

  2. Select Trusted sites.

  3. Under Security level for this zone, click Custom Level, then scroll down to Use Phishing Filter (more than halfway down the list).

  4. Choose the setting you want for Trusted sites (Enable or Disable).

To Control Phishing Filter by Using Group Policy

  1. See Appendix B: Resources for Learning About Group Policy for Windows Server 2008 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Server 2008 (with the Group Policy Management feature installed) or Windows Vista. Then open Group Policy Management Console (GPMC) by running gpmc.msc and edit an appropriate Group Policy object (GPO).

Note

You must perform this procedure by using GPMC on a computer running Windows Server 2008 or Windows Vista.

  2. If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Internet Explorer.

  4. In the details pane, double-click Turn off Managing Phishing filter. Click Enabled, which means that users cannot control Phishing Filter settings, and then be sure to choose a setting for Select phishing filter mode:

    • Automatic: Automatic Phishing Filter is always enabled.

    • Manual: Phishing Filter is always enabled, but it will always prompt before checking with the online URL Reputation Service.

    • Off: Phishing Filter is completely disabled.

Note

Disabling this Group Policy setting (Turn off Managing Phishing filter) does not disable Phishing Filter, but instead means that users control Phishing Filter settings on the local computer running Windows Server 2008.

Additional References