Protecting Client Computers from Network Attacks
Many organizations rely heavily on their network firewalls to protect their workstations and servers from the threats of the Internet. This approach is often called “Hard on the outside, soft on the inside.” Microsoft recommends the use of a network firewall and the workstation security features outlined in the rest of this document. This approach delivers more of a “hard on the inside and outside” approach to security. Network worms making their way inside organizations' firewalls have shown that firewalls are not enough.
Attackers on the Internet create worms and viruses that can destroy or result in the loss or theft of information stored on client computers. These attacks can result in the loss of private information and company secrets, render computers unbootable, and can even be used to launch attacks against other computers. These attacks represent a very real threat to computers connected to the Internet.
Most methods of attack attempt to take advantage of known computer security issues. Implementing the following features can provide significant protection for client computers that run the Microsoft® Windows® XP operating system with Service Pack 2 (SP2):
Personal firewall (Windows Firewall)
Updating service packs and patches (Auto-Update)
Antivirus software with up-to-date signatures (Windows Live OneCare)
Antispyware software with up-to-date signatures (Windows Defender)
Objective of this Document
At the end of this document, the reader should be familiar with the tools and features available from Microsoft to increase the security of Windows XP SP2 client computers within a small to medium-sized business network.
Before You Begin
You should be aware of the following information before you apply any of the recommendations in this document.
Most of the tasks described within this document require an administrative account. A regular user will not be able to perform these tasks.
Microsoft recommends upgrading all Windows workstations to Windows XP SP2. It contains the most current security features, many of which are enabled by default.
Microsoft also recommends upgrading all versions of existing installations of Internet Explorer to the most current version.
The security setting defaults found within the tools discussed in this document are Microsoft recommendations. These recommendations were made to balance the functionality and security of Windows XP SP2. Many organizations have unique security requirements; all of these security features are configurable or can be disabled.
Windows Live OneCare
Microsoft offers Windows Live OneCare, an automatically self-updating PC care service that runs quietly in the background. It helps provide persistent protection against viruses, hackers, and other threats, and helps keep your PC tuned up and your important documents backed up. For more details, see Windows Live OneCare at www.windowsonecare.com.
Windows Live OneCare provides a single console to check the status of several security-related services on your Windows XP workstation. The single screen describes the status of virus protection, patch levels, system health, and last data backup.
Computer viruses are software programs deliberately designed to interfere with computer operation. They can record, corrupt, or delete data, or spread themselves to other computers and throughout the Internet, often slowing things down and causing other problems in the process.
Just as human viruses range in severity from the 24-hour flu to the Ebola virus, computer viruses range from the mildly annoying to the downright destructive. They also take on new and different forms. The good news is that with an ounce of prevention and a little knowledge, you are less likely to fall victim to viruses and you can diminish their impact.
With Windows Live OneCare, antivirus signatures and operating system security patches are updated automatically, keeping your computer up-to-date without manual intervention.
For a list of software vendors that also provide antivirus software compatible with Windows XP, see http://support.microsoft.com/kb/49500.
Windows Firewall works on a single computer, and helps protect your computer from hackers when you send or receive files. Windows Live OneCare continuously monitors Windows Firewall.
Windows Defender can be downloaded from Microsoft, and it helps protect private information on computers from Internet attacks. Windows Live OneCare monitors the status of Windows Defender.
Windows Live OneCare updates itself automatically to help ensure that your virus, firewall, and spyware protection is always up-to-date and ready to help protect you from the latest threats.
File Backup and Restore
With Windows Live OneCare you can make copies of important files and documents and store them on a CD, DVD, or an external hard drive in case of an emergency. You can do it manually or have Windows Live OneCare do it automatically so you don't have to remember to back up your files and documents on a regular basis. Windows Live OneCare will also help restore backed-up files to your computer if you've encountered problems.
Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information. That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but "pay" for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.
Other kinds of unwanted software will make changes to your computer that can be annoying and can cause your computer to slow down or crash. These programs have the ability to change your Web browser's home page or search page, or add components to your browser that you do not need or want. These programs also make it very difficult for you to change your settings back to the way you originally had them. These types of unwanted programs are also often called spyware.
Windows Defender (Beta2) is a security technology that helps protect Windows users from spyware and other potentially unwanted software. Known spyware on your PC can be detected and removed, which helps reduce negative effects caused by spyware, including slow PC performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of your private information. Continuous protection improves Internet browsing safety by guarding more than 50 ways spyware can enter your PC. Participants in the worldwide SpyNet™ community play a key role in determining which suspicious programs are classified as spyware. Microsoft researchers quickly develop methods to counteract these threats, and updates are automatically downloaded to your PC so you stay up-to-date.
You can download Windows Defender from www.microsoft.com/athome/security/spyware/software/default.mspx. The current version is a Beta 2 version. The file name is WindowsDefender.msi and it is about 5.5MB in size. (The file name and size may change after the full release.)
Complete the following steps to install Windows Defender (Beta 2) when you download it.
When you download Windows Defender (Beta 2), the following dialog box will display. Click Run.
The following Welcome to the Installation Wizard for Windows Defender screen will display. Click Next.
The Windows Defender License Agreement will display (shown in the following screen shot). Review the terms of the agreement.
To continue installation, select I accept the terms in the license agreement and then click Next.
On the Help protect Windows screen (shown in the following screen shot), select Use recommended settings. Click the Privacy Statement button if you wish to read it. Then click Next.
On the Setup Type screen (shown in the following screen shot), select Complete and then click Next.
When the following Ready to Install Windows Defender screen displays, click the Install button to begin the installation.
After the installation process is complete, the following Windows Defender Installation Complete screen should display.
Ensure the Check for updated definitions and run a quick scan now option is selected, and then click Finish.
Note An Internet connection is required for this step.
When the following screen displays, click the Check for Updates button to obtain recent updates.
For more details and advanced features of Windows Defender (Beta 2), see the Windows Defender (Beta 2) Web site at www.microsoft.com/athome/security/spyware/software/default.mspx.
A firewall is a security system that acts as a protective boundary between a network and the outside world. Windows XP SP2 includes Windows Firewall, software that functions in much the same way for each individual client computer.
Windows Firewall comes installed on Windows XP Professional SP2 and is highly configurable. It is enabled by default and helps protect against network attacks. Windows Live OneCare also monitors Windows Firewall, and provides a single console to check the overall security status of your PC. The rest of this document will show you how to change Windows Firewall settings through the Windows Security Center, which is found within the Control Panel.
Note Windows Firewall is not intended to replace the functionality of a network firewall. Windows networking is enabled and allowed to pass Windows Firewall, which means that you can still communicate with other network computers, print, and access network shares. A network firewall is still recommended to protect the ports that are opened by these functions.
Windows Firewall general settings allow you to configure these options:
Off (not recommended). Turning off Windows Firewall will make your computer more vulnerable to damage from viruses, worms, or intruders.
To open the Windows Security Center, click Start, then click Control Panel. The following screen will display.
In the Pick a category section, click Security Center. The Windows Security Center screen will display (shown in the following screen shot).
By default, Windows Firewall displays a notification dialog box whenever it blocks a program that attempts to communicate from your computer to another. The dialog box looks similar to the one shown in the following screen shot:
The dialog box indicates which program has been blocked and allows you to choose whether to allow this program. The available options are:
Keep Blocking. Use this option so the program won't accept connections from the Internet or network without your permission.
Unblock. Use this option to place the program in the Windows Firewall exceptions list.
Ask me later. Use this option if you do not know whether to block or to unblock the program. This option keeps the program blocked for greater security. This message appears again the next time that this program is blocked.
Understand How Applications Use Ports
A port is a connection point that a program uses to communicate with other programs, especially programs running on other computers. Each port is identified by the combination of a transport and a port number. Specific ports are associated with each type of application or service. For example, the standard port for a Web server is TCP port 80, the standard port for a File Transfer Protocol (FTP) server is TCP port 21, and the Windows Server service that provides file and print sharing receives messages at four ports: UDP ports 137 and 138, and TCP ports 139 and 445.
Windows Firewall blocks all ports from receiving unsolicited inbound messages. This functionality protects your computer because it blocks the messages that malicious code typically uses to gain access to your computer. Windows Firewall does not interfere with most legitimate business software because, as a general rule, that software does not send unsolicited messages to client computers.
Because firewalls restrict communication between the Internet and your computer, you might need to adjust settings for some other programs that prefer an open connection. You can make exceptions for these programs so that they can communicate through Windows Firewall.
Allowing Exceptions—the Risks
Each time you allow an exception for a program to communicate through Windows Firewall, your computer is made more vulnerable. To allow an exception is like poking a hole through the firewall. If there are too many holes, there's not much wall left in your firewall. Hackers often use software that scans the Internet looking for computers with unprotected connections. If you have lots of exceptions and open ports, your computer can become more vulnerable.
To help decrease your security risk:
Only allow an exception when you really need it.
Never allow an exception for a program that you don’t recognize.
Remove an exception when you no longer need it.
Allowing Exceptions Despite the Risks
Sometimes you might want someone to be able to connect to your computer, despite the risk—such as when you expect to receive a file sent through an instant messaging program over the Internet.
If you're exchanging instant messages with someone who wants to send you a file (a spreadsheet, for example), Windows Firewall will display a prompt that asks if you want to unblock the connection and allow the file transfer. Alternatively, you can add the instant messaging program as an exception so that Windows Firewall will allow the connection to reach your computer.
To add a program to the exceptions list, complete the steps in the following procedure.
Click Start and then click Control Panel.
In Control Panel, click Security Center and then click Windows Firewall.
On the Exceptions tab, under Programs and Services (shown in the following sample screen shot), select the check box for the program or service that you want to allow. Then click OK.
If the program (or service) that you want to allow is not listed:
Click Add Program.
In the Add a Program dialog box, select the program that you want to add, and then click OK.
Tip If the program (or service) that you want to allow is not listed in the Add a Program dialog box, click Browse, locate the program that you want to add, and then double-click it. (Programs are usually stored in the Program Files folder on your computer.) The program will appear under Programs, in the Add a Program dialog box.
As a Last Resort, Open a Port
If you still do not find the program, you can open a port instead. A port is like a small door in the firewall that allows communications to pass through. To specify which port to open, on the Exceptions tab, click Add Port. (When you open a port, remember to close it again when you are done using it.)
Adding an exception is preferable to opening a port for the following reasons:
It is easier to do.
You do not need to know which port number to use.
Adding an exception is more secure than opening a port, because the firewall is only open while the program is waiting to receive a connection.
Advanced users can open ports for, and configure the scope of, individual connections to minimize opportunities for intruders to connect to a computer or network. To do so, open Windows Firewall, click the Advanced tab, and use the settings under Network Connection Settings.
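The exceptions-list procedure and the port/scope settings above can also be applied and verified from an administrator command prompt with the Windows XP SP2 netsh firewall context. This is an added example, not part of the original document; the program path, program name and port number are placeholders.

```batch
@echo off
rem Added example: scripts the Windows Firewall recommendations above using the
rem Windows XP SP2 "netsh firewall" context. Run from an administrator prompt.
rem The program path, name and port below are placeholders, not real values.

rem 1. Keep the firewall on for both profiles and keep honouring the exceptions
rem    list (use exceptions=DISABLE for the "Don't allow exceptions" mode).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Keep the notification dialog that appears when a program is blocked.
netsh firewall set notifications mode=ENABLE profile=ALL

rem 3. Preferred approach: add the program itself to the exceptions list.
rem    scope=SUBNET limits the exception to the local subnet, not the Internet.
netsh firewall add allowedprogram program="C:\Program Files\ExampleIM\exampleim.exe" name="Example IM (placeholder)" mode=ENABLE scope=SUBNET profile=ALL

rem 4. Last resort: open a fixed port, again restricted to the local subnet.
netsh firewall add portopening protocol=TCP port=5555 name="Example IM file transfer (placeholder)" mode=ENABLE scope=SUBNET profile=ALL

rem 5. Review what is now open so stale exceptions and ports can be spotted.
netsh firewall show allowedprogram
netsh firewall show portopening

rem 6. Remove the port and the exception as soon as they are no longer needed.
netsh firewall delete portopening protocol=TCP port=5555
netsh firewall delete allowedprogram program="C:\Program Files\ExampleIM\exampleim.exe"
```

The show commands in step 5 are the scripted equivalent of reviewing the Exceptions tab; run them periodically to find exceptions that should have been removed.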
To learn more about advanced features, see "Understanding Windows Firewall" at www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx.
For more information about opening ports, see the following:
“Network Ports Used by Key Microsoft Server Products” on the Microsoft Small Business Center Web site at www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx.
"Port Numbers," a document on the Internet Assigned Numbers Authority Web site at www.iana.org/assignments/port-numbers.
For more general information about firewalls, see the following:
"Changes to Functionality in Microsoft Windows XP Service Pack 2 - Part 2: Network Protection Technologies" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?linkid=35486.
For more information about Windows XP SP2 security, see the following:
The Windows XP Security Guide on the Microsoft Download Center Web site at http://go.microsoft.com/fwlink/?linkid=35309.
For definitions of security-related terms, see the following:
The Microsoft Security Glossary on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=35468.