Introduction to Controlling Communication with the Internet in Windows 7 and Windows Server 2008 R2

Updated: December 16, 2009

Applies To: Windows 7, Windows Server 2008 R2

Windows Server® 2008 R2 and Windows® 7 include a variety of technologies that communicate with the Internet to provide increased ease-of-use and functionality. Browser and e-mail technologies are examples, but there are also technologies such as automatic updating that help you obtain the latest software and product information, including bug fixes and software updates. These technologies provide many benefits for users, but they also involve communication with Internet sites, which administrators might want to control.

You can control this communication through a variety of options that are built into individual features, the operating system, and features that are designed for managing configurations across your organization. For example, as an administrator, you can use Group Policy settings to control the way some features communicate. For some features, you can create an environment in which all communication is directed to the organization’s internal Web site (for example, an internal update server) instead of to an external Internet site.

This document provides information about the communication that flows between features in Windows Server 2008 R2 and Windows 7 and Internet sites, and it describes steps to take to limit, control, or prevent that communication in an organization with many users. This document is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Server 2008 R2 and Windows 7 in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets.

This document provides guidelines for controlling features in the following operating systems:

  • Windows 7 Ultimate

  • Windows 7 Enterprise

  • Windows 7 Professional

  • Windows Web Server 2008 R2

  • Windows Server 2008 R2 Standard

  • Windows Server 2008 R2 Enterprise

  • Windows Server 2008 R2 Datacenter

For more information about the features that are available in each edition of Windows Server 2008 R2 and Windows 7, see the following pages on the Microsoft Web site:

This document is organized around individual features that are found in Windows Server 2008 R2 and Windows 7, so that you can find detailed information for any feature you are interested in.

In this section

Standard computer information sent by Internet-enabled features

Types of features covered in this document

Types of features not covered in this document

Security basics that are beyond the scope of this document

Standard computer information sent by Internet-enabled features

When you use software with Internet-enabled features, information about your computer ("standard computer information") is sent to the Web sites you visit and online services you use. Microsoft® uses standard computer information to provide you with Internet-enabled services, to help improve our products and services, and for statistical analysis. Standard computer information typically includes information such as your IP address, operating system version, browser version, and regional and language settings. In some cases, standard computer information may also include hardware ID, which indicates the device manufacturer, device name, and version. The purpose of this document is not to describe standard computer information sent by Internet-enabled features in Windows Server 2008 R2 and Windows 7. Instead, this document describes the additional information that can be sent or received by these features and how to manage this information.

Types of features covered in this document

This document provides the following:

  • Information about features that in the normal course of operation send information to or receive information from Internet sites. An example of this type of feature is Windows Error Reporting. If you choose to use this feature, it sends information to a site on the Internet.

    For more information, see Windows Error Reporting and the Problem Reports and Solutions Feature in Windows 7 and Windows Server 2008 R2 later in this document.

  • Information about features that routinely display buttons or links that make it easy for you to initiate communication with Internet sites. An example of this type of feature is Event Viewer. If you open an event in Event Viewer and click a link, you are prompted with a message box that says, "Event Viewer will send the following information across the Internet. Is this OK?" If you click OK, information about the event is sent to a Web site, which replies with information that might be available about that event.

  • Brief descriptions of features like Internet Information Services (IIS), which is designed to communicate with the Internet. It is beyond the scope of this document to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This document does, however, provide basic information about how components such as Internet Information Services work. It provides sources of information about balancing your organization’s requirements for Internet communication with requirements for protecting networked assets.

Types of features not covered in this document

This document does not provide the following:

  • Information about managing or working with applications, scripts, utilities, Web interfaces, Microsoft ActiveX® controls, extensible user interfaces, Microsoft .NET Framework, and application programming interfaces (APIs). These are applications or layers that support applications, and they provide extensions that go beyond the operating system itself.

  • Information about Windows Installer—although Windows Installer includes some technology that you can choose to use for installing drivers or other software from the Internet. Windows Installer packages are not described here because they involve scripts or utilities that are created specifically for communicating across the Internet.

    Among the applications that are not covered in this document are Web-based and server-based applications such as databases, e-mail, or instant messaging. You must work with your software provider to learn how to mitigate risks that are part of using particular applications (including Web-based or server-based applications), scripts, utilities, and other software that runs on Windows Server 2008 R2 and Windows 7.

  • Information about features that store local logs that could potentially be made available to support personnel or others. You may want to treat this information like other sensitive information by providing guidelines for your support staff about handling logs and other information that you want to protect.

Security basics that are beyond the scope of this document

This document is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Server 2008 R2 and Windows 7 in a way that provides an appropriate level of security and privacy for your organization’s networked assets. This document does not describe security basics, that is, strategies and risk-management methods that provide a foundation for security across your organization. It is assumed that you are actively evaluating and studying these security basics as a standard part of network administration.

Some security basics that are a standard part of network administration include:

  • Monitoring. This includes using a variety of software tools, including tools to assess which ports are open on servers and clients.

  • Virus-protection software.

  • The principle of least privilege (for example, not logging on as an administrator if logging on as a user is just as effective).

  • The principle of running only the services and software that are necessary—that is, stopping unnecessary services and keeping computers (especially servers) free of unnecessary software.

  • Strong passwords—that is, requiring all users and administrators to choose passwords that are not easily broken.

  • Risk assessment as a basic element in creating and implementing security plans.

  • Software deployment and maintenance routines to help ensure that your organization’s software is running with the latest security updates and patches.

  • Defense-in-depth. In this context, defense-in-depth (also referred to as in-depth defense) means layering independent controls so that no single setting is the only thing standing between a networked asset and the Internet; if one layer is misconfigured, bypassed, or later changed, another layer still applies. An example is using firewall settings together with Group Policy to control a particular type of communication with the Internet: the Group Policy setting turns the feature off, and the firewall rule blocks the traffic even if the policy is later reverted.
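The following PowerShell script is an added example (it is not part of the original document or of any Microsoft tool) that shows what the Group Policy control described earlier and the defense-in-depth item above look like when they are audited together for one feature, Windows Error Reporting. It checks two independent layers: the registry value that the "Disable Windows Error Reporting" Group Policy setting writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting, Disabled = 1), and an outbound Windows Firewall rule that blocks the WER client process. The rule name "Block WER outbound" is an assumption made for this script; any rule name works as long as the variable matches it. The script is read-only unless you pass -Remediate, and it expects an elevated prompt on Windows 7 or Windows Server 2008 R2.

```powershell
# Added example: audit (and optionally create) two independent controls over
# Windows Error Reporting's Internet communication. Not from the original document.
param([switch]$Remediate)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
$ruleName  = 'Block WER outbound'                 # assumed rule name; adjust to your environment
$werBinary = "$env:SystemRoot\System32\wermgr.exe" # the WER client process on these operating systems

function Test-WerPolicyDisabled {
    # Layer 1: the Group Policy setting "Disable Windows Error Reporting" lands here as Disabled = 1.
    if (-not (Test-Path $policyKey)) { return $false }
    $value = (Get-ItemProperty -Path $policyKey -Name 'Disabled' -ErrorAction SilentlyContinue).Disabled
    return ($value -eq 1)
}

function Test-WerFirewallBlocked {
    # Layer 2: an enabled outbound block rule for the WER process.
    # netsh advfirewall prints text, so the check parses its (English-locale) output.
    $output = netsh advfirewall firewall show rule name="$ruleName" verbose 2>&1 | Out-String
    if ($output -match 'No rules match') { return $false }
    return (($output -match 'Direction:\s+Out') -and
            ($output -match 'Action:\s+Block') -and
            ($output -match 'Enabled:\s+Yes'))
}

function Add-WerFirewallBlock {
    # Creates layer 2. Scoped to the WER binary only, so nothing else on the host is affected.
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block program="$werBinary" enable=yes | Out-Null
}

$policyLayer   = Test-WerPolicyDisabled
$firewallLayer = Test-WerFirewallBlocked

"Group Policy layer (WER disabled by policy): $policyLayer"
"Firewall layer (outbound block rule):        $firewallLayer"

if (-not $firewallLayer -and $Remediate) {
    Write-Warning "Firewall layer missing; adding rule '$ruleName'."
    Add-WerFirewallBlock
    $firewallLayer = Test-WerFirewallBlocked
}

if ($policyLayer -and $firewallLayer) {
    "Both layers present: WER Internet communication is controlled by two independent mechanisms."
} elseif ($policyLayer -or $firewallLayer) {
    Write-Warning "Only one layer present: a single change to that setting re-enables Internet communication."
} else {
    Write-Warning "Neither layer present: WER can send reports to the Internet."
}
```

The point of checking both layers rather than either one is the defense-in-depth item itself: the Group Policy value can be overridden by a later policy change or by an administrator editing the registry, while the firewall rule can be deleted or disabled independently; only when both report true is one mistake insufficient to re-open the channel. The same two-layer pattern applies to other features in this document, with the policy key and the process name changed accordingly.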

The following books and Web sites are a few of the many sources of information about the security basics described previously:
