

Security: Home vs. the Enterprise

Published: July 14, 2010

Author: Frank Simorjay, Senior Product Manager, Microsoft Trustworthy Computing

Version 8 of the Microsoft® Security Intelligence Report provides information for the latter half of 2009, from July to December. It includes many topics that are relevant to threats your organization faces on a daily basis. In this article we will take a quick look at the differences between threats for home (non-domain) users and those who use enterprise (domain-joined) computers.

You might wonder why non-domain users and those who use domain-joined computers face different threats. The reason is that their computer behavior patterns tend to be very different.

Enterprise users typically use computers to perform business functions and may have limitations placed on their Internet and email usage through technologies such as Group Policy, managed firewalls, and proxies. These users are also more likely to be collaborating with several members on a team, or working with customers and clients. They frequently share files using local or remote file shares, or removable solid state thumb drives. Among these users are "road warriors" who take enterprise laptops home or to other locations and unwittingly expose them to public and home networks that are not managed as carefully as networks in the workplace.

Home users are more likely to use their computers for entertainment purposes, such as playing games, watching videos, and communicating with friends. Home users have full control of their computers, and are typically more willing to install applications and browser extensions when they are prompted by websites to do so, especially when viewing videos that require the installation of video drivers. Unfortunately, criminals are also well aware that home users are more willing to install software. They frequently prey on this behavior by working to exploit users' willingness to trust Web content and convincing them to install or apply seemingly innocent software add-ons that in fact are Trojans.

The following figure shows the threat category breakdown for domain-joined versus non-domain computers in the second half of 2009:

[Figure: Threat category breakdown]

Comparing the threats encountered by domain-joined computers and non-domain computers can provide insights into the different ways attackers target enterprise and home users and which threats are more likely to succeed in each environment.

The figure below shows the relative prevalence of different categories of malware and unwanted software on infected domain-joined and non-domain computers, and is expressed as a percentage of the total number of computers of each type that were cleaned. Totals exceed 100 percent because some computers were cleaned of more than one category of malware.

[Figure: Malware types]

Worms accounted for two of the top three malware categories detected on domain-joined computers. The worm family Win32/Conficker, which employs several methods of propagation that work more effectively within typical enterprise network environments than they do over the public Internet, leads the list by a wide margin.

Other malware categories that are more common in domain environments include Win32/RealVNC, categorized as Miscellaneous Unwanted Software, and remote administration tools. RealVNC is a program that enables a computer to be controlled remotely, similar to Remote Desktop. It has a number of legitimate uses, but attackers also use it to gain control of users' computers for malicious purposes. Detections of RealVNC and other Virtual Network Computing (VNC) programs, which are often used for remote administration, are partially responsible for the relative prevalence of the Miscellaneous Unwanted Software category on domain-joined computers.

[Figure: Trojan types]

The Miscellaneous Trojan category includes the rogue or fake anti-malware security software-related families Win32/Renos and Win32/FakeXPA, which were more likely to be found on non-domain computers. Win32/Taterf is a worm that is designed to steal the passwords of users who play massively multiplayer online role-playing games (MMORPGs). Such games are not common in the workplace, yet both categories were detected with similar frequency on both domain-joined and non-domain computers. Frethog, a family of Trojans, and Taterf both rely heavily on removable drives to propagate, a technique that was probably developed to help spread them in Internet cafés and public gaming centers, but one that has had the (perhaps unexpected) effect of spreading them efficiently in enterprise environments as well.

Protecting your users requires diligence in both network environments and in users' homes. The following list includes best practices and solutions that need to be considered when protecting your users:

  • Create focused, scalable, and prescriptive guidance (for example, "How-Do-I" podcast modules).
  • Mandate security training for developers. Microsoft has used the Security Development Lifecycle (SDL) successfully to build products that are both productive and secure, and offers extensive guidance on SDL principles on the Security Development Lifecycle website.
  • Use tools and templates such as the Microsoft security awareness program tool kit and guide and Microsoft IT's Work Smart productivity guides to educate your people about secure practices.
  • Any user who thinks they may have been a victim of an attack, or who suspects something unusual on your network, should immediately contact the IT department for assistance.
  • A number of enterprise antivirus providers offer licensing arrangements that allow employers to distribute antivirus software to their employees for home use. Consider taking advantage of one of these arrangements. In addition, several security vendors offer basic real-time protection products at no charge to home computer users.
  • Educate users about the benefits of keeping their computers up to date with Windows Update and Microsoft Update, and the importance of running the monthly release of the Malicious Software Removal Tool (MSRT) to check their computers for specific, prevalent malware threats.
  • Users who think their computers are infected should run the Windows Live OneCare safety scanner or make a free call (in North America) to 1-866-PC-SAFETY.

If you found this information useful, you will likely find much other valuable information in the Security Intelligence Report, including information about protecting your networks, systems, and people.

Related Resources

Microsoft Security Intelligence Report
Download the latest version of this comprehensive and wide-ranging study of the evolving threat landscape, which addresses such topics as software vulnerability disclosures and exploits, malicious software (malware), and unwanted software.

Microsoft Security Newsletter

Sign up for a free monthly roundup of security news, bulletins, and guidance for IT pros and developers.