
Protecting Windows from Viruses and Spyware : Antimalware Strategy: Defense in Depth (part 4) - User Account Control Options

1/24/2013 6:32:13 PM

7. User Account Control Options

Experienced computer professionals know it is bad juju to perform casual work on a system using a full-fledged administrator account because it is far too easy to blow things up. Instead, they create two different accounts for themselves: a limited-access standard user account with enough power to get daily tasks done but restricted enough to keep them out of serious trouble, and a second, unrestricted administrator account for use only when they need to perform serious tasks.

This best practice, however, didn’t reduce the aggravation factor of the User Account Control (UAC) feature introduced in Windows Vista. Designed as a safety mechanism, UAC prompted you for permission to perform system changes, install software, and so on, to help avoid accidents or prevent hackers from accessing your system. Standard users were frequently prompted for permission; administrators received fewer prompts but at a still-annoying rate. And you had two basic choices: leave it on or throw caution to the wind by turning it off.

In Windows 7, you have four sets of options, which vary slightly depending on whether you’re logged on as a standard user or administrator. The following are options for an administrator account, unless noted otherwise:

  • Always notify me when programs try to install software or make changes to the computer, or when I make changes to Windows settings. (This is the same as Windows Vista UAC turned on, and is the default for a standard user account.)

  • Notify me only when programs try to install software or make changes to my computer, and don’t notify me when I make changes to Windows settings. (This is the default for an administrator account in Windows 7. This and the next option are new to Windows 7.)

  • Notify me only when programs try to make changes to my computer (do not dim my desktop), and don’t notify me when I make changes to Windows settings. (Dimming the desktop is a big visible red flag for most users, so going without it is risky.)

  • Never notify me of installations or changes. (This is just like disabling UAC in Windows Vista.)

You can also use the Local Security Policy console to control whether prompts appear. When using a standard user account, for example, if a task is attempted that requires administrator-level access, the user can either be prompted to enter administrator account credentials or be flat-out denied. The default approach in this case is to prompt the user for credentials so that an over-the-shoulder parent or system administrator can authorize privileged actions. If you would prefer that such requests simply be denied, you can use the Local Security Policy console (click Start, and then type secpol.msc in the Search box) to change the setting highlighted in Figure 6. See Local Policies, Security Options for this setting.

Figure 6. Use the Local Security Policy console to change UAC settings.
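
To check which of the four levels and which standard-user behavior a machine is actually using, the script below (an added example, not from the original text) reads the registry values behind these settings. The value names under `Policies\System` are Windows' own but are not given in the text, and the sample hashtable is constructed; the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: map the UAC policy registry values to the four Windows 7
# levels and to the standard-user elevation behavior set in secpol.msc.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorUser'

function Get-UacSummary {
    param([Parameter(Mandatory = $true)][hashtable]$Values)

    $admin  = $Values.ConsentPromptBehaviorAdmin
    $dimmed = $Values.PromptOnSecureDesktop -eq 1

    # Administrator level, named after the four options listed in the text.
    if ($Values.EnableLUA -eq 0 -or $admin -eq 0) {
        $level = 'Never notify'
    } elseif ($admin -eq 2 -and $dimmed) {
        $level = 'Always notify'
    } elseif ($admin -eq 5 -and $dimmed) {
        $level = 'Notify only when programs make changes (administrator default)'
    } elseif ($admin -eq 5) {
        $level = 'Notify only when programs make changes (desktop not dimmed)'
    } else {
        $level = 'Custom combination set through policy'
    }

    # Standard-user behavior: prompt for credentials or deny outright.
    $user = $Values.ConsentPromptBehaviorUser
    if ($user -eq 0) {
        $standard = 'Automatically deny elevation requests'
    } elseif ($user -eq 1 -or $user -eq 3) {
        $standard = 'Prompt for administrator credentials'
    } else {
        $standard = 'Not set or unrecognized value'
    }

    New-Object PSObject -Property @{ AdminLevel = $level; StandardUser = $standard }
}

# Constructed sample: dimming turned off, standard-user requests denied.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5
             PromptOnSecureDesktop = 0; ConsentPromptBehaviorUser = 0 }
Get-UacSummary -Values $sample

# Live machine: read the same four values from the registry.
$props = Get-ItemProperty -Path $PolicyKey
$live = @{}
foreach ($n in $Names) { $live[$n] = $props.$n }
Get-UacSummary -Values $live
```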

8. Service Hardening

In addition to security improvements that can be configured, several improvements in Windows 7 might go unnoticed by all but software developers, including malware writers. Microsoft adheres more closely to the well-known security Principle of Least Privilege, which means that people or things should have access only to what they need, and nothing more. It’s a sound idea that, had it been followed more closely in earlier versions of Windows, would have prevented numerous security exploits.

Core Windows programs, called services, have in the past been favorite targets because many of them are always running, often with a wide scope of access to the system. When a service could be compromised, it provided many avenues for further exploration and exploitation. This time around, Microsoft limits access for services to only what the services need. For example, a service’s capability to write to the disk or Registry is based strictly on the requirements of the service. This is a real security improvement, which will continue to pay unsung dividends as long as Windows 7 exists.
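
The per-service restrictions described above are recorded in each service's registry key, so they can be reviewed directly. The following script is an added example, not from the original text; the value names it reads (`ObjectName`, `ServiceSidType`, `RequiredPrivileges`, `Type`) are Windows' own but do not appear in the text, and the `Unrestricted` flag is a heuristic chosen for this example. A `Restricted` SID type is the setting that gives a service a write-restricted token.

```powershell
# Added example: list Win32 services with the account, service SID type and
# privilege list recorded for each, and flag the ones with no restriction.
function Get-ServiceHardening {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    $sidTypes = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 0x10 and 0x20 mark Win32 services; other values are drivers.
        if (-not $p -or ($p.Type -band 0x30) -eq 0) { return }

        # A missing ServiceSidType means the service has no per-service SID.
        $sid   = if ($null -ne $p.ServiceSidType) { [int]$p.ServiceSidType } else { 0 }
        # RequiredPrivileges is a multi-string list; absent means "keep all".
        $privs = @($p.RequiredPrivileges | Where-Object { $_ })

        New-Object PSObject -Property @{
            Service        = $_.PSChildName
            Account        = $p.ObjectName
            SidType        = $sidTypes[$sid]
            PrivilegeCount = $privs.Count
            # Heuristic: LocalSystem, no service SID, no privilege list.
            Unrestricted   = ($p.ObjectName -eq 'LocalSystem' -and
                              $sid -eq 0 -and $privs.Count -eq 0)
        }
    }
}

# Services that still run with the full LocalSystem token.
Get-ServiceHardening |
    Where-Object { $_.Unrestricted } |
    Sort-Object Service |
    Format-Table Service, Account, SidType, PrivilegeCount -AutoSize
```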

Note

Some features of Windows 7 are available only if you have a 64-bit processor and purchase the 64-bit version of Windows 7. The 64-bit version requires digitally signed kernel-mode drivers, the core software that controls various devices on a PC. Iffy drivers have long been a source of computer crashes and instability. Malicious drivers can open a path for kernel-mode rootkits, which are difficult to detect. The requirement that drivers come only from reputable sources is intended to improve stability and security. It may also help prevent installation of sneaky drivers that do things such as circumvent audio or video copy protection.


9. Internet Explorer 8 Malware Protection

Internet Explorer 8 has several new features specifically designed to increase security. First, tab isolation means that if a website or add-on crashes in Internet Explorer, only the current tab is affected: the browser remains stable and other tabs are unaffected. Internet Explorer also includes crash recovery, which automatically reloads all open tabs and restores connections to their respective sites.

Internet Explorer 8 adds an InPrivate feature to browsing, accessed by selecting Safety, InPrivate Browsing on the command bar. This opens a browser session that records no information, including searches or web page visits. Likewise, InPrivate Filtering turns off any website’s capability to track and record your online activities. Deletion of browsing history has been enhanced to preserve or remove cookies and temporary Internet files as you see fit.

Internet Explorer 8 also adds improved techniques to protect you online. The SmartScreen Filter checks a database of dangerous or questionable websites and warns you if you attempt to visit one. It will also warn you if you attempt to download software that is potentially unsafe.

In addition, Internet Explorer 8 includes a cross-site scripting (XSS) filter that can detect malicious code running on compromised websites, to protect you from unwanted information disclosure, cookie theft, account or identity theft, and so on. This new filter stops most such attacks as soon as they begin. Internet Explorer 8 also turns Data Execution Prevention (DEP) on by default.

Avoiding Malware

Taking a minimalist approach to installing software on your computer goes a long way toward avoiding malware. It also saves space, avoids bogging down your PC, and can make the computer simpler and easier to use. That doesn’t mean you must forgo all the software gadgetry that makes computers useful and fun, but it does require a more judicious attitude toward installing software. As with many areas in life, when it comes to installing software from the Internet, installing from a CD purchased at the dollar store, or downloading content from a peer-to-peer program, less is more.

Whenever seemingly innocuous software is installed, be it a toolbar, cute purple gorilla, weather program, or anything at all, you are potentially transferring full ownership of your computer to somebody else. One would expect that before such a transition of ownership, the previous owner would ceremoniously sign a title or perform some similar ritual, but clicking OK is usually all it takes.

The best way to prevent an unintentional computer donation is to follow this rule: NEVER install software from a source you don’t trust. Once installed, malware can and will take major liberties with your computer. Malware writers go to amazingly creative and destructive lengths to achieve their goals, whether that means profiting by directing you to ads, stealing personal information, or worse. If your computer gets infected with malware and runs slowly, it might be busy doing lots of work in the background on someone else’s behalf. Computer criminals have been known to control an army of thousands, or more than a million, compromised computers and then extort money from online businesses by threatening to use their army of “zombies” to barrage a commercial website, shutting it down for hours or days. It’s a credible threat.

You’ll find many long lists of things you can do to avoid malware and keep your computer from becoming a zombie. Here are three essential things to remember to protect your Windows 7 computer:

  • Install an antivirus program with real-time protection.

  • Keep all elements under the Security heading in Action Center set to On.

  • Only install software from sources you trust.
