7. User Account Control Options
Experienced computer professionals know it is
bad juju to perform casual work on a system using a full-fledged
administrator account because it is far too easy to blow things up.
Instead, they create two different accounts for themselves: a
limited-access standard user account with enough power to get daily
tasks done but restricted enough to keep them out of serious trouble,
and a second, unrestricted administrator account for use only when they
need to perform serious tasks.
This best practice, however, didn’t reduce the
aggravation factor of the User Account Control (UAC) feature introduced
in Windows Vista. Designed as a safety mechanism, Vista prompted you for
permission to perform system changes, install software, and so on, to
help avoid accidents or prevent hackers from accessing your system.
Standard users were frequently prompted for permission; administrators
received fewer prompts but at a still-annoying rate. And you had two
basic choices: leave it on or throw caution to the wind by turning it
off.
In Windows 7, you have four sets of options,
which vary slightly depending on whether you’re logged on as a standard
user or administrator. The following are options for an administrator
account, unless noted otherwise:
Always notify me when programs try to install software or make changes to the computer, or when I make changes to Windows settings. (This is the same as Windows Vista UAC turned on, and is the default for a standard user account.)
Notify me only when programs try to install software or make changes to my computer, and don’t notify me when I make changes to Windows settings. (This is the default for an administrator account in Windows 7. This and the next option are new to Windows 7.)
Notify me only when programs try to make changes to my computer (do not dim my desktop), and don’t notify me when I make changes to Windows settings. (Dimming the desktop is a big visible red flag for most users, so going without it is risky.)
Never notify me of installations or changes. (This is just like disabling UAC in Windows Vista.)
You can also use the Local Security Policy console to control whether
prompts appear. When using a standard user account, for example, if a
task is attempted that requires administrator-level access, the user can
either be prompted to enter administrator account credentials or be
flat-out denied. The default approach in this case is to prompt the user
for credentials so that an over-the-shoulder parent or system
administrator can authorize privileged actions. If you would prefer that
such requests simply be denied, you can use the Local Security Policy
console (click Start, and then type secpol.msc in the Search box) to change the setting highlighted in Figure 6. See Local Policies, Security Options for this setting.
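To check which of the four levels and which standard-user behavior are actually in effect, the following added example (not from the original text) reads the registry values that back these settings and maps them to the options described above. The function names are hypothetical; the value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, ConsentPromptBehaviorUser) are the standard UAC policy values, and treating either EnableLUA=0 or ConsentPromptBehaviorAdmin=0 as "Never notify" is an assumption made so that both ways of silencing prompts are flagged.

```powershell
# Added example (not from the original text): report the effective UAC level
# from the policy values that back the Control Panel slider and secpol.msc.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param($EnableLUA, $AdminPrompt, $SecureDesktop)
    # Assumption: either value being 0 means administrators are never prompted.
    if ($EnableLUA -eq 0 -or $AdminPrompt -eq 0) { return 'Never notify' }
    if ($AdminPrompt -eq 2 -and $SecureDesktop -eq 1) { return 'Always notify' }
    if ($AdminPrompt -eq 5 -and $SecureDesktop -eq 1) { return 'Notify on program changes (administrator default)' }
    if ($AdminPrompt -eq 5 -and $SecureDesktop -eq 0) { return 'Notify on program changes, desktop not dimmed' }
    return "Custom policy (Admin=$AdminPrompt, SecureDesktop=$SecureDesktop)"
}

function Get-StandardUserBehavior {
    param($UserPrompt)
    if ($UserPrompt -eq 0) { return 'Automatically deny elevation requests' }
    if ($UserPrompt -eq 1) { return 'Prompt for credentials on the secure desktop' }
    if ($UserPrompt -eq 3) { return 'Prompt for credentials' }
    return "Unrecognized value ($UserPrompt)"
}

# Constructed sample values, one per slider position, to show the mapping.
$samples = @(
    @{ EnableLUA = 1; Admin = 2; Desktop = 1 },
    @{ EnableLUA = 1; Admin = 5; Desktop = 1 },
    @{ EnableLUA = 1; Admin = 5; Desktop = 0 },
    @{ EnableLUA = 0; Admin = 0; Desktop = 0 }
)
foreach ($s in $samples) {
    Get-UacLevel $s.EnableLUA $s.Admin $s.Desktop
}

# Live check on the local machine (reading these values does not require elevation).
$p = Get-ItemProperty -Path $key
New-Object PSObject -Property @{
    AdminLevel        = Get-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop
    StandardUser      = Get-StandardUserBehavior $p.ConsentPromptBehaviorUser
    WeakerThanDefault = ($p.EnableLUA -eq 0 -or $p.ConsentPromptBehaviorAdmin -eq 0 -or $p.PromptOnSecureDesktop -eq 0)
}
```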
8. Service Hardening
In addition to security improvements that can be
configured, several improvements in Windows 7 might go unnoticed by all
but software developers, including malware writers. Microsoft adheres
more closely to the well-known security Principle of Least Privilege,
which means that people or things should have access only to what they
need, and nothing more. It’s a sound idea that, had it been followed
more closely in earlier versions of Windows, would have prevented
numerous security exploits.
Core Windows programs, called services,
have in the past been favorite targets because many of them are always
running, often with a wide scope of access to the system. When a service
could be compromised, it provided many avenues for further exploration
and exploitation. This time around, Microsoft limits access for services
to only what the services need. For example, a service’s capability to
write to the disk or Registry is based strictly on the requirements of
the service. This is a real security improvement, which will continue to
pay unsung dividends as long as Windows 7 exists.
Note
Some features of Windows 7
are available only if you have a 64-bit processor and purchase the
64-bit version of Windows 7. The 64-bit version requires digitally
signed kernel-mode drivers, the core software that controls various
devices on a PC. Iffy drivers have long been a source of computer
crashes and instability. Malicious drivers can open a path for
kernel-mode rootkits, which are difficult to detect. The desire to
ensure that drivers come only from reputable sources is intended to
improve stability and security. It may also help prevent installation of
sneaky drivers that do things such as circumvent audio or video copy
protection.
9. Internet Explorer 8 Malware Protection
Internet Explorer 8 has several new features
specifically designed to increase security. First, tab isolation means
that if a website or add-on crashes in Internet Explorer, only the
current tab is affected: the browser remains stable and other tabs are
unaffected. Internet Explorer also includes crash recovery, which
automatically reloads all open tabs and restores connections to their
respective sites.
Internet Explorer 8 adds an InPrivate feature to
browsing, accessed by selecting Safety, InPrivate Browsing on the
command bar. This opens a browser session that records no information,
including searches or web page visits. Likewise, InPrivate Filtering
turns off any website’s capability to track and record your online
activities. Deletion of browsing history has been enhanced to preserve
or remove cookies and temporary Internet files as you see fit.
Internet Explorer 8 also adds improved
techniques to protect you online. The SmartScreen Filter checks a
database of dangerous or questionable websites and warns you if you
attempt to visit one. It will also warn you if you attempt to download
software that is potentially unsafe.
In addition, Internet Explorer 8 includes a
cross-site scripting (XSS) filter that can detect malicious code running
on compromised websites, to protect you from unwanted information
disclosure, cookie theft, account or identity theft, and so on. This new
filter stops most such attacks as soon as they begin. Internet Explorer
8 also turns DEP on by default.
Taking a minimalist approach to installing software on your computer goes a
long way toward avoiding malware. It also saves space, avoids bogging
down your PC, and can make the computer simpler and easier to use. That
doesn’t mean you must forgo all the software gadgetry that makes
computers useful and fun, but it does require a more judicious attitude
toward installing software. As with many areas in life, when it comes to
installing software from the Internet, installing a CD purchased at the
dollar store, or downloading content from a peer-to-peer program, less
is more.
Whenever seemingly innocuous software is
installed, be it a toolbar, cute purple gorilla, weather program, or
anything at all, you are potentially transferring full ownership of your
computer to somebody else. One would expect that before such a
transition of ownership, the previous owner would ceremoniously sign a
title or perform some similar ritual, but clicking OK is usually all it
takes.
The best way to prevent an unintentional
computer donation is to follow this rule: NEVER install software from a
source you don’t trust. Once installed, malware can and will take major
liberties with your computer. Malware writers go to amazingly creative
and destructive lengths to achieve their goals—whether to profit by
directing you to ads, theft of personal information, or worse. If your
computer gets infected with malware and runs slowly, it might be busy
doing lots of work in the background on someone else’s behalf. Computer
criminals have been known to control an army of thousands, or more than a
million, compromised computers and then extort money from online
businesses by threatening to use their army of “zombies” to barrage a
commercial website, shutting it down for hours or days. It’s a credible
threat.
You’ll find many long lists of things you can
do to avoid malware and keep your computer from becoming a zombie. Here
are three essential things to remember to protect your Windows 7
computer:
Install an antivirus program with real-time protection.
Keep all elements under the Security heading in Action Center set to On.
Only install software from sources you trust.