
Small Business Security Guidance

Protecting Client Computers from Network Attacks
Updated: July 2006
For the latest information, please see
www.microsoft.com/technet/security/smallbusiness/default.mspx

© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial
License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to
Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.


Contents
Introduction
  Objective of this Document
Before You Begin
  Required Credentials
  Recommendations
  Defaults
Windows Live OneCare
  Virus Protection
  Firewall Monitoring
  Windows Defender
  Updates
  File Backup and Restore
Windows Defender
Windows Firewall
  General Settings
  Configuration Notifications
  Understand How Applications Use Ports
  Allowing Exceptions: the Risks
  Allowing Exceptions Despite the Risks
  As a Last Resort, Open a Port
  Advanced Options
Related Information


Introduction
Many organizations rely heavily on their network firewalls to protect their workstations
and servers from the threats of the Internet. This approach is often called "hard on the
outside, soft on the inside." Microsoft recommends the use of a network firewall and the
workstation security features outlined in the rest of this document. This approach delivers
more of a "hard on the inside and outside" approach to security. Network worms making
their way inside organizations' firewalls have shown that firewalls are not enough.
Attackers on the Internet create worms and viruses that can destroy or result in the loss
or theft of information stored on client computers. These attacks can result in the loss of
private information and company secrets, render computers unbootable, and can even be
used to launch attacks against other computers. These attacks represent a very real
threat to computers connected to the Internet.
Most methods of attack attempt to take advantage of known computer security issues.
Implementing the following features can provide significant protection for client computers
that run the Microsoft Windows XP operating system with Service Pack 2 (SP2):

• Personal firewall (Windows Firewall)
• Updating service packs and patches (Auto-Update)
• Antivirus software with up-to-date signatures (Windows Live OneCare)
• Antispyware software with up-to-date signatures (Windows Defender)

Objective of this Document


At the end of this document, the reader should be familiar with the tools and features
available from Microsoft to increase the security of Windows XP SP2 client computers
within a small to medium-sized business network.

Before You Begin


You should be aware of the following information before you apply any of the
recommendations in this document.

Required Credentials
Most of the tasks described within this document require an administrative account. A
regular user will not be able to perform these tasks.

Recommendations
Microsoft recommends upgrading all Windows workstations to Windows XP SP2. It
contains the most current security features, many of which are enabled by default.
Microsoft also recommends upgrading all versions of existing installations of Internet
Explorer to the most current version.

Defaults
The security setting defaults found within the tools discussed in this document are
Microsoft recommendations. These recommendations were made to balance the

functionality and security of Windows XP SP2. Many organizations have unique security
requirements; all of these security features are configurable or can be disabled.

Windows Live OneCare


Microsoft offers Windows Live OneCare, an automatically self-updating PC care service
that runs quietly in the background. It helps provide persistent protection against viruses,
hackers, and other threats, and helps keep your PC tuned up and your important
documents backed up. For more details, see Windows Live OneCare at
www.windowsonecare.com.
Windows Live OneCare provides a single console to check the status of several
security-related services on your Windows XP workstation. The single screen describes
the status of virus protection, patch levels, system health, and last data backup.

Virus Protection
Computer viruses are software programs deliberately designed to interfere with computer
operation. They can record, corrupt, or delete data, or spread themselves to other
computers and throughout the Internet, often slowing things down and causing other
problems in the process.
Just as human viruses range in severity from the 24-hour flu to the Ebola virus, computer
viruses range from the mildly annoying to the downright destructive. They also take on
new and different forms. The good news is that with an ounce of prevention and a little
knowledge, you are less likely to fall victim to viruses and you can diminish their impact.
With Windows Live OneCare, antivirus signatures and operating system security patches
are updated automatically, keeping your computer up-to-date without manual
intervention.
For a list of software vendors that also provide antivirus software compatible with
Windows XP, see http://support.microsoft.com/kb/49500.

Firewall Monitoring
Windows Firewall works on a single computer, and helps protect your computer from
hackers when you send or receive files. Windows Live OneCare continuously monitors
Windows Firewall.

Windows Defender
Windows Defender can be downloaded from Microsoft, and it helps protect privacy
information on computers from Internet attacks. Windows Live OneCare monitors the
status of Windows Defender.

Updates
Windows Live OneCare updates itself automatically to help ensure that your virus,
firewall, and spyware protection is always up-to-date and ready to help protect you from
the latest threats.


File Backup and Restore


With Windows Live OneCare you can make copies of important files and documents and
store them on a CD, DVD, or an external hard drive in case of an emergency. You can do
it manually or have Windows Live OneCare do it automatically so you don't have to
remember to back up your files and documents on a regular basis. Windows Live
OneCare will also help restore backed-up files to your computer if you've encountered
problems.

Windows Defender
Spyware is often associated with software that displays advertisements (called adware)
or software that tracks personal or sensitive information. That does not mean all software
that provides ads or tracks your online activities is bad. For example, you might sign up
for a free music service, but "pay" for the service by agreeing to receive targeted ads. If
you understand the terms and agree to them, you may have decided that it is a fair
tradeoff. You might also agree to let the company track your online activities to determine
which ads to show you.
Other kinds of unwanted software will make changes to your computer that can be
annoying and can cause your computer to slow down or crash. These programs have the
ability to change your Web browser's home page or search page, or add additional
components to your browser you do not need or want. These programs also make it very
difficult for you to change your settings back to the way you originally had them. These
types of unwanted programs are also often called spyware.
Windows Defender (Beta 2) is a security technology that helps protect Windows users
from spyware and other potentially unwanted software. Known spyware on your PC can
be detected and removed, which helps reduce negative effects caused by spyware,
including slow PC performance, annoying pop-up ads, unwanted changes to Internet
settings, and unauthorized use of your private information. Continuous protection
improves Internet browsing safety by guarding more than 50 ways spyware can enter
your PC. Participants in the worldwide SpyNet community play a key role in
determining which suspicious programs are classified as spyware. Microsoft researchers
quickly develop methods to counteract these threats, and updates are automatically
downloaded to your PC so you stay up-to-date.
You can download Windows Defender from
www.microsoft.com/athome/security/spyware/software/default.mspx. The current version
is a Beta 2 version. The file name is WindowsDefender.msi and is about 5.5MB in size.
(The file name and size may change after the full release.)


Complete the following steps to install Windows Defender (Beta 2) when you download it.
1. When you download Windows Defender (Beta 2), the following dialog box will
display. Click Run.

2. The following Welcome to the Installation Wizard for Windows Defender screen
will display. Click Next.


3. The Windows Defender License Agreement will display (shown in the following
screen shot). Review the terms of the agreement.
To continue installation, select I accept the terms in the license agreement and
then click Next.

4. On the Help protect Windows screen (shown in the following screen shot), select
Use recommended settings. Click the Privacy Statement button if you wish to read
it. Then click Next.


5. On the Setup Type screen (shown in the following screen shot), select Complete
and then click Next.

6. When the following Ready to Install Windows Defender screen displays, click the
Install button to begin the installation.


7. After the installation process is complete, the following Windows Defender
Installation Complete screen should display.
Ensure the Check for updated definitions and run a quick scan now option is
selected, and then click Finish.
Note An Internet connection is required for this step.

8. When the following screen displays, click the Check for Updates button to obtain
recent updates.

For more details and advanced features of Windows Defender (Beta 2), see the Windows
Defender (Beta 2) Web site at
www.microsoft.com/athome/security/spyware/software/default.mspx.


Windows Firewall
A firewall is a security system that acts as a protective boundary between a network and
the outside world. Windows XP SP2 includes Windows Firewall, software that functions in
much the same way for each individual client computer.
Windows Firewall comes installed on Windows XP Professional SP2 and is highly
configurable. It is enabled by default and helps protect against network attacks. Windows
Live OneCare also monitors Windows Firewall, and provides a single console to check
the overall security status of your PC. The rest of this document will show you how to
change Windows Firewall settings through the Windows Security Center, which is found
within the Control Panel.
Note Windows Firewall is not intended to replace the functionality of a network firewall.
Windows networking is enabled and allowed to pass Windows Firewall, which means that you can
still communicate with other network computers, print, and access network shares. A network
firewall is still recommended to protect the ports that are opened by these functions.

General Settings
Windows Firewall general settings allow you to configure these options:

• On (recommended).
• Off (not recommended). Turning off Windows Firewall will make your computer more
vulnerable to damage from viruses, worms, or intruders.

1. To open the Windows Security Center, click Start, then click Control Panel. The
following screen will display.


2. In the Pick a category section, click Security Center. The Windows Security
Center screen will display (shown in the following screen shot).

Configuration Notifications
By default, Windows Firewall displays a notification dialog box whenever it blocks a
program that attempts to communicate from your computer to another. The dialog box
looks similar to the one shown in the following screen shot:


The dialog box indicates which program has been blocked and allows you to choose
whether to allow this program. The available options are:

• Keep Blocking. Use this option so the program won't accept connections from the
Internet or network without your permission.
• Unblock. Use this option to place the program in the Windows Firewall exceptions
list.
• Ask me later. Use this option if you do not know whether to block or to unblock the
program. This option keeps the program blocked for greater security. This message
appears again the next time that this program is blocked.

Understand How Applications Use Ports


A port is a connection point that a program uses to communicate with other programs,
especially programs running on other computers. Each port is identified by the
combination of a transport and a port number. Specific ports are associated with each
type of application or service. For example, the standard port for a Web server is TCP
port 80, the standard port for a File Transfer Protocol (FTP) server is TCP port 21, and
the Windows Server service that provides file and print sharing receives messages at
four ports: UDP ports 137 and 138, and TCP ports 139 and 445.
Windows Firewall blocks all ports from receiving unsolicited inbound messages. This
functionality protects your computer because it blocks the messages that malicious code
typically uses to gain access to your computer. Windows Firewall does not interfere with
most legitimate business software because, as a general rule, that software does not
send unsolicited messages to client computers.
Because firewalls restrict communication between the Internet and your computer, you
might need to adjust settings for some other programs that prefer an open connection.
You can make exceptions for these programs so that they can communicate through
Windows Firewall.

Allowing Exceptions: the Risks


Each time you allow an exception for a program to communicate through Windows
Firewall, your computer is made more vulnerable. To allow an exception is like poking a
hole through the firewall. If there are too many holes, there's not much wall left in your
firewall. Hackers often use software that scans the Internet looking for computers with
unprotected connections. If you have lots of exceptions and open ports, your computer
can become more vulnerable.
To help decrease your security risk:

• Only allow an exception when you really need it.
• Never allow an exception for a program that you don't recognize.
• Remove an exception when you no longer need it.

Allowing Exceptions Despite the Risks


Sometimes you might want someone to be able to connect to your computer, despite the
risk, such as when you expect to receive a file sent through an instant messaging
program over the Internet.
If you're exchanging instant messages with someone who wants to send you a file (a
spreadsheet, for example), Windows Firewall will display a prompt that asks if you want
to unblock the connection and allow the file transfer. Alternatively, you can add the instant
messaging program as an exception so that Windows Firewall will allow the connection to
reach your computer.
To add a program to the exceptions list, complete the steps in the following procedure.
1. Click Start and then click Control Panel.
2. In Control Panel, click Security Center and then click Windows Firewall.
3. On the Exceptions tab, under Programs and Services (shown in the following
sample screen shot), select the check box for the program or service that you want to
allow. Then click OK.

If the program (or service) that you want to allow is not listed:
1. Click Add Program.
2. In the Add a Program dialog box, select the program that you want to add, and then
click OK.
3. Click OK.
Tip If the program (or service) that you want to allow is not listed in the Add a Program dialog
box, click Browse, locate the program that you want to add, and then double-click it. (Programs
are usually stored in the Program Files folder on your computer.) The program will appear under
Programs, in the Add a Program dialog box.


As a Last Resort, Open a Port


If you still do not find the program, you can open a port instead. A port is like a small door
in the firewall that allows communications to pass through. To specify which port to open,
on the Exceptions tab, click Add Port. (When you open a port, remember to close it
again when you are done using it.)
Adding an exception is preferable to opening a port for the following reasons:

• It is easier to do.
• You do not need to know which port number to use.
• Adding an exception is more secure than opening a port, because the firewall is only
open while the program is waiting to receive a connection.
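The following example is added to this guide and is not Microsoft code. It models the inbound decision described in "Understand How Applications Use Ports" and in the comparison above: unsolicited inbound traffic is blocked by default, replies to connections the computer started are allowed, a program exception opens a port only while the program is listening on it, and an opened port stays open whether or not anything listens. The program name "Contoso Messenger", its file-transfer port 6891, the line-of-business port 8080, the 192.168.1.0/24 local subnet, and all addresses are constructed for the demonstration. Scope restriction (the Advanced tab's scope setting) is modelled so that the file and print sharing ports the guide lists (UDP 137 and 138, TCP 139 and 445) are reachable only from the local subnet.

```python
# Added example (not from the Microsoft guide): a model of the inbound decision
# Windows Firewall makes, showing why a program exception exposes less than an
# opened port, and why scope matters for the file and print sharing ports.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple, Union

LOCAL_SUBNET = "192.168.1.0/24"   # constructed LAN range, stands in for "LocalSubnet"
ANY = "ALL"                        # scope that admits any source address


@dataclass(frozen=True)
class Packet:
    proto: str              # "TCP" or "UDP"
    src_ip: str
    dst_port: int
    solicited: bool = False  # True when this is a reply to a connection we opened


@dataclass
class ProgramException:
    """Exceptions tab -> Add Program: ports open only while the program has them bound."""
    name: str
    scope: str = ANY
    listening: Set[Tuple[str, int]] = field(default_factory=set)


@dataclass
class PortException:
    """Exceptions tab -> Add Port: the port is open whether or not anything listens."""
    name: str
    proto: str
    port: int
    scope: str = ANY


FirewallException = Union[ProgramException, PortException]


def in_scope(scope: str, src_ip: str) -> bool:
    """ALL admits every source; otherwise the source must lie inside the network."""
    return scope == ANY or ip_address(src_ip) in ip_network(scope)


class WindowsFirewallModel:
    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.exceptions: List[FirewallException] = []

    def add(self, exc: FirewallException) -> None:
        self.exceptions.append(exc)

    def remove(self, name: str) -> None:
        """Drop an exception once it is no longer needed."""
        self.exceptions = [e for e in self.exceptions if e.name != name]

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one inbound packet."""
        if not self.enabled:
            return "ALLOW", "firewall is off"
        if pkt.solicited:
            return "ALLOW", "reply to a connection this computer started"
        for exc in self.exceptions:
            if not in_scope(exc.scope, pkt.src_ip):
                continue
            if isinstance(exc, PortException):
                if exc.proto == pkt.proto and exc.port == pkt.dst_port:
                    return "ALLOW", f"port exception '{exc.name}'"
            elif (pkt.proto, pkt.dst_port) in exc.listening:
                return "ALLOW", f"program exception '{exc.name}'"
        return "BLOCK", "unsolicited inbound traffic with no matching exception"

    def internet_exposed_ports(self) -> Set[Tuple[str, int]]:
        """Ports reachable right now from any address: what an Internet scan would find."""
        exposed: Set[Tuple[str, int]] = set()
        for exc in self.exceptions:
            if exc.scope != ANY:
                continue
            if isinstance(exc, PortException):
                exposed.add((exc.proto, exc.port))
            else:
                exposed |= exc.listening
        return exposed


def file_and_print_sharing(scope: str = LOCAL_SUBNET) -> List[PortException]:
    """The four Server service ports named in the guide, limited to the local subnet."""
    return [PortException("File and Printer Sharing", proto, port, scope)
            for proto, port in (("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445))]


def demo() -> dict:
    """Run constructed inbound packets through the model and collect the verdicts."""
    fw = WindowsFirewallModel()
    for exc in file_and_print_sharing():
        fw.add(exc)
    im = ProgramException("Contoso Messenger", listening={("TCP", 6891)})  # constructed
    fw.add(im)
    fw.add(PortException("Line-of-business app", "TCP", 8080, scope=LOCAL_SUBNET))
    results = {
        "web_probe_from_internet": fw.decide(Packet("TCP", "203.0.113.5", 80)),
        "smb_from_internet": fw.decide(Packet("TCP", "203.0.113.5", 445)),
        "smb_from_lan": fw.decide(Packet("TCP", "192.168.1.20", 445)),
        "im_transfer_while_waiting": fw.decide(Packet("TCP", "203.0.113.5", 6891)),
        "lob_from_lan": fw.decide(Packet("TCP", "192.168.1.20", 8080)),
        "lob_from_internet": fw.decide(Packet("TCP", "203.0.113.5", 8080)),
        "reply_to_our_browser": fw.decide(Packet("TCP", "93.184.216.34", 51532, True)),
        "exposed_while_waiting": fw.internet_exposed_ports(),
    }
    im.listening.clear()  # transfer finished: the program closed its listening port
    results["im_transfer_after_close"] = fw.decide(Packet("TCP", "203.0.113.5", 6891))
    results["exposed_after_close"] = fw.internet_exposed_ports()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

Running the block shows the point of the comparison above: while the messaging program waits for the file, TCP 6891 is reachable from anywhere; once it stops listening the same packet is blocked and the exposed set is empty, whereas the opened port 8080 would stay open regardless. It also shows the reason behind the Note on Windows networking: with the file and print sharing ports scoped to the local subnet, a TCP 445 probe from the Internet is blocked while the same request from a LAN address is allowed.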

Advanced Options
Advanced users can open ports for, and configure the scope of, individual connections to
minimize opportunities for intruders to connect to a computer or network. To do so, open
Windows Firewall, click the Advanced tab, and use the settings under Network
Connection Settings.
To learn more about advanced features, see "Understanding Windows Firewall" at
www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx.

Related Information
For more information about opening ports, see the following:

• Network Ports Used by Key Microsoft Server Products on the Microsoft Small
Business Center Web site at
www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx.
• "Port Numbers," a document on the Internet Assigned Numbers Authority Web site at
www.iana.org/assignments/port-numbers.

For more general information about firewalls, see the following:

• "Changes to Functionality in Microsoft Windows XP Service Pack 2 - Part 2: Network
Protection Technologies" on the Microsoft TechNet Web site at
http://go.microsoft.com/fwlink/?linkid=35486.

For more information about Windows XP SP2 security, see the following:

• The Windows XP Security Guide on the Microsoft Download Center Web site at
http://go.microsoft.com/fwlink/?linkid=35309.

For definitions of security-related terms, see the following:

• The Microsoft Security Glossary on the Microsoft Web site at
http://go.microsoft.com/fwlink/?linkid=35468.
