Introduction to Controlling Communication with the Internet for Windows Vista
The Windows Vista® operating system includes a variety of technologies that communicate with the Internet to provide increased ease-of-use and functionality. Browser and e-mail technologies are obvious examples, but there are also technologies such as automatic updating that help users obtain the latest software and product information, including bug fixes and software updates. These technologies provide many benefits, but they also involve communication with Internet sites, which administrators might want to control.
Control of this communication can be achieved through a variety of options built into individual features, into the operating system as a whole, and into server features designed for managing configurations across your organization. For example, as an administrator, you can use Group Policy to control the way some features communicate. For some features, you can create an environment in which all communication is directed to the organization’s own internal Web site instead of to an external site on the Internet.
This white paper provides information about the communication that flows between features in Windows Vista and sites on the Internet, and describes steps to take to limit, control, or prevent that communication in an organization with many users. The white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Vista in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets.
This white paper provides guidelines for controlling features in the following set of operating systems:
- Microsoft Windows Vista® Business or Windows Vista® Enterprise on users' computers. The focus is on the installation or configuration steps needed for these computers.
This white paper does not cover desktop products other than Windows Vista Business and Windows Vista Enterprise. For example, it does not cover Windows Vista® Starter or Windows Vista® Home Premium.
- Windows Server® 2003 on servers. The white paper does not focus on these servers, but it provides information for using them as part of your deployment or maintenance strategies. For instance, it describes ways of using Group Policy in a domain, which requires domain controllers that will most likely be running Windows Server 2003.
The white paper is organized around individual features found in Windows Vista, so that you can easily find detailed infor mation for any feature you are interested in.
This white paper provides links to privacy statements for a number of individual features in Windows Vista. You can read the overall privacy statement for Windows Vista on the Microsoft Web site at:
What This White Paper Covers and What It Does Not Cover
This section describes the:
Types of features covered in this white paper
Types of features not covered in this white paper
Security basics that are beyond the scope of this white paper, with listings of some other sources of information about these security basics
Types of Features Covered in This White Paper
This white paper provides:
Information about features that in the normal course of operation send information to or receive information from one or more sites on the Internet. An example of this type of feature is Windows Error Reporting. If a user chooses to use this feature, it sends information to a site on the Internet.
Information about features that routinely display buttons or links that make it easy for a user to initiate communication with one or more sites on the Internet. An example of this type of feature is Event Viewer. If a user opens an event in Event Viewer and clicks a link, the user is prompted with a message box that says, "Event Viewer will send the following information across the Internet. Is this OK?" If the user clicks OK, information about the event is sent to a Web site, which replies with any additional information that might be available about that event.
Brief descriptions of features like Microsoft Internet Explorer® and Windows Mail that are designed to communicate with the Internet. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users connect to sites on the Internet, download items from the Internet, send and receive e-mail, and perform similar actions. This white paper does, however, provide basic information about how features such as Internet Explorer and Windows Mail work, and it provides suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.
Types of Features Not Covered in This White Paper
This white paper does not provide:
Information about managing or working with applications, scripts, utilities, Web interfaces, Microsoft ActiveX® controls, extensible user interfaces, Microsoft .NET Framework, and application programming interfaces (APIs). These are either applications or layers that support applications, and as such, they provide extensions that go beyond the operating system itself.
Windows Installer is not covered in this white paper, although Windows Installer includes some technology that you can choose to use for installing drivers or other software from the Internet. Such Windows Installer packages are not described here because they are like a script or utility that is created specifically for communication across the Internet.
You must work with your software provider to learn what you can do to mitigate any risks that are part of using particular applications (including Web-based applications), scripts, utilities, and other software that runs on Windows Vista.
Information about features that store local logs that could potentially be sent to someone or could potentially be made available to support personnel. This information is similar to any other type of information that can be sent through e-mail or across the Internet in other ways. You must work with your support staff to provide guidelines for handling logs and any other similar information you might want to protect.
Security Basics that are Beyond the Scope of This White Paper
This white paper is designed to assist you, the administrator, in planning strategies for deploying and maintaining Windows Vista in a way that helps provide an appropriate level of security and privacy for your organization’s networked assets. The white paper does not describe security basics, that is, strategies and risk-management methods that provide a foundation for security across your organization. It is assumed you are actively evaluating and studying these security basics as a standard part of network administration.
Some security basics that are a standard part of network administration include:
Monitoring. This includes using a variety of software tools, including tools to assess which ports are open on servers and clients.
The principle of least privilege (for example, not logging on as an administrator if logging on as a user is just as effective).
The principle of running only the services and software that are necessary—that is, stopping unnecessary services and keeping computers (especially servers) free of unnecessary software.
Strong passwords—that is, requiring all users and administrators to choose passwords that are not easily cracked.
Risk assessment as a basic element in creating and implementing security plans.
Software deployment and maintenance routines to help ensure that your organization’s software is running with the latest security updates and patches.
Defense-in-depth. In this context, defense-in-depth (also referred to as in-depth defense) means redundancy in security systems. An example is using firewall settings together with Group Policy to control a particular type of communication with the Internet.
Other Sources of Information About Security Basics
The following books and Web sites are a few of the many sources of information about the security basics described previously:
Howard, Michael, et al. "Designing Secure Web-Based Applications for Microsoft Windows 2000." Redmond, WA: Microsoft Press, 2000.
Howard, Michael, and David LeBlanc. "Writing Secure Code, Second Edition." Redmond, WA: Microsoft Press, 2003.
Kaufman, C., R. Perlman, and M. Speciner. "Network Security: Private Communication in a Public World." Upper Saddle River, New Jersey: Prentice-Hall Inc., 2002.
Smith, B., B. Komar, and the Microsoft Security Team. "Microsoft® Windows® Security Resource Kit, Second Edition." Redmond, WA: Microsoft Press, 2005.
For more information, see the Microsoft Press Web site at:
The Security Guidance Center on the Microsoft Web site at:
The Prescriptive Architecture Guides on the Microsoft Web site at:
Web pages focused on security for Windows Vista on the Microsoft Windows Web site at:
The Web page focused on security on the Microsoft Developer Network (MSDN®) Web site at:
Web pages focused on security on the Microsoft TechNet Web site at:
Resources for IT professionals using Windows Vista, available on the Microsoft Web site at: