Chapter 12. Security Troubles

What You’ll Learn

In this chapter, I’ll show you:

• How to tweak UAC so it’s not so annoying

• How to remove a virus and spyware manually

• How to scan for rootkits

• How to tweak the Windows Firewall

• How to spyware-proof Vista

• How to make browsing the Internet more secure

• How to master little-known Vista security tips

Introduction to Vista Security

Ask any Microsoft employee what Vista is all about, and the first thing out of his mouth will be “security.” Sure, he’ll go on to mention ease of use and the new look and feel, but security is the big fix that Microsoft wanted to implement with Vista.

That’s because from a security perspective, Windows XP, which came before Vista, was a big fat disaster. XP was the most infected and attacked operating system in the history of personal computers. Ironically, Microsoft initially called it the most secure. But the company got broadsided with the maturation of mass-market, always-on broadband Internet for PCs. Everyone got fast Internet connections on their XP computers, and the OS was not designed to be secure in that environment.

As a result, XP was vulnerable to hundreds of thousands of viruses and millions of spyware infections. XP was engineered to be easy to use, so locked-down security was not in the blueprints. When the onslaught of malware came, Microsoft got bitten viciously by critics and customers. And the personal computer security business became a multibillion dollar business.

So, Bill and the geeks in Redmond had to respond with a more secure operating system the next time around. The result is Windows Vista. Is it more secure? Yes. Absolutely. Is it impenetrable? No. Vista still has some fairly significant vulnerabilities.

New Security Tools in Vista

Let’s review the new security features in Vista and their pros and cons.

User Account Control (UAC)

Microsoft’s not-so-secret weapon in its Vista security strategy is a new feature called User Account Control or UAC. It’s a permission-based mechanism that pops up an alert when a change is initiated to the system.

When it’s triggered, the screen dims and you see a challenge to Continue or Cancel (see Figure 12.1).

Figure 12.1. Get used to these. User Access Control alerts pop onto a dimmed secure desktop whenever a system setting change is initiated.


If you initiated the system change, you would, of course, click Continue. If you didn’t, another process is at work, likely malware, which is trying to make an unauthorized change.

If a UAC alert occurs and you didn’t initiate a change, you’d want to click Cancel and scan your system with an antivirus or antispyware application.


Tip

Learn more about UAC and its implementation at http://tinyurl.com/33glen.


You can tell what buttons and controls in Vista will trigger UAC by looking for a shield icon (see Figure 12.2).

Figure 12.2. When a shield icon appears on a Vista button, it indicates UAC will be initiated when it is clicked.



Note

See the section “Run Vista with UAC Disabled” later in this chapter on how to tweak UAC so it’s less annoying. Plus, learn what you need to do if you decide to turn off UAC.


Pros: This stops unauthorized malware from installing itself or making changes to the system.

Cons: You’ll suffer dialog fatigue after a while and may be tempted to turn it off.

Data Execution Prevention

One of the tricks programs use to take control of your computer is to use protected memory illicitly to execute malicious code. Vista includes a feature called Data Execution Prevention (DEP) that can prevent this (see Figure 12.3).

Figure 12.3. Vista’s Data Execution Prevention guards against buffer overruns.



Note

Dep is also a nice firm hair gel. Don’t get the two confused.


Pros: DEP disables one of the most common tricks malware uses to do bad things to your computer.

Cons: It trips up some older software and throws false positives.


Note

See the section “Tweaking Data Execution Prevention (DEP)” later in this chapter on how to customize DEP.


Windows Defender

Windows Defender is a built-in antispyware application that offers some antispyware protection (see Figure 12.4).

Figure 12.4. Windows Defender won’t stop all spyware by itself.


Pros: This is better than no protection at all. Kudos to Microsoft for including it.

Cons: It doesn’t catch all spyware.


Note

See the section “Preventing Spyware on Vista” to learn how to improve your spyware protection on Vista.


Internet Protected Mode

The new Internet Explorer 7 includes a new feature called Internet Protected mode, which prevents malware from self-installing from the Internet.

Pros: This significantly improves protection from drive-by downloads.

Cons: It makes it harder to install legitimate add-ons and ActiveX controls from the Internet.


Note

See the section “Troubleshooting Internet Protected Mode” later in this chapter to learn how to switch Internet Protected mode on and off as needed when it gets in the way.


Improved Standard User Mode

You can set up two types of users in Vista: administrator and standard user. The standard user has been enhanced, so it’s easier to use that mode for everyday computing.

Pros: You can now do everyday computing in standard user and not go crazy.

Cons: Making system-critical changes requires that you log out and log back in as an administrator.


Note

See the section “Standard User Versus Administrator” later in this chapter to learn why doing your daily work in standard user mode is more secure.


New Anti-Phishing Protection

Anti-phishing mechanisms in Windows Mail and Internet Explorer prevent fraudsters from tricking you into handing over your personal finance or banking info so they can steal your money.

Pros: This is an alert system that notifies you of phishing activity to augment your common sense or stop more naïve users from being duped.

Cons: There’s not much that’s bad with this feature. It’s actually highly rated.


Note

You can edit anti-phishing settings in IE7 by selecting Tools, Phishing Filter, Phishing Filter Settings, and then scrolling down to Security and looking for Phishing Filter.


Vista Security Snapshot

Have a quick look at the state of the security on your system by opening Vista Security Center. Click the Windows button and type security center; then click Security Center when it appears in the Start menu.

If your system is set up as it should be, all four areas—Firewall, Automatic Updating, Malware Protection, and Other Security Settings—should be green and set to On. If not, the heading will be in red and show Off (see Figure 12.5).

Figure 12.5. Uh oh, the Vista Security Center says the Windows Firewall is turned off.


Address anything in red as a first step in improving security on your Vista machine.

The only area I don’t trust in the Security Center is the item called Internet Security Settings (to get to it, click Other Security Settings in the Security Center). This relates to the state that Internet Explorer is in and the security level it is set to. I turned off Internet Protected mode and messed with the custom Internet Security Settings, and this item still showed “OK.”


Tip

Learn more about how to protect your Vista or XP computer from Internet nasties with my new security book Make Windows More Secure: Buy a Mac! OK, maybe it’s not called that, but if you look on your favorite online bookstore’s website, you’ll find its new title under my name. It’ll be available in early 2008.


How Vista Measures Up to Threats

Let me first run through some of the most common security hazards. Table 12.1 lists common malware categories, as well as some quickie tips on action you can take to tighten up security on Vista. I’ll go into more detail on action you can take later in this chapter for each threat.

Table 12.1. Vista Defenses and Vulnerabilities


Preventing Viruses on Vista

Vista can offer a false sense of security. It is more secure, and because security is more visible, it could lull naïve users into thinking they don’t need to take any action to make it secure. The reality is Vista needs some substantial tweaks to make it as secure as it should be.

Your first job is to install a Vista-compatible antivirus (AV) program on the system. Simply installing the AV application you used on your XP machine is not recommended, unless you can get a free upgrade from the program maker that will make it Vista compatible.

Vista’s new plumbing means that older AV products won’t install or work properly on Vista. So, be sure to obtain an application that is Vista-compliant or has a Vista patch issued by its publisher.

Antivirus for Vista

Table 12.2 offers a quick overview of the AV products for Vista that you might encounter, including two freebies.

Table 12.2. Vista Antivirus Programs


Figure 12.6. F-Secure is one of the better security suites and features multiple signature files.


Preventing Spyware on Vista

Vista is the first edition of Windows to include a built-in spyware detection and removal utility.


Tip

Start Windows Defender by typing Defender in the Search bar on the Start menu.


Spyware, of course, is malware that sneaks onto your system and watches what you do, stealing your data and shipping it back to bad guys on the Internet.

The primary mission for spyware is to steal bank account info, collect personal info to be used in identity theft, or to show you pop-up ads on your computer (called adware).

Microsoft Defender will not catch or remove all spyware variants. There are millions, and no one utility will detect and remove them all.

If you want to be certain that you have no spyware infections, scan your system with at least two other antispyware applications from Table 12.3.

Table 12.3. Recommended Antispyware Applications


Figure 12.7. Webroot’s Spy Sweeper is a decent addition to Vista spyware defenses.


The freeware products are good, but my research shows that scanning your system with a well-known commercial antispyware product is a good idea. Detection rates are much higher.

Virus and Spyware Removal on Vista

Viruses and spyware can be tricky little beasts. Sometimes your antivirus or antispyware applications can detect them but not remove them, partly because the malware has its own evasion technologies and sometimes because security software just misses the mark. What follows is how to manually remove an infection.

Removal routines can be lengthy and complex, so I recommend you check out Chapter 9, “Software Troubles.” In it, I show you how to manually remove software. You can also use it to remove a virus or a spyware infection; however, let me give you a few extra tips in dealing with manual malware removal.

Do Your Research

If you know the name of the infection (provided by the antivirus or antispyware scanner that fails to remove it), do your research on the Internet and find out as much as you can about the malware that is infecting your system. Type the name of the infection into Google or another search engine and see what you can find out about it.

Companies such as Symantec and McAfee provide in-depth analysis of infections, naming the files and folders that are infected or that are part of the malware architecture. They also list Registry keys the malware might have installed or modified.


Tip

Check out removal instructions for specific threats from Symantec at www.symantec.com/enterprise/security_response/ or McAfee at www.mcafee.com/us/threat_center/.


Disconnect

Start by physically disconnecting your system from the Internet and your network (if applicable) so that any active virus or spyware can’t communicate back to the Internet or infect other computers nearby.

Back Up Data

Back up any data you are concerned about losing onto an external media source. Note that if any of your data is infected, this backup will preserve the malware, so be cautious about this and see the instruction on restoring it at the end.


Caution

Note that Complete PC Backup built into Windows Business and Ultimate takes full snapshots of your system, complete with malware infections, so this is not an ideal method of backing up a system that is infected.


Disable System Restore

Before you do any manual malware removal work, disable the System Restore feature on Vista. Here’s how:

1. Type System into the Search bar on the Start menu and click System when it appears.

2. Click System Protection on the left.

3. Click Continue on the UAC warning.

4. Clear the check box next to your hard disk.

5. Click Turn System Restore Off on the dialog box that pops up (see Figure 12.8) and click OK.

Figure 12.8. Disable System Restore before manually removing any malware.


6. Don’t forget to come back and check the box again to turn System Restore back on after you are done.

Work in Safe Mode

Restart your computer and continuously tap F8 until you get a menu that lets you select Safe mode. Enter Safe mode, a bare-bones version of Windows that doesn’t load anything but necessary Windows components. It’s a good place to do malware diagnosis, scanning, and removal.


Caution

Note that a few motherboards from Asus will launch a boot device menu if F8 is pressed immediately after the system starts its boot routine. If this is the case on your system, press F8 after this selection disappears and just before the Windows logo appears. Alternatively, press F6 first and then press F8.


Scan with Security Products

In Safe mode, be sure to use the antivirus and antispyware scanners installed on your system. In this diagnostic mode, it’s easier for the scanners to remove malware.

Clean Out Windows Startup

If you decide to do a manual removal, start working with the Windows System Configuration tool. In the Search bar of the Start menu, type msconfig and press Enter to start the application.

Then go into the Startup tab and uncheck any application that looks suspicious. Make a note of the information in the Command column and the Location column.

The Command column provides the path to the file used to execute the application. You want to track it down and remove it later.

The Location column provides the location of the Registry key that starts the application.

If the information in the Command or Location columns is obscured, put your mouse on the separator until you get a cursor that looks like a plus sign with two arrows on either side. Click and drag the separator bar to expand the column so you see its contents better.

Also inspect the Services tab for rogue entries and turn those off. Be sure to click Hide All Microsoft Services to suppress system services.

Clean Out the Registry

Open the Registry Editor by typing regedit and pressing Enter in the Search box on the Start menu.

Use the data you gathered to find the rogue Registry entries and delete them.

Here’s a sample Registry entry you might find in the Location column in the Startup tab of System Configuration:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

To find it, you’d start the Registry Editor and click the arrow next to HKEY_LOCAL_MACHINE (HKLM), then click Software, Microsoft, and so on down to the Registry key in question.

To delete the key, you’d right-click and choose Delete.

Here’s a legend to the short forms of the Registry hives:

HKLM - HKEY_LOCAL_MACHINE
HKCR - HKEY_CLASSES_ROOT
HKCU - HKEY_CURRENT_USER
HKU - HKEY_USERS
HKCC - HKEY_CURRENT_CONFIG

Disable Malware That Runs as a Windows Service

If you discover through your research that the malware runs components as a Windows service, disable the service and (in the next step) delete the source file of the service if applicable. You can locate the file that starts the service in the Properties tab under Path to Executable:

1. Go to Control Panel and double-click Administrative Tools.

2. Click Continue at the UAC warning.

3. Choose Services.

4. Locate the service and right-click it. Choose Properties and then click Stop. From the Startup pull-down menu, choose Disabled.

5. Vista processes the request and you can then click OK.
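The startup, Registry, and service checks above are all about answering one question before you delete anything: what does this entry actually run, and should it be there? As an added example (not from the book), this PowerShell script inventories the same Run keys and service “Path to Executable” values, resolves each command to its file, and reports whether the file exists and who signed it. Run it from an elevated prompt; the Microsoft-signed filter is a triage heuristic like msconfig’s Hide All Microsoft Services, not proof of safety.

```powershell
# Added example, not from the book. Inventories autostart entries so each one can be
# researched before it is removed. Assumes an elevated PowerShell prompt on Vista or later.

# The hive-qualified Run keys shown in msconfig's Location column (HKLM = machine-wide,
# HKCU = the current user only).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these metadata properties; they are not Registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\system32\svchost.exe -k netsvcs
function Get-ExecutablePath([string]$CommandLine) {
    if ([string]::IsNullOrEmpty($CommandLine)) { return '' }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return [Environment]::ExpandEnvironmentVariables($cmd.Substring(1, $end - 1)) }
    }
    # Unquoted: the first whitespace-delimited token is the program
    $first = ($cmd -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

# Describe one entry: where it lives, what it runs, whether the file is present and
# whether it carries a valid Authenticode signature.
# Caveat: many Windows system files are catalog-signed, and older PowerShell versions
# report those as NotSigned, so treat "unsigned" as a prompt to research, not as proof of malware.
function Get-AutostartInfo([string]$Location, [string]$Name, [string]$CommandLine) {
    $path   = Get-ExecutablePath $CommandLine
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)
    $signer = 'n/a'
    if ($exists) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        else { $signer = "UNSIGNED/INVALID ($($sig.Status))" }
    }
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Command = $CommandLine
        Path = $path; Exists = $exists; Signer = $signer
    }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $entries += Get-AutostartInfo $key $p.Name ([string]$p.Value)
    }
}

# Services: the same "Path to Executable" you would read in the service's Properties dialog.
# Get-WmiObject is used because it exists on Vista-era PowerShell.
foreach ($svc in Get-WmiObject Win32_Service) {
    $entries += Get-AutostartInfo "Service ($($svc.StartMode))" $svc.Name $svc.PathName
}

# Show what deserves a closer look: missing files, unsigned files, and anything not signed
# by Microsoft. Research each remaining name before deleting anything.
$entries |
    Where-Object { -not $_.Exists -or $_.Signer -notlike 'CN=Microsoft*' } |
    Sort-Object Location, Name |
    Format-Table Location, Name, Path, Exists, Signer -AutoSize -Wrap
```

Keep the Command and Location values the script prints; they are the same data msconfig asks you to note down, and you will need them to find the Registry entry and file later.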

Delete Files and Folders Related to the Malware

Finally, go on a search-and-destroy mission: delete any files or folders created or used by the malware that you have discovered through your research or by working through the preceding steps.


Tip

If you have a hard time deleting a stubborn file, use the MoveOnBoot utility to mark a file and have it deleted on reboot. Get it from www.snapfiles.com/get/moveonboot.html.


Restart and Check

When you are done, restart your system and boot into Windows normally.

Check that the system runs as expected. Turn System Restore back on and carry out any other tasks needed to restore the system to normal.

If your antivirus or antispyware failed you (resulting in the infection you just removed), now is a good time to go shopping for a replacement. Don’t forget to look at the recommended products in Tables 12.2 and 12.3 earlier in this chapter.

Scan and Restore Your Data

Scan the external storage you used to back up your data to with your antivirus and antispyware programs before you return the data to your system’s hard drive.

Rootkit Removal on Vista

A rootkit is a malware application that helps conceal other malware—such as viruses, spyware, and Trojans—from detection by security software and the operating system itself. If an infection on your system is using a rootkit for malware concealment, it will be very hard to detect.

Although rootkits are a big issue for XP users, Vista users need not be as concerned. The irony is that just as the security application makers have had a hard time adapting their products to work in Vista, so have the malware makers.

So although rootkits are a threat to Vista, the likelihood relative to XP of getting a rootkit on your Vista machine is diminished.

That said, your best defense against rootkits on Vista is to scan with antivirus programs such as Grisoft’s AVG, F-Secure’s Internet Security Suite, or one of the big brand incumbents such as McAfee VirusScan or Norton AntiVirus. They all have rootkit sniffing and removal technologies built in.

What About Free Anti-Rootkit Scanners?

Several free anti-rootkit scanners are available on the Internet that you might be tempted to use; however, most of them have compatibility issues with Windows Vista at the time of writing, so I don’t recommend that you use them.

If you do try them anyway, make sure you use the Run as Administrator command. To do this, right-click on the file’s executable or shortcut and choose Run as Administrator (see Figure 12.9).

Figure 12.9. AVG Anti-Rootkit will run on Vista if you use the Run as Administrator command.


I offer all of the well-known anti-rootkit scanners in Table 12.4 because their authors might decide to release Vista versions in the coming years. So visit their websites occasionally to see whether there are Vista updates.

Table 12.4. Free Anti-Rootkit Scanners


Troubleshooting the Windows Firewall

Vista comes with a newly designed software firewall that scans traffic inbound from the Internet and outbound from your machine.

This updates the one-way firewall that came in Windows XP.


Note

The Windows Firewall was turned on by default in Windows XP Service Pack 2 (SP2).


The firewall can be turned on and off in the Vista Security Center. Access it by typing security center into the Search bar on the Start menu.

Click Windows Firewall in the left-hand sidebar and then Change Settings to turn it on or off.

Block/Unblock Applications

The most likely issue you’ll have to worry about when it comes to the Windows Firewall is unblocking an application that has been blocked from accessing the Internet. (Maybe you blocked it by mistake when the firewall first detected it.)

To block or unblock an application:

1. Type security center in the Search box on the Start menu and click Security Center when it appears.

2. Click Windows Firewall on the left column of the Security Center to launch the firewall controls.

3. Click the Change Settings link.

4. Click Continue on the UAC dialog.

5. Click the Exceptions tab (see Figure 12.10) and look for the application you want to change in the list. Check the items you want to allow through the firewall. Uncheck boxes for applications you want to block from communicating to the Internet.

Figure 12.10. Check the Exceptions tab if a program is blocked by the Windows Firewall.


6. If your application is not listed, click the Add Program button to find the application you want to add to the Firewall Exceptions.


Tip

Notice the box at the bottom of the Exceptions tab (see Figure 12.10) that says Notify Me When the Windows Firewall Blocks a New Program. Check the box to ensure that you are alerted to new programs that are blocked.


Advanced Windows Firewall

If you type firewall into the Start menu Search bar, you’ll see two listings. One shows Windows Firewall, which, when clicked, starts the basic firewall controls. The second is Windows Firewall with Advanced Security. This launches the Microsoft Management Console with the Windows Firewall snap-in activated, which gives you more advanced (and geekier) firewall controls. It’s designed for system administrators to customize the firewall to their liking.

If you’re keen to learn how to use these, check out this great tutorial at http://articles.techrepublic.com.com/5100-10877-6098592.html.
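The same advanced firewall can be audited from the command line with netsh advfirewall, which ships with Vista. As an added example (not from the book or from Microsoft’s documentation), this PowerShell script reports each profile’s firewall state and its “notify me when a program is blocked” setting, then lists the enabled inbound exceptions that are tied to a specific program, which is the list the Exceptions tab shows. It assumes an elevated prompt and English netsh output.

```powershell
# Added example, not from the book. Audits the Vista firewall via netsh advfirewall.
# Assumes an elevated PowerShell prompt and English-language netsh output.

# Parse "netsh advfirewall show allprofiles": one block per profile (Domain, Private, Public)
# with labelled lines such as "State  ON" and "InboundUserNotification  Enable".
function Get-FirewallProfiles {
    $profiles = @{}
    $name = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $name = $Matches[1]
            $profiles[$name] = @{}
        } elseif ($name -and $line -match '^(State|InboundUserNotification)\s+(\S+)') {
            $profiles[$name][$Matches[1]] = $Matches[2]
        }
    }
    return $profiles
}

# Parse "netsh advfirewall firewall show rule name=all dir=in verbose". Each rule starts
# with a "Rule Name:" line followed by "Label:  value" lines; verbose adds "Program:".
function Get-FirewallProgramExceptions {
    $rules = @()
    $cur = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in verbose)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($cur) { $rules += $cur }
            $cur = @{ Name = $Matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z][A-Za-z ]*):\s+(.*)$') {
            $cur[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    # Keep only enabled allow rules that name a program (not "Any"); those are the
    # per-application exceptions equivalent to checked boxes on the Exceptions tab.
    foreach ($r in $rules) {
        if ($r.Enabled -eq 'Yes' -and $r.Action -eq 'Allow' -and $r.Program -and $r.Program -ne 'Any') {
            New-Object PSObject -Property @{ Name = $r.Name; Program = $r.Program; Profiles = $r.Profiles }
        }
    }
}

$profiles = Get-FirewallProfiles
foreach ($name in $profiles.Keys) {
    $p = $profiles[$name]
    "$name profile: firewall $($p.State), blocked-program notifications $($p.InboundUserNotification)"
    if ($p.State -ne 'ON') { "  $name profile firewall is OFF; the Security Center will flag this in red." }
}
""
"Enabled inbound exceptions for specific programs (review any you do not recognize):"
Get-FirewallProgramExceptions | Sort-Object Name | Format-Table Name, Profiles, Program -AutoSize -Wrap
```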

A Few More Firewall Tips

Here are a few extra things to keep in mind when looking at your firewall security on Windows Vista:

• Be sure to turn off Windows Firewall if you install a third-party firewall. Two software firewalls are not better than one.

• It is always a good idea to augment your firewall security by connecting your computer to a home network router and connecting it in turn to your high-speed Internet modem. Home network routers from companies such as DLink, Netgear, and Linksys have built-in one-way hardware firewall functionality and add a layer of protection to your home computer(s) from Internet threats such as hackers and worms.

• If you want a good, free, two-way software firewall for Vista to replace the Windows Firewall, download and install Firewall Plus from PCTools at www.pctools.com/firewall/.

Troubleshooting Internet Protected Mode

If you can’t download web helper applets when you use Internet Explorer 7 on Vista, chances are the new Internet Protected mode is getting in the way. It’s designed to demote the privilege level of the browser so that applications can’t install directly from the Internet through the browser.

When it is engaged, an application downloaded or executed through IE7 cannot write files and Registry keys in a user’s profile or anywhere on his system.

Previously, malware programmers could engineer web pages to automatically drop and install applications in the background on computers that access the Web using IE6 on XP. This was called drive-by-downloads.

Although this is a welcome protection, Internet Protected mode can also block legitimate installations from the Web when you initiate them.

So, if you are having trouble with this, turn off Internet Protected mode and then install the application, and afterward, turn it back on. Here’s how:

1. In IE7, select Tools, Internet Options.

2. Click the Security tab.

3. Uncheck the Enable Protected Mode box and click Apply.

4. Install your web-based application.

5. When done, turn Internet Protected mode back on by reversing the preceding process. You will have to restart IE7 afterward.

Use an Alternate Web Browser

IE7 has a legacy of security problems. Besides that, I think it’s a clumsy browser. And my cats hiss when it’s running. OK, that’s an exaggeration, but I do avoid using it at all costs. Thankfully, there are alternative browsers for Vista that you can use instead. You can’t remove IE7 from Vista, but you can ignore it most of the time.


Note

You will need IE7 for Windows Update. A few other websites also use Microsoft web technology to work.


I personally prefer Firefox. If it’s not your cup of tea, try either Safari or Opera, both listed in the following sections.

Firefox

I use Mozilla Firefox (see Figure 12.11), which is inherently more secure because it doesn’t use ActiveX technology, which is the conduit used by drive-by-downloads. Do yourself a favor and install it from www.getfirefox.com. It’s a better browser and more secure.

Figure 12.11. Use the Firefox web browser; it’s more secure than IE.


Safari

Apple released a version of its Safari browser for Windows. It had security vulnerabilities early on during its initial beta release, but given Apple’s decent security track record, they will surely engineer it to be competitive with Firefox. Get it from www.apple.com/safari/.

Opera

One other browser is worth mentioning. It’s called Opera and is available for free from www.opera.com. You might want to try it as well.

Run Vista with UAC Disabled

The User Account Control can be an enormous pain in the butt. However, you can turn it off or turn it halfway off (see the next section). The problem is this exposes your system to malware. Still, if you are wise, you can get along without it if you are cautious and protect your computer.

I’ll show you how to turn it off in a moment, but first be sure you follow these guidelines if you’re going to try to live without it:

1. Install a decent antivirus application and turn on its automatic signature updates.

2. Scan weekly with the Microsoft Defender antispyware application. Augment your weekly scanning with at least one and preferably two other antispyware applications that I mentioned in this chapter.

3. Keep your Windows Firewall on or replace it with a good third-party software firewall.

4. Use a home network router between your computer and your high-speed Internet modem because it has a hardware firewall.

5. When you use Internet Explorer, ensure Internet Protected Mode is on, and when possible, use an alternate browser such as Firefox.

6. Make sure Windows Update is up to date with any security fixes made available by Microsoft.

7. Use WEP or WPA to secure your router if you have a wireless home network router.

8. Use common sense when you receive emails. Don’t open unsolicited attachments or get fooled into executing a file that might contain malware.

Assuming that you’re going to follow these good security practices, here’s how to turn off UAC.

How to Turn Off UAC

You can turn off UAC in a few different ways. Here’s how:

1. Click the Windows button and type msconfig and press Enter.

2. Click Continue on the UAC warning for the last time.

3. In the System Configuration dialog, click the Tools tab.

4. Scroll down to Disable UAC and select it (see Figure 12.12).

Figure 12.12. Turn off UAC, if you engage in good security practices.


5. Click Launch.

6. A command window opens and runs a script. Close the window when the script finishes.


Tip

Note that there is also an Enable UAC option here to turn it back on.


7. UAC will be turned off.

8. You’re free of UAC!

Partially Disabling UAC

There is a way to turn off UAC just for administrators. This is a good idea if you have children or others who use your system in Standard User mode and want to continue to protect them, but want to live free from UAC yourself when you are working in an administrator account.

There’s a great application called TweakUAC, which can put UAC into “quiet mode” (see Figure 12.13)—that is, turn it off for administrators and leave it on for standard users. It also has controls for turning UAC off or on completely.

Figure 12.13. TweakUAC lets you run UAC in quiet mode.


Download it for free from www.TweakUAC.com.

Adjust UAC for Screen Readers and Capture Utilities

UAC pushes its alerts to a secure desktop that can’t be seen by applications. This poses a problem if you use a screen reader or a screen capture product such as Camtasia Studio or SnagIt (www.techsmith.com).

To work around it, you can set UAC to show alerts on the regular desktop as follows if you use either Vista Business or Vista Ultimate:

1. Type local in the Search bar on the Start menu and click Local Security Policy when it appears.

2. On the left pane of the Local Security Policy window, click Local Policies and then Security Options.

3. On the right pane, scroll all the way down to User Account Control: Switch to the secure desktop when prompting for elevation (see Figure 12.14).

Figure 12.14. Use the Local Policy Editor to push UAC alerts to the normal Vista desktop.


4. Right-click on it, choose Properties, and then click the radio button next to Disabled, click Apply, and then OK.

5. Now when UAC alerts are triggered, your screen reader or capture utility will be able to see them; however, so will malware. Note that the screen won’t be dimmed in this mode.

Standard User Versus Administrator

I should say a few words about how Microsoft has reworked user privileges in Vista to be more useful.

There are two functional types:

Administrator—This user level can make changes to the system, do maintenance, and install software systemwide. It is God.

Standard user—This user can modify his own desktop and add content to his own user folders; however, he cannot install software. This protects everyone else who uses the computer from people who might potentially infect the system with spyware or viruses or questionable software that destabilizes the whole system.


Tip

This will make me unpopular with the Britney crowd, but it’s good to give teenagers accounts with standard user privileges because they like to use file-sharing utilities, which are rife with malware.


You’ll want to set up all users of the computer with their own standard user account, including yourself.

To do this:

1. Log on as an administrator (the account you set the system up with).

2. Type User into the Search bar of the Start menu and click User Accounts when it appears.

3. Click Manage Another Account to set up or modify other user accounts on the system.

To stay the most secure, all day-to-day operations on Vista should be run in a standard user account, so create one for yourself. When you need to make system changes, you can hop out of the standard user account and log in as the administrator.

Now, this all sounds fine and dandy, but it’s not very practical. It certainly wasn’t in Windows XP. What makes it more livable in Vista is that if a standard user wants to do something that requires administrator privileges, an escalation dialog box pops open. Here you can type in an admin password and allow the standard user to execute this specific admin-level task (see Figure 12.15).

Figure 12.15. A standard user can call over the administrator for permission to execute a specific task such as installing games.


You can further limit a standard user’s activities, including software usage, time of day limitations, and Internet usage, in the new Parental Controls in Vista. Log in as an administrator, type parental, and then click Parental Controls when it appears in the Start menu.

Click Continue on UAC; then choose a standard user to turn on Parental Controls (see Figure 12.16) for them.

Figure 12.16. Parental Controls can be used by an administrator to customize and monitor a standard user’s activities on a Vista computer.


Tweaking Data Execution Prevention (DEP)

Data Execution prevention, or DEP, was deployed in Windows XP SP2, but was well hidden from the end user. It’s a little more functional in Windows Vista.

DEP is designed to thwart a malware trick in which it runs its malicious code in a protected memory space; that is, an area of memory that only Windows or other programs have permission to use.

Disabling/Enabling DEP

The problem is DEP can shut down legitimate programs, especially legitimate software that downloads off the Web. DEP does this with little warning. Usually you get an alert after it’s done the application in.

The good news is you can turn off DEP completely.

Here’s how:

1. Click the Windows button and type cmd in the Search box.

2. When the command shortcut appears in the Start menu, right-click it and select Run as Administrator.

3. Click Continue on UAC, as necessary.

4. At the command prompt, type the following: bcdedit.exe /set {current} nx AlwaysOff.

5. You’ll see a message that says the operation was completed successfully (see Figure 12.17), but if not, make sure you don’t skip step 2.

Figure 12.17. Use the command prompt to turn DEP on or off.


6. If you want to turn it back on again in the future, use the same procedure, but type the following: bcdedit.exe /set {current} nx AlwaysOn.
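The bcdedit command above changes the nx setting in the boot store, which only takes effect after a restart. As an added example (not from the book), this PowerShell script reports the policy configured for the next boot alongside the policy the running system is actually enforcing, so you can confirm a change before relying on it. It assumes an elevated prompt and Vista SP1 or later (for GetSystemDEPPolicy).

```powershell
# Added example, not from the book. Compares the DEP policy in the boot store with the
# policy in effect now. Assumes an elevated prompt (bcdedit needs it) on Vista SP1 or later.

# bcdedit prints a line such as "nx   OptIn". The four values map to the GUI like this:
#   OptIn     - DEP for essential Windows programs and services only (Vista's default)
#   OptOut    - DEP for all programs except those you exclude (the "ultimate protection" option)
#   AlwaysOn  - DEP for everything, no exclusions possible
#   AlwaysOff - DEP disabled for every process
function Get-ConfiguredNxPolicy {
    # Braces are quoted because PowerShell would otherwise treat {current} as a script block
    $lines = bcdedit /enum '{current}' 2>&1
    foreach ($line in $lines) {
        if ($line -match '^nx\s+(\w+)\s*$') { return $Matches[1] }
    }
    return 'OptIn'   # no nx entry present means the default applies
}

# GetSystemDEPPolicy (kernel32) returns the policy the running kernel enforces:
# 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern int GetSystemDEPPolicy();
'@

function Get-EffectiveDepPolicy {
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $code = [DepCheck.Native]::GetSystemDEPPolicy()
    if ($names.ContainsKey($code)) { return $names[$code] }
    return "Unknown($code)"
}

$configured = Get-ConfiguredNxPolicy
$effective  = Get-EffectiveDepPolicy
"DEP policy in boot store (next boot): $configured"
"DEP policy in effect now:             $effective"
if ($configured -ne $effective) {
    "The two differ: the boot store has been changed but the system has not been restarted yet."
}
if ($effective -eq 'AlwaysOff') {
    "DEP is fully disabled; no process is protected against the buffer-overrun trick this section describes."
}
```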

Turn DEP On for Ultimate Protection

If you want ultimate protection from DEP, turn it on as follows.

1. Click the Windows button and type System, and then click it when it appears in the Start menu.

2. On the left side of the window, click System Protection.

3. Click Continue when UAC kicks in.

4. Click the Advanced tab and then the Settings button in the Performance section.

5. Click the Data Execution Prevention tab.

6. Now select the radio button next to Turn on DEP For All Programs and Services Except Those I Select.

7. Leave it at that if you want DEP to check everything on the system that runs. You’ll need to restart the system to put the changes into effect.

Exclude Some Applications from DEP

If DEP is full on, it might try to shut down some legitimate programs—and that can drive you crazy. To avoid the annoyance, exclude programs that get shut down by mistake by DEP:


Tip

If you are not sure where the executable file is located, find a shortcut to it from either your desktop or the Start menu. Right-click it and choose Properties. Click the Shortcut tab, copy the target, and then cut and paste it into the Open dialog box used to browse files.


1. To explicitly exclude a program from DEP, click the Add button below the box and browse to the executable file of the program you want to exclude from DEP (see Figure 12.18).

Figure 12.18. Use the Add button to exclude specific programs from Data Execution Prevention.


2. Click Open, and the file will be added to the DEP exclusion list with a check box next to it. Click Apply and then click OK.

3. You’ll need to reboot your computer to apply the exclusion.

4. To undo the exception, select the file in the DEP box and click the Remove button on the Data Execution Prevention tab.
