Updated: March 27, 2006

Creating a Frontline Defense with Browser Security: The Checklist


1. Understand the threats.

Malware can steal computing resources, reduce employee productivity, and lead to inadvertent disclosure of confidential information. To address the problem of malware, develop policies to help manage the three main vectors of attack: spam, insecure Web browsing, and software downloads. Once policies are developed, use tools and technologies such as the Malicious Software Removal Tool and Windows Defender (Beta 2).

Business process tools like the Microsoft Security Assessment Tool can help small to medium size businesses develop a set of best practices to enhance security in their infrastructure. For larger organizations, the Security Risk Management Guide helps customers of all types plan, build, and maintain a successful security risk management program.

Establish software restriction policies and utilize systems management tools like Microsoft Systems Management Server (SMS) 2003 and Group Policy to enforce this policy.

Ensure you have an inbound firewall, such as Windows Firewall in Windows XP Service Pack 2 (SP2) or the Windows Vista firewall in Windows Vista, Microsoft’s new desktop operating system.

Define policies for acceptable use and enforce those rules using network appliances, firewalls, and group policy restrictions. We provide more guidance on usage policies below.

2. Implement a secure browsing policy on your network.

Be sure you are using the latest versions of software. Desktop systems should be running Windows XP Service Pack 2 (SP2), which includes enhancements like a desktop firewall, a pop-up blocker, Local Machine Zone lockdown, and add-on management tools, all of which reduce the chances of a malware infection.

Microsoft Internet Explorer’s default security settings provide protection for everyday Web browsing. Monitor Microsoft Security Response Center updates for guidance on whether higher security settings are recommended. Administrators can use Group Policy settings to control zone management, raising the security level temporarily and returning it to the default level once the update has been deployed.

Have a strategy to reduce spam and phishing e-mails. Deploy products such as Microsoft’s Antigen line to provide edge- and server-level anti-virus, anti-spam, and content filtering. Internet Explorer 7 will also contain an opt-in phishing filter service that provides real-time protection to help prevent users from unintentionally disclosing personal information.

Organizations running Windows XP Service Pack 2 (SP2) should use Active Directory to manage installations of Internet Explorer 6 Service Pack 2 (SP2). Internet Explorer 7 will offer a new version of the Internet Explorer Administrator’s Kit (IEAK) for centralized management and settings control. Customers using Internet Explorer 6 Service Pack 1 (SP1) can leverage the IEAK to centrally configure and deploy the settings of Internet Explorer 6 Service Pack 1 (SP1).

Once available, evaluate new tools such as the recently announced Microsoft Client Protection, which will provide enterprise-level anti-spyware and anti-virus protection against malware, rootkits, and virus attacks.

Make sure anti-virus and desktop firewall software is installed on all computers in your network and that the network is protected by an Internet firewall.

Having a robust defense-in-depth strategy is critical to ensuring that if one defense measure fails, there are more layers behind it for continuous protection. No one tool or application can block all threats effectively so it’s important to understand the features and limitations of the various technical security measures of each application in your enterprise. With that information, you can develop a threat preparedness matrix and identify areas of vulnerability.


3. Define usage policy and educate users.

To reduce malware, implement a usage policy that restricts non-business-related computing activity. Advise employees not to download content from unfamiliar sites. “Piggyback downloads,” where unwanted software is quietly bundled with another application, are a common avenue for malware to make its way onto machines. Games and other non-business applications are popular sources for piggyback downloads. Network applications like Microsoft Internet Security and Acceleration (ISA) Server 2004 and other firewall/content filtering applications can be used to block unknown software. Some organizations may prefer to block all unauthorized downloads and establish an approval/exemption process.

Prevent employees from downloading unsigned ActiveX programs. You can use Group Policies to enforce these settings.
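As an added example (not part of the original checklist), the following PowerShell script audits whether the “Download unsigned ActiveX controls” setting for the Internet zone is effectively set to Disable on a workstation. It relies on the documented zone registry layout (zone 3 = Internet, action value 1004 = download unsigned ActiveX controls, 0 = Enable, 1 = Prompt, 3 = Disable) and assumes the usual precedence of machine policy over user policy over user preference.

```powershell
# Added audit example (not Microsoft's code): report the effective
# "Download unsigned ActiveX controls" setting for the Internet zone.
# Registry facts used: zone 3 = Internet; action 1004 = download unsigned
# ActiveX controls; 0 = Enable, 1 = Prompt, 3 = Disable.
# Assumed precedence (checked in this order): machine Group Policy,
# user Group Policy, then the user's own preference.
$zonePaths = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
$actionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsignedActiveXSetting {
    # Return the first explicit value found, together with where it came from.
    foreach ($path in $zonePaths) {
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name '1004' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{ Source = $path; Value = [int]$item.'1004' }
            }
        }
    }
    return $null
}

$setting = Get-UnsignedActiveXSetting
if ($null -eq $setting) {
    Write-Output 'No explicit value found; the Internet Explorer default for the Internet zone applies.'
} elseif ($setting.Value -eq 3) {
    Write-Output "COMPLIANT: unsigned ActiveX downloads are Disabled (source: $($setting.Source))"
} else {
    $label = $actionName[$setting.Value]
    if (-not $label) { $label = "unknown ($($setting.Value))" }
    Write-Output "NON-COMPLIANT: setting is '$label' (source: $($setting.Source))"
}
```

Run it under each user account of interest, since the HKCU paths reflect the logged-on user; a result that comes from a Policies path shows the value is enforced by Group Policy rather than left to the user.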

Educate users about the dangers of opening e-mail messages and attachments or visiting Websites referenced in messages from people they don’t know.


4. Get clients to a security baseline and keep them updated.

Complete an inventory of all desktops and servers in your environment. Use tools such as Microsoft Systems Management Server (SMS) 2003 for large organizations or Microsoft Baseline Security Analyzer (MBSA) for smaller numbers of workstations. Also, identify threats and weaknesses in your infrastructure based on the current application and patch levels found in the inventory.

Be sure to keep security protections up to date and scan your computers on a regular basis. Use the Microsoft Windows Malicious Software Removal Tool (MSRT) for computers running Windows XP, Windows 2000, and Windows Server 2003. MSRT is updated monthly, checks for infections by specific malicious software including Blaster, Sasser, and Mydoom, and helps remove any infections found.

Automate update management:

For consumers and small businesses, Microsoft Update consolidates software updates from sites including Windows Update and Office Update.

For mid-size organizations, Windows Server Update Services (WSUS) helps centrally manage the distribution of updates. In addition, WSUS provides basic reporting to track system compliance.

Large organizations are advised to use SMS 2003 with the inventory tool for Microsoft Updates for overall change and configuration management. This will help maintain an inventory of compliance levels of each managed computer, including but not limited to updates.

5. Evaluate Internet Explorer 7 and provide feedback.

Many of the security goals outlined here can be attained with Internet Explorer 7 in your environment. Because we have made so many changes, we encourage organizations to use this beta period and evaluate Internet Explorer 7 in their own networks and give us feedback. Specialized developer toolbars and an application compatibility toolkit have been created. These tools will enable developers to identify changes in behavior of Web applications and Web sites caused by the new security features in Internet Explorer 7. For more information and guidance on finding security compatibility issues in Internet Explorer 7, please visit Security360: Learn Best Practices to Guide Your Security Strategy.


Related Resources

Finding Security Compatibility Issues in Internet Explorer 7

Microsoft Security Updates