Windows 7 Resource Kit - P25
Using Windows Defender CHAPTER 24
1153
• High  Similar to the severe rating, but slightly less damaging. You should always remove this software.
• Medium  Assigned to potentially unwanted software that might compromise your privacy, affect your computer’s performance, or display advertising. In some cases, software classified at a Medium alert level might have legitimate uses. Evaluate the software before allowing it to be installed.
• Low  Assigned to potentially unwanted software that might collect information about you or your computer or change how your computer works but operates in agreement with licensing terms displayed when you installed the software. This software is typically benign, but it might be installed without the user’s knowledge. For example, remote control software might be classified as a Low alert level because it could be used legitimately, or it might be used by an attacker to control a computer without the owner’s knowledge.
• Not yet classified  Programs that haven’t yet been analyzed.
Understanding Microsoft SpyNet
Microsoft’s goal is to create definitions for all qualifying software. However, thousands of new applications are created and distributed every day, some of which have behaviors unwanted by some people. Because of the rapid pace of newly released software, people can possibly encounter potentially unwanted software that Microsoft has not yet classified. In these cases, Windows Defender should still warn the user if the software takes a potentially undesirable action such as configuring itself to start automatically each time the computer is restarted.
To help users determine whether to allow application changes (detected by real-time protection) when prompted, Windows Defender contacts Microsoft SpyNet to determine how other users have responded when prompted about the same software. If the change is part of a desired software installation, most users will have approved the change, and Windows Defender can use the feedback from SpyNet when informing the user about the change. If the change is unexpected (as it would be for most unwanted software), most users will not approve the change.
Two levels of SpyNet participation are available:
• Basic  Windows Defender sends only basic information to Microsoft, including where the software came from, such as the specific URL, and whether the user or Windows Defender allowed or blocked the item. With basic membership, Windows Defender does not alert users if it detects software or changes made by software that has not yet been analyzed for risks. Although personal information might possibly be sent to Microsoft with either basic or advanced SpyNet membership, Microsoft will not use this information to identify or contact the user.

NOTE  For more information about what information might be transferred and how Microsoft might use it, view the Windows Defender privacy statement online at />.

• Advanced  Advanced SpyNet membership is intended for users who have an understanding of the inner workings of the operating system and might be able to evaluate whether the changes an application is making are malicious. The key difference between basic and advanced membership is that with advanced membership, Windows Defender will alert users when it detects software or changes that have not yet been analyzed for risks. Also, advanced membership sends additional information to SpyNet, including the location of the software on the local computer, filenames, how the software operates, and how it has affected the computer.
You can configure your SpyNet level by clicking Microsoft SpyNet on the Windows Defender Tools page.

In addition to providing feedback to users about unknown software, SpyNet is also a valuable resource to Microsoft when identifying new malware. Microsoft analyzes information in SpyNet to create new definitions. In turn, this helps slow the spread of potentially unwanted software.
Configuring Windows Defender Group Policy
You can configure some aspects of Windows Defender by using Group Policy settings. Windows Defender Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender. From that node, you can configure the following settings:
• Turn On Definition Updates Through Both WSUS And Windows Update  Enabled by default, this setting configures Windows Defender to check Windows Update when a WSUS server is not available locally. This can help ensure that mobile clients, which might not regularly connect to your local network, can receive all new signature updates. If you disable this setting, Windows Defender checks for updates using only the setting defined for the Automatic Updates client: either an internal WSUS server or Windows Update. For more information about WSUS and distributing updates, read Chapter 23, “Managing Software Updates.”
DIRECT FROM THE SOURCE
Analysis of Potentially Unwanted Software
Sterling Reasor, Program Manager
Windows Defender

Keeping up to date with the current malware definitions can help protect your computer from harmful or potentially unwanted software. Microsoft has taken several steps to create definition updates, including gathering new samples of suspicious files, observing and testing the samples, and performing a deep analysis. If we determine that the sample does not follow our criteria, its alert level is determined and the software is added to the software definitions and released to customers.
For more information, visit /software/msft/analysis.mspx.
• Turn On Definition Updates Through Both WSUS And The Microsoft Malware Protection Center  Provides similar functionality to the previous Group Policy setting, but clients download updates from a different site. You should set these two policies to the same value unless the computer has no access to the Internet and relies only on an internal WSUS server.
• Check For New Signatures Before Scheduled Scans  This setting is disabled by default; enable it to cause Windows Defender to always check for updates prior to a scan. This helps ensure that Windows Defender has the most up-to-date signatures. When you disable this setting, Windows Defender still downloads updates on a regular basis but will not necessarily check immediately prior to a scan.
• Turn Off Windows Defender  Enable this setting to turn off Windows Defender real-time protection and to remove any scheduled scans. You should enable this setting only if you are using different anti-malware software. If Windows Defender is turned off, users can still run the tool manually to scan for potentially unwanted software.
• Turn Off Real-Time Monitoring  If you enable this policy setting, Windows Defender does not prompt users to allow or block unknown activity. If you disable or do not configure this policy setting, by default Windows Defender prompts users to allow or block unknown activity on their computers.
• Turn Off Routinely Taking Action  By default, Windows Defender will take action on all detected threats automatically after about ten minutes. Enable this policy to configure Windows Defender to prompt the user to choose how to respond to a threat.
• Configure Microsoft SpyNet Reporting  SpyNet is the online community that helps users choose how to respond to potential spyware threats that Microsoft has not yet classified by showing users how other members have responded to an alert. When enabled and set to Basic or Advanced, Windows Defender will display information about how other users responded to a potential threat. When enabled and set to Basic, Windows Defender will also submit a small amount of information about the potentially malicious files on the user’s computer. When set to Advanced, Windows Defender will send more detailed information. If you enable this setting and set it to No Membership, SpyNet will not be used, and the user will not be able to change the setting. If you leave this setting Disabled (the default), SpyNet will not be used unless the user changes the setting on his local computer. The Microsoft Malware Protection Center recommends that this setting be set to Advanced to provide their analysts with more complete information on potentially unwanted software.
Windows Defender Group Policy settings are defined in WindowsDefender.admx, which
is included with Windows 7. For more information about using Group Policy administrative
templates, read Chapter 14, “Managing the Desktop Environment.”
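The Group Policy settings listed above are written by WindowsDefender.admx into the Windows Defender policy hive, so an administrator can verify what a client actually received without opening the Group Policy editor. The following PowerShell script is an added example, not a script from the book or from the companion media: it reads that hive and reports each setting as Not Configured, Enabled or Disabled, decoding the SpyNet membership level. The key paths and value names (DisableAntiSpyware, DisableRealtimeMonitoring, DisableRoutinelyTakingAction and Spynet\SpynetReporting) are assumptions based on the policy hive as commonly documented; confirm them against the WindowsDefender.admx file in your environment before relying on the report.

```powershell
# Added example (not from the Windows 7 Resource Kit): report the effective
# Windows Defender Group Policy settings by reading the policy registry hive
# that WindowsDefender.admx writes to.
# ASSUMPTION: key paths and value names below come from the Defender policy
# hive as commonly documented; confirm them against WindowsDefender.admx.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Each entry maps a Group Policy setting name (as shown in the Group Policy
# editor) to the registry location that backs it, plus a decoder for the value.
$settings = @(
    @{ Name   = 'Turn Off Windows Defender'
       Path   = $policyRoot; Value = 'DisableAntiSpyware'
       Decode = { param($v) if ($v -eq 1) { 'Enabled (Defender off)' } else { 'Disabled' } } },
    @{ Name   = 'Turn Off Real-Time Monitoring'
       Path   = "$policyRoot\Real-Time Protection"; Value = 'DisableRealtimeMonitoring'
       Decode = { param($v) if ($v -eq 1) { 'Enabled (no prompts)' } else { 'Disabled' } } },
    @{ Name   = 'Turn Off Routinely Taking Action'
       Path   = $policyRoot; Value = 'DisableRoutinelyTakingAction'
       Decode = { param($v) if ($v -eq 1) { 'Enabled (user is prompted)' } else { 'Disabled' } } },
    @{ Name   = 'Configure Microsoft SpyNet Reporting'
       Path   = "$policyRoot\Spynet"; Value = 'SpynetReporting'
       Decode = { param($v) switch ($v) { 0 { 'No Membership' } 1 { 'Basic' } 2 { 'Advanced' } default { "Unknown ($v)" } } } }
)

function Get-DefenderPolicyReport {
    foreach ($s in $settings) {
        $raw = $null
        if (Test-Path -Path $s.Path) {
            # A missing value means the policy is Not Configured, so suppress the error.
            $raw = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
        }
        [pscustomobject]@{
            Setting  = $s.Name
            State    = if ($null -eq $raw) { 'Not Configured' } else { & $s.Decode $raw }
            RawValue = $raw
        }
    }
}

Get-DefenderPolicyReport | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the client after `gpupdate /force`; a setting that shows Not Configured while the GPO sets it usually means the GPO has not applied to that computer, which is the first thing to check before suspecting Windows Defender itself.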
Configuring Windows Defender on a Single Computer
Besides the settings that you can configure by using Group Policy, Windows Defender includes many settings that you can configure only by using the Windows Defender Options page on a local computer. To open the Options page, start Windows Defender by searching the Start menu, selecting Tools, and then selecting Options. Some of the settings you can configure from this page include:
• Frequency and time of automatic scans
• The security agents that are scanned automatically
• Specific files and folders to be excluded from scans
• Whether non-administrators can run Windows Defender
Because you cannot easily configure these settings with Group Policy settings, Windows Defender might not be the right choice for enterprise spyware control.
How to Determine Whether a Computer Is Infected with Spyware
Several signs indicate whether a computer is infected with spyware. You should train users in your environment to notice these changes and call your Support Center if they suspect a malware infection:
• A new, unexpected application appears.
• Unexpected icons appear in the system tray.
• Unexpected notifications appear near the system tray.
• The Web browser home page, default search engine, or favorites change.
• The mouse pointer changes.
• New toolbars appear, especially in Web browsers.
• The Web browser displays additional advertisements when visiting a Web page, or pop-up advertisements appear when the user is not using the Web.
• When the user attempts to visit a Web page, she is redirected to a completely different Web page.
• The computer runs more slowly than usual. This can be caused by many different problems, but spyware is one of the most common causes.
Some spyware might not have any noticeable symptoms, but it still might compromise private information. For best results, run Windows Defender real-time protection with daily quick scans.
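Several of the symptoms above (new applications that start with Windows, changed home page or search engine, new browser toolbars) leave traces in a few well-known registry locations, and a Support Center technician will want to see those before deciding whether a scan is warranted. The following PowerShell script is an added example, not a script from the book or its companion media: it reads the Run/RunOnce auto-start keys, the Internet Explorer start and search page values, and the registered Browser Helper Objects with the DLL each one loads, and prints them for review. It changes nothing. The registry locations used are the standard ones for these items and are assumptions about your environment; add any others your organization cares about.

```powershell
# Added example (not from the Windows 7 Resource Kit): read-only triage of the
# persistence and browser-configuration locations that the spyware symptoms
# above point to. ASSUMPTION: standard Run/RunOnce keys, the Internet Explorer
# Main key and the Browser Helper Objects key; extend the lists as needed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutoStartEntries {
    # One object per value under each Run/RunOnce key: an unexpected entry here
    # matches the "new, unexpected application appears" symptom.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Location = $key
                Name     = $name
                Command  = $item.GetValue($name)
            }
        }
    }
}

function Get-BrowserSettings {
    # Home page and search page values that spyware commonly rewrites.
    $main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $props = Get-ItemProperty -Path $main -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StartPage  = $props.'Start Page'
        SearchPage = $props.'Search Page'
    }
}

function Get-BrowserHelperObjects {
    # Each subkey is a CLSID; resolve it to the DLL that implements the object,
    # which is where unexpected toolbars and add-ons usually show up.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($clsidKey in Get-ChildItem $bhoKey) {
        $clsid  = $clsidKey.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    }
}

Write-Host '== Auto-start entries =='
Get-AutoStartEntries | Format-Table -AutoSize
Write-Host '== Internet Explorer settings =='
Get-BrowserSettings | Format-List
Write-Host '== Browser Helper Objects =='
Get-BrowserHelperObjects | Format-Table -AutoSize
```

Compare the output against a known-good computer built from the same image; an auto-start command pointing into a user profile or temporary folder, or a Browser Helper Object whose DLL has no recognizable publisher, is a reason to run the quick scan and full scan described later in this chapter rather than to remove the entry by hand.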
Best Practices for Using Windows Defender
To receive the security benefits of Windows Defender while minimizing the costs, follow these best practices:
• Teach users how malware works and the problems that malware can cause. In particular, focus on teaching users to avoid being tricked into installing malware by social engineering attacks.
• Before deploying Windows 7, test all applications with Windows Defender enabled to ensure that Windows Defender does not alert users to normal changes the application might make. If a legitimate application does cause warnings, add the application to the Windows Defender allowed list.
• Change the scheduled scan time to meet the needs of your business. By default, Windows Defender scans at 2 A.M. If third-shift staff uses computers overnight, you might want to find a better time to perform the scan. If users turn off their computers when they are not in the office, you should schedule the scan to occur during the day. Although the automatic quick scan can slow computer performance, it typically takes fewer than 10 minutes, and users can continue working. Any performance cost typically is outweighed by the security benefits.
• Use WSUS to manage and distribute signature updates.
• Use antivirus software with Windows Defender. Alternatively, you might disable Windows Defender completely and use client security software that provides both antispyware and antivirus functionality.
• Do not deploy Windows Defender in enterprises. Instead, use Microsoft Forefront or a third-party client security suite that can be managed more easily in enterprise environments.
How to Troubleshoot Problems with Unwanted Software
A spyware infection is rarely a single application; most successful malware infections automatically install several, even dozens, of additional applications. Some of those applications might be straightforward to remove. However, if even a single malicious application remains, that remaining malware application might continue to install other malware applications.
If you detect a problem related to spyware and other potentially unwanted software, follow these steps to troubleshoot it:
1. Perform a quick scan and remove any potentially unwanted applications. Then, immediately perform a full scan and remove any additional potentially malicious software. The full scan can take many hours to run. Windows Defender will probably need to restart Windows.
2. If the software has made changes to Internet Explorer, such as adding unwanted add-ons or changing the home page, refer to Chapter 20 for troubleshooting information.
3. Run antivirus scans on your computer, such as that available from . Often, spyware might install software that is classified as a virus, or the vulnerability exploited by spyware might also be exploited by a virus. Windows Defender does not detect or remove viruses. Remove any viruses installed on the computer.
4. If you still see signs of malware, install an additional antispyware and antivirus application from a known and trusted vendor. With complicated infections, a single anti-malware tool might not be able to remove the infection completely. Your chances of removing all traces of malware increase by using multiple applications, but you should not configure multiple applications to provide real-time protection.
5. If problems persist, shut down the computer and use the Startup Repair tool to perform a System Restore. Restore the computer to a date prior to the malware infection. System Restore will typically remove any startup settings that cause malware applications to run, but it will not remove the executable files themselves. Use this only as a last resort: Although System Restore will not remove a user’s personal files, it can cause problems with recently installed or configured applications. For more information, see Chapter 29, “Configuring Startup and Troubleshooting Startup Issues.”
These steps will resolve the vast majority of malware problems. However, when malware has run on a computer, you can never be certain that the software is removed completely. In particular, malware known as rootkits can install themselves in such a way that they are difficult to detect on a computer. In these circumstances, if you cannot find a way to confidently remove the rootkit, you might be forced to reformat the hard disk, reinstall Windows, and then restore user files using a backup created prior to the infection.
Network Access Protection
Many organizations have been affected by viruses or worms that entered their private networks through a mobile PC and quickly infected computers throughout the organization. Windows Vista, when connecting to a Windows Server 2008 infrastructure, supports Network Access Protection (NAP) to reduce the risks of connecting unhealthy computers to private networks directly or across a VPN. If a NAP client computer lacks current security updates or virus signatures, or otherwise fails to meet your requirements for computer health, NAP blocks the computer from having unlimited access to your private network. If a computer fails to meet the health requirements, it will be connected to a restricted network to download and install the updates, antivirus signatures, or configuration settings that are required to comply with current health requirements. Within minutes, a potentially vulnerable computer can be updated, have its new health state validated, and then be granted unlimited access to your network.
NAP is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software and configuration settings that the health requirement policy requires, the computer is considered compliant, and it will be granted unlimited access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.
NAP has three important and distinct aspects:
• Network policy validation  When a user attempts to connect to the network, the computer’s health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health requirement policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the health requirement policies are allowed unlimited access to the network, but computers that do not comply with health requirement policies or are not compatible with NAP are placed on a restricted network. In both environments, administrators can define exceptions to the validation process. NAP also includes migration tools to make it easier for administrators to define exceptions that best suit their network needs.
• Health requirement policy compliance  Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with the required updates through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with health requirement policies have limited access until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
• Limited access for noncompliant computers  Administrators can protect network assets by limiting the access of computers that do not comply with health requirement policies. Computers that do not comply will have their network access limited as defined by the administrator. That access can be limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the limited access will last for the duration of the connection. If an administrator configures health update resources, the limited access will last only until the computer is brought into compliance.
NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding features that verify and remediate a computer’s health to comply with health requirement policies. By itself, NAP does not provide features to verify or correct a computer’s health. Other features, known as system health agents (SHAs) and system health validators (SHVs), provide automated system health reporting, validation, and remediation. Windows Vista, Windows Server 2008, and Windows 7 include an SHA and an SHV that allow the network administrator to specify health requirements for the services monitored by the Windows Security Center.
When troubleshooting client-side problems related to NAP, open Event Viewer and browse the Applications And Services Logs\Microsoft\Windows\Network Access Protection Event Log. For more information about configuring a NAP infrastructure with Windows Server 2008, read Chapters 14 through 19 of Windows Server 2008 Networking and Network Access Protection by Joseph Davies and Tony Northrup (Microsoft Press, 2008).
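When a NAP client lands on the restricted network, the two things a support technician needs first are the client's own view of its enforcement clients and SHA health state, and the recent entries in the event log mentioned above. The following PowerShell script is an added example, not a script from the book: it wraps the built-in `netsh nap client show state` command and a `Get-WinEvent` query into one report. The event channel name `Microsoft-Windows-NetworkAccessProtection/Operational` is an assumption about how the "Network Access Protection" log under Applications And Services Logs is named internally; if `Get-WinEvent` cannot find it, read the exact channel name from the log's properties in Event Viewer.

```powershell
# Added example (not from the Windows 7 Resource Kit): collect the NAP client's
# current state and its recent event-log entries into one report for
# client-side troubleshooting.
# ASSUMPTION: the operational channel is named
# Microsoft-Windows-NetworkAccessProtection/Operational; verify in Event Viewer.

function Get-NapClientState {
    # 'netsh nap client show state' prints the enforcement clients and the
    # registered system health agents (SHAs) with their current health status.
    netsh nap client show state
}

function Get-NapClientEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    $log   = 'Microsoft-Windows-NetworkAccessProtection/Operational'
    $since = (Get-Date).AddHours(-$Hours)
    # SilentlyContinue so that an empty or missing log yields no output rather
    # than a terminating error; the technician can then check the channel name.
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Write-Host '== NAP client state =='
Get-NapClientState
Write-Host '== NAP client events (last 24 hours) =='
Get-NapClientEvents | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the affected client. An SHA reported as noncompliant in the state output, paired with the matching event in the log, tells you whether the computer is waiting on a remediation server (a health update resource problem) or whether the SHA itself reports a failed check such as missing signatures, which the sections on definition updates above cover.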
Forefront
Forefront is enterprise security software that provides protection from malware in addition to many other threats. Whereas Windows Defender is designed for consumers and small businesses, Forefront is designed to be deployed and managed efficiently throughout large networks.
Forefront products are designed to provide defense-in-depth by protecting desktops, laptops, and server operating systems. Forefront currently consists of the following products:
• Microsoft Forefront Client Security (FCS)
• Microsoft Forefront Security for Exchange Server (formerly called Microsoft Antigen for Exchange)
• Microsoft Forefront Security for SharePoint (formerly called Antigen for SharePoint)
• Microsoft Forefront Security for Office Communications Server (formerly called Antigen for Instant Messaging)
• Microsoft Intelligent Application Gateway (IAG)
• Microsoft Forefront Threat Management Gateway (TMG)
Of these products, only FCS would be deployed to client computers. The other products typically would be deployed on servers to protect applications, networks, and infrastructure.
Enterprise management of anti-malware software is useful for:
• Centralized policy management.
• Alerting and reporting on malware threats in your environment.
• Comprehensive insight into the security state of your environment, including security update status and up-to-date signatures.
Forefront provides a simple user interface for creating policies that you can distribute
automatically to organizational units and security groups by using GPOs. Clients also centrally
report their status so that administrators can view the overall status of client security in the
enterprise.
With Forefront, administrators can view statistics ranging from domain-wide to specific
groups of computers or individual computers to understand the impact of specific threats. In
other words, if malware does infect computers in your organization, you can easily discover
the infection, isolate the affected computers, and then take steps to resolve the problems.
Forefront also provides a client-side user interface. Similar to Windows Defender, Forefront
can warn users if an application attempts to make potentially malicious changes, or if it detects
known malware attempting to run. The key differences between Defender and Forefront are:
• Forefront is managed centrally  Forefront is designed for use in medium-sized and large networks. Administrators can use the central management console to view a summary of current threats and vulnerabilities, computers that need to be updated, and computers that are currently having security problems. Windows Defender is designed for home computers and small offices only, and threats must be managed on local computers.
• Forefront is highly configurable  You can configure automated responses to alerts, and, for example, prevent users from running known malware instead of giving them the opportunity to override a warning as they can do with Windows Defender.
• Forefront protects against all types of malware  Windows Defender is designed to protect against spyware. Forefront protects against spyware, viruses, rootkits, worms, and Trojan horses. If you use Windows Defender, you need another application to protect against the additional threats.
• Forefront can protect a wider variety of Windows platforms  Forefront is designed to protect computers running Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. Windows Defender can protect only computers running Windows XP, Windows Vista, and Windows 7.
Like Windows Defender, Forefront supports using Microsoft Update and WSUS to distribute updated signatures to client computers, but Forefront also supports using third-party software distribution systems. For more information about Forefront, visit . Also, explore the Microsoft TechNet Virtual Labs at />.
NOTE  Microsoft offers a third client security solution: Windows Live OneCare. Windows Live OneCare is designed to help protect home computers and small businesses with antivirus protection, antispyware protection, improved firewall software, performance monitoring, and backup and restore assistance. For more information, visit />.
Summary
Windows 7 is designed to be secure by default, but default settings don’t meet everyone’s needs. Additionally, the highly secure default settings can cause compatibility problems with applications not written specifically for Windows 7. For these reasons, it’s important that you understand the client-security technologies built into Windows 7 and how to configure them.
One of the most significant security features is UAC. By default, both users and administrators are limited to standard user privileges, which reduces the damage that malware could do if it were to start a process successfully in the user context. If an application needs elevated privileges, UAC prompts the user to confirm the request or to provide administrator credentials. Because UAC changes the default privileges for applications, it can cause problems with applications that require administrative rights. To minimize these problems, UAC provides file and registry virtualization that redirects requests for protected resources to user-specific locations that won’t impact the entire system.
AppLocker provides similar functionality to Software Restriction Policies available in earlier versions of Windows. However, AppLocker’s publisher rules provide more flexible control and enable administrators to create a single rule that allows both current and future versions of an application without the risks of a path rule. Additionally, AppLocker includes auditing to enable administrators to identify applications that require rules and to test rules before enforcing them.
Microsoft also provides Windows Defender for additional protection from spyware and other potentially unwanted software. Windows Defender uses signature-based and heuristic antispyware detection. If it finds malware on a computer, it gives the user the opportunity to prevent it from installing or to remove it if it is already installed. Windows Defender isn’t designed for enterprise use, however. For improved manageability and protection against other forms of malware (including viruses and rootkits), use Forefront or another similar enterprise client-security solution.
Additional Resources
These resources contain additional information and tools related to this chapter.
• Chapter 2, “Security in Windows 7,” includes an overview of malware.
• Chapter 4, “Planning Deployment,” includes more information about application compatibility.
• Chapter 20, “Managing Windows Internet Explorer,” includes more information about protecting Internet Explorer.
• Chapter 23, “Managing Software Updates,” includes information about deploying WSUS.
• Chapter 26, “Configuring Windows Firewall and IPsec,” includes more information about Windows Service Hardening.
• Chapter 29, “Configuring Startup and Troubleshooting Startup Issues,” includes information about running System Restore.
• “Behavioral Modeling of Social Engineering–Based Malicious Software” at />8785-689cf6a05c73 includes information about social engineering attacks.
• “Windows 7 Security Compliance Management Toolkit” at /fwlink/?LinkId=156033 provides detailed information about how to best configure Windows 7 security for your organization.
• “Microsoft Security Intelligence Report” at /details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f includes information about trends in the malicious and potentially unwanted software landscape.
• “Malware Removal Starter Kit” at /details.aspx?FamilyID=6cd853ce-f349-4a18-a14f-c99b64adfbea.
• “Applying the Principle of Least Privilege to User Accounts on Windows XP” at />.
• “Fundamental Computer Investigation Guide for Windows” at /downloads/details.aspx?FamilyId=71B986EC-B3F1-4C14-AC70-EC0EB8ED9D57.
• “Security Compliance Management Toolkit Series” at /downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e.
On the Companion Media
• DeleteCertificate.ps1
• FindCertificatesAboutToExpire.ps1
• FindExpiredCertificates.ps1
• Get-Certificates.ps1
• Get-DefenderStatus.ps1
• Get-ForefrontStatus.ps1
• InspectCertificate.ps1
• ListCertificates.ps1
PART V
Networking
CHAPTER 25  Configuring Windows Networking  1167
CHAPTER 26  Configuring Windows Firewall and IPsec  1227
CHAPTER 27  Connecting Remote Users and Networks  1293
CHAPTER 28  Deploying IPv6  1371
1167
CHAPTER 25
Configuring Windows Networking
• Usability Improvements  1167
• Manageability Improvements  1174
• Core Networking Improvements  1184
• Improved APIs  1205
• How to Configure Wireless Settings  1210
• How to Configure TCP/IP  1216
• How to Connect to AD DS Domains  1223
• Summary  1224
• Additional Resources  1225
The Windows 7 operating system builds on the networking features introduced previously in Windows Vista and improves them. This chapter discusses how Windows 7 addresses the concerns of a modern network, how you can configure and manage these new features, and how you can deploy Windows 7 to take advantage of modern, flexible networking.
Usability Improvements
Improving the usability of Windows 7 helps both users and administrators. Users benefit
because they can get more done in less time, and administrators benefit because users
make fewer support calls.
The sections that follow describe important networking usability improvements
first introduced in Windows Vista and improved in Windows 7, including Network And
Sharing Center, Network Explorer, the Network Map, and the Set Up A Connection Or
Network Wizard. Understanding these features will help you to use them effectively and
guide you through many common network configuration and troubleshooting tasks.
Network And Sharing Center
Improved Network And Sharing Center in Windows 7, shown in Figure 25-1, provides a
clear view of available wireless networks, a Network Map to show the surrounding network
resources on a home or unmanaged network, and easy methods to create or join ad
hoc wireless networks. Diagnostic tools built into Network And Sharing Center simplify
troubleshooting connectivity problems. Users can also browse network resources with the
new Network Explorer, which they can start by clicking the network.
FIGURE 25-1 Network And Sharing Center simplifies network management for users.
If a network connection is not available, such as a failed Internet connection (even if the
link connected to the computer is functioning), Network And Sharing Center detects this
failure and displays it graphically on the abbreviated version of the Network Map, shown in
Figure 25-2. Users can troubleshoot the problem simply by clicking the failed portion of the
Network Map to start Windows Network Diagnostics. For more information, read Chapter 31,
“Troubleshooting Network Issues.”
FIGURE 25-2 Network And Sharing Center automatically detects problems and can assist users with
diagnosis and troubleshooting.
To open Network And Sharing Center, click the network icon in the notification area and
then click Open Network And Sharing Center. Alternatively, you can open Control Panel, click
Network And Internet, and then click Network And Sharing Center.
Network Explorer
Like My Network Places in Windows XP, Network Explorer (also known as the Network folder)
allows users to browse resources on the local network. However, Network Explorer is more
powerful than My Network Places, largely because of the Network Discovery support built
into Windows Vista and Windows 7 (described later in this section).
To open Network Explorer, click a network from within Network And Sharing Center. As
shown in Figure 25-3, Network Explorer displays other visible computers and network devices.
Users can access network resources simply by double-clicking them.
FIGURE 25-3 Network Explorer allows users to browse local resources.
The following sections discuss how different aspects of Network Explorer function, including
Network Discovery and the Network Map.
How Windows Finds Network Resources
Versions of Windows prior to Windows Vista use NetBIOS broadcasts to announce their
presence on the network to facilitate finding shared resources in workgroup environments.
Windows Vista and Windows 7 expand this capability with a feature called Network
Discovery, also known as Function Discovery (FD). Network Discovery’s primary purpose is to
simplify configuring and connecting network devices in home and small office environments.
For example, Network Discovery can enable the Media Center feature to detect a Media
Center Extender device (such as an Xbox 360) when it is connected to the network.
Network Discovery can be enabled or disabled separately for different network location
types. For example, Network Discovery is enabled by default on networks with the private
location type, but it is disabled on networks with the public or domain location types. By
properly configuring network location types (described later in this chapter), computers
running Windows Vista and Windows 7 in your environment can take advantage of Network
Discovery when connected to your internal networks but minimize security risks by disabling
Network Discovery when connected to other networks, such as the Internet. You might want
to leave Network Discovery enabled for some network location types so that users can more
easily find network resources on your intranet that aren’t listed in Active Directory Domain
Services (AD DS) and so that users with mobile PCs can configure network devices more
easily on their home networks or when traveling.
Although Network Discovery is preferred, Windows Vista and Windows 7 continue to use
the Computer Browser service and NetBIOS broadcasts to find earlier versions of Windows
computers on the network. In addition, Windows Vista and Windows 7 use the Function
Discovery Provider Host service and Web Services Dynamic Discovery (WS-Discovery) to find
other Windows Vista and Windows 7 computers, and they use Universal Plug and Play (UPnP)/
Simple Service Discovery Protocol (SSDP) to find networked devices that support those
protocols. Therefore, enabling Network Discovery creates exceptions for each of these
protocols through Windows Firewall.
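The per-location behaviour described above can be audited on a Windows 7 computer. The following script is an added example (not code from the Resource Kit) that uses the Windows Firewall COM API (HNetCfg.FwPolicy2) to report whether the Network Discovery rule group is enabled for each network location type, list the inbound exceptions that group opens, and show the state of the discovery services named in this section. It assumes the group is identified by the resource id @FirewallAPI.dll,-32752, which is how Windows 7 names the "Network Discovery" rule group.

```powershell
# Added audit example, not from the Resource Kit. Assumption: the Network
# Discovery rule group is identified by the resource id below.
$fw    = New-Object -ComObject HNetCfg.FwPolicy2
$group = '@FirewallAPI.dll,-32752'           # "Network Discovery" rule group

# Profile bitmask values used by INetFwPolicy2 (NET_FW_PROFILE_TYPE2)
$profiles = @{ Domain = 1; Private = 2; Public = 4 }

# Expected state per this chapter: enabled for Private, disabled for Domain and Public
$report = foreach ($name in 'Domain', 'Private', 'Public') {
    $enabled  = $fw.IsRuleGroupEnabled($profiles[$name], $group)
    $expected = ($name -eq 'Private')
    New-Object PSObject -Property @{
        Profile  = $name
        Enabled  = $enabled
        Expected = $expected
        Deviates = ($enabled -ne $expected)
    }
}
$report | Format-Table Profile, Enabled, Expected, Deviates -AutoSize

# Inbound exceptions the group creates (for example WS-Discovery on UDP 3702
# and SSDP on UDP 1900), with each rule's profiles decoded from the bitmask
$protoName = @{ 6 = 'TCP'; 17 = 'UDP' }
$fw.Rules |
    Where-Object { $_.Grouping -eq $group -and $_.Direction -eq 1 } |
    ForEach-Object {
        $applies = @()
        foreach ($n in 'Domain', 'Private', 'Public') {
            if ($_.Profiles -band $profiles[$n]) { $applies += $n }
        }
        New-Object PSObject -Property @{
            Rule     = $_.Name
            Protocol = $protoName[[int]$_.Protocol]
            Port     = $_.LocalPorts
            Profiles = ($applies -join ',')
            Enabled  = $_.Enabled
        }
    } | Sort-Object Port | Format-Table Rule, Protocol, Port, Profiles, Enabled -AutoSize

# Services behind the discovery protocols named in this section:
# FD Provider Host, FD Resource Publication, SSDP Discovery, UPnP Device Host
Get-WmiObject Win32_Service -Filter "Name='FDPHost' OR Name='FDResPub' OR Name='SSDPSRV' OR Name='upnphost'" |
    Select-Object Name, State, StartMode
```

A row with Deviates set to True on the Domain or Public profile means discovery traffic is being accepted on a location type where the chapter's default would have it disabled.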
WS-Discovery is a multicast discovery protocol developed by Microsoft, BEA, Canon, Intel,
and webMethods to provide a method for locating services on a network. To find network
resources, computers running Windows Vista and Windows 7 send a multicast request for
one or more target services, such as shared folders and printers. Then, any computers on the
local network with shared resources that match the request use WS-Discovery to respond to
the message. To minimize the need for clients to regularly send requests to find new resources,
newly published resources announce themselves on the network, as described in the next
section.
WS-Discovery uses Simple Object Access Protocol (SOAP) over UDP port 3702. The multicast
address is 239.255.255.250 for IPv4 and FF02::C for IPv6.

How Windows Publishes Network Resources
When you share a network resource, such as a folder or printer, Windows communicates
using several protocols to make other computers on the network aware of the resource. To
communicate with versions of Windows prior to Windows Vista, the Server service notifies
the Computer Browser service when new shares are created or deleted, and the Computer
Browser service sends the announcements over NetBIOS.
To announce resources to other computers running Windows Vista and Windows 7 using
WS-Discovery, Windows 7 uses the Function Discovery Resource Publication (FDRP) service.
Although FD is responsible for discovering shared resources on a network when the computer
is acting as a client, FDRP is responsible for announcing resources when the computer is acting
as a server. The primary functions are:
• Sends a HELLO message for each registered resource on service startup.
• Sends a HELLO message whenever a new resource is registered.
• Responds to network probes for resources matching one of the registered resources by type.
• Resolves network requests for resources matching one of the registered resources by name.
• Sends a BYE message whenever a resource is unregistered.
• Sends a BYE message for each registered resource on service shutdown.
The HELLO message includes the following information:
• Name
• Description
• Whether the computer is part of a workgroup or domain
• Computer type, such as desktop, laptop, tablet, Media Center, or server
• Whether Remote Desktop is enabled and allowed through Windows Firewall
• Folder and printer shares with at least Read access for Everyone, if file sharing is
enabled and allowed through Windows Firewall. Administrative shares are not
announced. For each share, the following information is included:
  - Path
  - If applicable, the folder type (such as documents, pictures, music, or videos)
  - The share permissions assigned to the Everyone special group
FDRP is primarily intended for home networks, where ease of use is typically a requirement
and networks are unmanaged. In corporate computing environments, where there can be
a large number of computers on a single subnet and the network is managed, FDRP is not
recommended because the traffic might become a nuisance. By default, FDRP is enabled in a
workgroup and disabled in a domain environment.
How Windows Creates the Network Map
Windows creates the Network Map in part by using the Link Layer Topology Discovery
(LLTD) protocol. As the name suggests, LLTD functions at Layer 2 (the layer devices use to
communicate on a LAN) and enables network devices to identify each other, learn about
the network (including bandwidth capabilities), and establish communications (even if
devices are not yet configured with IP addresses). Typically, you do not need to manage LLTD
directly. However, you can configure two Group Policy settings located within Computer
Configuration\Policies\Administrative Templates\Network\Link Layer Topology Discovery:
• Turn on Responder (RSPNDR) Driver This setting enables computers to be
discovered on a network and to participate in Quality of Service (QoS) activities, such
as bandwidth estimation and network health analysis. You can choose to enable the
responder driver while connected to networks of the domain, public, or private
location type. Windows enables the responder driver for all networks by default.
• Turn on Mapper I/O (LLTDIO) Driver This setting enables a computer to discover
the topology of the local network and to initiate QoS requests. You can choose to
enable the mapper driver while connected to networks of the domain, public, or private
location type. Windows enables the mapper driver for all networks by default.
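The effective state of these two settings can be read back from the policy registry key on a computer that has received the Group Policy. The following script is an added example (not code from the Resource Kit); it assumes the key HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD and the DWORD value names Enable<Driver>, Allow<Driver>OnDomain, Allow<Driver>OnPublicNet and Prohibit<Driver>OnPrivateNet as defined by LLTD.admx, and that a Not Configured policy leaves both drivers enabled on all networks, as stated above.

```powershell
# Added example, not from the Resource Kit. Assumption: the policy key and
# value names below are those written by the LLTD.admx Group Policy template.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD'
$policy = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }

function Get-LltdDriverState {
    param([string]$Driver)           # 'LLTDIO' (mapper) or 'Rspndr' (responder)
    if ($policy -eq $null) { $enable = $null } else { $enable = $policy.("Enable$Driver") }
    if ($enable -eq $null) {
        # Not Configured: the built-in default is all networks
        $d = $true;  $v = $true;  $u = $true;  $src = 'default (Not Configured)'
    } elseif ($enable -eq 0) {
        # Policy Disabled: the driver is off on every location type
        $d = $false; $v = $false; $u = $false; $src = 'policy Disabled'
    } else {
        # Policy Enabled: domain and public are opt-in, private is opt-out
        $d   = ($policy.("Allow${Driver}OnDomain") -eq 1)
        $u   = ($policy.("Allow${Driver}OnPublicNet") -eq 1)
        $v   = ($policy.("Prohibit${Driver}OnPrivateNet") -ne 1)
        $src = 'policy Enabled'
    }
    New-Object PSObject -Property @{
        Driver = $Driver; Domain = $d; Private = $v; Public = $u; Source = $src
    }
}

$states = 'LLTDIO', 'Rspndr' | ForEach-Object { Get-LltdDriverState $_ }
$states | Format-Table Driver, Domain, Private, Public, Source -AutoSize

# LLTD is not a secure protocol, so a responder that is active on public
# networks answers topology probes from any device on the same segment.
foreach ($s in $states) {
    if ($s.Driver -eq 'Rspndr' -and $s.Public) {
        Write-Warning 'LLTD responder is allowed on Public networks.'
    }
}
```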
Figure 25-4 illustrates how the LLTD responder and mapper relate to other networking
components.
FIGURE 25-4 LLTD is implemented as a low-level mapper and responder. [Figure: a layered
diagram showing the Network Map, the Function Discovery Mapper Service, IP, the LLTD
Responder Driver, the LLTD Mapper Driver, and NDIS.]

NOTE Windows Vista and Windows 7 include an LLTD responder, but earlier versions of
Windows do not. To find out how to download an LLTD responder that you can add to
Windows XP, read Microsoft Knowledge Base article 922120 at /kb/922120. This will
enable computers running Windows XP to appear on the Network Maps in Windows 7, but
they still cannot generate the maps.
LLTD is not a secure protocol, and there is no guarantee that the Network Map is accurate.
It is possible for devices on the network to send false announcements, adding bogus items to
the map.
Because each user can have his own set of network profiles, Windows creates Network
Maps on a per-user basis. For each network profile that a user creates, Windows actually
generates two maps: the current map and a copy of the last functional map (similar to the
Last Known Good recovery option). When displaying the Network Map to the user, Windows
combines these two maps.
Network Map
The Network Map, shown in Figure 25-5, makes it simpler to visually examine how a computer
is connected to one or more networks and to other computers on your intranet. Although
the tool is primarily intended to simplify networking for users, it is also a useful tool for
administrators. A user can click the name of her computer to view her computer’s properties,
click a local network to view network resources with Network Explorer, or click the Internet
icon to browse the Web.