To access this snap-in directly from a Windows XP client, complete the following steps:


Click Start and then Run.


Type secpol.msc, then click OK.

A detailed explanation of all the setting possibilities is beyond the scope of this guide. However, the article "Using Software Restriction Policies to Protect Against Unauthorized Software" on TechNet at: will provide you with step-by-step guidance on using this powerful feature of the Windows XP Professional operating system.

Warning: Group Policy is an extremely powerful technology that requires careful configuration and a detailed understanding to implement successfully. Do not attempt to change these settings directly until you are confident you are familiar with the policy settings and have tested the results on a non-production system.

Client Application Antivirus Settings

The following sections provide guidelines for configuring specific client applications that malware may target.

E-mail Clients

If malware does manage to make it past your antivirus defenses at the network and e-mail server levels, there may be a few settings that you can configure to provide additional protection for the e-mail client.

Generally, the ability of a user to open e-mail attachments directly from an e-mail message provides one of the major ways for malware to propagate on the client. If possible, consider restricting this ability in your organization’s e-mail systems. If this is not possible, some e-mail clients allow you to configure additional steps that users will have to perform before they can open an attachment. For example, in Microsoft Outlook and Outlook Express you have the ability to:

Use Internet Explorer security zones to disable active content in HTML e-mail messages.

Enable a setting so that users may only view e-mail messages in plain text.

Prevent programs from sending e-mail messages without specific user approval.

Block unsafe e-mail message attachments.

For information on how to configure these features, see the Microsoft Knowledge Base article "291387 – OLEXP: Using Virus Protection features in Outlook Express 6" at:

Additionally Windows XP Service Pack 2 has added extra security focused functionality to Outlook Express. For information on how Windows XP Service Pack 2 has changed the functionality of Outlook Express, see the Changes to Functionality in Microsoft Windows XP Service Pack 2 Part 4: E-mail Handling Technologies page on TechNet at:

Microsoft Outlook 2003 includes additional features to protect against malware and junk (or spam) e-mail messages. You will find information about configuring these features on the Customizing Outlook 2003 to Help Prevent Viruses page on at:

Desktop Applications

As desktop office applications have become more powerful they have also become targets for malware. Macro viruses use files created by the word processor, spreadsheet, or other macro-enabled applications to replicate themselves.

You should take steps wherever possible to ensure that the most appropriate security settings are enabled on all applications in your environment that handle these files. For information about securing Microsoft Office 2003 applications, see the Best practices for protection from viruses page on at:

Instant Messaging Applications

The instant messaging phenomenon has helped improve user communications across the world. Unfortunately, it has also provided another application with the potential to allow malware to enter your system. Although text messages do not pose a direct malware threat, most instant messenger clients provide additional file transfer capabilities to enhance the users’ communication abilities. Allowing file transfers provides a direct route into an organization’s network for potential malware attacks.

Network firewalls can block these file transfers by simply filtering the ports used for this communication. For example, Microsoft Windows and MSN Messenger clients use a range of TCP ports between 6891 and 6900 for to transfer files, so if the perimeter firewall blocks these ports, file transfer via Instant Messenger cannot take place. However, mobile client computers will only be protected while they are on the organization’s network. For this reason, you might want to configure the host-based firewall on your clients to block these ports, as well to provide protection for the mobile clients in your organization when they are outside of your network defenses.

If your organization cannot block these ports because other required applications use them or because file transfer is required, you should ensure all files are scanned for malware before being transferred. If your client workstations are not using a real-time antivirus scanner, you should configure the Instant Messaging application to automatically pass transferred files to an antivirus application for scanning as soon as the file has been received. For example, you can configure MSN Messenger to automatically scan transferred files. The following steps demonstrate how to enable this security feature:

Note: The Windows Messenger application that shipped with Windows XP does not support this feature. A real-time antivirus scanner should be used for this application.

To scan files transferred by MSN Messenger


In the main MSN Messenger window, click the Tools menu, and then click Options.


Click the Messages tab.


Under File Transfer, select the Scan for viruses using check box.


Click Browse, select the antivirus scanning software that you are using, and then click OK.

Note: Finding the correct executable file to use and the command parameter to include here may require additional input from your antivirus scanning software vendor.

Once you have completed these steps, your antivirus software will automatically scan all files received via MSN Messenger on the client.

Note: Your antivirus scanning tool may require additional setup steps. Check the instructions for with your antivirus scanning software for more information.

Web Browsers

Before you download or execute code from the Internet, you want to ensure that you know that it is from a known, reliable source. Your users should not just rely on site appearance or the address of the site because both Web pages and addresses can be faked.

There are a number of different techniques and technologies that have been developed to help a user’s Web browser application determine the reliability of the Web site he or she is browsing. For example, Microsoft Internet Explorer uses Microsoft Authenticode technology to verify the identity of downloaded code. The Authenticode technology verifies that the code has a valid certificate, that the identity of the software publisher matches the certificate, and that the certificate is still valid. If all these tests pass, the chances of an attacker transferring malicious code to your system will be reduced.

Most major Web browser applications support the ability to restrict the level of automated access that is available to code that is executed from a Web server. Internet Explorer uses security zones to help restrict Web content from performing potentially damaging operations on the client. The security zones are based on the location (zone) of the Web content.

For example, if you are confident that anything downloaded within your organization’s intranet is safe, you might set your clients’ security settings for the local intranet zone to a low level to allow users to download content from your intranet with few or no restrictions. However, if the source of the download is in the Internet zone or the Restricted sites zone, you might want to configure the clients’ security settings to a medium or high level. These settings will cause the client browsers to either prompt users with information about the content’s certificate before they download it or prevent them from downloading it all.

Windows XP Service Pack 2 has added a significant number of security updated and enhancements to aid in the protection of the Web browsing experience for the user. For details of these updates, see the Changes to Functionality in Microsoft Windows XP Service Pack 2 Part 5: Enhanced Browsing Security page on TechNet at:

For more information about security-related issues for Internet Explorer, see the Internet Explorer Security Center page on at:

Peer-to-Peer Applications

The advent of Internet-wide peer-to-peer (P2P) applications has made it easier than ever to find and exchange files with other people. Unfortunately, this situation has led to a number of malware attacks that attempt to use these applications to replicate files to other users’ computers. Worms such as W32.HLLW.Sanker have targeted P2P applications such as Kazaa for replication purposes. There are many more malware examples that attempt to use other peer-to-peer applications, such as Morpheus and Grokster.

The security issues surrounding P2P applications have little to do with the client programs themselves. These issues instead have much more to do with the ability of these applications to provide direct routes from one computer to another through which content can be transmitted without the proper security checks.

If possible, Microsoft recommends restricting the number of clients in your organization that use these applications. You can use Windows Software Restriction policies that were discussed earlier in this chapter to help block users from running peer-to-peer applications. If this is not possible in your environment, be sure your antivirus policies take into account the greater risk the clients in your environment are exposed to because of these applications.