Enterprise browser usage is a messy subject. The enterprise is not what it once was; the days of the homogeneous Windows empire are past. Not only are alternative operating systems like Apple's OS X gaining traction in the enterprise, but the desktop is no longer a browser administrator's only concern. The consumerisation of IT …
Microsoft, Internet Explorer and Secure in a sentence?
By cutting off users from updating IE because they have an older OS (as a way to blackmail users into upgrading, which didn't work), MS are probably top of my list for entities that have damaged the Internet at large.
I don't hate MS. They do some great stuff. Unfortunately, they dish out some crap too.
"Windows" and "easily managed" in another.
Bring back the dumb terminal: *that* was easy management!
That's what I said!
And then I took a month to do some really in depth research for this article. And the hell of it is...
...Internet Explorer 8 actually /is/ a really secure browser. IE9 is more so. IE10 even more. Now, in the default out-of-the-box configuration, IE might as well be trying to protect you from rabid dogs by covering you in rancid meat.
But if you take the time to properly configure the thing, you find that there are a crazy number of important settings which can in fact make the browser very secure whilst still being actually usable for the end user.
It has come a /very/ long way since the days of IE6. Colour me impressed…and that’s hard to do. Especially with Microsoft. > 2 decades of futzing with their software had me more than a little jaded. But I was pleasantly surprised at how far IE has really come.
Ended up making a whole string of GPO changes in the organisations I manage as a result. Learn something new every day!
RE: Bring back the dumb terminal: *that* was easy management!
Especially if you were to have cut the traces to the SETUP key!
A really secure browser?
@Trevor_Pott: "Internet Explorer 8 actually /is/ a really secure browser .. Ended up making a whole string of GPO changes in the organisations I manage as a result. Learn something new every day!"
The browser can only be as secure as the underlying OS except in the case of Internet Explorer as there is so much of IE embedded in the OS that a vulnerability in the browser is a de-facto vulnerability in the underlying OS.
By far, the majority of active exploits on Windows 7 systems are browser plug-in based. Very few exploit holes in the operating system or browser itself. I think you are clinging to an outdated viewpoint here.
I am no fan of Microsoft's traditionally lax approaches to security...but credit where credit is due. Windows 7 is a good operating system. It has its flaws, but then again, so do all the competitors. OSX can be pwned by trojans, and gods know Linux sure can.
But all three operating systems suffer from the same two attack vectors: social engineering the user into doing something stupid...or browser plugins running amok. I am certain there /are/ operating-system vulnerabilities for each. There always are. But the point here is that a fully up-to-date Windows can still be made a very safe place to play.
I prefer the heightened awareness that a decade of Microsoft faceplanting has brought to security on PCs. People are /wary/ of things when they use Windows. They expect that behind every link is a bogeyman, that every attachment will nom their system.
It's better than the false sense of security you get from Linux or Mac. Hell, the Mac Sandbox is a trap! http://arstechnica.com/apple/news/2011/11/researchers-discover-mac-os-x-has-its-own-sandbox-security-hole.ars
I'm not trying to big up Microsoft here. I use CentOS most of the time, because MS are greedy bastards whose VDI licensing is absurd. I would not be surprised to learn that each line of Microsoft's VDI licensing documents is written with the blood of kittens.
But honest credit where credit is due. Windows 7 is not Windows XP. And IE9 is not IE6. IE and Windows have come a long way. They aren't quite "as secure" as Macs or Linux in every possible way…but they have an entire industry devoted to helping increase that security, and they don't pass along a false sense of reassurance that gets their users pwned either.
As far as I can see, it's really six of one, half a dozen of the other. Application availability, compatibility and endpoint management are far more significant concerns to me than the theoretical vulnerability of an operating system or browser based on unproven assumptions and outdated prejudices.
And now...back to trying to build a CentOS install disc that uses XFCE as the default instead of Gnome...
Bring back the dumb terminal?
Whoa, jeez; don't even say that sarcastically. There are apparently people who want to do that for real. I think maybe that's what The Cloud™ is basically all about.
Just to be sure: We're talking about IE9 here, right?
Because IE8 is dated (released mid-2009) but not that old, and still actively supported.
But you make a valid point here, yet there is something to consider..
Still, I don't think it's blackmail at all, I think it's the nature of the beast. IE9 comes with heavy ties into the OS and relies on those for some of its features. For example the "InPrivate Browsing" feature. So I don't think it's blackmail, merely a financial issue: "How smart is it to invest in Windows XP when it's EOL'ed soon?".
In all fairness; you see the same behavior on Linux. At some point certain developers drop support for a specific library version and move on. Often resulting in you being unable to run said program in a native version on an older distribution.
Of course; on Linux you can simply re-compile, that doesn't seem like an option for Explorer ;-)
People lauding Microsoft Security?
"Ten Years of Trustworthy Computing: Lessons Learned"
"...Of course; on Linux you can simply re-compile, that doesn't seem like an option for Explorer ;-)..."
Exactly who can "simply re-compile", really? I am always wary of people saying that you can "simply" do something; it usually means that they can simply do something that most people never stand a chance of doing. I can "simply" set up an enterprise level backup solution running on Linux using one of about six different backup packages; I wouldn't suggest that anyone else can do that. Likewise, I've compiled something for Linux exactly once and it was a pain; I wouldn't suggest that it's something that is either simple or open to Joe Public to do.
"Not only are alternative operating systems like Apple's OS X gaining traction in the enterprise, but the desktop is no longer a browser administrator's only concern."
OS X in the Enterprise??? Really? That would be news to me and my peers. You do understand the term "Enterprise" does not apply to a 2 person ad design company run out of someone's bedsit in Surrey.
The Enterprise administrator's usual concern is the introduction of iPhones pushed on IT because some VP with no idea of security buys one on impulse and tells the back room lads to make it work on the company servers. Never mind the potential security problems that will arise nor the damage when the phone is lost or stolen with proprietary info on it.
OS X in the Enterprise - for sure
In this 8000 seat organisation we have a small population of OS X - the publicity droids whinge endlessly if they aren't allowed it. I'm sure plenty of other substantial orgs do. If that's what the customer needs to do their job then it's our job to give it to them...
Actually yes, 2 of the major corporates I work with now have Macbooks deployed (in small numbers but growing by the month). They are mainly being used in Marketing and Application development (as well as Execs who have them because they are shiny...) but they are there and working outward.
Pint because that's what we all need after dealing with this stuff!
I believe you mean "coloured pencil departments".
@none such re: iDevices in AD/Windows enterprise...
For what it's worth, the iOS devices play just fine in an Exchange environment - the ActiveSync connector works pretty decently. It also appears to support remote wipe as well (did one earlier this week; unfortunately, we obviously don't have the device to determine if it worked or not, and none of the folks that have an iDevice are willing to let me nuke their phones remotely. :D )
As far as MacOS talking to AD? That's a different ball of wax entirely. We used a 3rd party application which acted as a mediator between AD and OSX's authentication and user management code, but I have no idea if it's been kept up to date. I had a quick look around the 'net, and it turns out that there is a way to configure OSX to do LDAP lookups for authentication as well ('cause that's all that AD is, really).
Coloured pencil departments
I actually laughed until I cried. Thank you, sir. Thank you.
I owe you a pint of your favourite.
More to the point ...
... HTTP & associated protocols are toys, and are never a necessity in a work environment. Anyone trying to suggest otherwise has no concept of the term "corporate security".
"HTTP & associated protocols are toys"
The last guy who knows how to cable up an Aiken Mark 1 has been discovered in an El Reg web forum!
Welcome to Jakeworld
Twinned with Trollland.
@DAM & AC ...
Not trolling at all ... My businesses run quite comfortably (and profitably) without the overhead required by TheWeb.
Learn to look past Marketing, learn to make a profit :-)
Shouldn't blacklisting and whitelisting be a firewall function?
*one* thing to administer --- then it doesn't matter what browsers on how many desktops.
To an extent, yes, but not entirely, for two reasons.
Firstly, read the article - this is mostly talking about white/blacklisting plugins on the browser, the firewall can't stop those effectively.
Secondly, you may want to drop different settings on different websites; e.g. trust your internal app sites to run flash, Java and so on but deny that functionality to untrusted sites on the internet (e.g. using the "zones" functions in IE). Firewalls are not designed to handle that level of control.
Also, I assume you mean web proxy rather than firewall...
The corporate router isn't the only attack vector.
There's always the idiot who downloads some music off the net and burns it to a CD to play in the office, little knowing that the wmv file he downloaded will run as a program inside Windows Media Player and will email his password file to an IP address in China.
re: Firewall? - That's the beauty of Redbook CDs.
There is one thing, and one thing alone, that a PC can do when it reads a Redbook CD: play it as music. No wmv executable, no mp3 tag poisoning (if that's possible), it will just play the thing. Even JPEG files have their holes too.
Too bad you have to bring a ton of discs to listen for a reasonable amount of time.
Good lord, who had the bright idea to run executable code in a media file? Only MS is able to shoot itself in the foot that many times.
I won't even bother mentioning autorun any further. It is not fixed by default, because some corporate desktops (like mine) won't run Windows Update, (not on my locked out login anyway) and nobody cares.
"Never mind the potential security problems that will arise nor the damage when the phone is lost or stolen with proprietary info on it."
Yeah, you see... making sure stuff like that doesn't happen, or is mitigated when it does? THAT'S YOUR JOB. Best be able to do it, eh?
Take out "secure"
>> Active Directory's Group Policy Objects (GPOs) and Group Policy Preferences (GPPs) offer administrators a simple, centralised, and secure method to lock down Internet Explorer's (IE's) settings.
Take the word "secure" out of that and you'd have a point, there are many ways to bypass settings pushed down by group policy... You should only consider group policies as pushing out default settings, do not rely on them for security!
A much better solution is to force all outbound web traffic through a proxy, where it can be filtered and logged irrespective of the client configuration.
Another, even more secure setup is to only allow internal browsing direct from workstations and require users to log in to another system if they want to access public websites. Even with a browser running remotely, you can make it look and behave just like a local application, only any exploit attempts hit the server and not your workstation.
One such example I've seen used Windows desktops connected to a hardened Linux box running Chromium; the connection was, I believe, done using NX and the Chromium window looked like it was running on the local machine. A hardened and isolated Linux box running Chromium is far less risky than a Windows workstation for browsing the web.
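As an added check for the point above that Group Policy pushes defaults rather than guaranteeing them (this is not the commenter's code nor anything from the article): a PowerShell snippet that reports, for IE's Internet zone, which URL-action settings are backed by the Policies hive and which exist only in the user's own, user-editable hive. The registry paths and action IDs (1001, 1004, 1200, 1400) are the standard IE zone settings; the function names are chosen here.

```powershell
# Added example: classify IE Internet-zone (zone 3) settings as policy-backed or user-editable.
# Registry paths and URL-action IDs are the standard IE zone settings; Get-IeZoneEnforcement
# and Get-RegDword are names chosen for this snippet. Run on a domain-joined Windows client.
$ZoneId  = 3   # 3 = Internet zone
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # DWORD data IE uses for a URL action

# Values under Policies\ are applied by the Group Policy engine and ignore user edits;
# values under Software\Microsoft\ are ordinary preferences a user (or malware) can change.
$PolicyHklm = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
$PolicyHkcu = "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"
$UserPath   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD, or $null when the key or value does not exist (no exception).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-IeZoneEnforcement {
    foreach ($id in ($Actions.Keys | Sort-Object)) {
        $machinePolicy = Get-RegDword $PolicyHklm $id
        $userPolicy    = Get-RegDword $PolicyHkcu $id
        $userPref      = Get-RegDword $UserPath   $id

        # Which of the two policy hives IE honours depends on the
        # "Security Zones: Use only machine settings" policy, so both are reported.
        $source = 'Built-in default (nothing set)'
        if ($null -ne $machinePolicy -or $null -ne $userPolicy) {
            $source = 'Policy hive (enforced by GPO)'
        } elseif ($null -ne $userPref) {
            $source = 'User hive only (changeable by the user)'
        }

        $describe = { param($v) if ($null -eq $v) { '-' } elseif ($Meaning.ContainsKey($v)) { $Meaning[$v] } else { "$v" } }
        [pscustomobject]@{
            Action        = "$id $($Actions[$id])"
            MachinePolicy = & $describe $machinePolicy
            UserPolicy    = & $describe $userPolicy
            UserPref      = & $describe $userPref
            Source        = $source
        }
    }
}

Get-IeZoneEnforcement | Format-Table -AutoSize
```

A row whose Source is "User hive only" is exactly the kind of setting the comment warns about: it looks locked down today but nothing stops it changing tomorrow.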
"force all outbound traffic through a proxy"
What happy fuzzy unicorn-filled love world do you live in where all corporate internet traffic occurs behind the perimeter firewall?
I want to live there.
I agree, a proxy is a simple way of dealing with it, although the issue of email still comes to mind; where there is a user, there is a problem :)
But there is one flaw with a proxy: if not done correctly it's a pain in the arse.
Take 700 sites all over the UK, all with multiple numbers of computers accessing things at each site during every day; if said company won't invest, what you end up with is a giant cluster fuck and everything grinds to a halt at key times of the day.
Google's a pain in the arse too for getting around proxies. Google just hit our naughty step, tut tut Google.
Well my place does, and apart from the serious lack of investment in it, it works quite well.
No, you don't need access to Facebook, YouTube or any number of other shite sites taking you away from work.
Yeah, you get the odd person complaining, but we also get a lot less hassle.
If a user has a valid request then it's checked and added.
As I said, it would work perfectly were it not for the morning and lunchtime cluster fuck, but why spend money fixing an issue when you can save money by making the slowdowns someone else's problem!
It's not only IE and Chrome that support configuration policies. Firefox (and Thunderbird) support a centralised configuration service that is O/S independent and as feature rich as its competitors.
The 'Mission Control' feature allows administrators to deploy Firefox to the desktop and have it pick up per user settings from a central service (e.g. a CGI script or something similar) at start time.
See https://developer.mozilla.org/en/MCD. All it needs is a locked down local config file in the deployment (Program Files etc. shouldn't be world writable anyway).
Hey, wait a goddamn' minute, here...
...believe it or not, I instinctively clicked on this article thinking it was a new BOFH column riffing on browser privacy in an office; I mean, really, I kinda glanced at the title and thought "cool, a new BOFH story!". I was ready for some good cheap laffs involving the PFY swiping the Boss' cookies or a Beancounter's history or something, but instead it was... d'ahhh, never mind.
Seriously, though... even though it's been a while since I worked in an "enterprise" environment -- i.e. a "cubicle job" -- a well-done and informative piece.
Thanks. No, really, seriously.
Coat-getting icon, because I can't believe the abbreviation BOFH duped me into clicking on this article which was not written by Simon T. at all.
"Microsoft makes an excellent mass market browser, but the lack of a browser extension community has harmed its ability to reach out to the growing number of users who need their browser to do something different..."
Y'mean, like... uhh... not doing the WWW equivalent of pantsing me in public?
Netscape made Microsoft do it
Many of the IE issues are caused by the early attempt to make sure Netscape did not work on important sites. Then, the issues were to avoid losing the antitrust suit. [Internet Exploder is too much integrated into Windows to allow shipping Windows with Netscape.]
Hmm, crApple can limit what browser...
...you use but MS ended up in court for bundling IE with Windows...
Hmm, something smells...
Apple only limits what browser you can use on a phone, not on the desktop. MS ended up in court because of its near monopoly in the desktop market. It has never banned any other browser.
Mike, you read the wrong bit ..
'In this 8000 seat organisation '
'Take 700 sites all over the UK all with multiple numbers of computers '
'yeah you get the odd person complaining but we also get a lot less hassle.'
No, really - it is a BOFH article. It's just that the corporate dick-wagglers and jobsworths are hiding in the comments.
It's not a BOFH tale unless a modified cattle prod is at least mentio...ZAP! thud!
IE in the enterprise is wide open to the BOFH
In order to protect your company's data I believe SSL is see-through so the company can check your bank balance (and transfer monies) to make sure you are not moving company data off site.
I could be wrong but that's how it was sold to us.
Microsoft makes an excellent mass market browser
I'm sorry, but it's going to take at least two more IE versions and five years of absence of exploits and zero-day news every Monday before I even start thinking of giving any credibility to that kind of remark.
As for Windows 7, since I started using it last year I have been grudgingly forced to accept that it is indeed less of a pile of crap than XP was, and slightly more secure.
But only slightly.
Because my actual security is based on a hardware firewall and my insistence on using Firefox coupled with NoScript and a few other privacy-ensuring addons.
Oh, and my refusal to use Outlook, or to blindly click on any damn popup that tries to make me think it is important.
There is some tension in the article between lauding the IE9 + Active Directory combination vs. saying that Active Directory is becoming irrelevant. Yes, no? What do?
If the Mozilla freaks^^H^H^H^H^HHdevelopers would just get over their shiny shiny fetishism and do something staid and serious for once.
@Destroy All Monsters
IE9 + Active Directory makes for a beautifully manageable browser. I love it to bits.
But the world doesn't use grandpa computers for everything anymore. We've moved into a world in which heterogeneous computing is no longer something for closeted Linux nerds and the aforementioned "coloured pencil department."
So yes, IE9 + AD? Grand. But that doesn’t help me with Android, iOS, OS X, CentOS...
Thus the only path for the foreseeable future is multiple management tools. And that really, really sucks.
To my knowledge, Opera supports a master settings override file, which may be stored in a universal location with read-only access. It prevents individual users from messing with any settings you don't want them to be able to touch.
In similar fashion, it is possible to place a blocklist on the network and force all user profiles to obey its rules.