The Register Guide on how to stay anonymous (part 3)

Enterprise browser usage is a messy subject. The enterprise is not what it once was; the days of the homogeneous Windows empire are past. Not only are alternative operating systems like Apple's OS X gaining traction in the enterprise, but the desktop is no longer a browser administrator's only concern. The consumerisation of …

COMMENTS

  1. Andy Fletcher
    Thumb Down

    Microsoft, Internet Explorer and Secure in a sentence?

    By cutting off users from updating IE because they have an older OS (as a way to blackmail users into upgrading, which didn't work), MS are probably top of my list for entities that have damaged the Internet at large.

    I don't hate MS. They do some great stuff. Unfortunately, they dish out some crap too.

    1. Anonymous Coward

      "Windows" and "easily managed" in another.

      Bring back the dumb terminal: *that* was easy management!

      1. Fatman
        Pint

        RE: Bring back the dumb terminal: *that* was easy management!

        Especially if you were to have cut the traces to the SETUP key!

      2. Mike Flugennock

        Bring back the dumb terminal?

        Whoa, jeez; don't even say that sarcastically. There are apparently people who want to do that for real. I think maybe that's what The Cloud™ is basically all about.

    2. Trevor_Pott Gold badge

      That's what I said!

      And then I took a month to do some really in depth research for this article. And the hell of it is...

      ...Internet Explorer 8 actually /is/ a really secure browser. IE9 is more so. IE10 even more. Now, in the default out-of-the-box configuration, IE might as well be trying to protect you from rabid dogs by covering you in rancid meat.

      But if you take the time to properly configure the thing, you find that there are a crazy amount of important settings which can in fact make the browser very secure whilst still being actually usable for the end user.

      It has come a /very/ long way since the days of IE6. Colour me impressed…and that’s hard to do. Especially with Microsoft. > 2 decades of futzing with their software had me more than a little jaded. But I was pleasantly surprised at how far IE has really come.

      Ended up making a whole string of GPO changes in the organisations I manage as a result. Learn something new every day!

      1. Microphage

        A really secure browser?

        @Trevor_Pott: "Internet Explorer 8 actually /is/ a really secure browser .. Ended up making a whole string of GPO changes in the organisations I manage as a result. Learn something new every day!"

        The browser can only be as secure as the underlying OS except in the case of Internet Explorer as there is so much of IE embedded in the OS that a vulnerability in the browser is a de-facto vulnerability in the underlying OS.

        1. Trevor_Pott Gold badge
          Linux

          @Microphage

          By far, the majority of active exploits on Windows 7 systems are browser plug-in based. Very few exploit holes in the operating system or browser itself. I think you are clinging to an outdated viewpoint here.

          I am no fan of Microsoft's traditionally lax approaches to security...but credit where credit is due. Windows 7 is a good operating system. It has its flaws, but then again, so do all the competitors. OSX can be pwned by trojans, and gods know Linux sure can.

          But all three operating systems suffer from the same two attack vectors: social engineering the user into doing something stupid...or browser plugins running amok. I am certain there /are/ operating-system vulnerabilities for each. There always are. But the point here is that a fully up-to-date Windows can still be made a very safe place to play.

          I prefer the heightened awareness that a decade of Microsoft faceplanting has brought to security on PCs. People are /wary/ of things when they use Windows. They expect that behind every link is a bogeyman, that every attachment will nom their system.

          It's better than the false sense of security you get from Linux or Mac. Hell, the Mac Sandbox is a trap! http://arstechnica.com/apple/news/2011/11/researchers-discover-mac-os-x-has-its-own-sandbox-security-hole.ars

          I’m not trying to big up Microsoft here. I use CentOS most of the time, because MS are greedy bastards whose VDI licensing is absurd. I would not be surprised to learn that each line of Microsoft’s VDI licensing documents is written with the blood of kittens.

          But honest credit where credit is due. Windows 7 is not Windows XP. And IE9 is not IE6. IE and Windows have come a long way. They aren’t quite “as secure” as Macs or Linux in every possible way…but they have an entire industry devoted to helping increase that security, and they don’t pass along a false sense of reassurance that gets their users pwned either.

          As far as I can see, it's really six of one, half a dozen of the other. Application availability, compatibility and endpoint management are far more significant concerns to me than the theoretical vulnerability of an operating system or browser based on unproven assumptions and outdated prejudices.

          And now...back to trying to build a CentOS install disc that uses XFCE as the default instead of Gnome...

    3. Anonymous Coward

      @Andy

      Just to be sure: We're talking about IE9 here, right ?

      Because IE8 is dated (released mid-2009) but not that old and still actively supported.

      But you make a valid point here, yet there is something to consider..

      Still, I don't think it's blackmail at all, I think it's the nature of the beast. IE9 comes with heavy ties into the OS and relies on those for some of its features. For example the "InPrivate Browsing" feature. So I don't think it's blackmail, merely a financial issue: "How smart is it to invest in Windows XP when it's EOL'ed soon?"

      In all fairness; you see the same behavior on Linux. At some point certain developers drop support for a specific library version and move on. Often resulting in you being unable to run said program in a native version on an older distribution.

      Of course; on Linux you can simply re-compile, that doesn't seem like an option for Explorer ;-)

      1. Anonymous Coward

        Err?

        "...Of course; on Linux you can simply re-compile, that doesn't seem like an option for Explorer ;-)..."

        Exactly who can "simply re-compile", really? I am always wary of people saying that you can "simply" do something; it usually means that they can simply do something that most people never stand a chance of doing. I can "simply" set up an enterprise-level backup solution running on Linux using one of about six different backup packages; I wouldn't suggest that anyone else can do that. Likewise, I've compiled something for Linux exactly once and it was a pain; I wouldn't suggest that it's something that is either simple or open to Joe Public to do.

    4. Destroy All Monsters Silver badge
      Windows

      People lauding Microsoft Security?

      Why, yes:

      "Ten Years of Trustworthy Computing: Lessons Learned"

      http://www.computer.org/csdl/mags/sp/2011/05/msp2011050003.html

  2. NoneSuch Silver badge
    Coffee/keyboard

    "Not only are alternative operating systems like Apple's OS X gaining traction in the enterprise, but the desktop is no longer a browser administrator's only concern."

    OS X in the Enterprise??? Really? That would be news to me and my peers. You do understand the term "Enterprise" does not apply to a 2 person ad design company run out of someone's bed-sit in Surrey.

    The Enterprise administrator's usual concern is the introduction of iPhones pushed on IT because some VP with no idea of security buys one on impulse and tells the back room lads to make it work on the company servers. Never mind the potential security problems that will arise nor the damage when the phone is lost or stolen with proprietary info on it.

    1. JimC

      OS X in the Enterprise - for sure

      In this 8000 seat organisation we have a small population of OS X - the publicity droids whinge endlessly if they aren't allowed it. I'm sure plenty of other substantial orgs do. If that's what the customer needs to do their job then it's our job to give it to them...

    2. Tempest 3K
      Pint

      Actually yes, 2 of the major corporates I work with now have Macbooks deployed (in small numbers but growing by the month). They are mainly being used in Marketing and Application development (as well as Execs who have them because they are shiny...) but they are there and working outward.

      Pint because that's what we all need after dealing with this stuff!

      1. Yet Another Commentard

        BOFH

        I believe you mean "coloured pencil departments".

        1. Trevor_Pott Gold badge
          Pint

          Coloured pencil departments

          I actually laughed until I cried. Thank you, sir. Thank you.

          I owe you a pint of your favourite.

          1. Jacqui

            @BOFH

            s/pencil/crayon/

    3. J. Cook Silver badge
      Boffin

      @none such re: iDevices in AD/Windows enterprise...

      For what it's worth, the IOS devices play just fine in an Exchange environment- the ActiveSync connector works pretty decently. It also appears to support remote wipe as well (did one earlier this week; unfortunately, we obviously don't have the device to determine if it worked or not, and none of the folks that have an iDevice are willing to let me nuke their phones remotely. :D )

      As far as MacOS talking to AD? That's a different ball of wax entirely. We used a 3rd party application which acted as a mediator between AD and OSX's authentication and user management code, but I have no idea if it's been kept up to date. I had a quick look around the 'net, and it turns out that there is a way to configure OSX to do LDAP lookups for authentication as well ('cause that's all that AD is, really).
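Added example, not from the comment above or from the article: the poster says a remote wipe was issued but the device was not to hand to confirm it. Exchange records whether the device ever acknowledged the wipe, which is the only confirmation you get without the hardware. This uses the Exchange 2010-era Exchange Management Shell cmdlets; the mailbox and helpdesk addresses are placeholders.

```powershell
# Added example, not from the comment above. Run in the Exchange Management
# Shell (Exchange 2010 cmdlet names; Exchange 2013 and later renamed these to
# Get-MobileDeviceStatistics / Clear-MobileDevice). Mailbox is a placeholder.
function Get-WipeStatus {
    param([string]$Mailbox)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Select-Object Identity, DeviceFriendlyName, DeviceType, LastSuccessSync,
                      DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime |
        ForEach-Object {
            # The wipe is delivered the next time the device syncs, and the device
            # then acknowledges it; only DeviceWipeAckTime proves the command arrived.
            $state = if ($_.DeviceWipeAckTime)          { 'wiped (device acknowledged)' }
                     elseif ($_.DeviceWipeSentTime)     { 'wipe sent, not yet acknowledged' }
                     elseif ($_.DeviceWipeRequestTime)  { 'wipe requested, device has not connected' }
                     else                               { 'no wipe' }
            $_ | Add-Member -MemberType NoteProperty -Name WipeState -Value $state -PassThru
        }
}

# Issue the wipe for one device (Identity comes from Get-ActiveSyncDeviceStatistics),
# then poll. A lost phone that never syncs again never reaches "acknowledged",
# and the pending wipe stays attached to that partnership until it is removed.
# Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses helpdesk@corp.example -Confirm:$false

Get-WipeStatus -Mailbox 'jdoe@corp.example' |
    Format-Table DeviceFriendlyName, LastSuccessSync, WipeState -AutoSize
```

Two caveats a practitioner would add: an acknowledgement proves the device received the command, not that the data is unrecoverable (that depends on the device encrypting its storage), and a wipe left pending on a partnership will wipe the same device again if it is found and re-synced, so remove the partnership once the case is closed.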

  3. jake Silver badge

    More to the point ...

    ... HTTP & associated protocols are toys, and are never a necessity in a work environment. Anyone trying to suggest otherwise has no concept of the term "corporate security".

    1. Destroy All Monsters Silver badge
      WTF?

      "HTTP & associated protocols are toys"

      The last guy who knows how to cable up an Aiken Mark 1 has been discovered in an El Reg web forum!

      1. jake Silver badge

        @DAM & AC ...

        Not trolling at all ... My businesses run quite comfortably (and profitably) without the overhead required by TheWeb.

        Learn to look past Marketing, learn to make a profit :-)

    2. Anonymous Coward

      Welcome to Jakeworld

      Twinned with Trollland.

  4. Anonymous Coward

    Firewall?

    Shouldn't blacklisting and whitelisting be a firewall function?

    *one* thing to administer --- then it doesn't matter what browsers on how many desktops.

    1. John Riddoch

      To an extent, yes, but not entirely, for two reasons.

      Firstly, read the article - this is mostly talking about white/blacklisting plugins on the browser, the firewall can't stop those effectively.

      Secondly, you may want to drop different settings on different websites; e.g. trust your internal app sites to run flash, Java and so on but deny that functionality to untrusted sites on the internet (e.g. using the "zones" functions in IE). Firewalls are not designed to handle that level of control.

      Also, I assume you mean web proxy rather than firewall...
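Added example, not from the comment above or from the article: the "zones" approach described there, expressed as the policy registry values that the Group Policy "Site to Zone Assignment List" and per-zone security settings write, plus a read-back check. Host names are placeholders; the zone numbers and action IDs are the ones Microsoft documents.

```powershell
# Added example, not from the article or from the comment above.
# Writes the same policy registry values that the Group Policy
# "Site to Zone Assignment List" and per-zone security settings produce,
# so one internal app may run plug-ins while the Internet zone has them off.
# Host names are placeholders. Needs an elevated shell and changes only this
# machine; in production the identical values arrive via the GPO.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
function Set-SiteToZone {
    param([string]$Pattern, [ValidateSet(1, 2, 3, 4)][int]$Zone)
    $key = Join-Path $PolicyRoot 'ZoneMapKey'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Same shape the GPO writes: REG_SZ, name = site pattern, data = zone number.
    New-ItemProperty -Path $key -Name $Pattern -Value "$Zone" -PropertyType String -Force | Out-Null
}

# Per-zone actions as Microsoft documents them: 0 = Enable, 1 = Prompt, 3 = Disable.
# 1200 = Run ActiveX controls and plug-ins; 1004 = Download unsigned ActiveX controls.
function Set-ZoneAction {
    param([int]$Zone, [string]$Action, [ValidateSet(0, 1, 3)][int]$Value)
    $key = Join-Path $PolicyRoot "Zones\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Action -Value $Value -PropertyType DWord -Force | Out-Null
}

Set-SiteToZone -Pattern 'https://erp.corp.example' -Zone 2   # internal app that needs Java/Flash
Set-SiteToZone -Pattern '*.corp.example'            -Zone 1   # the rest of the intranet
Set-ZoneAction -Zone 2 -Action '1200' -Value 0               # Trusted sites: plug-ins allowed
Set-ZoneAction -Zone 3 -Action '1200' -Value 3               # Internet: plug-ins off
Set-ZoneAction -Zone 3 -Action '1004' -Value 3               # Internet: no unsigned ActiveX

# Check: read the policy back and say which zone a URL lands in. The matching
# here (exact host, optional scheme prefix, "*." suffix, exact beats wildcard)
# is a simplification of IE's own rules, so confirm in the browser's status bar.
function Get-PolicyZone {
    param([uri]$Url)
    $entries = Get-ItemProperty -Path (Join-Path $PolicyRoot 'ZoneMapKey') -ErrorAction SilentlyContinue
    $wildcardHit = $null
    if ($entries) {
        foreach ($p in $entries.PSObject.Properties) {
            # Skip the provider's own bookkeeping properties.
            if ('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' -contains $p.Name) { continue }
            $pattern = $p.Name
            if ($pattern -match '^(\w+)://(.+)$') {
                if ($Matches[1] -ne $Url.Scheme) { continue }
                $pattern = $Matches[2]
            }
            if ($pattern.StartsWith('*.')) {
                if ($Url.Host.EndsWith($pattern.Substring(1))) { $wildcardHit = [int]$p.Value }
            } elseif ($Url.Host -eq $pattern) {
                return [int]$p.Value                      # exact match wins
            }
        }
    }
    if ($null -ne $wildcardHit) { return $wildcardHit }
    return 3                                              # no policy entry: Internet zone
}

Get-PolicyZone 'https://erp.corp.example/login'
Get-PolicyZone 'https://www.example.net/'
```

Once a Site to Zone Assignment List is in force the Trusted and Restricted site lists are locked in the UI, which is the point: the user cannot promote an arbitrary web site into the zone where plug-ins run. Per-add-on whitelisting (which controls may load at all) is a separate "Add-on List" policy and is not shown here.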

    2. John G Imrie

      Firwall?

      The corporate router isn't the only attack vector.

      There's always the idiot who downloads some music off the net and burns it to a CD to play in the office, little knowing that the wmv file he downloaded will run as a program inside Windows Media Player and will email his password file to an IP address in China.

      1. Anonymous Coward

        re: Firwall? - That's the beauty of Redbook CDs.

        There is one thing, and one thing alone, that a PC can do when it reads a Redbook CD: play it as music. No wmv executable, no mp3 tag poisoning (if that's possible), it will just play the thing. Even JPEG files have their holes too.

        Too bad you have to bring a ton of discs to listen for a reasonable amount of time.

        Good lord, who had the bright idea to run executable code in a media file? Only MS is able to shoot itself in the foot that many times.

        I won't even bother mentioning autorun any further. It is not fixed by default, because some corporate desktops (like mine) won't run Windows Update, (not on my locked out login anyway) and nobody cares.

  5. Jonathan White
    FAIL

    "Never mind the potential security problems that will arise nor the damage when the phone is lost or stolen with proprietary info on it."

    Yeah, you see... making sure stuff like that doesn't happen, or is mitigated when it does? THAT'S YOUR JOB. Best be able to do it, eh?

  6. Joe Montana
    WTF?

    Take out "secure"

    >> Active Directory's Group Policy Objects (GPOs) and Group Policy Preferences (GPPs) offer administrators a simple, centralised, and secure method to lock down Internet Explorer's (IE's) settings.

    Take the word "secure" out of that and you'd have a point, there are many ways to bypass settings pushed down by group policy... You should only consider group policies as pushing out default settings, do not rely on them for security!

    A much better solution is to force all outbound web traffic through a proxy, where it can be filtered and logged irrespective of the client configuration.

    Another even more secure setup, is to only allow internal browsing direct from workstations and require users to login to another system if they want to access public websites. Even with a browser running remotely, you can make it look and behave just like a local application, only any exploit attempts hit the server and not your workstation.

    One such example I've seen used Windows desktops connected to a hardened Linux box running Chromium; the connection was, I believe, done using NX and the Chromium window looked like it was running on the local machine. A hardened and isolated Linux box running Chromium is far less risky than a Windows workstation for browsing the web.

    1. Trevor_Pott Gold badge

      "force all outbound traffic through a proxy"

      What happy fuzzy unicorn-filled love world do you live in where all corporate internet traffic occurs behind the perimeter firewall?

      I want to live there.

      1. Anonymous Coward

        proxy 2

        Well, my place does, and apart from the serious lack of investment in it, it works quite well.

        No, you don't need access to Facebook, YouTube or any number of other shite sites taking you away from work.

        Yeah, you get the odd person complaining, but we also get a lot less hassle.

        If a user has a valid request then it's checked and added.

        As I said, it would work perfectly were it not for the morning and lunchtime cluster fuck, but why spend money fixing an issue when you can save money by making the slowdowns someone else's problem!

    2. Anonymous Coward

      proxy

      I agree, a proxy is a simple way of dealing with it, although the issue of email still comes to mind; where there is a user, there is a problem :)

      But there is one flaw with a proxy: if not done correctly it's a pain in the arse.

      Take 700 sites all over the UK, all with multiple numbers of computers accessing things at each site every day; if said company won't invest, what you end up with is a giant cluster fuck and everything grinds to a halt at key times of the day.

      Google's a pain in the arse too for getting around proxies; Google just hit our naughty step, tut tut Google.

  7. jake_the_snake
    Linux

    Firefox policies

    It's not only IE and Chrome that support configuration policies. Firefox (and Thunderbird) support a centralised configuration service that is O/S independent and as feature rich as its competitors.

    The 'Mission Control' feature allows administrators to deploy Firefox to the desktop and have it pick up per user settings from a central service (eg. a CGI script or something similar) at start time.

    See https://developer.mozilla.org/en/MCD. All it needs is a locked down local config file in the deployment (Program Files etc shouldn't be world writable anyway).

    J>
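Added example, not from the comment above or from Mozilla's documentation: a deployment script that drops the two files Firefox autoconfig (MCD) needs, points them at a central per-user config service as the comment describes, and then checks the "locked down local config file" part, since a lockPref() is only as strong as the ACL on the file that sets it. The install path, config URL and PAC URL are placeholders.

```powershell
# Added example, not from the comment above or from Mozilla's docs.
# Installs Firefox autoconfig (MCD): defaults\pref\autoconfig.js points Firefox
# at mozilla.cfg, and mozilla.cfg locks prefs and names the central config URL.
# Paths and URLs are placeholders; run elevated.
function Install-FirefoxAutoconfig {
    param(
        [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox",
        [string]$ConfigUrl  = 'https://config.corp.example/cgi-bin/firefox-prefs.cgi'
    )
    # 1. autoconfig.js: load mozilla.cfg at start-up, stored as plain text (not byte-shifted).
    $autoconfig = @'
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
'@
    # 2. mozilla.cfg: the first line must be a comment. lockPref() greys the setting
    #    out in the UI and overrides user.js; defaultPref() only sets a default the
    #    user may change. autoadmin.global_config_url is the per-user remote config
    #    the comment describes: Firefox fetches and evaluates it on every start.
    $cfg = @"
// Firefox autoconfig, deployed centrally
lockPref("autoadmin.global_config_url", "$ConfigUrl");
lockPref("app.update.enabled", false);
lockPref("network.proxy.type", 2);
lockPref("network.proxy.autoconfig_url", "http://proxy.corp.example/proxy.pac");
defaultPref("browser.startup.homepage", "https://intranet.corp.example/");
"@
    $prefDir = Join-Path $FirefoxDir 'defaults\pref'
    New-Item -ItemType Directory -Path $prefDir -Force | Out-Null
    Set-Content -Path (Join-Path $prefDir 'autoconfig.js') -Value $autoconfig -Encoding ASCII
    Set-Content -Path (Join-Path $FirefoxDir 'mozilla.cfg') -Value $cfg -Encoding ASCII
}

# Check: returns $true when no Allow ACE for Users / Everyone / Authenticated Users
# grants Write, Modify or FullControl on the file. If this is $false, any user can
# rewrite the locked prefs and the "lock" is decorative.
function Test-ConfigNotUserWritable {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $write = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($lowPriv -contains $ace.IdentityReference.Value) -and
            (($ace.FileSystemRights -band $write) -ne 0)) { return $false }
    }
    return $true
}

Install-FirefoxAutoconfig
Test-ConfigNotUserWritable -Path "$env:ProgramFiles\Mozilla Firefox\mozilla.cfg"
Test-ConfigNotUserWritable -Path "$env:ProgramFiles\Mozilla Firefox\defaults\pref\autoconfig.js"
```

The remote file named by autoadmin.global_config_url is evaluated as prefs JavaScript inside every Firefox that starts, so it must be served over HTTPS from a host whose certificate the clients trust; anyone who can tamper with that endpoint, its DNS or the path to it owns every browser in the estate. The same applies to a PAC file served over plain HTTP, which is why the proxy URL above is the setting most worth moving to HTTPS.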

  8. Mike Flugennock
    Coat

    Hey, wait a goddamn' minute, here...

    ...believe it or not, I instinctively clicked on this article thinking it was a new BOFH column riffing on browser privacy in an office; I mean, really, I kinda glanced at the title and thought "cool, a new BOFH story!". I was ready for some good cheap laffs involving the PFY swiping the Boss' cookies or a Beancounter's history or something, but instead it was... d'ahhh, never mind.

    Seriously, though... even though it's been a while since I worked in an "enterprise" environment -- i.e. a "cubicle job" -- a well-done and informative piece.

    Thanks. No, really, seriously.

    Coat-getting icon, because I can't believe the abbreviation BOFH duped me into clicking on this article which was not written by Simon T. at all.

  9. Mike Flugennock
    Coat

    Pantsing?

    "Microsoft makes an excellent mass market browser, but the lack of a browser extension community has harmed its ability to reach out to the growing number of users who need their browser to do something different..."

    Y'mean, like... uhh... not doing the WWW equivalent of pantsing me in public?

  10. Tree

    Netscape made Microsoft do it

    Many of the IE issues are caused by the early attempt to make sure Netscape did not work on important sites. Then, the issues were to avoid losing the antitrust suit. [Internet Exploder is too much integrated into Windows to allow shipping Windows with Netscape.]

  11. Anonymous Coward
    Thumb Down

    Hmm, crApple can limit what browser...

    ...you use but MS ended up in court for bundling IE with Windows...

    Hmm, something smells...

    1. John I'm only dancing
      FAIL

      Duh.

      Apple only limits what browser you can use on a phone, not on the desktop. MS ended up in court because of its near monopoly in the desktop market. It has never banned any other browser.

  12. Adrian 4
    Holmes

    @Mike Flugennock

    Mike, you read the wrong bit ..

    'In this 8000 seat organisation '

    'Take 700 sites all over the UK all with multiple numbers of computers '

    'yeah you get the odd person complaining but we also get a lot less hassle.'

    No, really - it is a BOFH article. It's just that the corporate dick-wagglers and jobsworths are hiding in the comments.

  13. Jacqui

    Cattle prod

    Its not a BOFH tale unless a modified cattle prod is at least mentio...ZAP! thud!

    ^C

    NO CARRIER

  14. Tom 7

    IE in the enterprise is wide open to the BOFH

    In order to protect your company's data I believe SSL is see-through, so the company can check your bank balance (and transfer monies) to make sure you are not moving company data off site.

    I could be wrong but that's how it was sold to us.

  15. Pascal Monett Silver badge

    Microsoft makes an excellent mass market browser

    I'm sorry, but it's going to take at least two more IE versions and five years of absence of exploits and zero-day news every Monday before I even start thinking of giving any credibility to that kind of remark.

    As for Windows 7, since I started using it last year I have been grudgingly forced to accept that it is indeed less of a pile of crap than XP was, and slightly more secure.

    But only slightly.

    Because my actual security is based on a hardware firewall and my insistence on using Firefox coupled with NoScript and a few other privacy-ensuring addons.

    Oh, and my refusal to use Outlook, or to blindly click on any damn popup that tries to make me think it is important.

  16. Destroy All Monsters Silver badge
    Holmes

    Hmmm...

    There is some tension in the article between lauding the IE9 + Active Directory combination vs. saying that Active Directory is being irrelevant. Yes, no? What do?

    If the Mozilla freaks^^H^H^H^H^HHdevelopers would just get over their shiny shiny fetishism and do something staid and serious for once.

    1. Trevor_Pott Gold badge

      @Destroy All Monsters

      IE9 + Active Directory makes for a beautifully manageable browser. I love it to bits.

      But the world doesn't use grandpa computers for everything anymore. We've moved into a world in which heterogeneous computing is no longer something for closeted Linux nerds and the aforementioned "coloured pencil department."

      So yes, IE9 + AD? Grand. But that doesn’t help me with Android, iOS, OS X, CentOS...

      Thus the only path for the foreseeable future is multiple management tools. And that really, really sucks.

  17. Relgoshan

    Zoicks

    To my knowledge, Opera supports a master settings override file, which may be stored in a universal location with read-only access. It prevents individual users from messing with any settings you don't want them to be able to touch.

    In similar fashion, it is possible to place a blocklist on the network and force all user profiles to obey its rules.
