In this world concerned with consumerised IT where almost everyone is familiar with using a browser of some description and many are bombarded by messages about how “fast” the internet can be if you use browser X, it really is important to keep a clear idea of what matters most to your business. Without a doubt you need a browser that’s fast enough to use the modern web, renders web pages quickly and accurately and that enables the use of JavaScript web-based applications that run as the designer intended.
It’s very important though to remember that whilst getting all this is fantastic you also have a responsibility to ensure the security and manageability of your browsing environment, at the same time as giving users the flexibility they need to do their jobs and keeping maintenance costs down. Browsers that are fast but follow sporadic update cycles present a risk where those updates aren’t managed within your deployment environment, which can lead to a patchy experience for users and a confusing and costly state for your helpdesk services.
Unfortunately not all browsers are created equal and some do better at things than others. IE9, however, seems to be doing the best at most things at the moment. There might not be the buzz that exists around using browser X or Y but IE9 has far more to offer in the security and management space than most. Internet Explorer 9 has been noted by NSS Labs to perform better, far better, than any other browser when it comes to detecting and preventing socially engineered malware. To put things into perspective, IE9 fails in just 3.2% of cases tested, where other browsers fail to detect and prevent in around 86% of cases.
Good security starts with making sure that you don’t have too many open doors into your organisation and with making sure that those doors you do have open are selective enough to only let the right things through. Kind of like having a good security guard on the door. Lots of people suggest that having a service that puts good sites on an allow list and denies all others, or that puts bad sites on a deny list and allows all others, is enough protection. Hands down they’re wrong: that is only part of the story, and you don’t have to look far to find a site that has been hacked, infected with malware and/or redirected to a less salubrious destination. This includes high-profile newspapers and even IT news outlets, and if they are on your allow list and that’s all the protection you think you need then someone just found a hole in your security.
Security at depth
The truth is that you need layers of security in order to ensure you have a secure environment, because you need many levels of security to catch a risk should something penetrate one layer. Allow and block listing are a part of that but so is the ability to detect, highlight and prevent attacks that appear in a more dynamic, on-the-fly, approach. One of the approaches that’s essential to delivering that dynamism and ability to respond to known attacks is a powerful patching mechanism.
This is another of those areas where Internet Explorer 9 excels. Patching is built into the operating system and whilst some feel that patches are a pain to manage they are in fact a mechanism to respond to a threat, and one that is easily managed. Under almost all circumstances Microsoft releases patches on the 2nd Tuesday of the month (a.k.a. Patch Tuesday) and for those who remember what life was like before Patch Tuesday it’s a joy. Imagine the scenario where critical patches are released every other day. Keeping up with that cycle leads to an administrative overhead that takes you down the path of missing the odd update, and missing the odd update can come at the cost of something bad happening. I know because I’ve replaced patch solutions in organisations where it has – much of which I had to hand crank with VBScript, but we won’t go there!
What baffles me is why any IT Pro would want to deploy patches on an irregular basis or just leave them to chance when they can be managed in a simple, singular way. No other browser has the update capabilities of Internet Explorer, and some are so lacking that entire version updates with changes in capabilities can be deployed without any prior understanding on the part of those responsible for support: IT.
Group policy support built in, not bolted on
Management is of course something that we all need to keep an eye on in our estates and sometimes we find that something has to be changed. Sometimes a homepage URL needs changing en masse, sometimes we have to tweak security settings and again Internet Explorer is a tour-de-force in this area with over 1500 settings that can be controlled with Group Policy. The nearest competitor has a shiny 87 or so, which granted are generally good but don’t include the ability to stop the browser “phoning home”, whilst other solutions try to out-fox IT by requiring you to buy additional management software. This disregard for the unique nature of doing business is disappointing at best.
Of course management starts earlier than the ongoing use of a browser, so we have to think about how we deploy the browser in the first place. For this, and to enable some highly customised deployments with very flexible requirements, we have the IEAK or Internet Explorer Administration Kit, which enables the repackaging of Internet Explorer for custom circumstances. You can, for example, bake in a set of configurations so that upon first install everyone gets the settings you intend – perfect in a consumerised environment – but as I’ve already written we need more flexibility. For that reason just about every setting that you can alter in the IEAK can be changed through group policy.
For XP users
If you haven’t yet migrated to Windows 7, and millions have, then you are probably running Windows XP. Here the best advice is to be running IE8 because Windows XP cannot support IE9. IE8 might not have all the HTML5 bells and whistles, ultimate speed, compatibility and sheer beauty of IE9, but it does allow you to do all the management I’ve mentioned above. But why would you want IE8 over IE6? Well, the main reason is that IE6 is old. It was released 10 years ago and the web has changed dramatically in those 10 years. Sites we take for granted, Facebook, BBC iPlayer, YouTube and thousands more didn’t exist back then and what people expect to be able to do has moved on. There are still people stuck using IE6, especially in Government in the UK, but there are not really any solid technical reasons for doing so.
Migration to IE8 from IE6 is a smooth process now; it’s a well-trodden path and we have ways to circumnavigate most compatibility issues – many for free. If you have a web application that requires IE6 the first thing is to see if it’s just a header issue, where the page stops itself rendering on anything other than IE6. Test the site in IE8 without such a header, get a user to see if everything works OK and test to see if one of the compatibility modes overcomes the issue. There is nothing wrong with using compatibility mode and, you’ll never guess, you can tell your whole estate to use a compatibility mode with a simple group policy setting, still at no additional cost.
Next you can try virtualisation, either with MED-V which is part of MDOP or with P2V for Software Assurance. These two options are going to cost you something if you don’t have Software Assurance in place but the cost is usually small (for example adding SA to a Windows Intune subscription is just 60p per PC per month). The final option is to use RD RemoteApp to provide a remote desktop connection to a browser running on a Windows XP VDI Virtual Machine, hosted in Windows Server 2008 R2 Remote Desktop Services or with a product from Quest or Citrix. Here the costs rise dependent upon the complexity you need, but it’s time to start weighing in the fact that when XP goes out of support so does IE – so no more patches.
Hopefully this has given you some food for thought about your move to IE9; if you are on Windows 7 it’s a total no-brainer. If you’re on XP you should think about moving to IE8 and also about getting off Windows XP within a year.
For the full NSS Labs report on socially engineered malware just follow this link, and to learn about deploying Windows 7 and Internet Explorer 9 go and complete the relevant sections of the Deployment Learning Portal – you’ll probably find you’ll be rewarded instantly for doing so. Also take a look at these Top 9 reasons enterprises should deploy IE9.