By Benjamin Vigil, Site Editor
One can argue that Internet Explorer is the single most difficult application for an administrator to secure. There are multiple reasons for IE vulnerabilities and because of them, there are multiple layers of security needed to properly secure IE.
So why is IE security such a headache for administrators? In my opinion, these are the reasons:
- IE wasn't built with security in mind. It was built to have better features than Netscape. That was ten years ago, but it's taken Microsoft that long to re-engineer the product. This has led to other ongoing issues.
- Re-engineering the product happens one patch at a time. Even though there have been five versions of Internet Explorer since IE 3.01, there has been only one version for the last four years, with a few service packs, hotfixes and critical updates thrown in.
- IE won the "Browser Wars." Its successful defeat of Netscape in the "Browser Wars" has made it the biggest target on the Internet. Firefox, on the other hand, becomes more secure by being overlooked as a target.
- The Internet has become a very untrustworthy place. The Internet of the mid-'90s was not nearly the dangerous place it is now. Microsoft created a browser that was able to download advanced code that made the Internet more interactive. If it hadn't had that goal in mind, the Internet, arguably, would hardly be the marketplace it has become. But running code locally has led to many of the malware problems we see today.
- The browser is tightly integrated with the operating system. One could claim that this is the other reason IE is so ubiquitous, and because there have been court cases related to this subject, I will leave it at that.
- Users have administrative control through Web browsing. Users can be prompted and can accept the download of malicious content that will embed itself directly into the operating system. Non-Windows administrators find this to be one of the most dangerous quirks of IE and Windows.
So, it is not really surprising that IE security is such a headache for administrators -- there are all these reasons why it would be. Just as the problem has many causes, administrators must remember that countering these security flaws takes multiple layers of security.
- Patch, patch and patch. Until Microsoft releases a product that is conceived with security in mind, patching will be a fact of life for administrators. By the way, if you tire of visiting Microsoft for alerts, check out US-CERT's alerts. (Note: The early indications are that IE 7 will be more security focused and at least will have more ways for administrators to enhance the security setup through Group Policy).
- Use firewalls. This is the best way to counteract the Internet's inherent untrustworthiness, but it really has limited effect on IE security. It is more of a perimeter defense and, like the above recommendation, it's probably something administrators are already doing. I mention it, though, because firewalls need to be extended to remote users. Personal firewalls can be difficult to configure, but with all the port scanning bots and worms out there, it is worth the trouble.
- Increase security settings. Most administrators know it already, but you can disable many IE features to increase security by simply altering IE's default settings. If you are not already administering this aspect of IE, take a look at the IE maintenance extension technical reference. It explains how to change settings in IE through Group Policy. For power users, check out this guide on disabling active scripting and instructions for managing add-ons at Microsoft.
- User education. This is the layer that gets overlooked most often. Administrators frequently take user security knowledge for granted. From an administrator's point of view, avoiding unknown Web sites and not allowing unknown downloads is obvious, but many of your users may not agree or may not know why it's dangerous. Educating users is difficult, and most administrators do not have the knowledge or resources to do it effectively. One simple option is to point users to Microsoft's Security at Home Web site. Its quizzes and videos explain security concepts and give general users a good baseline of knowledge.
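The "increase security settings" layer above is the one an administrator can actually verify from a script. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reads the Internet zone (zone 3) settings that the article's advice touches on, looks at the Group Policy hive first (because policy values override a user's own IE settings), and flags any setting still at a weak value. The setting IDs and the 0/1/3 (Enable/Prompt/Disable) encoding are the documented IE zone registry entries; the "wanted" minimum values are this example's own baseline assumption and should be adjusted to your environment. The optional Set-ZonePolicy helper writes the same machine-wide policy value that the Group Policy templates write, and therefore needs an elevated prompt.

```powershell
# Added example (not from the original article): audit IE Internet-zone settings.
# Setting IDs / values follow the documented IE zone registry layout:
#   1200 Run ActiveX controls and plug-ins
#   1201 Initialize and script ActiveX controls not marked as safe
#   1004 Download unsigned ActiveX controls
#   1400 Active scripting
#   1803 File download
# Value meaning: 0 = Enable, 1 = Prompt, 3 = Disable.

$zone  = 3   # 3 = Internet zone (1 = Intranet, 2 = Trusted sites, 4 = Restricted sites)
$paths = @(
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone",  # machine GPO
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone",  # user GPO
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"            # user's own IE settings
)

# Minimum acceptable value per setting: this example's baseline (an assumption, not a Microsoft recommendation).
$checks = @{
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                       Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked safe';  Want = 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                      Want = 3 }
    '1400' = @{ Name = 'Active scripting';                                        Want = 1 }
    '1803' = @{ Name = 'File download';                                           Want = 1 }
}

$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the effective value and the hive it came from; policy hives win over HKCU defaults.
    param([string]$Id)
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p -Name $Id -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{ Value = [int]$item.$Id; Source = $p }
            }
        }
    }
    return $null
}

function Set-ZonePolicy {
    # Writes the machine-wide policy value (same key Group Policy's
    # "Internet Control Panel\Security Page\Internet Zone" templates write). Requires elevation.
    # Example: Set-ZonePolicy -Id 1201 -Value 3
    param([string]$Id, [int]$Value)
    $p = $paths[0]
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name $Id -Value $Value -Type DWord
}

# Report: one line per setting, flagging anything below the baseline as WEAK.
foreach ($id in ($checks.Keys | Sort-Object)) {
    $c = $checks[$id]
    $s = Get-ZoneSetting -Id $id
    if ($null -eq $s) {
        "{0,-5} {1,-58} NOT SET (IE built-in default applies)" -f $id, $c.Name
        continue
    }
    $label = if ($labels.ContainsKey($s.Value)) { $labels[$s.Value] } else { '0x{0:X}' -f $s.Value }
    $state = if ($s.Value -ge $c.Want) { 'OK' } else { 'WEAK' }
    "{0,-5} {1,-58} {2,-8} {3,-5} ({4})" -f $id, $c.Name, $label, $state, $s.Source
}
```

Run the audit as the user whose browser you are checking; the Source column tells you whether a value is enforced by policy or merely a per-user default that the user (or a download the user approved) could change back, which is exactly the gap the article's "users have administrative control" point describes.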
I hope this article provided a bit of advice or new resources to help secure your most problematic applications. Don't worry if you come up short with regard to the final layer -- all this month we will be focusing content on involving the user in security.
About the author: Benjamin Vigil is the site editor for SearchWindowsSecurity.com.