Enterprise-wide Browser Upgrades, IE, and Patching?

newkid asks: "Our company needs to upgrade its standard browser, a difficult decision when we factor security, compatibility and the logistics of actually doing it. For compatibility, Internet Explorer is required by internal applications like IBM Tivoli Storage Manager, so we have to keep it. On the security front, expert bulletins keep ranting every week about the latest gaping holes in IE but nobody really seems concerned: for example, many on-line banking services only work in IE, and they don't check for patches. Meanwhile, users do not care, as a large portion of the traffic still comes from IE 5.5, a version discontinued by Microsoft. As for logistics,the software distribution technology and the cost of patching both make the project much larger than we can undertake this year. Our two options are: roll-out IE without patching, or roll-out IE and Netscape, but lock IE so it can only surf on intranet sites, and update NS with rsync or Ant. What is your company doing? What is your strategy? How serious are the security threats? What are the documented security breach caused by IE? We need a reality check."

The obvious..

We need a reality check

No Sh*t.

Thats is were a consultant comes in, not /.

Many go unpatched anyways

[dpete4552]

http://www.pivx.com/larholm/unpatched/

Mozilla

[Cokelee]

Why can't you install Mozilla on a couple of shares and update them. It doesn't have to be on a local machine, and most internal networks remain fairly idle. (The other 60+mbps not being using by an external source.)

On a very different note: these machines are running Windows, right? Why the security concern over IE?

Quick and dirty...

[dnight]

Send an anonymous email with the Microsoft IE download link to the entire corporation, the day before you take a vacation. If your helpdesk is up to snuff, it should be all set when you get back.

Oh, and look for snakes in your office when you get back.

Re:Quick and dirty...

[spectral]

Ok, this can be done and (mostly) automated if you have your network set up properly. It requires a bit of knowledge with batch scripts (that I don't have), or just write a little program to do it for you. Requirements: windows file sharing enabled (and that you know the computer names or IP addresses. Can run a sniffer for these), desktops running an NT based operating system, preferrably all the same, and hopefully 2k+.

Look for something called 'pstools', it is half of what you need. the others are available in other places, but the primary ones are also available in the 'fastpush' package to put VNC on computers remotely. You don't need to do that, but it can also help from a support point of view.

the pstools let you do a lot of things remotely. The other ones that come with fastpush (Specifically regini) also help with this.

From there, it's a simple matter of making a bat file to copy over all the files you need, and shoving something in the 'run once' registry key, then doing a reboot on them (regini for reg editing, psshutdown for rebooting them). Obviously best to do this if no one's on the computer (or just send them a message telling them to reboot their computer if there's a risk of this. Or hell, use VNC and do it the hard way). Then loop through all your computer names.

I'm assuming you're competent enough to know about the $ shares, net use, some batch scripting, etc., and foolish enough to think this'll work well. :) Automated upgrades of this magnitude seem to break a lot of things. Do a lot of testing on your scripts first!

This way you can copy the files over to each computer automatically, at least. By putting it in to the run once, they'll run without you having to go to each computer. Hopefully you're smart enough to set up install scripts for IE and stuff, so you won't have to do that all too.

Windows remote administration isn't all THAT difficult, provided the right tools..

Of course, you'll want to test this before you do it to the entire corporation. Breaking everything remotely will make it so you have to go to each one, one by one, and getting shit from everywhere else about hwo they can't do anything.

Or, take the lazy route and do as the parent suggests. It's less work for you, and will get most every computer in the place, since people are stupid. ;)

As an aside: Does anyone know equivalents of these tools for linux? (psexec, regini, etc.).. they'd make it so much easier for me, not having to reboot all the time in to windows to use them. Yes, VMWare, etc. etc. Not an option.

Re:Quick and dirty...

Hmm you sound like some of those crackers that have been putting firedaemon and vnc using pstools on some machines I know of.....

You arent using a Canadian ISP are you?

Re:Quick and dirty...

[spectral]

nope. Living in Japan at the moment, going to uni. The reverse lookup will be our firewall, with a .jp address, so not me. :)

We have both.

[zulux]

We've put Phoenix on the desktop, and quick launch bars.

We hid explorer in the Programs->Accessories->System Tools.

And of course, you get Konqouror and Phoenix when you log into our VNC server.

But as far as risk is concerned:

Lthe largest risk is Outlook and Outlook Express - they use the core of IE to do their mail previews. Most of our users don't visit odd websites - but they sure could be sent a virus now and then.

Easy

[4of12]

MyCorp finally decided that IE 6 was an improvement over NS 4.7 for our Windows machines. Despite disliking the borglike tactics of MS, the decision made sense locally. It's almost easier to just let Windows have its way and use IE by default. But I would insure the security patches are up to date. Use SMS to update them.

Our migration to IE was decided before Mozilla was as good as it is now. Also, Opera ain't bad, nor Konqueror/Safari. Check `em all out and keep your internal sites W3C standards compliant so you have options in the future instead of handcuffs.

Re:Easy

[J_DarkElf]

Well, IE6 *is* an improvement over NS 4.x

But then again, so is every other browser which does not lie about its CSS support, and can render standards-compliant pages.

The main problem with IE is that it accepts garbage, so people keep using garbage, saying 'it works in IE'...

Re:Easy

[shaitand]

actually IE 6 does NOT always render standards compliant code correctly.

Course you don't think I'll make a statement like this without giving a couple examples off the top of my head do you?

IE will not get rid of the borders on frames without an attribute in the frameset tag, it ignores frameborder="0" in frame tags. The standard defines them in the frame tags and no border related attribute in the frameset tag.

(I should note, while not the same attribute in the frameset, netscape also suffers from this glitch? wtf intentionally make your browser interpret invalid html only... especially invalid html that reduces flexibility for no apparent reason?)

IE 6 sp1 (it did not do this in prior versions) now centers the contents of the cells in a table if the table is contained within a or a good old . Why this is broken by the standard requires an understanding of block and inline elements... why it makes life impossible is left difficult to see... half the time you use a table it's to line the contents up in nice even left aligned rows but you may want the entire "spread" to be centered on your page.

Re:Easy

[oliverthered]

try

div > table {
background:red;
}

with

<html>
<body>
<div >
<table><tr><td>hello</td></tr></table>
</div>
</body>
</html>

try

<div style="left-margin:20px;right-margin:30px:overflow :auto;height:100">
<div style="position:fixed;width:100%">
this test should be fixed
</div>
<pre>
this
is
some
text
that
should
make
the
div
scrolable
</pre>
</div>

Are you sure you *need* IE?

[aoteoroa]

You mentioned that tivoli's storage manager requires IE but a quick look at their product info page indicats that they support HP/UX,linux,Solaris and other clients and if that is the case then their web software must work with other web clients.

I do all my banking, and the company's with Mozilla with no problems. A friend of mine also uses Moz for his banking. That's three separate banks that have no problem with Mozilla.

There are probably more good choices in web browsers right now than there ever was. It is a good time for change.

Re:Are you sure you *need* IE?

[mbogosian]

You mentioned that tivoli's storage manager requires IE but a quick look at their product info page [ibm.com] indicats that they support HP/UX,linux,Solaris and other clients and if that is the case then their web software must work with other web clients.

Be wary of any application which requires a certain browser for an interface (IE, Mozilla or otherwise).

Browser-specific sites are bad, but apps are worse.

Re:Are you sure you *need* IE?

[shaitand]

This is true, especially since the entire point of using an html based interface on a local app is portability...

Re:Are you sure you *need* IE?

[thempstead]

I agree, I've run the TSM admin gui under Konqueror on KDE 3.1 without issues. I'd have thought that any browser with the appropriate level of Java support should work ....?

Tim

Re:Are you sure you *need* IE?

[prnd_ndrd]

FWIW, I regularly use four sites to move money around (mainly to pay what I owe:). Mozilla works flawlessly on all of them. The site "searscard.com" used to require IE for part of the process, but no longer (I presume something was updated in Mozilla).

Re:Are you sure you *need* IE?

[DavidpFitz]

This is true, especially since the entire point of using an html based interface on a local app is portability...

It may be for someone, but not me. I am on a team which is developing an application which will be tested against IE6 *only* because this is the supported browser of the company who will use our product. We are not using a browser based interface for portability, we are using it so we can easily rollout changes without having to touch a single machine on of the 40,000 users will access our application with.

It's called NetCentric computing, it needs browsers, but it's got nowt to do with portability. I'm sure portability helps some people, but not when you've got a known userbase who you *know* use IE.

Re:Are you sure you *need* IE?

[shaitand]

No it's called bad programming. First you write standard html. Second it takes 5 minute to load it in a couple other browsers to make sure there are no quirks across them. The company your writing the app for will undoubtedly want to upgrade their browsers eventually and then your app will be broken. This is what alot of bad software companies do, some intentionally so the purchaser must spend more money down the road, some out of stupidity.

Re:Are you sure you *need* IE?

[shaitand]

On another note, if you never deploy that app for anyone else, you still may want to use code/libraries from it (at least if your programming choices aren't this poor in every other area of the app as well) the reusability of your sweat is directly proportional to the portability of the code you wrote the first time around.

Re:Are you sure you *need* IE?

[DavidpFitz]

No, it's nothing to do with that. Out HTML is written to standards, and checked for that. A product test must be done using the target platform -- this is extremely costly for a system which has a massive number of "pages" a user can see. Having to test this in multiple browsers on multiple platforms woudl cost hundreds of thousands and take lots of time.

We have to certify against IE6, and nothing else since it is the target platform. If the client wants to use another browser, at very least they will have to do another usability test and possibly raise a change request for any arising defects. Although I'm sure things would work with other browsers, contractually this is not an obligation... and thus it does not make sense to test against anything other than the target platform -- in this case, IE.

Re:Are you sure you *need* IE?

[shaitand]

In that light it makes more sense. As long as your writing code to w3c standards then you've definately done your part I agree. That's what I've always loved about standards... if you code to them you can say the platform is broken not your code with a straight face.

My $0.02

[benjamindees]

1) Performance will be an issue if you upgrade from 4.x to a current version of Netscape. Phoenix might be a better solution. There's Opera, too. What kind of processors/OS are you running?

2) Banking sites can usually be tricked with a simple change in the Useragent string in Mozilla/Netscape. Are you sure you need IE?

Switch to Windows Server 2003

[RzUpAnmsCwrds]

Although this is a somewhat lame answer, consider switching to Windows Server 2003. It has an "enhanced" lock-down mode that eliminates most of the holes in it's default configuration.

Now, it makes some pages break, but that's the price.

Re:Switch to Windows Server 2003

[Stargoat]

This isn't flamebait, this is a very viable option. According to MS, Server 2003 is capable of rolling out patches to workstations in a manner similar to Symantec Corporate Edition rolling out virus updates over a network. This could indeed solve the problem. It's not the best option, may not even be viable, but it is a way of solving the problem.

In other words, switching to Server 2003 is an option. Dogs and cats living together! Mass hysteria!

Re:Switch to Windows Server 2003

You can do this without Server 2003. M$ now has their Systems Management Server(SMS) that allows you to set up an internal server that automatically pulls updates from Microsoft. The admin can then review the updates and even select which ones will get delivered to the workstations (which have their auto update set to look at the internal server instead of windowsupdate). There are two versions - one that costs lots of money and a (very limited) free version. Check 'em out here. I haven't actually loaded WinSrv2003 yet, but my guess is the limited version is what it uses.

Whose has the final say?

[heldlikesound]

I mean for places like the trasporter room, you really do need the latest and greatest, to be sure you're not shooting people into a Cardasian ship or something, but for officers lounges where Explorer is just being used for browsing the web,etc, it doesn't seem like that big of a deal...

By the way, this joke was a bit of a stretch for me as I don't really like Star Trek.

Save Millions of $$ !!

[benjamindees]

That's a solution for retarded admins.
He needs a solution for retarded software.
More retarded software is not going to work.

IE 5.5 still supported by MS

[vjl]

Just FYI, but IE 5.5sp2 is still being updated and maintained by MS. You can no longer download it, as of March 31, 2003, but until December 31, 2003, MS will continue to patch it as needed. After December 31, 2003, MS will no longer release security updates for IE 5.5.

We keep NS 7.0.2 and IE 5.5sp2 on our users' desktops, as IE6 had issues with Office 2000 on a Win2ksp3 workstation [go figure - all 3 packages are made by MS!].

Only problem is that the MS Update w3 site always wants the users to upgrade to IE6sp1 [but they can't since they're all non-admin users].

/vjl/

Wait. Just a little...

[bluephone]

Netscape is going to be leaunching the latest version of the Netscape 7.x browser line (probably 7.5) in the next few months. Now that Mozilla/mozilla.org is closing in on 1.4 final, the NEtscape folks will go into hugh gear for the commercial release to be based on 1.4 final, instead of the 1.0.x branch like NS 7.02 is. This will be the best commercial browser on the market, possibly ever. I'd suggest you wait until the release (final probably late this summer) before you roll out. You'll be far more secure, have a cross platform standard, and with IBM's work on their products, possibly be looking at accessing many apps that are currently IE only from other browsers.

Patch management

[mbstone]

You have to apply the latest Microsoft patches right away, or hackers will come along and break your system. But the patches themselves will break your system once you apply them. You might as well give up now, and krazy-glue the ctrl-alt-and del keys to the bottom of you keyboard.

________________________________________________
If it doesn't fit, file it. But it gets dirty and you can't clean it. So you have to THORW IT AWAY!!

Tivoli?

[Dausha]

That's odd, we're an all Unix shop and so our Tivoli storage manager is viewed on Netscape (4.79). So, I'm a bit surprised to see that you need to maintain connectivity with the Tivoli system. Also surprised since IBM has a Linix port (previous Slashdot article).

Accepting garbage.

[Inoshiro]

Applications are supposed to be permissive in what they take is input. Granted, you shouldn't hide that it's wrong (IE needs to have popups for malformed pages), and it shouldn't make its own decisions for you (for example, its overzealous mime typing), but making the best logical render of something that's broken is just good software design.

Writting programs that spew un-RFC compliant crap, like IIS or Outlook -- that's poor software design. Always be exacting in what you output, as much as you are permissive with your input.

At least give MS a go properly.

[swmccracken]

Install a copy of Software Update Services and then use group policies to configure your workstations to use and automatically install the patches.

It's a partial solution, while it doesn't upgrade Internet Explorer itself, it *does* apply all relevant patches to IE and the OS.

You do use Group Policies, right? This is one managment area where Windows 2000 out-of-the-box beats any Linux managment system hands down.

Generally.. the patches aren't that important, but notable exceptions exist. (Such as Outlook Express opening certain mime types automatically! - virus writers were quick to take advantage of *that* one..) The problem is that you never quite know which ones are going to be important.

Re:At least give MS a go properly.

[SuiteSisterMary]

Use IEAK to build a custom version of IE.

Use Intellimirror if you're on an all Win2k+ network, to roll out, well, any software you want, really.

Use SMS if you're not on an all Win2K network, to, well, roll out any software you want, really.

Block the windowsupdate sites at your proxy.

Do NOT let users have admin access to their own machines.

Re:At least give MS a go properly.

configure your workstations to use and automatically install the patches.

YIKES!!

Not a good idea.

Yesterday, I was at a customer's site, as his windows network had stopped working (he could still surf and check his mail, but he couldn't see the company file server anymore.)

Seems that the "auto-update" feature had toasted his network settings.

At that time, I was very glad that he was the only one using auto-update. I can only imagine the horror if everybody was using it.

Re:At least give MS a go properly.

[swmccracken]

Like I said, use software update services. :-)

Oh, and subscribe to NTBUGTRAQ. That's pretty much an abosoulte must - heads up as to which patches (like MS 03-010) it might be a good idea to hold off on.

SUS lets the admin specify which patches the workstations are to download and install. It uses the same (more or less) client software as the standard windows auto-update, but you use Group Policies to connect to your own, internal, controlled, server.

And, yes, you *do* need to automatically install the patches, because there's no way several hundred (or more) users are going to install the patches themselves. The Admin just has to test them (or at least, wait for NTBUGTRAQ posts) before setting the server to distribute them.

Secondly... sounds awfully odd on that network.

Block IE at Proxy

[maol]

My company blocks IE at the proxy (and doesn't allow direct connections not using the proxy of course).
As for upgrading Netscape 7, Mozilla or Opera: you really don't have a software distribution system installed? How do you update other software? How many clients?

IEAK

[Student_Tech]

What about the Internet Explorer Administration Kit. It lets you set the options for a customized distrobiution of IE for w/in your company. You can set it up so it installs in the background and reboots the computer when done. You would still need someway of pushing it to the desktops but it would be one download from MS for what ever version of the browser and then it just gets distributed w/in your company.

Re:IEAK

[benhaha]

Mod parent up!

How on earth did he get into a stupid situation where "Roll out IE without patches" was ever any kind of option?

It's
a) dangerous not to patch and
b) easy to patch.

You just have to know what you are doing, which that dork obviously doesn't.

IEAK

[omega9]

There's a neat little took called IEAK, which stands for Internet Explorer Administration Kit. It lets you download IE and create your own custom set of installation files with only the options you want. You can even make the installation non-interactive to make sure it only does what it's told. Anyone who's done a major IE rollout has at least heard of IEAK. Since you didn't even mention it I'll guess you've either never done an IE rollout or you've got SARS and it made you forget about it.

You also didn't mention your network setup. However, you're considering IE so I'm going to guess most of your clients are running Windows. Also, if you're really entering into a rollout your network must be on the larger side (else it would just be you installing something on a few machines). So if you've got a a)large b)Windows network there's a good chance you've got some kind of domain model there. Or at least something that provides login scripts. Go fix yourself up a custom IE install with IEAK and launch the setup from the login script. Heck, if you're running AD on a Win2K server whip up an MSI and push it out to the clients. But if you can't do enough research on you own to discover IEAK, then you probably won't even be able to spell MSI.

If you've never heard of IEAK, got a large Windows network, and aren't using some sort of login script functionality, then the SARS has truely taken over and a browser rollout is the least of your troubles.

DISCLAIMER: no SARS were injured during the creation of this reply

Darn

I was hoping you'd say something like:

"...the then SARS have already won."

standard config..

[martin]

well if you have a big enough organisation where desktop software management is a real issues (which prob means you've got more then 10 machines;-) then you need to look at software like Intel Landesk (or whatever it's called this week).

It gives you the technology to to have a 'golden host' on which you base every desktop. You then download the chnages automatically once a day (or when you hit the button for emergency updates!).

Turbo Linux has a similar product which has been recently bought by a Californian company (name escapes me), and there's lots of other products out there that do the same.

But whatever you choose for windows it ain't gonna be cheap.

If you've got Linux/*nix on the desktop theres ways of doing it here if the the Landesk (or equivalent) doesn;t support iut, but many seem to be distribution dependant or still in development and miss many of features you really need. YMMV as the last time I looked at this was 6 months ago..

A reasonable idea

[mnmn]

In some browsers like opera, you can change the Client string so it looks like IE6. I did that with the opera browsers on some public Pentium2 computers and the clients have been happy to my knowledge. Opera is also more robust, low on resources and fast.

I'm tempted to think something like cygwin rsync would work on windows machines to update opera. Of course, if you dont have apps that require win32, you can move to linux completely, possibly using xpde for naive clients.

Re:A reasonable idea

[Lxy]

There a difference between functionality problems and sites that do browser checking.

Having to deal with many, MANY web apps, I can tell you that this doesn't always work. Some apps are so heavily built with IE-only components that there's no other browser that works with it. PERIOD.

Mozilla and Opera are wonderful web browsers, and could easily kill IE if developers would stop writing web apps that only work in IE.

If using Active Directory, try MSI packages

[UnrefinedLayman]

You're apparently using Windows, hence IE being installed. I imagine your users are in a domain, but if not, disregard the following.

Group Policy in Windows 2000 allows you to create MSI packages that can be rolled out to multiple clients and that will be installed when the user starts up the computer. If you check the Windows 2000 Server CD, you'll find the light version of WinInstall, called WinInstall LE (winstally around here). This will let you scan a computer, then you can run any updates (for example, patching IE, or installing Mozilla), then rescan the computer to find out what has changed. If you have moderately homogenous desktops, this shouldn't be a problem, even across hardware platforms.

Unfortunately, group policies can only be applied to Windows 2000 clients and above, but if that's what you have, then you're in luck.

You shouldn't have too much trouble rolling the package together, and it can come in handy when you have multiple clients to update.

And to the best of my knowledge, use of WinInstall LE is free no matter how you're using it, but you might want to read their documentation on the CD first.

Is "enterprise" now a synonym for "organization"?

[cyberkreiger]

Just walk up to a computer terminal and say: "Computer, conduct a complete ship-wide level 1 browser upgrade, security override 'Picard Omega Three'."

1/2 of our virus infections are a'la IE

[scorp1us]

1/2 of our virus infections are a'la IE and browsing email sites, like yahoo and hotmail. We had to block them for that reason.

IE + CSS ummm.....

[oliverthered]

I've just been converting all some web sites over to using CSS.

When you start using CSS (or anything vaguely complicated) you start to see just how much IE sucks. sure Mozilla and Opera arn't perfect IE just isn't.

Browser Fear

[bahamat]

It's been my experience that browser advocates come in one of two flavors. Those who worship Bill and constantly mutter under their breath "I hate netscape", and those (us) fringers that use an alternative browser (mozilla, phoenix, opera, icab, etc).

People that used to love Netscape have pretty much turned to IE due to the NS4 line's stagnation and the netscape branch of mozilla being inadequate (I'm highly looking forward to a branch of the 1.4 trunk). They don't complain or they'll get laughed at.

The last group of people I find are people who don't understand why some people's Internet is a big E and some people's is a wheel, and some are a lighthouse.

I work for a huge megacorp that you have heard of. We're worldwide. The official policy is Netscape 4.78 is the mandatory web browser. I only found that by digging for several hours on our Intranet. But our IT staff is to afraid to tell anybody which browser to run, and we've got the most ugly assortment of browsers you can imagine.

Think of any flaw available for IE and send it to my company and you're going to destroy most people here.

The problem I think is that to most people (especially those of us who remember the browser war vividly) browser choice has become one of those things like religion or politics. You've got one side that's rational, logical and informed about their choice, and the other who have the attitude "don't bother me with facts because I've made up my mind" (which in turn causes a heated response from the first group) and the whole thing gets ugly. Another major problem is that on all currently available versions of Windows there's no way to remove IE, even if you wanted to standardize on a non MS browser you can't, because the bugger will always be there.

The question isn't which browser to use it's how does one combat the demons of stupidity so that it actually does get used.

Re:Browser Fear

[zzyp]

Of course you can delete IE *completely* using this free utility, it doesn't work for SP2 and above on Windows 2000.

http://www.litepc.com/ier_lic.html

Re: We GAVE MS a go properly.

[TropicalHotDogNight]

Properly? According to..? There are (at least) 101 things Mozilla does that IE does not, listed here: http://www.xulplanet.com/ndeakin/arts/reasons.html
And that's with Mozilla 1.2, back in January!
I started using Mozilla 1.0 when SP1 for IE6 rendered IE unable to render all the graphics of many web pages. Refreshing would sometimes show more of them, sometimes less. I tried Mozilla out of necessity, my first use of open source software. Then I uninstalled SP1 & was thrown back to IE 5.5 (isn't that special?)--had to re-upgrade to IE6 & apply all those patches EXCEPT SP1). Now I love Mozilla, altho it does lack a couple minor niceties which IE has (saving a web page as a single file). And my local (small) credit union has no problem with Mozilla.
Now I carry mozilla-win32-1.3-installer.exe (12MB) on my USB flash drive & install Mozilla on anyone's PC when they aren't looking, make it the default browser, homepage: Slashdot. (The homepage for IE becomes the 101 things list.)
There is no need to wait for Netscrape 1.4--it won't have the integrated pop-up blocker, since they're in bed with that industry.
I'm not an IT manager (or even pro); I'm a Windoze consumer struggling to migrate to Linux (& Mac if $ allows) because M$ has not even TRIED to fix some of the pathetic defects in their OS, & XP is the most pervasive spyware product ever foisted on the modern world. And they've caused me so much inexcusable personal grief, I am permanently biased (not prejudiced) or at least suffer Post Traumatic Stress Disorder (seriously). I am prejudiced against liars--they suck shit.
Now I always have a KNOPPIX CD ready to give anyone looking to purchase Windows at a computer store. I also voted for John Hinkley in '84 (at least he *tried* to knock off Reagan).

"If the Nuremberg laws were applied today, then every Post-War American president would have to be hanged." --MIT Prof Noam Chomsky