Slashdot Mirror

← Back to Stories (view on slashdot.org)

Enterprise-wide Browser Upgrades, IE, and Patching?

Posted by Cliff on from the between-a-rock-and-a-hard-place dept.

newkid asks: "Our company needs to upgrade its standard browser, a difficult decision when we factor security, compatibility and the logistics of actually doing it. For compatibility, Internet Explorer is required by internal applications like IBM Tivoli Storage Manager, so we have to keep it. On the security front, expert bulletins keep ranting every week about the latest gaping holes in IE but nobody really seems concerned: for example, many on-line banking services only work in IE, and they don't check for patches. Meanwhile, users do not care, as a large portion of the traffic still comes from IE 5.5, a version discontinued by Microsoft. As for logistics,the software distribution technology and the cost of patching both make the project much larger than we can undertake this year. Our two options are: roll-out IE without patching, or roll-out IE and Netscape, but lock IE so it can only surf on intranet sites, and update NS with rsync or Ant. What is your company doing? What is your strategy? How serious are the security threats? What are the documented security breach caused by IE? We need a reality check."

7 of 53 comments (clear)

  1. The obvious.. by Anonymous Coward · · Score: 0, Informative

    We need a reality check

    No Sh*t.

    Thats is were a consultant comes in, not /.

  2. Many go unpatched anyways by dpete4552 · · Score: 5, Informative

    http://www.pivx.com/larholm/unpatched/

    --
    http://www.archive.org/details/ThePowerOfNightmares
  3. At least give MS a go properly. by swmccracken · · Score: 5, Informative

    Install a copy of Software Update Services and then use group policies to configure your workstations to use and automatically install the patches.

    It's a partial solution, while it doesn't upgrade Internet Explorer itself, it *does* apply all relevant patches to IE and the OS.

    You do use Group Policies, right? This is one managment area where Windows 2000 out-of-the-box beats any Linux managment system hands down.

    Generally.. the patches aren't that important, but notable exceptions exist. (Such as Outlook Express opening certain mime types automatically! - virus writers were quick to take advantage of *that* one..) The problem is that you never quite know which ones are going to be important.

    1. Re:At least give MS a go properly. by SuiteSisterMary · · Score: 2, Informative

      Use IEAK to build a custom version of IE.

      Use Intellimirror if you're on an all Win2k+ network, to roll out, well, any software you want, really.

      Use SMS if you're not on an all Win2K network, to, well, roll out any software you want, really.

      Block the windowsupdate sites at your proxy.

      Do NOT let users have admin access to their own machines.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  4. IEAK by omega9 · · Score: 5, Informative

    There's a neat little took called IEAK, which stands for Internet Explorer Administration Kit. It lets you download IE and create your own custom set of installation files with only the options you want. You can even make the installation non-interactive to make sure it only does what it's told. Anyone who's done a major IE rollout has at least heard of IEAK. Since you didn't even mention it I'll guess you've either never done an IE rollout or you've got SARS and it made you forget about it.

    You also didn't mention your network setup. However, you're considering IE so I'm going to guess most of your clients are running Windows. Also, if you're really entering into a rollout your network must be on the larger side (else it would just be you installing something on a few machines). So if you've got a a)large b)Windows network there's a good chance you've got some kind of domain model there. Or at least something that provides login scripts. Go fix yourself up a custom IE install with IEAK and launch the setup from the login script. Heck, if you're running AD on a Win2K server whip up an MSI and push it out to the clients. But if you can't do enough research on you own to discover IEAK, then you probably won't even be able to spell MSI.

    If you've never heard of IEAK, got a large Windows network, and aren't using some sort of login script functionality, then the SARS has truely taken over and a browser rollout is the least of your troubles.

    DISCLAIMER: no SARS were injured during the creation of this reply

    --
    I'm against picketing, but I don't know how to show it.
  5. A reasonable idea by mnmn · · Score: 2, Informative


    In some browsers like opera, you can change the Client string so it looks like IE6. I did that with the opera browsers on some public Pentium2 computers and the clients have been happy to my knowledge. Opera is also more robust, low on resources and fast.

    I'm tempted to think something like cygwin rsync would work on windows machines to update opera. Of course, if you dont have apps that require win32, you can move to linux completely, possibly using xpde for naive clients.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  6. Re:Browser Fear by zzyp · · Score: 2, Informative

    Of course you can delete IE *completely* using this free utility, it doesn't work for SP2 and above on Windows 2000.

    http://www.litepc.com/ier_lic.html