Slashdot Mirror
Enterprise-wide Browser Upgrades, IE, and Patching?
newkid asks: "Our company needs to upgrade its standard browser, a difficult decision when we factor security, compatibility and the logistics of actually doing it. For compatibility, Internet Explorer is required by internal applications like IBM Tivoli Storage Manager, so we have to keep it. On the security front, expert bulletins keep ranting every week about the latest gaping holes in IE but nobody really seems concerned: for example, many on-line banking services only work in IE, and they don't check for patches. Meanwhile, users do not care, as a large portion of the traffic still comes from IE 5.5, a version discontinued by Microsoft.
As for logistics,the software distribution technology and the cost of patching both make the project much larger than we can undertake this year.
Our two options are: roll-out IE without patching, or roll-out IE and Netscape, but lock IE so it can only surf on intranet sites, and update NS with rsync or Ant. What is your company doing? What is your strategy? How serious are the security threats? What are the documented security breach caused by IE? We need a reality check."
http://www.pivx.com/larholm/unpatched/
http://www.archive.org/details/ThePowerOfNightmares
Why can't you install Mozilla on a couple of shares and update them. It doesn't have to be on a local machine, and most internal networks remain fairly idle. (The other 60+mbps not being using by an external source.)
On a very different note: these machines are running Windows, right? Why the security concern over IE?
Send an anonymous email with the Microsoft IE download link to the entire corporation, the day before you take a vacation. If your helpdesk is up to snuff, it should be all set when you get back.
Oh, and look for snakes in your office when you get back.
We've put Phoenix on the desktop, and quick launch bars.
We hid explorer in the Programs->Accessories->System Tools.
And of course, you get Konqouror and Phoenix when you log into our VNC server.
But as far as risk is concerned:
Lthe largest risk is Outlook and Outlook Express - they use the core of IE to do their mail previews. Most of our users don't visit odd websites - but they sure could be sent a virus now and then.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
MyCorp finally decided that IE 6 was an improvement over NS 4.7 for our Windows machines. Despite disliking the borglike tactics of MS, the decision made sense locally. It's almost easier to just let Windows have its way and use IE by default. But I would insure the security patches are up to date. Use SMS to update them.
Our migration to IE was decided before Mozilla was as good as it is now. Also, Opera ain't bad, nor Konqueror/Safari. Check `em all out and keep your internal sites W3C standards compliant so you have options in the future instead of handcuffs.
"Provided by the management for your protection."
You mentioned that tivoli's storage manager requires IE but a quick look at their product info page indicats that they support HP/UX,linux,Solaris and other clients and if that is the case then their web software must work with other web clients.
I do all my banking, and the company's with Mozilla with no problems. A friend of mine also uses Moz for his banking. That's three separate banks that have no problem with Mozilla.
There are probably more good choices in web browsers right now than there ever was. It is a good time for change.
1) Performance will be an issue if you upgrade from 4.x to a current version of Netscape. Phoenix might be a better solution. There's Opera, too. What kind of processors/OS are you running?
2) Banking sites can usually be tricked with a simple change in the Useragent string in Mozilla/Netscape. Are you sure you need IE?
"I assumed blithely that there were no elves out there in the darkness"
Netscape is going to be leaunching the latest version of the Netscape 7.x browser line (probably 7.5) in the next few months. Now that Mozilla/mozilla.org is closing in on 1.4 final, the NEtscape folks will go into hugh gear for the commercial release to be based on 1.4 final, instead of the 1.0.x branch like NS 7.02 is. This will be the best commercial browser on the market, possibly ever. I'd suggest you wait until the release (final probably late this summer) before you roll out. You'll be far more secure, have a cross platform standard, and with IBM's work on their products, possibly be looking at accessing many apps that are currently IE only from other browsers.
jX [ Make everything as simple as possible, but no simpler. - Einstein ]
You have to apply the latest Microsoft patches right away, or hackers will come along and break your system. But the patches themselves will break your system once you apply them. You might as well give up now, and krazy-glue the ctrl-alt-and del keys to the bottom of you keyboard.
_
_______________________________________________
If it doesn't fit, file it. But it gets dirty and you can't clean it. So you have to THORW IT AWAY!!
That's odd, we're an all Unix shop and so our Tivoli storage manager is viewed on Netscape (4.79). So, I'm a bit surprised to see that you need to maintain connectivity with the Tivoli system. Also surprised since IBM has a Linix port (previous Slashdot article).
What those who want activist courts fear is rule by the people.
Install a copy of Software Update Services and then use group policies to configure your workstations to use and automatically install the patches.
It's a partial solution, while it doesn't upgrade Internet Explorer itself, it *does* apply all relevant patches to IE and the OS.
You do use Group Policies, right? This is one managment area where Windows 2000 out-of-the-box beats any Linux managment system hands down.
Generally.. the patches aren't that important, but notable exceptions exist. (Such as Outlook Express opening certain mime types automatically! - virus writers were quick to take advantage of *that* one..) The problem is that you never quite know which ones are going to be important.
There's a neat little took called IEAK, which stands for Internet Explorer Administration Kit. It lets you download IE and create your own custom set of installation files with only the options you want. You can even make the installation non-interactive to make sure it only does what it's told. Anyone who's done a major IE rollout has at least heard of IEAK. Since you didn't even mention it I'll guess you've either never done an IE rollout or you've got SARS and it made you forget about it.
You also didn't mention your network setup. However, you're considering IE so I'm going to guess most of your clients are running Windows. Also, if you're really entering into a rollout your network must be on the larger side (else it would just be you installing something on a few machines). So if you've got a a)large b)Windows network there's a good chance you've got some kind of domain model there. Or at least something that provides login scripts. Go fix yourself up a custom IE install with IEAK and launch the setup from the login script. Heck, if you're running AD on a Win2K server whip up an MSI and push it out to the clients. But if you can't do enough research on you own to discover IEAK, then you probably won't even be able to spell MSI.
If you've never heard of IEAK, got a large Windows network, and aren't using some sort of login script functionality, then the SARS has truely taken over and a browser rollout is the least of your troubles.
DISCLAIMER: no SARS were injured during the creation of this reply
I'm against picketing, but I don't know how to show it.
In some browsers like opera, you can change the Client string so it looks like IE6. I did that with the opera browsers on some public Pentium2 computers and the clients have been happy to my knowledge. Opera is also more robust, low on resources and fast.
I'm tempted to think something like cygwin rsync would work on windows machines to update opera. Of course, if you dont have apps that require win32, you can move to linux completely, possibly using xpde for naive clients.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Of course you can delete IE *completely* using this free utility, it doesn't work for SP2 and above on Windows 2000.
http://www.litepc.com/ier_lic.html