Controlling your employees’ choice of web browser

How much control do you have over the web browsers used by the staff in your company?

I ask the question because on more and more occasions I’m hearing from system administrators and technical support staff about the problems they have with users running a variety of different web browsers, or different versions of the same web browser.

Issues of concern include:

1) Is the browser’s security strong enough to defend against malware/phishing? 

A regular theme on this blog and elsewhere is the growing threat from the web.

Malware authors compromise legitimate websites, inserting malicious content that redirects your browser to a site hosting malware. This malware is then installed using a variety of exploits, usually targeting the browser. 

Phishers can also take advantage of vulnerabilities and security weaknesses in web browsers to try and fool you into thinking you are on a legitimate site when, in fact, you are on a criminally-motivated replica.

2) Does your company have an infrastructure for rolling out updates in a timely fashion to the browser that your workers are using?

If a potpourri of different web browsers is in use inside your company, is it feasible to keep them all up-to-date and properly secured?

3) Do the websites and intranets that your users need to access properly support the web browser that your users have installed?

If you don’t know precisely which version of what browser your users are running, how can you hope to properly support them during their working day?  Some websites and web-based tools clearly work better on some browsers than on others.

Here’s an example of what happens if you access Facebook via Internet Explorer 6.02:


Obviously, the correct approach is for enterprises to set down a policy which defines a standard web browser for employees to use, and then ensure it is being kept up-to-date with the latest patches.

Users – the ultimate vulnerability

The challenge comes when that ultimate vulnerability in your organisation (the user) decides that they prefer some other browser.  For instance, maybe the corporate standard is Internet Explorer, but users decide to install and run Firefox instead. Even harder is when the standard is Firefox, but because Internet Explorer is installed as part of the operating system, it’s always going to be available to users.

Similar concerns surround Apple’s Safari browser that was controversially rolled out to Windows users with iTunes.  Concerns about how well Safari defended users against potential phishing sites made headline news when it was reported that PayPal’s security chief recommended users didn’t use their service with Safari.

Ensuring that all the standard applications are fully patched is a hard enough task for administrators, without the additional headache of trying to keep on top of non-standard applications installed without permission by users. This is where application control steps in.

How Application Control can enforce a policy as to which version of which browser is used in your company

The principle is very straightforward: anti-virus scanning is invoked whenever an application tries to run.  The executable is matched against characteristics, and if a match occurs the application is identified as malware and prevented from running. Application control is an extension of this, but instead of looking for malware, we match legitimate applications, such as the browser – and if the administrator has decided to block it, the application is stopped from executing. Simple really.

We’ve recently updated the list of applications that we control to include a number of different browsers, so if your corporate standard is Firefox, you can prevent anyone from running IE (or vice versa of course) and in the case of Safari, you can decide to block iTunes as well as Safari.  Maybe you want people to use Firefox or Internet Explorer 7, but not Internet Explorer 6.  Well, Application Control can do that too.

That way, you can focus on ensuring the web browser you have chosen for your users is being kept up-to-date, rather than worrying about all the others.
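To make the matching step concrete, here is an added sketch (not the product's own code) of the decision taken when an executable launches: identify it against a catalogue of legitimate applications, then block it only if the administrator has chosen to. The field names, catalogue entries and version strings are constructed for illustration, and matching on product and publisher stands in for whatever characteristics a real engine uses.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Executable:
    product: str    # product name read from the binary (constructed sample field)
    publisher: str  # signer / vendor name
    version: str    # dotted version string

@dataclass(frozen=True)
class Identity:
    app: str                     # name shown to the administrator
    product: str
    publisher: str
    major: Optional[int] = None  # None matches any version

# Constructed catalogue of legitimate applications the control can recognise.
CATALOGUE = [
    Identity("Internet Explorer 6", "Internet Explorer", "Microsoft Corporation", 6),
    Identity("Internet Explorer 7", "Internet Explorer", "Microsoft Corporation", 7),
    Identity("Firefox", "Firefox", "Mozilla Corporation"),
    Identity("Safari", "Safari", "Apple Inc."),
    Identity("iTunes", "iTunes", "Apple Inc."),
]

# Administrator's choice for a "Firefox or Internet Explorer 7" standard.
BLOCKED = {"Internet Explorer 6", "Safari", "iTunes"}

def major_version(version: str) -> Optional[int]:
    """Leading numeric component of a version string, or None if unparseable."""
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else None

def identify(exe: Executable) -> Optional[str]:
    """Return the catalogue name for a launching executable, or None if unknown."""
    for ident in CATALOGUE:
        if (exe.product, exe.publisher) != (ident.product, ident.publisher):
            continue
        if ident.major is None or ident.major == major_version(exe.version):
            return ident.app
    return None

def decide(exe: Executable, blocked=BLOCKED) -> Tuple[str, Optional[str]]:
    """Blocklist model: stop only identified applications the admin has blocked."""
    app = identify(exe)
    return ("block" if app in blocked else "allow", app)
```

A version the catalogue does not list comes back unidentified and is allowed to run, which is why the list of controlled applications has to be kept current.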