Occasional Visitor
michaelargast
Posts: 1
Registered: ‎Wed 02-Dec-2009

How to block older versions of Internet Explorer (IE6, etc) with App Control

There has been a lot of talk in the security press lately about the need to upgrade your Internet Explorer due to exploits, things like the Operation Aurora attacks and general security principles.

 

Once you've updated your browsers, you may want to take steps to ensure nobody is accidentally using older versions of Internet Explorer, so I thought I'd post a 5-minute how-to on how to use Sophos Application Control to prevent these older versions from running.

 

First, edit the Application Control policy for the appropriate groups in Sophos Enterprise Console:

View/Edit Policy

 

Ensure that the 'on-access' or 'on-demand and scheduled scanning' options are chosen as appropriate (I recommend on-access - this will prevent the browser from being run). Next click on the 'Authorizations' tab:

 

Under the Authorizations tab you need to select 'Internet Browsers' from the list:

And choose the browsers you want to block. Move them from the 'Allowed' side to the 'Blocked' side by selecting the browser and clicking the '>' button.

Once you've hit okay, SEC will alert you to which groups this policy will apply to. Naturally, you need to be considerate of older servers running old OSes which may not be able to run current IEs, etc.

 

 

While you're blocking older versions of Internet Explorer, you might consider locking down other browsers which you don't have patch strategies for, are unable to centrally control and configure secure web gateways for, etc. After all, generally speaking, fewer browsers (and other unnecessary applications) reduce the surface area of risk related to browsing vulnerabilities.

Safe surfing!

 

Michael Argast

Moderator
sandy
Posts: 1,082
Registered: ‎Mon 16-Nov-2009

Re: How to block older versions of Internet Explorer (IE6, etc) with App Control

Good advice, thanks Michael.


Sandy.

Communities Moderator, Sophos
Frequent Advisor
humungo6
Posts: 37
Registered: ‎Wed 09-Dec-2009

Re: How to block older versions of Internet Explorer (IE6, etc) with App Control

Thanks for that Michael, I've just changed the app control settings and immediately 2 computers have been flagged with IE6, despite having IE7 rolled out across the network! The thought of blocking an "old", yet legitimate program hadn't even entered my mind, so really appreciate the thought!

David Hughes
ICT Service Desk Technician
The Woodlands School & Sports College
Executive VIP
QC
Posts: 4,539
Registered: ‎Mon 23-Nov-2009

Re: How to block older versions of Internet Explorer (IE6, etc) with App Control

Nice how-to, Michael.

There is one problem though: you can't "monitor" some applications while blocking others (since Detect but allow to run is a global flag) - this has already been mentioned (for example here).

 

Christian