Fri 05-Feb-2010 19:07
There has been a lot of talk in the security press lately about the need to upgrade your Internet Explorer due to exploits, things like the Operation Aurora attacks and general security principles.
Once you've updated your browsers, you may want to take steps to ensure nobody is accidentally using older versions of Internet Explorer, so I thought I'd post a 5-minute how-to on how to use Sophos Application Control to prevent these older versions from running.
First, edit the Application Control policy for the appropriate groups in Sophos Enterprise Console:
Ensure that the 'on-access' or 'on-demand and scheduled scanning' options are chosen as appropriate (I recommend on-access - this will prevent the browser from being run). Next click on the 'Authorizations' tab:
Under the Authorization tab you need to select 'Internet Browsers' from the list:
And choose the browsers you want to Block. Move them from the 'Allowed' side to the 'Blocked' side by selecting the browser and clicking the '>' button.
Once you've hit okay, SEC will alert you to which groups this policy will apply to. Naturally, you need to be considerate of older servers running old OSes which may not be able to run current IEs, etc.
While you're blocking older versions of Internet Explorer, you might consider locking down other browsers which you don't have patch strategies for, are unable to centrally control and configure secure web gateways for, etc. After all, generally speaking, fewer browsers (and other unnecessary applications) reduce the surface area of risk related to browsing vulnerabilities.
Mon 08-Feb-2010 09:28
Mon 08-Feb-2010 10:29
Thanks for that Michael, I've just changed the app control settings and immediately 2 computers have been flagged with IE6, despite having IE7 rolled out across the network! The thought of blocking an "old", yet legitimate program hadn't even entered my mind, so really appreciate the thought!
Mon 08-Feb-2010 11:38
Nice how-to, Michael.
There is one problem though: you can't "monitor" some applications while blocking others (since Detect but allow to run is a global flag) - this has already been mentioned (for example here).