How to block older versions of Internet Explorer (IE6, etc) with App Control
Fri 05-Feb-2010 19:07
There has been a lot of talk in the security press lately about the need to upgrade your Internet Explorer due to exploits, things like the Operation Aurora attacks and general security principles.
Once you've updated your browsers, you may want to take steps to ensure nobody is accidentally using older versions of Internet Explorer, so I thought I'd post a 5-minute how-to on how to use Sophos Application Control to prevent these older versions from running.
First, edit the Application Control policy for the appropriate groups in Sophos Enterprise Console:

Ensure that the 'on-access' or 'on-demand and scheduled scanning' options are chosen as appropriate (I recommend on-access - this will prevent the browser from being run). Next click on the 'Authorizations' tab:

Under the Authorization tab you need to select 'Internet Browsers' from the list:

And choose the browsers you want to block. Move them from the 'Allowed' side to the 'Blocked' side by selecting the browser and clicking the '>' button.

Once you've hit okay, SEC will alert you to which groups this policy will apply to. Naturally, you need to be considerate of older servers running old OSes which may not be able to run current IEs, etc.

While you're blocking older versions of Internet Explorer, you might consider locking down other browsers which you don't have patch strategies for, are unable to centrally control and configure secure web gateways for, etc. After all, generally speaking, fewer browsers (and other unnecessary applications) reduce the surface area of risk related to browsing vulnerabilities.
Safe surfing!
Michael Argast
Re: How to block older versions of Internet Explorer (IE6, etc) with App Control
Mon 08-Feb-2010 09:28
Good advice, thanks Michael.
Sandy.
Communities Moderator.
Sophos, Abingdon, UK
Follow us on Twitter @sophossupport
Re: How to block older versions of Internet Explorer (IE6, etc) with App Control
Mon 08-Feb-2010 10:29
Thanks for that Michael, I've just changed the app control settings and immediately 2 computers have been flagged with IE6, despite having IE7 rolled out across the network! The thought of blocking an "old", yet legitimate program hadn't even entered my mind, so really appreciate the thought!
ICT Service Desk Technician
The Woodlands School & Sports College
Re: How to block older versions of Internet Explorer (IE6, etc) with App Control
Mon 08-Feb-2010 11:38
Nice how-to, Michael.
There is one problem though: you can't "monitor" some applications while blocking others (since 'Detect but allow to run' is a global flag) - this has already been mentioned (for example here).
Christian


