There has been a lot of talk in the security press lately about the need to upgrade Internet Explorer because of exploits such as the Operation Aurora attacks, and on general security principles.
Once you've updated your browsers, you may want to take steps to ensure nobody is accidentally using older versions of Internet Explorer, so I thought I'd post a 5-minute how-to for using Sophos Application Control to prevent these older versions from running.
First, edit the Application Control policy for the appropriate groups in Sophos Enterprise Console:
Ensure that the 'on-access' or 'on-demand and scheduled scanning' options are chosen as appropriate (I recommend on-access, which will prevent the browser from being run at all). Next, click on the 'Authorizations' tab:
Under the Authorization tab you need to select 'Internet Browsers' from the list:
Then choose the browsers you want to block. Move them from the 'Allowed' side to the 'Blocked' side by selecting the browser and clicking the '>' button.
Once you've clicked OK, SEC will tell you which groups this policy will apply to. Naturally, you need to be considerate of older servers running old OSes which may not be able to run current versions of IE.
While you're blocking older versions of Internet Explorer, you might consider locking down other browsers too: those you have no patch strategy for, those you can't centrally control, those your secure web gateway isn't configured for, and so on. After all, generally speaking, fewer browsers (and fewer unnecessary applications) mean a smaller attack surface for browsing-related vulnerabilities.
Safe surfing!
Michael Argast