Surf's up! Ride IE 7.0's secure wave
Microsoft Internet Explorer (IE) 7.0 is a core component of Windows Vista and is available for the latest versions of Windows XP and Windows Server 2003. This newest version of IE includes several cool new features, such as a streamlined interface, improved search integration, tabbed browsing, RSS feed compatibility, and advanced printing capabilities (e.g., IE 7.0 reformats printed output to match the paper size rather than just cutting off text). But one of the biggest improvements is IE 7.0's enhanced security. The browser offers ActiveX component restrictions, phishing protection to help determine when a Web site might be trying to obtain personal information, and improved security status highlighting that changes the address bar to green for high-assurance Web sites.
These security enhancements make IE 7.0 valuable in most environments. Therefore, Microsoft is pushing the browser as a high-priority update. So if your organization lets clients automatically update programs, you might not need to deploy IE 7.0 yourself. During the automatic update, the end user sees the dialog box that Figure 1 shows. The user must click Ask Me Later, Don't Install, or Install. If the user chooses not to install the update, you can manually deploy it later. (For information about preventing automatic updates, see the sidebar "Preventing Internet Explorer 7.0 Automatic Deployment".)
Deploying Internet Explorer 7.0
If IE 7.0 isn't automatically deployed in your organization, you can download the browser from Microsoft's Web site (http://www.microsoft.com/windows/ie/downloads/default.mspx). IE 7.0 is available for Windows XP Professional x64 Edition, Windows XP SP2, and various versions of Windows Server 2003 (e.g., Service Pack 1—SP1, x64, IA-64). Several installation methods are available. The end user or administrator can click a link, you can run a script from the downloaded file or a customized package, or you can use Windows Server Update Services (WSUS) or Microsoft Systems Management Server (SMS) 2003 to deploy the browser. In addition, users can manually install IE 7.0 from a network share or CD-ROM.
The IE 7.0 deployment file for 32-bit XP environments (i.e., IE7-WindowsXP-x86-enu.exe) has two switches that are useful for automated deployments. The -passive switch shows the progress of the IE 7.0 installation but doesn't prompt the user for any information. The -quiet switch doesn't display any dialog boxes.
For organizations that use WSUS, IE 7.0 appears as a 15MB update rollup option. You can use standard WSUS procedures to configure IE 7.0 deployment. The browser will then deploy automatically and users can decide whether to install, not install, or postpone installation.
If your organization uses SMS, the Inventory Tool for Microsoft Updates (ITMU) makes IE 7.0 available as part of the standard Microsoft Software Update Services (SUS) functionality. You can use SMS's reboot features to control the deployment's system restart requirements rather than using the IE 7.0 installation options. You can also build a package of the downloaded IE 7.0 executable file with various switches to create a silent installation. Alternatively, you can use the Internet Explorer Administration Kit (IEAK) to create a customized IE 7.0 package for a more controlled deployment.
Internet Explorer Administration Kit. The IEAK 7.0 is available from http://www.microsoft.com/technet/prodtechnol/ie/ieak7/default.mspx and comprises two main components, the Internet Explorer Customization Wizard and the IEAK Profile Manager. During installation you're prompted for how you plan to use the tool (e.g., in a corporate environment, as an ISP). For the purposes of this article, let's assume a corporate environment.
To use the IEAK to create a customized IE 7.0 installation file, start the Internet Explorer Customization Wizard. From the Start menu, select Programs, Microsoft IEAK 7, Internet Explorer Customization Wizard. The first step is to gather the required information related to deploying IE 7.0; click Next in the wizard's introduction dialog box to get started. In the File Locations dialog box that opens, browse to the folder where you want to create the deployment build. By default, this location is a folder under C:\builds named for today's date. The Advanced Options button that Figure 2 shows lets you configure automatic downloading of components and specify where to download components during the build process. After you set these options, click Next.
A drop-down list then lets you select the target client platform, which controls the version of IE you need to deploy (e.g., Vista—x86-based, XP SP2). Next, select the language to use (the default is English). The next dialog box that opens lets you choose the destination media type for the customization: a file, an autorun CD-ROM, or the configuration-only information to use for clients that are already running IE 7.0. (The configuration-only option is for environments that don't use Active Directory—AD—and therefore can't use Group Policy.)
The wizard then displays a list of features that require customization, as Figure 3 shows. If you'll use Group Policy, you need to select only a few features. Select the features you want to customize, and click Next.
Now you must select where to download components from. Click Next in the introduction dialog box. The wizard will connect to Microsoft's Web site and check the latest version available. If you've previously run the IEAK and already have a downloaded build, the wizard will also show the version on your machine. If you don't have a local build, or a newer version exists, click Synchronize to download the latest version to your machine, then click Next.
You can add as many as 10 custom components to include with an IE 7.0 deployment. You can configure these components to run before IE installation, after installation, or when the system restarts after installation. After you add the custom components you want, click Next.
The next step in creating a customized installation is to configure the malicious software removal tool to run before IE 7.0 installation and to allow the updates to install. You also need to enable the option to let users configure the default browser behavior. Finally, you need to specify whether to store uninstallation data on the client machines (which uses valuable disk space).
Depending on the selected options for the features to be customized, you might need to configure whether the user is prompted for input during installation and whether the system reboots automatically. Additional customization options include program settings for add-ins and HTML editing programs. Some of the options that are configurable as part of Group Policy are also available as settings. Note that these preferences are set during installation configuration and aren't reapplied if the user modifies them, which is an advantage of using Group Policy for customization.
After you configure all the options to create your customized package, you can use SMS or a third-party solution to deploy the package to clients. Depending on the options you selected, users might see IE updates downloading and might need to click to accept various validation screens. After you use the Internet Explorer Customization Wizard to create a package, you can use the IEAK Profile Manager to edit the package's .ins file to modify settings and create new profiles as necessary, as Figure 4 shows.
Configuring Internet Explorer 7.0
Deploying IE 7.0 to users is only half the battle. You also must ensure that users know how to use the browser and that your administrative configurations create an optimal end-user experience. The IEAK is useful for creating a deployment package with initial settings and a degree of lockdown. However, the IEAK doesn't let you make configuration changes after the browser deploys. In an environment that doesn't use AD, using the IEAK for initial configuration is acceptable—with later changes made through local policy pushes or registry changes. But in environments that use AD, Group Policy is preferable for configuration management.
An updated Group Policy template for IE 7.0 is installed automatically during IE 7.0 installation. The IE Client Side Extension (CSE) that's responsible for processing Group Policy settings related to the browser refreshes constantly and corrects changes that conflict with Group Policy. IE 7.0 settings that were previously preferences (i.e., registry value settings that aren't in standard Group Policy areas and are considered tattooed on the client computer) are now true policies.
Perhaps you don't want to install IE 7.0 on your servers to obtain the updated IE configuration file (i.e., inetres.adm). Two alternatives are available. You can copy the file from the C:\Windows\inf folder on a client with IE 7.0 installed to the C:\Windows\inf folder on the server, or you can edit Group Policy from an XP workstation that has IE 7.0 installed.
To see the new Group Policy settings for IE 7.0, open inetres.adm in Notepad or another text editing application and search for the text !!SUPPORTED_IE7. You'll also notice some !!SUPPORTED_IE7Vista entries; these settings are for IE 7.0 running on Vista and relate to protected-mode operation, which stops elevation-of-privilege attacks.
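The same search can be scripted so that each hit is reported with its category path and display name. The following is an added example, not part of the original article or of Microsoft's tooling: the sample template text and all Example* names in it are constructed, and only the SUPPORTED_IE7 and SUPPORTED_IE7Vista string IDs come from the text above.

```python
import re

# Constructed sample in ADM template syntax. Category and policy names are
# invented for illustration; they are not taken from the real inetres.adm.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!ExampleTop
  CATEGORY !!ExampleFeeds
    POLICY !!ExampleBlockEnclosures
      SUPPORTED !!SUPPORTED_IE7
    END POLICY
  END CATEGORY
  POLICY !!ExampleProtectedMode
    SUPPORTED !!SUPPORTED_IE7Vista
  END POLICY
  POLICY !!ExampleOlderSetting
    SUPPORTED !!SUPPORTED_ExampleOlder
  END POLICY
END CATEGORY
[strings]
ExampleTop="Example browser settings"
ExampleFeeds="Example feed settings"
ExampleBlockEnclosures="Example: block enclosure downloads"
ExampleProtectedMode="Example: protected-mode setting"
'''

BLOCK = re.compile(r'^(END\s+)?(CATEGORY|POLICY)\b\s*(.*)$', re.I)
SUPPORTED = re.compile(r'^SUPPORTED\s+!!(\w+)', re.I)

def ie7_policies(adm_text):
    """Map each SUPPORTED_IE7* string ID to [(category path, policy name)]."""
    parts = re.split(r'(?im)^\s*\[strings\]\s*$', adm_text, maxsplit=1)
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', "".join(parts[1:])))
    def show(name):  # resolve a !!StringID reference, else strip the quotes
        return strings.get(name[2:], name) if name.startswith("!!") else name.strip('"')
    result, categories, policy = {}, [], None
    for line in map(str.strip, parts[0].splitlines()):
        block, sup = BLOCK.match(line), SUPPORTED.match(line)
        if block:
            closing, kind, name = block.group(1), block.group(2).upper(), block.group(3)
            if kind == "POLICY":
                policy = None if closing else show(name)
            elif not closing:
                categories.append(show(name))
            elif categories:
                categories.pop()
        elif sup and policy and sup.group(1).startswith("SUPPORTED_IE7"):
            result.setdefault(sup.group(1), []).append((" > ".join(categories), policy))
    return result
```

Pass the function the decoded text of your copy of inetres.adm; keeping the two tags separate shows at a glance which settings only take effect on Vista clients.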
When you view a policy in the Group Policy Object Editor window, which Figure 5 shows, the description text shows whether the policy applies to IE 7.0 or above. You might want to spend some time familiarizing yourself with the Group Policy areas so that you understand how IE 7.0's new functionality will affect your organization. You need to know which policies are available to configure and control new areas, and you need to be aware of improved methods for controlling existing functionality.
One of the new functionality areas is RSS Feeds. You can use Group Policy to configure how feeds are discovered, which stops IE from highlighting and advertising whether an RSS feed is available on a Web page. In addition, you can restrict users from subscribing to or unsubscribing from feeds, as well as block users from downloading enclosures (i.e., files attached as part of a feed). Finally, several core features have a Group Policy entry on the IE administrative template. For example, you can enable phishing protection to highlight Web sites that might be trying to fraudulently obtain information.
IE 7.0 has many security perks and useful features that make the browser valuable for most organizations. Unless your enterprise subscribes to Microsoft's automatic updates, you need to plan for IE 7.0 deployment. However, simply deploying the browser isn't enough. To take full advantage of IE 7.0's features, you also must plan for its long-term configuration and management.
DIFFICULTY: 2 out of 5