There are probably as many holes in Windows' and Internet Explorer's security infrastructure than there once were in the poorly maintained roads of legend in Blackburn, Lancashire (4,000, according to a 1967 U.K. Daily Mail news story famously paraphrased by John Lennon).

One of the things I like about Windows XP is its ability to heal thyself, using Auto Update to download and apply patches to fill those holes as Microsoft deems necessary. Unfortunately, it needs to do that way too often. That is very likely to become a problem when Microsoft releases Internet Explorer 7.

It's one thing to have Auto Update enabled for your PC at home, but turn it on in an enterprise environment with thousands of computers, and you've got trouble, my friend. The issue is that on systems with administrator access and Auto Update enabled, IE 7 will be downloaded, whether you like it or not. Fortunately, there's a way to throw up a roadblock, something you'll almost certainly want your customers to do until they've tested IE 7 for compatibility with custom applications, scripts, XML code, and a whole truckload more.

Here's where the problem starts. According to Microsoft, "to help our customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 7 as a high-priority update via Automatic Updates for Windows XP and Windows Server 2003 soon after the final version of the browser is released (planned for fourth quarter 2006)."

Well, gee, that's really swell. The fact is, IE 7 is an enormous improvement. Its ability to open multiple Web sites as tabs in a single window, rather than as multiple instances of IE, makes the update worthwhile. IE 7 is also much better at identifying fraudulent phishing sites. I've been using it for nearly a year on a non-production PC, and I like it a lot.

But a corporate environment is different. Willy-nilly deployment is not a good thing. Thank goodness there's a way to prevent this from taking place.

"Microsoft is making a non-expiring Blocker Toolkit available for those organizations that would like to block automatic delivery of Internet Explorer 7 to machines in environments where Automatic Updates is enabled."

The key phrase there is "non-expiring." Run the blocker and IE 7 is kept away until you or your customers' IT departments decide its ok. This is very similar to the blocker toolkit that was made available to prevent download and installation of XP's Service Pack 2. The toolkit contains both an executable blocker script and a Group Policy Administrative Template (.ADM file).

According to Microsoft, the blocker toolkit need not be deployed in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. "Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 7, within their environment."

That's fine for enterprises that have these tools deployed. Of course, they need to be configured to intercept IE 7. Unfortunately, many small and medium businesses don't have these tools, either for lack of budget, staff, or expertise. For them, installing the blocker toolkit is the way to go.

You can find the toolkit and supporting documentation here.

I've talked to a couple of integrators who plan to deploy the blocker, recommending that customers skip the initial release IE 7. Of course, since we don't know when IE 7 will be released, we certainly have no idea when a service pack will appear.

By the way, about those pothole-riddled English roads. Though the holes were rather small they chose to count them all. Legend has it that Lennon and a friend joked about the amount of patching material needed to repair all 4,000, apparently concluding it might be roughly equal to the interior cubic volume of a famous London concert venue. And that's how they came to know how many holes it takes to fill the Albert Hall.

ITworld.com

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine