Security Tip: 5 tips for better browser security

security.itworld.com | Security





My intent in this week's column is to review the top ways to harden a web-browsing environment, and not cover the entire breadth of browser security. Moreover, I'm sidestepping the argument about what browser is more secure by suggesting that you look more programmatically at what we can do to protect users regardless of browser choice. So here goes ...

#1. Enable only the browser technologies you need. If you don't need ActiveX, Java or the like, configure the browser or web gateways to turn them off. If someone must go to WhizBangActiveXsite.com, they can do so on their own systems at home, or you can build a few web-browsing kiosks on a separate network segment, or give them something like a Live CD environment. Then, users can visit the web sites that they "need" without endangering the organization. However, be careful about doing this for key technologies like JavaScript, as it may break things that you really need.

#2. Install up-to-date anti-virus and anti-spyware on every system (servers too). I know this is about browser security, but these components are the critical additional layers of defense against browser attacks. Put them on servers, because administrators have been known to browse from a server in "urgent situations". This might be forbidden by policy, but trust me, during penetration tests, we have compromised more than a few servers by the admins surfing to a client exploit site. It happens, so guard against it.

#3. Prevent users from loading arbitrary browser plugins and enhancements. Each new plugin and enhancement brings some form of risk. It could be malware code disguised as a plugin, or it could be a plugin technology that later turns out to be exploitable. I know this seems to minimize the user experience, but minimization is required to secure their working environment. If they want, or "need", to use some plugin, make the decision carefully. Lab test them before you agree to let them in the enterprise.

#4. Keep browsers up to date. Just like the OS, you must keep them patched. Users should be taught how to do this, or it should be automatic. Make sure this happens often enough to really be useful in protecting against threats. Once a month is likely not often enough. Once a week or so is more likely to be truly helpful. Test browser versions occasionally and spot-check them by reviewing your web gateway logs. Help the offenders understand the risk and bring them back into the fold by reinforcing to them how and why their browsers must be up to date. Be vigilant.
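One way to do the gateway log spot-check that tip #4 describes is to pull the User-Agent string out of each proxy log line and compare the browser version against a minimum you have decided on. The script below is an added example written for this column, not code from the column or from ITworld. The log lines are constructed in a combined-log style with a trailing quoted User-Agent, the minimum versions in MIN_VERSIONS are hypothetical placeholders for whatever your patch baseline currently is, and the function names (parse_version, identify_browser, audit_gateway_log) are assumptions of this example. It generalizes the column's advice slightly by also collecting user agents it cannot classify, since unmanaged or scripted clients on the network are worth a look of their own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample gateway log lines (combined-log style, User-Agent is the
# last quoted field). These are made up for this example, not from any real gateway.
SAMPLE_LOG = """\
10.1.2.10 - - [14/Mar/2008:09:12:01 -0500] "GET http://intranet.example/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
10.1.2.11 - - [14/Mar/2008:09:12:05 -0500] "GET http://news.example/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
10.1.2.12 - - [14/Mar/2008:09:13:44 -0500] "GET http://vendor.example/ HTTP/1.1" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.13 - - [14/Mar/2008:09:14:02 -0500] "GET http://intranet.example/ HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.1.2.14 - - [14/Mar/2008:09:14:30 -0500] "GET http://cdn.example/app.js HTTP/1.1" 200 40011 "-" "Wget/1.10.2"
"""

# Hypothetical minimum acceptable versions (assumption for this example, not a
# vendor recommendation). Replace with the versions your patch cycle currently requires.
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "Firefox": (2, 0, 0, 12),
    "MSIE": (7, 0),
}

# Client IP is the first field; the User-Agent is the last quoted field on the line.
_LINE_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
# Browser tokens this example understands: "Firefox/x.y.z" and "MSIE x.y".
_BROWSER_RE = re.compile(r'(Firefox)/([\d.]+)|(MSIE) ([\d.]+)')


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.0.12' into (2, 0, 0, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip(".").split(".") if part.isdigit())


def identify_browser(user_agent: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (browser name, version tuple) for a recognised User-Agent, else None."""
    match = _BROWSER_RE.search(user_agent)
    if not match:
        return None
    if match.group(1):
        return match.group(1), parse_version(match.group(2))
    return match.group(3), parse_version(match.group(4))


def audit_gateway_log(log_text: str,
                      minimums: Dict[str, Tuple[int, ...]] = MIN_VERSIONS
                      ) -> Dict[str, list]:
    """Scan log lines and report clients running a browser below its minimum version.

    Returns {"outdated": [(client_ip, browser, version_string), ...],
             "unrecognised": [user_agent, ...]} so that both the patch offenders and
    the clients the rule set cannot classify get a human look.
    """
    outdated: List[Tuple[str, str, str]] = []
    unrecognised: List[str] = []
    for line in log_text.splitlines():
        line_match = _LINE_RE.match(line)
        if not line_match:
            continue  # not a line in the expected format; skip rather than guess
        user_agent = line_match.group("ua")
        ident = identify_browser(user_agent)
        if ident is None:
            unrecognised.append(user_agent)
            continue
        name, version = ident
        minimum = minimums.get(name)
        if minimum is not None and version < minimum:
            outdated.append((line_match.group("ip"), name, ".".join(str(v) for v in version)))
    return {"outdated": outdated, "unrecognised": unrecognised}


if __name__ == "__main__":
    report = audit_gateway_log(SAMPLE_LOG)
    for ip, browser, version in report["outdated"]:
        print(f"OUTDATED  {ip:<12} {browser} {version}")
    for agent in report["unrecognised"]:
        print(f"UNKNOWN   {agent}")
```

Version tuples compare element by element, so a short version such as (2, 0) ranks below (2, 0, 0, 12); if your gateway logs abbreviated versions, pad them before comparing. User-Agent strings are client-supplied and easily changed, so treat this as a spot-check that finds honest stragglers, not as proof that a client is patched.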

#5. Teach your users to make better web-browsing choices. Hold lunch-and-learns and explain the threats, the common solutions and how to better secure and use a web browser. They can apply these skills at work and at home. Both will pay off for them and your organization, since they will better protect your data no matter where it is used. Don't just do the training once; try to have an ongoing program of awareness that reinforces security concepts and focuses on things like browser security and client-side attacks. The smarter they get about security, the better.

That's the top five. There are certainly more technical things you can do, but it would take a book to explain all of the options. Check out the browser vendor sites for more tips. Each browser vendor has tips for hardening their browser and increasing web-browser security. Familiarize yourself with them and then help users apply the changes you deem usable. In the meantime, patch against the current issues and pay attention to the alert mechanisms you follow. Browser vulnerabilities are coming fast and furious these days, and it looks like the issue is here to stay.
