Internet Explorer 7

1
Internet Explorer 7

• Advice for the NHS using NPfIT Applications
• September 2006

2
Agenda

• Summary Advice for the NHS
• IE7 Upgrade Process Options
• IE7 Security Features

3
Summary Advice for the NHS

• If you use NPfIT applications provided by an LSP
  or NASP
• Dont install IE7 yet
• Install the Blocker to prevent WU automatically
  upgrading systems to IE7
• Test all your own critical applications with the
  latest version of IE7 available
• Wait until your LSP confirms that all NCRS/NPfIT
  applications are compatible
• If you dont yet use NPfIT applications provided
  by an LSP or NASP
• Dont install IE7 yet
• Install the Blocker to prevent WU automatically
  upgrading systems to IE7
• Test all critical applications with the latest
  version of IE7 available

4
IE7 Upgrade Process Options
5
Upgrade to IE7?
Minus
Plus

• New Features
• Tabbed browser
• RSS
• Page zoom
• More Manageable
• Group Policy settings
• Enhanced Security

• Only available on
• Windows XP SP2
• Windows Server 2003 SP1
• IE7 Beta known to break some NCRS applications

6
Other Windows Versions

• All versions of Windows prior to XP SP2 should
  continue to run IE6

7
IE7 Automatic Upgrade

• Microsoft treating IE7 as a Hot Fix to IE6
• When released IE7 will be a High Priority Update
  on Windows Update (WSUS)
• It will be automatically installed on clients
  using Windows Update (WSUS)
• Some NCRS/NPfIT applications are known not to
  work with IE7 beta
• How do we prevent the automatic install of IE7?

8
Preventing the Upgrade

• If using WSUS, SUS or SMS to deploy updates
• Do not approve the IE7 update
• If manually using Windows Update (from Start
  menu)
• Tools available to prevent the IE7 update being
  applied
• Download from Microsoft Web site as a toolkit
  from
• http//go.microsoft.com/fwlink/?linkid65788
• Where users have Local Administrator rights
• Either remove those rights (unlikely) or provide
  advice guidance

9
Disabling Delivery of IE7

• Will prevent machines receiving IE7 as a
  high-priority update via Automatic Updates and
  the Express install option on the Windows
  Update and Microsoft Update sites.
• The Blocker Toolkit will not expire
• Will NOT prevent manual installations of IE7 as a
  Recommended Update from the Windows Update or
  Microsoft Update sites, from the Microsoft
  Download Center (sic), or from external media.
• Erroneous IE7 installations can be uninstalled
  using Add/Remove Programs

10
How the Toolkit works

• Blocker script sets a registry setting on a
  computer
• Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsof
  t\Internet Explorer\Setup\7.0
• Key value name DoNotAllowIE70
• Value set to 1 to block install
• Script run asIE70Blocker.cmd ltmachine namegt
  /B /U /H
• Group Policy template ADM file also supplied

11
New Features of IE 7
12
IE7 Security Features

• Protect the machine
• Protect the user against misleading downloads
  and websites

13
Protect the Machine

• Unified URL parsing
• URLs passed as strings may be parsed
  inconsistently through the stack
• Special characters complicate URL parsing
• http//www.good.com_at_bad.com
• Cross-domain security enhancements
• Limit scripts on web pages from interacting with
  content from other domains or windows
• Code quality improvements to reduce buffer
  overruns

14
Protect the Machine

• ActiveX Opt-in
• IE6 blocked signed ActiveX controls with the
  Information bar,but pre-installed controls would
  run silently
• IE7 blocks pre-installed ActiveX controls with
  the Information bar on first run (or via Add-on
  Manager)
• Protected Mode (Microsoft Windows Vista only)
• IE7 runs in isolation from other applications
• Cannot write beyond Temporary Internet Files
  without user consent

15
Protect the User

• Download scanning with Windows Defender
• Phishing Filter
• High-assurance SSL and address bar
• Address bar shown in all windows
• Colour of address bar indicates potential threat

16
Protect the User

• Dangerous settings notification
• "Fix My Settings" feature warns when your
  Internet settings may be unsafe and resets them
• Secure defaults for IDN (International Domain
  Names)
• Warns when visually similar characters in URL are
  not in same language
• Parental controls (Windows Vista only)
• Can restrict access
• Logs sites browsed

17
Resources further information

• http//www.microsoft.com/windows/ie/ie7/about/feat
  ures/default.mspx
• http//blogs.msdn.com/ie
• Toolkit to block upgrade to IE7
• http//go.microsoft.com/fwlink/?linkid65788