There’s a fine line between protecting a business’ network and sending end users into a help desk-haranguing rampage. A customer service representative does his taxes between calls. A saleswoman plays an occasional game of Internet backgammon during the day. The office manager spends time surfing the Web, looking for just the right pair of shoes.
Those scenarios may be disturbing enough to company executives—after all, it does cut down on productivity—but that should be the least of their worries. More worrisome, by far, is the possibility that in visiting one of those sites, an employee downloads an infected piece of code or invites spyware onto the corporate network.
Neither vendors nor end users are taking the danger lightly. Microsoft has embedded what it calls a Phishing Filter in Windows Internet Explorer 7 for Windows XP Service Pack 2 and Windows Vista. The filter scans Web addresses and Web pages for characteristics associated with known online Web fraud or phishing scams. Similarly, Mozilla has announced that the next version of Firefox will include protection against malicious downloads from Web sites.
But organizations shouldn’t let browser safeguards lull them into a false sense of security, said Tim Hickernell, lead analyst at Info-Tech Research Group, of London, Ontario, given that such features don’t constitute business-strength security.
“Don’t think that just because browsers have more security features, that it’s a good enough defense. It’s not really meant for companies; it’s more for consumers. You have to take more measures,” he said.
Monitoring and restricting users to safe Web sites is critical to a company’s security, but it can also be quite restrictive. If, for example, a company chooses to fully lock down users’ browsers—not allowing them to change any settings or install any software—it’s likely that the IT staff will be bombarded with requests from users to install software or a plug-in needed for a certain task. On the other hand, if users are given free rein, problems are likely to ensue.
So how do you decide how far to go? That depends on many factors, from the company’s mission and industry, to management’s tolerance, to the IT staff’s capability and size, to the needs of specific user groups.
For some environments, such as highly secure industries, or for some user groups, such as administrative staff, it can make sense to lock down the browser as much as possible. It’s fairly easy to do, both at the network and PC level.
At the network level, IT staff can choose to lock down access to specific Internet protocols and Web sites. Also possible at the network level is segmenting users by IP addresses, fully locking down browsers for some segments and having less restrictive controls for others, depending on job function.
At the user level, the IT staff can configure PCs, via a free tool from Microsoft called IEAK (Internet Explorer Administration Kit), to prohibit administrative privileges and maintain appropriate browser settings. Both approaches can provide a full lockdown—no way to change settings, and no way to download software.
The full lockdown approach is extremely restrictive, and many companies are hesitant to use it. If there is a legitimate business need to allow users to install software, another option is to define a set of applications from trusted publishers and allow downloads only from that list. That can be done cheaply and easily through browser settings, with help from commercial software like McAfee Total Protection, Symantec’s Norton 360 or Microsoft Forefront.
A less restrictive level is allowing users to install virtually anything they want, but reserving the right to deny installation via a host-based intrusion prevention system, such as Cisco Security Agent, Symantec LiveState Recovery Desktop Suite or McAfee Total Protection.
Still another option is to use an off-the-shelf system that provides behavior blocking—software that monitors the executable actions of potentially malicious software. Examples include McAfee SiteAdvisor, Symantec Endpoint Protection, Sophos Anti-Virus and Sophos Enterprise Console, and Finjan’s Application-Level Behavior Blocking and URL filtering.
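To make the tiered approach above concrete, here is an added example (not from the article or any of the vendors named) that models segmenting users by IP range and applying one of the three policy levels per segment: full lockdown, installs only from a trusted-publisher list, or permissive with a host-based intrusion prevention denylist. The IP ranges, publisher names and package names are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

class Tier(Enum):
    FULL_LOCKDOWN = 1    # no settings changes, no downloads at all
    TRUSTED_ONLY = 2     # installs only from an approved publisher list
    PERMISSIVE = 3       # anything goes, but the host IPS may still deny

# Constructed sample: which user segment (by IP range) gets which tier.
SEGMENTS = [
    (ip_network("10.1.0.0/24"), Tier.FULL_LOCKDOWN),   # administrative staff
    (ip_network("10.2.0.0/24"), Tier.TRUSTED_ONLY),    # sales
    (ip_network("10.3.0.0/24"), Tier.PERMISSIVE),      # engineering
]
TRUSTED_PUBLISHERS = {"Example Corp", "Example Plug-in Vendor"}  # constructed
HIPS_DENY = {"Example Screensaver Pack"}  # constructed: packages flagged by host IPS

@dataclass
class Decision:
    allowed: bool
    reason: str

def tier_for(ip: str) -> Tier:
    """Map a client address to its policy tier; unknown segments get the strictest tier."""
    addr = ip_address(ip)
    for net, tier in SEGMENTS:
        if addr in net:
            return tier
    return Tier.FULL_LOCKDOWN

def install_decision(ip: str, app: str, publisher: str) -> Decision:
    """Decide whether a user at `ip` may install `app` from `publisher`."""
    tier = tier_for(ip)
    if tier is Tier.FULL_LOCKDOWN:
        return Decision(False, "full lockdown: users cannot load their own software")
    if tier is Tier.TRUSTED_ONLY:
        if publisher in TRUSTED_PUBLISHERS:
            return Decision(True, f"publisher '{publisher}' is on the trusted list")
        return Decision(False, f"publisher '{publisher}' is not on the trusted list")
    # PERMISSIVE: allowed unless the host-based IPS has flagged the package
    if app in HIPS_DENY:
        return Decision(False, f"'{app}' denied by host-based intrusion prevention")
    return Decision(True, "permissive segment: install allowed")
```

Defaulting unmapped addresses to the strictest tier is the deliberate safe failure mode: a machine that is not in a known segment is treated like the most locked-down one.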
“If a browser plug-in tries to delete a hard drive or starts sending things out over the Internet, this type of software would stop that,” said John Pescatore, an analyst at Gartner. “These take more work than other options, but you can apply more custom policies, depending on the type of user, the environment and the situation.”
It’s a good option, but not a cheap one, with prices averaging about $50 per user.
“Sometimes, for smaller companies, it’s an issue of $50 per desktop multiplied by 100 users, and that’s $5,000 you don’t have,” Pescatore said.
But nothing is truly free. “Other options seem to be free or close to free, but they aren’t,” Pescatore said. “Users tend to keep calling the IT department and asking them to take time to check out a piece of software or install the software they need. You have to factor that in.”
Making sure to address browser security at the desktop/notebook level as well as the network level is critical—especially when mobile users are involved, Hickernell said.
“When machines are taken out of your network and will connect to a network that isn’t yours—such as public WiFi in an airport—before they connect to your secure VPN, you’ve got security issues,” he said. “Software definitely helps, but some companies go so far as to tell employees never to access the VPN through a public WiFi site.”
No matter what method you choose, it’s critical to put corporate policies in place. If you choose the full lock-down approach, the policy is simple: Users can’t load their own software. With the second option, the policy should stress that employees can only load software for business use. With the third, less restrictive option, the policy might say that downloading software is permissible, but the company reserves the right to make sure it’s not compromising the integrity of its system. Policies also should detail how to spot a potentially troubling Web site, or whether it is acceptable to access the corporate VPN via a public WiFi site when using a notebook.
In the end, the lock-down method you choose depends on many factors, from line of business, to company tolerance, to user needs, to price. But there is one more very important factor, Pescatore said—employee tolerance.
“Companies are beginning to recognize the Gen X/Gen Y problem, where the newer work force is used to blending their work life and personal life, and using technology to do it,” he said. “[It’s] a fine line. You have to think carefully; you don’t want to alienate your employees.”