Internet Explorer 7 - Microsoft Home Page | Devices and Services
Internet Explorer 7
description
Transcript of Internet Explorer 7
Internet Explorer 7
Updated Advice for the NHS04 February 2008
Version 1.3
Agenda
• Summary Advice for the NHS
•IE7 Update February 2008 – WSUS
•IE7 And Windows XP Service Pack 3
•IE7 Upgrade Process Options
• IE7 Security Features
Summary Advice for the NHSIf you use Windows Server Update Services (WSUS)• Follow the advice below.
• Then follow the advice on the next page (IE7 Update February 2008).
If you use NPfIT applications provided by an LSP or NASP• Don’t install IE7 yet
• Install the Blocker to prevent Windows Update (WU) automatically upgrading systems to IE7
• Follow the advice to prevent automatic update if you are using Windows Server Update Services (WSUS)
• Test all your own critical applications with the latest version of IE7 available
• Wait until your LSP confirms that all NCRS/NPfIT applications you use are compatible
If you don’t yet use NPfIT applications provided by an LSP or NASP• Don’t install IE7 yet
• Install the Blocker to prevent WU automatically upgrading systems to IE7
• Follow the advice to prevent automatic update if you are using Windows Server Update Services (WSUS)
• Test all critical applications with the latest version of IE7 available
IE7 Update February 2008
WSUS IE7 UpdateWindows Server Update Services (WSUS)• Windows Internet Explorer 7 will be distributed via Windows Server Update Services
(WSUS) from 12 February 2008 and may require administrator action to prevent the rollout.
• If you have auto-approve enabled within WSUS, then IE 7 will be distributed to your desktops without further approval.
• The blocker toolkit referred to in this document does not block IE7 from being installed through WSUS.
• To prevent the installation of IE7 using WSUS, you need to ensure that you have not enabled the automatic approval of Update Rollups before 12th February.
• It is Best Practice not to enable automatic approval of updates.
• Please review this knowledge article for further information: KB 946202 at http://support.microsoft.com/default.aspx?scid=kb;EN-US;946202
• The original advice for blocking Windows Update is included in this document.
IE7 And Windows XP Service Pack 3
IE7 And Windows XP SP3Windows XP Service Pack 3• Windows XP Service Pack 3 will be released during 1H/2008.
• Microsoft have confirmed the following details on IE7 and Windows XP SP 3:• Service Pack 3 will not force the installation of IE7.• If IE6 is installed, then Service Pack 3 will update IE6 but will not force an
upgrade to IE7.• If IE7 is installed, then Service Pack 3 will update IE7.
• Windows XP SP3 includes updates to both IE6 and IE7, and will update whichever version is installed on the computer.
IE7 Upgrade Process Options
Upgrade to IE7?
• New Features• Tabbed browser
• RSS
• Page zoom
• More Manageable• Group Policy settings
• Enhanced Security
• Only available on• Windows XP SP2
• Windows Server 2003 SP1
• IE7 Beta known to break some NCRS applications
Plus Minus
Other Windows Versions
All versions of Windows prior to XP SP2 should continue to run IE6
IE7 Automatic Upgrade
• Microsoft treating IE7 as a “Hot Fix” to IE6• When released IE7 will be a High Priority Update on
Windows Update (WU)
• It will be automatically installed on clients using Windows Server Update Services (WSUS) if auto-approve is enabled
• Some NCRS/NPfIT applications are known not to work with IE7
How do we prevent the automatic install of IE7?
Preventing the Upgrade
• If using WSUS, SUS or SMS to deploy updates• Do not auto approve the IE7 update
• Refer to the section above “IE7 Update February 2008”
• If manually using Windows Update (from Start menu)• Tools available to prevent the IE7 update being applied
• Download from Microsoft Web site as a toolkit from
http://go.microsoft.com/fwlink/?linkid=65788
• Where users have Local Administrator rights• Either remove those rights (unlikely) or provide advice & guidance
Disabling Delivery of IE7• Will prevent machines receiving IE7 as a high-priority update
via Automatic Updates and the “Express” install option on the Windows Update and Microsoft Update sites.
• The Blocker Toolkit will not expire
• Will NOT prevent manual installations of IE7 as a Recommended Update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center (sic), or from external media.
• Erroneous IE7 installations can be uninstalled using Add/Remove Programs
• Will NOT prevent update of IE7 through WSUS. See the “IE7 Update February 2008” slide above.
How the Toolkit works
• Blocker script sets a registry setting on a computer
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0
Key value name: DoNotAllowIE70
Value set to 1 to block install
• Script run asIE70Blocker.cmd [<machine name>] [/B] [/U] [/H]
• Group Policy template ADM file also supplied
New Features of IE 7
IE7 Security Features
Protect the machine
Protect the user against misleading downloads and websites
Protect the Machine
• Unified URL parsing• URLs passed as strings may be parsed inconsistently through the stack
• Special characters complicate URL parsing
• http://[email protected]
• Cross-domain security enhancements• Limit scripts on web pages from interacting with content from other domains
or windows
• Code quality improvements to reduce buffer overruns
Protect the Machine• ActiveX Opt-in
• IE6 blocked signed ActiveX controls with the Information bar,but pre-installed controls would run silently
• IE7 blocks pre-installed ActiveX controls with the Information bar on first run (or via Add-on Manager)
• Protected Mode (Microsoft Windows Vista only)• IE7 runs in isolation from other applications
• Cannot write beyond Temporary Internet Files without user consent
Protect the User• Download scanning with Windows Defender
• Phishing Filter
• High-assurance SSL and address bar• Address bar shown in all windows
• Colour of address bar indicates potential threat
Protect the User• Dangerous settings notification
• "Fix My Settings" feature – warns when your Internet settings may be unsafe and resets them
• Secure defaults for IDN (International Domain Names)• Warns when visually similar characters in URL are not in same language
• Parental controls (Windows Vista only)• Can restrict access
• Logs sites browsed
http://www.microsoft.com/windows/ie/ie7/about/features/default.mspx
http://blogs.msdn.com/ie
Toolkit to block upgrade to IE7 via Windows Update
http://go.microsoft.com/fwlink/?linkid=65788
How to block upgrade with WSUS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;946202
Resources & further information