Page 1: Internet Explorer 7

Internet Explorer 7

Updated Advice for the NHS

04 February 2008

Version 1.3

Page 2: Internet Explorer 7

Agenda

• Summary Advice for the NHS

• IE7 Update February 2008 – WSUS

• IE7 And Windows XP Service Pack 3

• IE7 Upgrade Process Options

• IE7 Security Features

Page 3: Internet Explorer 7

Summary Advice for the NHS

If you use Windows Server Update Services (WSUS)

• Follow the advice below.

• Then follow the advice on the next page (IE7 Update February 2008).

If you use NPfIT applications provided by an LSP or NASP

• Don’t install IE7 yet

• Install the Blocker to prevent Windows Update (WU) automatically upgrading systems to IE7

• Follow the advice to prevent automatic update if you are using Windows Server Update Services (WSUS)

• Test all your own critical applications with the latest version of IE7 available

• Wait until your LSP confirms that all NCRS/NPfIT applications you use are compatible

If you don’t yet use NPfIT applications provided by an LSP or NASP

• Don’t install IE7 yet

• Install the Blocker to prevent WU automatically upgrading systems to IE7

• Follow the advice to prevent automatic update if you are using Windows Server Update Services (WSUS)

• Test all critical applications with the latest version of IE7 available

Page 4: Internet Explorer 7

IE7 Update February 2008

Page 5: Internet Explorer 7

WSUS IE7 Update

Windows Server Update Services (WSUS)

• Windows Internet Explorer 7 will be distributed via Windows Server Update Services (WSUS) from 12 February 2008 and may require administrator action to prevent the rollout.

• If you have auto-approve enabled within WSUS, then IE 7 will be distributed to your desktops without further approval.

• The blocker toolkit referred to in this document does not block IE7 from being installed through WSUS.

• To prevent the installation of IE7 using WSUS, you need to ensure that you have not enabled the automatic approval of Update Rollups before 12th February.

• It is Best Practice not to enable automatic approval of updates.

• Please review this knowledge article for further information: KB 946202 at http://support.microsoft.com/default.aspx?scid=kb;EN-US;946202

• The original advice for blocking Windows Update is included in this document.

Page 6: Internet Explorer 7

IE7 And Windows XP Service Pack 3

Page 7: Internet Explorer 7

IE7 And Windows XP SP3

Windows XP Service Pack 3

• Windows XP Service Pack 3 will be released during 1H/2008.

• Microsoft have confirmed the following details on IE7 and Windows XP SP 3:

  • Service Pack 3 will not force the installation of IE7.

  • If IE6 is installed, then Service Pack 3 will update IE6 but will not force an upgrade to IE7.

  • If IE7 is installed, then Service Pack 3 will update IE7.

• Windows XP SP3 includes updates to both IE6 and IE7, and will update whichever version is installed on the computer.

Page 8: Internet Explorer 7

IE7 Upgrade Process Options

Page 9: Internet Explorer 7

Upgrade to IE7?

Plus

• New Features

  • Tabbed browser

  • RSS

  • Page zoom

• More Manageable

  • Group Policy settings

• Enhanced Security

Minus

• Only available on

  • Windows XP SP2

  • Windows Server 2003 SP1

• IE7 Beta known to break some NCRS applications

Page 10: Internet Explorer 7

Other Windows Versions

All versions of Windows prior to XP SP2 should continue to run IE6

Page 11: Internet Explorer 7

IE7 Automatic Upgrade

• Microsoft treating IE7 as a “Hot Fix” to IE6

  • When released IE7 will be a High Priority Update on Windows Update (WU)

• It will be automatically installed on clients using Windows Server Update Services (WSUS) if auto-approve is enabled

• Some NCRS/NPfIT applications are known not to work with IE7

How do we prevent the automatic install of IE7?

Page 12: Internet Explorer 7

Preventing the Upgrade

• If using WSUS, SUS or SMS to deploy updates

  • Do not auto approve the IE7 update

  • Refer to the section above “IE7 Update February 2008”

• If manually using Windows Update (from Start menu)

  • Tools available to prevent the IE7 update being applied

  • Download from Microsoft Web site as a toolkit from http://go.microsoft.com/fwlink/?linkid=65788

• Where users have Local Administrator rights

  • Either remove those rights (unlikely) or provide advice & guidance

Page 13: Internet Explorer 7

Disabling Delivery of IE7

• Will prevent machines receiving IE7 as a high-priority update via Automatic Updates and the “Express” install option on the Windows Update and Microsoft Update sites.

• The Blocker Toolkit will not expire

• Will NOT prevent manual installations of IE7 as a Recommended Update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center (sic), or from external media.

• Erroneous IE7 installations can be uninstalled using Add/Remove Programs

• Will NOT prevent update of IE7 through WSUS. See the “IE7 Update February 2008” slide above.

Page 14: Internet Explorer 7

How the Toolkit works

• Blocker script sets a registry setting on a computer

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0

Key value name: DoNotAllowIE70

Value set to 1 to block install

• Script run as

IE70Blocker.cmd [<machine name>] [/B] [/U] [/H]

• Group Policy template ADM file also supplied
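
The registry value described on this slide can be audited across machines. The following PowerShell is an added example, not part of the Blocker Toolkit or the original slides; the function name Get-IE7BlockerState is hypothetical, and it assumes the Remote Registry service is reachable and the caller can read HKEY_LOCAL_MACHINE on each target.

```powershell
# Added example: report the Blocker Toolkit value and installed IE version per machine.
# Key and value name are taken from the slide; everything else is illustrative.
$BlockerKey  = 'SOFTWARE\Microsoft\Internet Explorer\Setup\7.0'
$BlockerName = 'DoNotAllowIE70'
$IEKey       = 'SOFTWARE\Microsoft\Internet Explorer'

function Get-IE7BlockerState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $state     = 'NotBlocked'   # key or value absent, or value is not 1
        $ieVersion = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)

            # Installed IE version, so machines already on IE7 stand out.
            $ie = $hklm.OpenSubKey($IEKey)
            if ($ie) { $ieVersion = $ie.GetValue('Version'); $ie.Close() }

            # The blocker is in effect only when the value exists and equals 1.
            $setup = $hklm.OpenSubKey($BlockerKey)
            if ($setup) {
                if ($setup.GetValue($BlockerName) -eq 1) { $state = 'Blocked' }
                $setup.Close()
            }
            $hklm.Close()
        }
        catch {
            # Unreachable host, Remote Registry stopped, or access denied.
            $state = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Computer     = $computer
            IEVersion    = $ieVersion
            BlockerState = $state
        }
    }
}

# Example: audit the local machine and print a table.
Get-IE7BlockerState | Format-Table -AutoSize
```

A Blocked result covers only Automatic Updates and the “Express” option on Windows Update and Microsoft Update; as the slides state, it does not stop delivery through WSUS or a manual install.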

Page 15: Internet Explorer 7

New Features of IE 7

Page 16: Internet Explorer 7

IE7 Security Features

Protect the machine

Protect the user against misleading downloads and websites

Page 17: Internet Explorer 7

Protect the Machine

• Unified URL parsing

  • URLs passed as strings may be parsed inconsistently through the stack

  • Special characters complicate URL parsing

  • http://[email protected]

• Cross-domain security enhancements

  • Limit scripts on web pages from interacting with content from other domains or windows

• Code quality improvements to reduce buffer overruns

Page 18: Internet Explorer 7

Protect the Machine

• ActiveX Opt-in

  • IE6 blocked signed ActiveX controls with the Information bar, but pre-installed controls would run silently

  • IE7 blocks pre-installed ActiveX controls with the Information bar on first run (or via Add-on Manager)

• Protected Mode (Microsoft Windows Vista only)

  • IE7 runs in isolation from other applications

  • Cannot write beyond Temporary Internet Files without user consent

Page 19: Internet Explorer 7

Protect the User

• Download scanning with Windows Defender

• Phishing Filter

• High-assurance SSL and address bar

  • Address bar shown in all windows

  • Colour of address bar indicates potential threat

Page 20: Internet Explorer 7

Protect the User

• Dangerous settings notification

  • "Fix My Settings" feature – warns when your Internet settings may be unsafe and resets them

• Secure defaults for IDN (International Domain Names)

  • Warns when visually similar characters in URL are not in same language

• Parental controls (Windows Vista only)

  • Can restrict access

  • Logs sites browsed

Page 21: Internet Explorer 7

Resources & further information

http://www.microsoft.com/windows/ie/ie7/about/features/default.mspx

http://blogs.msdn.com/ie

Toolkit to block upgrade to IE7 via Windows Update

http://go.microsoft.com/fwlink/?linkid=65788

How to block upgrade with WSUS

http://support.microsoft.com/default.aspx?scid=kb;EN-US;946202