by Neil MacDonald | January 21, 2011 | Identifying Browsers and Plugins That Might Represent a Risk
In my kick off post for 2011, I talked about the need for IT to expand the depth and breadth of patching. In the follow-on post, I talked about the need to migrate more users to run with standard user (and not administrative level) privileges.
One of the challenges to both of these actions is getting a handle on the number of browsers and plugins in use in your organization. For example, even though your policy might state that Internet Explorer is the only supported browser, the reality is that many browsers may be installed without the official support of enterprise IT.
The same is true of plugins (toolbars, browser helper objects, ActiveX controls and browser extensions). IT may officially support a core set of these (Flash, PDF, Webex, and so on) but isn’t aware of the rest.
Allowing users to choose alternative browsers and customize their work environment isn’t inherently bad. In fact, I coauthored this research note for clients, which explains Gartner’s official position that organizations shouldn’t standardize on a single browser and lays out a strategy for this. The risk is that this expanded set of browsers and plugins isn’t kept up to date from a security perspective and presents hackers with opportunities to target your users.
A good PC lifecycle management tool should provide the detailed inventory information you are looking for. However, some clients have indicated to me that they were having difficulty identifying plugins.
Last week, Microsoft updated its free Microsoft Assessment and Planning Toolkit. Because it uses credentialed access, it doesn’t require an agent. The tool queries each machine and obtains inventory information, including the browsers in use and their versions (non-Microsoft browsers included).
And, for Internet Explorer, the toolkit identifies all of the plugins.
Part of managing risk is understanding where risk resides.
I was talking to a client yesterday and used this analogy: It’s like when you know you have skeletons in the closet but you don’t quite know how many — so you get a stronger flashlight.
More visibility leads to more informed decision making.
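For readers who want to see what such an inventory looks like on a single machine, here is an added example that is not part of the original post and is not how the Microsoft Assessment and Planning Toolkit works internally. It assumes the standard Windows registry locations where browsers and Internet Explorer Browser Helper Objects are registered; the function names are hypothetical, and toolbars, ActiveX controls and other browsers' extensions are out of its scope.

```powershell
# Added example: local inventory of browsers and IE Browser Helper Objects (BHOs).
# Reads standard Windows registry locations; not the MAP Toolkit's own logic.
function Get-VersionInfoOrNull([string]$Path) {
    # Version metadata for a file, or nothing when the path is empty or missing.
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        (Get-Item -LiteralPath $Path).VersionInfo
    }
}

function Get-RegisteredBrowser {
    # Browsers register under Clients\StartMenuInternet (64-bit and 32-bit views).
    $roots = 'HKLM:\SOFTWARE\Clients\StartMenuInternet',
             'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet'
    foreach ($key in Get-ChildItem -Path $roots -ErrorAction SilentlyContinue) {
        $sub = $key.OpenSubKey('shell\open\command')
        if (-not $sub) { continue }
        # The default value is the launch command; take the quoted executable path.
        $cmd = [string]$sub.GetValue('')
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { $cmd.Trim() }
        $info = Get-VersionInfoOrNull $exe
        [pscustomobject]@{
            Browser = $key.PSChildName
            Path    = $exe
            Version = if ($info) { $info.ProductVersion } else { $null }
        }
    }
}

function Get-IEBrowserHelperObject {
    # BHO CLSIDs are listed per registry view; each resolves to a DLL via InprocServer32.
    $bho = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $views = @(
        @{ Bho = "HKLM:\SOFTWARE\$bho"; Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bho"; Cls = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )
    foreach ($view in $views) {
        foreach ($key in Get-ChildItem -Path $view.Bho -ErrorAction SilentlyContinue) {
            $server = Join-Path $view.Cls "$($key.PSChildName)\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $server) { $dll = [string](Get-Item -LiteralPath $server).GetValue('') }
            $info = Get-VersionInfoOrNull $dll
            [pscustomobject]@{
                Clsid   = $key.PSChildName
                Dll     = $dll
                Vendor  = if ($info) { $info.CompanyName } else { $null }
                Version = if ($info) { $info.FileVersion } else { $null }
            }
        }
    }
}
```

Calling `Get-RegisteredBrowser` and `Get-IEBrowserHelperObject` and piping the results to `Export-Csv` gives a per-machine record that can be compared against the supported list. A BHO whose `Dll` or `Vendor` comes back empty is worth a closer look, since it points at a registration with no file behind it or a file with no version metadata.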