Everyone in the enterprise loves the web browser when it’s delivering news, email, documentation, and sales leads. With the shift to web apps, it’s arguably the most important installed software on any corporate desktop. But the internet is filled with people who aren’t nice — sometimes even dangerous — and the same browser can also bring viruses, rootkits, and worse. Even if the browser sits on a little-used desktop in a dusty corner with no access to sensitive information, an attacker can use the seemingly unimportant machine as a stepping stone.
Keeping your users’ browsers secure is essential. The browser companies work hard to block the attackers by sealing the back doors, side doors, and cracks in between, but that isn’t always enough. Some useful features have dark sides, and enterprises can increase security dramatically by shutting down or tightly limiting access to these options.
The freedom to download arbitrary files, for instance, is essential for installing new software, but it’s also a dangerous vector for attacks. If the users in your office don’t need to add new software on their own, blocking all downloads is a harsh but simple way to stop many attacks.
Most of the job is making tough decisions about whether the people in the office (and which ones) need access to various features, both their good and bad sides. No one likes to have their freedom curtailed, but the dangers of an attack are so great that locking down the machines and shutting down options is often a prudent decision.
Here are nine important steps that IT can take to keep users’ browsers running smoothly and securely.
1. Learn your way around the enterprise control options
The most important step you can take to protect users’ browsers is to take control of them with corporate policies that govern them. Most of the major browser makers provide enterprise tools for doing just that.
Of course, different machines may need different levels of control. A public computer used by guests should be configured differently than ones used by employees. And certain types of workers, such as programmers, need more flexibility than other employees. In some cases, admins may choose not to centrally control those users’ browsers at all, but most enterprise policy tools do give you the ability to assign different permissions to different groups of employees.
Each combination of browser and operating system uses a slightly different format for providing what are, in essence, a big, long set of switches for turning off features. Mozilla’s Firefox Enterprise, for instance, provides ADM and ADMX (Windows group policy) templates for Windows, a plist (macOS policy management) template for Macs, and a JSON file for Linux. Google offers a variety of cloud and on-premises tools for managing Chrome, including some templates for Windows, Mac, and Linux machines that make a good starting point for locking down Chrome in the enterprise.
Safari is governed by Apple’s device management tools for business, while the current version of the Edge browser is governed by Microsoft Group Policy and Intune. Microsoft says it will replace this version of Edge with a whole new version based on the open-source Chromium engine, upon which Google Chrome is also based, later this year. The company has previewed a catalog of group policies that enterprises can use to govern the new version of Edge on Windows and macOS devices. At some point in the future, admins will be able to configure the Chromium-based Edge through Intune and System Center Configuration Manager, Microsoft says.
The list of options available for each browser is too long to explore in detail here, and it includes some obvious options like blocking certain sites as well as many arcane options like disabling outdated plugins. Chrome, for instance, lets you block Flash or JavaScript from running on particular sites. Firefox can be configured to minimize the debugging information sent back to Mozilla in case it might leak information.
The best way to make use of these settings is to wade in and start determining what is best for your office. The templates make a good starting point, but only you can decide what your team needs.
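As an added example of what one of those policy files looks like in practice, here is a small Python script (not from the article and not Mozilla’s own tooling) that writes a Firefox Enterprise `policies.json` for three groups of machines: a shared guest PC, a standard employee desktop, and a developer workstation. The policy keys (`DisableAppUpdate`, `ExtensionSettings`, `WebsiteFilter`, `SanitizeOnShutdown`, `DisableDeveloperTools`, `DisableTelemetry`) are real Firefox Enterprise policy names; the group names, the intranet URL pattern, and the Facebook Container add-on ID and download URL are assumptions to be verified before deployment. The same three groups could equally be expressed as ADMX, plist, or Intune settings; the JSON form is shown because it is readable on every platform.

```python
"""Build a per-group Firefox Enterprise policies.json.

Added example: not from the article or from Mozilla. Policy keys are real
Firefox Enterprise policy names; group names, the intranet pattern and the
add-on ID/URL below are assumptions.
"""
import json
from pathlib import Path

# Assumed: the Facebook Container add-on ID and its "latest" download URL on
# addons.mozilla.org. Check both against the add-on listing before use.
FACEBOOK_CONTAINER_ID = "@contain-facebook"
FACEBOOK_CONTAINER_URL = (
    "https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi"
)

# Constructed placeholder for the company's intranet (WebsiteFilter match pattern).
INTRANET = "https://intranet.example.com/*"

GROUPS = ("guest", "employee", "developer")


def build_policies(group: str) -> dict:
    """Return the content of the "policies" object for one machine group."""
    if group not in GROUPS:
        raise ValueError(f"unknown group: {group}")

    # Baseline for every group: IT controls when updates land (step 2),
    # telemetry is off, and local browsing data is wiped on exit (step 7).
    policies = {
        "DisableAppUpdate": True,   # updates are pushed by IT, not pulled by Firefox
        "DisableTelemetry": True,
        "SanitizeOnShutdown": {
            "Cache": True, "Cookies": True, "History": True, "Sessions": True,
            "FormData": True, "Downloads": True,
            "Locked": True,         # users cannot switch the wipe off
        },
    }

    if group == "developer":
        # Developers keep dev tools and may install extensions themselves;
        # individual bad extensions can still be listed here as "blocked".
        policies["ExtensionSettings"] = {"*": {"installation_mode": "allowed"}}
        return policies

    policies["DisableDeveloperTools"] = True

    if group == "guest":
        # Shared PC: no extensions at all, and only the intranet is reachable
        # (the kiosk-style end of the spectrum, steps 5 and 8).
        policies["ExtensionSettings"] = {"*": {"installation_mode": "blocked"}}
        policies["WebsiteFilter"] = {"Block": ["<all_urls>"], "Exceptions": [INTRANET]}
        return policies

    # Employee desktop (step 3): deny every extension except those IT
    # force-installs, and force Facebook Container for the isolation
    # described in step 5.
    policies["ExtensionSettings"] = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Extensions are managed by IT; open a ticket to request one.",
        },
        FACEBOOK_CONTAINER_ID: {
            "installation_mode": "force_installed",
            "install_url": FACEBOOK_CONTAINER_URL,
        },
    }
    return policies


def write_policies(group: str, install_dir: Path) -> Path:
    """Write distribution/policies.json under a Firefox install directory.

    On Windows and Linux that is <install dir>/distribution/; on macOS it is
    Firefox.app/Contents/Resources/distribution/.
    """
    target = Path(install_dir) / "distribution" / "policies.json"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps({"policies": build_policies(group)}, indent=2))
    return target


if __name__ == "__main__":
    # Demo: print the employee policy rather than touching a real install.
    print(json.dumps({"policies": build_policies("employee")}, indent=2))
```

Deploying the file is the easy part; the decision that matters is which machines belong in which group, and the `GROUPS` split above is only a starting point for that conversation.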
2. Install all patches and updates
The simplest way to prevent trouble is to install the latest version of each browser on all machines that run it as soon as possible. If there’s a patch, install it immediately. If there’s a new version, replace the old one.
You could set your users’ browsers to automatically install new versions as they roll out, but many IT teams like to control the installations. They might want to time them for off-peak hours or test important web apps before updating browsers throughout the organization. For them, “set it and forget it” isn’t an option for browser updates.
This can be tiresome, because the browser companies have increased the pace of updates – new versions of Chrome and Firefox come out every six to eight weeks. Edge and Safari are considered part of their respective OSes, so major updates typically occur just twice a year for Windows 10/Edge and once a year for macOS/Safari, with additional security or bug-fix releases throughout the year. The release pace is expected to pick up for Edge when the new Chromium-based version is released, but Microsoft hasn’t committed to a set schedule.
No matter how frequently they come, keeping up with the updates is essential. Just ask anyone using one of the hundreds of thousands of computers across the globe infected by the WannaCry ransomware in 2017. The exploit took advantage of a flaw in Windows for which Microsoft had released a patch a month prior to the outbreak, but many systems remained unpatched — including those of the UK’s National Health Service, which estimated that the attack cost it £92,000 (approximately $100,000).
Mozilla does offer some relief for companies that don’t want to deploy all updates immediately. Firefox Enterprise is available in two major distributions: the regular six-to-eight-week “rapid release” and an “extended support release” that emerges less often, for companies that want to test their internal web applications to make sure everything keeps working. Firefox has also enhanced its profile system to let administrators test different versions on the same machine.
Google offers four different Chrome channels that include increasing amounts of new code. The Canary channel is released as soon as the build finishes but before any rigorous testing. It’s only for teams that need bleeding edge features. The Dev channel gives developers a 9- to 12-week preview of what’s coming so they can test their applications on it. Better choices for the enterprise are the Beta channel and the Stable channel, which are updated every two to six weeks after internal testing.
The upcoming Chromium-based version of Edge will likely follow a similar four-channel approach. Admins will have a number of policies for controlling updates, including the ability to pause new releases for testing.
3. Limit plugins and extensions
Plugins and extensions offer the opportunity to configure and extend browsers to do much more than just load and display web pages. Unfortunately, this feature is easy to abuse, because it offers extension developers almost unfettered access to incoming web pages.
The simplest solution is to ban all plugins and extensions. This isn’t always possible or desirable, though, because some extensions can be essential for business users. The TeamPassword extension, for instance, lets a group share passwords for accounts that they use together. Or groups that must account for their time often choose a standard extension that records their hours, such as TMetric or Clockify.
The browser makers’ policy management tools offer broad options for controlling extensions. Chrome’s templates, for instance, let you add specific extensions to a blocklist or block all extensions that don’t appear on an allowed list.
If you absolutely need to allow an extension, test it thoroughly and scrutinize the source carefully. Many free software packages on the web offer a very useful service while hiding nefarious purposes behind the helpful facade.
4. Watch for new ways to block content and tracking
Browser makers are always enhancing their blocking capabilities to offer more options. Firefox, for instance, introduced a feature in version 67 that lets you stop abusive scripts that try to hijack the CPU cycles of users’ machines to mine for bitcoin.
Read the release notes for each new version that comes out, because it may require you to make a decision about a new blocking option. In many cases, you’ll want to make sure new optional shields are turned on for your users.
5. Block some outside sites (but tread carefully)
One of the biggest challenges in locking down corporate browsers is understanding when to block outside sites. Some decisions are easy (e.g., porn sites), but others are fraught with tradeoffs. Letting everyone read personal email through their browser, for instance, is one of the simplest ways to enable possible attacks where seemingly innocuous content hides malicious code. But blocking outside email forces everyone to find other ways to manage personal issues from families, schools, doctors and more, and this will drive people into the hands of more dangerous options.
Facebook presents a similar conundrum. It can be a dangerous path for targeted attacks and surveillance, but many employees rely upon it to communicate with family members and friends. To help, Mozilla developed a Facebook Container extension for Firefox that runs Facebook in a tightly limited sandbox. The idea is to isolate individuals’ Facebook identities, making it harder for Facebook to track users’ other web activities with third-party cookies. As an IT admin running Firefox Enterprise, you can either force installation of Facebook Container or make it available to users and encourage them to install it.
6. Maintain multiple browsers if necessary
Sometimes not every browser is right for each task, especially when you’re maintaining legacy software that works best with older browsers. With the current version of Edge, Microsoft offers an “Enterprise Mode” that switches between Edge and the older Internet Explorer 11. Edge is more secure than IE, but it can’t display sites that use older technologies like ActiveX controls. So users mainly browse in Edge, but the browser automatically launches an IE window when it comes to designated URLs that require legacy technology.
Google offers a Chrome extension for the same purpose, and various third-party extensions are available for Firefox.
Note that this approach may change. Microsoft says its upcoming Chromium-based Edge will have a new “Internet Explorer mode” that will run legacy sites inside Edge itself. In the meantime, matching each site to the browser best suited to it means the most secure option available is in use for every page.
7. Regularly clear browsing data
Most data that’s stored in a browser was put there by a web site with good intentions. Cookies and other private data let everyone log in faster and maintain a customized experience with their local machine.
But there are lots of secrets hidden in users’ browser history and cookies. One example is research about future products or strategic directions for the company. Knowing what a company is researching is very valuable to competitors.
To protect such data, it can be helpful to regularly wipe away the local data of some or even all websites your users have visited or to prevent it from being saved in the first place. The browser makers offer various options for doing so, including Chrome’s “ephemeral mode,” which wipes everything clean when the user session ends.
You could argue that cookies harbor more secrets than browsing history or vice versa, but it’s simpler just to wipe all such data. This can be a bit harsh, especially if it forces users to log in again or wait for more data to be downloaded, but it’s smart security, and it can also be liberating by removing crufty echoes of the past.
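Writing a policy file is only half the job; the check a practitioner wants is whether the file a machine actually carries still enforces the controls from steps 3 and 7 above. The following Python script is an added example (not from the article or from Mozilla) that loads a Firefox `policies.json` and reports weakened settings: an extension wildcard left open, a force-installed add-on fetched over plain HTTP, a shutdown wipe that skips cookies or that users can switch off, and a website filter exception that quietly matches every URL. The policy keys are real Firefox Enterprise names; the sample file is constructed for the demo, and the add-on ID in it is an assumption.

```python
"""Audit a deployed Firefox policies.json for weakened hardening settings.

Added example, not from the article or from Mozilla. Policy keys are real
Firefox Enterprise names; SAMPLE_POLICIES is constructed for the demo.
"""
import json
from pathlib import Path
from typing import List

# Constructed sample: looks locked down at a glance but carries five
# weaknesses that audit() should flag.
SAMPLE_POLICIES = json.dumps({
    "policies": {
        "DisableAppUpdate": True,
        "ExtensionSettings": {
            "*": {"installation_mode": "allowed"},              # should be "blocked"
            "@contain-facebook": {                               # assumed add-on ID
                "installation_mode": "force_installed",
                "install_url": "http://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi",
            },
        },
        "SanitizeOnShutdown": {"Cache": True, "Cookies": False, "History": True},
        "WebsiteFilter": {"Block": ["<all_urls>"], "Exceptions": ["*://*/*"]},
    }
})

# Match patterns that cover every URL; as an exception they cancel the block list.
MATCH_EVERYTHING = {"<all_urls>", "*://*/*"}


def audit(policies: dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Step 3: extensions should be deny-by-default, and anything IT installs
    # should come over HTTPS so the download cannot be tampered with in transit.
    ext = policies.get("ExtensionSettings", {})
    if ext.get("*", {}).get("installation_mode") != "blocked":
        findings.append("ExtensionSettings: '*' is not 'blocked'; users can install arbitrary extensions")
    for ext_id, cfg in ext.items():
        if cfg.get("installation_mode") in ("force_installed", "normal_installed"):
            url = cfg.get("install_url", "")
            if not url.startswith("https://"):
                findings.append(f"ExtensionSettings: {ext_id} installs from non-HTTPS URL {url!r}")

    # Step 7: SanitizeOnShutdown is either a bare boolean (wipe everything)
    # or an object selecting categories; both forms must be handled.
    san = policies.get("SanitizeOnShutdown")
    if san is True:
        pass
    elif isinstance(san, dict):
        for item in ("Cookies", "History", "Cache"):
            if not san.get(item):
                findings.append(f"SanitizeOnShutdown: {item} is not cleared on exit")
        if not san.get("Locked"):
            findings.append("SanitizeOnShutdown: not locked; users can turn the wipe off")
    else:
        findings.append("SanitizeOnShutdown: not set; browsing data persists on disk")

    # Step 5: a block list with an exception that matches everything is a no-op.
    wf = policies.get("WebsiteFilter")
    if wf and MATCH_EVERYTHING & set(wf.get("Exceptions", [])):
        findings.append("WebsiteFilter: an exception matches every URL and cancels the block list")

    return findings


def audit_file(path: Path) -> List[str]:
    """Load a policies.json from disk and audit its 'policies' object."""
    data = json.loads(Path(path).read_text())
    return audit(data.get("policies", {}))


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE_POLICIES)["policies"]):
        print("-", finding)
```

Run against the real file on a workstation (`audit_file(Path("/path/to/firefox/distribution/policies.json"))`) as part of the same scheduled job that checks patch levels, so a policy that drifts after an upgrade is noticed rather than discovered after an incident.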
8. Use kiosk mode for some machines
An extreme method for locking down browsers is to run them in kiosk mode. This limits what users can do, typically by running the browser in full-screen mode, disabling options like the ability to install add-ons, and preventing users from accessing any apps outside the browser. Some kiosk mode configurations also limit users to viewing just a few designated web pages. Both Chrome and Edge offer kiosk mode options.
The solution is too harsh for the average employee, but it can be a smart choice for machines that are publicly accessible or dedicated to a particular task like tracking inventory or acting as a point-of-sale terminal.
9. Ask for outside help
Installing a browser isn’t hard, but it becomes a lot more complex when you’re configuring, deploying and maintaining browsers on hundreds or thousands of machines. The browser companies offer various support services focused on the challenge of keeping many enterprise machines in sync. Google, for instance, offers Enterprise support for Chrome to companies with more than 1,000 users. They will answer questions and offer guidance on customizing the enterprise policy templates that limit what users can do with Chrome.
Mozilla’s support is less extensive, but it offers a small Firefox Enterprise knowledge base and maintains an Enterprise User Working Group mailing list where developers and IT admins discuss solutions. And Microsoft has launched a new Enterprise section of its Edge Insider site with links to documentation about the upcoming Chromium-based Edge and a forum for IT pros and Microsoft engineers to discuss the new browser.