Unlike safer operating systems, Windows ships with a built-in web browser, Microsoft Internet Explorer, that has a poor security record and cannot be removed. Users can’t fix a design decision like that, but the risk can be reduced considerably by locking the browser down.
Microsoft Internet Explorer is widely regarded by security practitioners as fundamentally unsafe, and the usual advice is not to use it, or even install it. Some people have no choice: some employers require it, as do some online government services. More fundamentally, it is built into Windows, and the operating system itself uses it daily even if the user never opens it. Removal is therefore not an option. Windows users can, however, lower the risk by:
- Ensuring it is fully patched and up to date
- Locking it down as tightly as possible, so that the operating system’s use of it becomes less risky
- Using a more secure browser, so your actions don’t put you at risk
KEEP IT PATCHED
Microsoft delivers Internet Explorer security fixes through Windows Update, where they are classified as Important updates. Check your Windows Update settings (Control Panel – Windows Update – Change settings) and make sure updates are installed automatically; Internet Explorer will then be kept patched without any action on your part.
Major version upgrades of Internet Explorer are also offered through Windows Update, but they are not installed automatically and require the user to accept and install them. Periodically check Windows Update for a newer version of Internet Explorer and install it; an older major version stops receiving fixes once Microsoft ends support for it.
You can automate this checking by installing a software security audit tool such as Secunia PSI (Personal Software Inspector), which scans the installed software on the machine and reports anything that is missing a security patch.
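As an added example (not part of the original article), the following PowerShell script checks the three things this section asks for: the installed Internet Explorer version, whether Automatic Updates is set to install on its own, and which Internet Explorer updates Windows Update still has pending. It uses the Windows Update Agent COM objects (Microsoft.Update.Session and Microsoft.Update.AutoUpdate) and the registry key where Internet Explorer records its version. It assumes Windows 7 or later, an elevated PowerShell prompt, and network access to Windows Update; the "Internet Explorer" title match is a heuristic of this example, not an API feature.

```powershell
# Added example (not from the original article): report the installed Internet
# Explorer version, the Automatic Updates level, and any pending IE updates.
# Assumes Windows 7+ with the Windows Update Agent COM API, run elevated, online.

function Get-IEVersion {
    # IE 10 and later record the real version in svcVersion; older releases only in Version.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    if ($key.svcVersion) { return [version]$key.svcVersion }
    return [version]$key.Version
}

function Get-AutoUpdateLevel {
    # IAutomaticUpdatesSettings.NotificationLevel:
    # 1 = disabled, 2 = notify before download, 3 = notify before install,
    # 4 = download and install automatically (the setting this article recommends)
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return [int]$au.Settings.NotificationLevel
}

function Get-PendingIEUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Everything applicable to this machine that is not yet installed.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        # Heuristic: cumulative IE security updates and IE major-version upgrades
        # both carry "Internet Explorer" in their title.
        if ($u.Title -match 'Internet Explorer') {
            [pscustomobject]@{
                Title    = $u.Title
                Severity = $u.MsrcSeverity          # Critical / Important / ...; empty for non-security updates
                AutoSel  = $u.AutoSelectOnWebSites  # $false for optional items Windows Update will not pick on its own
            }
        }
    }
}

$level = Get-AutoUpdateLevel
Write-Host "Internet Explorer version : $(Get-IEVersion)"
Write-Host "Automatic Updates level   : $level$(if ($level -lt 4) { '  (updates are NOT installed automatically)' })"
Write-Host "Pending Internet Explorer updates:"
Get-PendingIEUpdates | Format-Table -AutoSize
```

A level below 4, or any pending item with a non-empty Severity, means the machine is not in the state this section describes; an item with AutoSel set to false is typically a major-version upgrade that Windows Update will keep offering but never install by itself.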
LOCK IT DOWN
Tighten Internet Explorer’s security settings as described in this article. (I agree with the article’s advice even though I take exception to its misleading title.)
Some software and web sites that require Internet Explorer will not work with the settings above, so you will have to make exceptions for them. To do this, launch Internet Explorer and open Tools – Internet Options – Security. Select Trusted Sites and press “Sites”. Add the appropriate URL; by default this zone accepts only https:// addresses (“Require server verification (https:) for all sites in this zone”), and that option should stay checked. For example, to allow Secunia PSI to do its job, add “https://psi.secunia.com/”. Press “Close” and then “OK”. Keep this list short: everything in Trusted Sites runs under the zone’s more permissive settings, so add only the specific hosts that need it rather than whole domains.
TODO: Investigate if this has to be done in each user’s account.
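The same exception can be made without the dialog, which also shows where the setting lives. Internet Explorer stores the zone assignments in the registry under Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, and it reads the per-user copy (HKCU) unless the “Security Zones: Use only machine settings” policy (Security_HKLM_only) is enabled, in which case only the HKLM copy counts. The following PowerShell script is an added example, not from the original article: it writes the same entry the dialog would write and reads it back. The host-to-key mapping (the last two labels of the host name form the key, the remaining labels a subkey) and the https-only rule mirror the dialog’s behaviour; the function names are this example’s own.

```powershell
# Added example (not from the original article): add a host to the Trusted Sites
# zone by writing the ZoneMap registry entry the Internet Options dialog writes,
# then read the zone back.  Zone numbers: 1 intranet, 2 Trusted Sites, 3 Internet,
# 4 Restricted.  Host names only; IP addresses use a different key (ZoneMap\Ranges).

$ZoneMapRelative = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapRoot {
    # Honour the "use only machine settings" policy the same way Internet Explorer does.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
                  -Name Security_HKLM_only -ErrorAction SilentlyContinue
    if ($policy -and $policy.Security_HKLM_only -eq 1) { return "HKLM:\$ZoneMapRelative" }
    return "HKCU:\$ZoneMapRelative"   # per user: must be repeated in every account
}

function Get-ZoneMapKeyPath {
    param([Parameter(Mandatory)][uri]$Url)
    if ($Url.HostNameType -ne 'Dns') { throw "Expected a DNS host name, got '$($Url.Host)'" }
    # IE keys each entry on the last two labels of the host and puts any remaining
    # labels in a subkey: psi.secunia.com -> Domains\secunia.com\psi
    $labels = $Url.Host.Split('.')
    if ($labels.Count -lt 2) { throw "Need a fully qualified host name, got '$($Url.Host)'" }
    $path = Join-Path (Get-ZoneMapRoot) ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $path = Join-Path $path ($labels[0..($labels.Count - 3)] -join '.')
    }
    return $path
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][uri]$Url)
    if ($Url.Scheme -ne 'https') {
        # Same rule as the dialog's default "Require server verification (https:)" setting.
        throw "Only https URLs are added to Trusted Sites; got $Url"
    }
    $keyPath = Get-ZoneMapKeyPath $Url
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # Value name is the scheme, data is the zone number (2 = Trusted Sites).
    New-ItemProperty -Path $keyPath -Name $Url.Scheme -Value 2 -PropertyType DWord -Force | Out-Null
    return $keyPath
}

function Get-SiteZone {
    param([Parameter(Mandatory)][uri]$Url)
    $keyPath = Get-ZoneMapKeyPath $Url
    $entry = Get-ItemProperty -Path $keyPath -Name $Url.Scheme -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return $null }   # no explicit mapping: IE normally treats it as Internet zone (3)
    return [int]$entry.($Url.Scheme)
}

$site = 'https://psi.secunia.com/'
$key  = Add-TrustedSite $site
$scope = if ($key -like 'HKLM:*') { 'all users (machine policy in force)' } else { "user $env:USERNAME only" }
Write-Host "Wrote $key"
Write-Host "$site is now in zone $(Get-SiteZone $site) for $scope"
```

Run it in each account that needs the exception (or once as administrator with the machine-only policy enabled), and restart Internet Explorer afterwards so the new mapping is picked up. The https-only check is deliberate: adding a plain http:// host to Trusted Sites would let anyone who can spoof that host run with the zone’s relaxed settings.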
USE A DIFFERENT BROWSER
After installing the more secure browser of your choice, set it as the default. In Windows Vista and later, this is done as administrator in Control Panel – Programs – Default Programs – Set program access and computer defaults – Custom. Under “Choose a default web browser”, select the new browser. Unless the end user has a particular need for Internet Explorer, remove user access to it by clearing Internet Explorer’s “Enable access to this program” box. This only hides Internet Explorer’s shortcuts and stops it being offered as a default; the browser itself remains installed and in use by the operating system, which is why the patching and lockdown steps above still matter.