Thinking of switching everyone from IE to Firefox/Thunderbird

LuckyTaxi

I work as a system administrator for a private school with 300+ kids and 70+ faculty members.
Roughly 10 people have an office and they use Microsoft Outlook as their email client.
Just today I ran into the new variant of the mydoom virus! Pain in the freaking a$$!

Anyways, everyone in the school uses IE. I'm tired of patching 100+ desktops, so maybe a change
to Firefox will put less stress on me. Anyways, has anyone deployed Firefox/Thunderbird throughout
their company? If I go about doing this, how can I restrict people from using IE?
 

shortylickens

If you try it, I would suggest only one computer at a time. When you feel comfortable, go with some more.

This may be insulting advice to an administrator, but it had to be said.

I just hooked into SUSE 9.2 with Konqueror 3.3. While it may not be perfect, it gives us all a good clue as to alternatives. If you don't trust your users (I don't trust mine and there's only 12) you may want to look into the world of Open-Source.
I can keep crap out of IE because I know what I do on my home computer.
School Kids and teachers ?!?!?!? Forget it. I'm going with something new one of these days. You may want to also.

BTW: More useful advice might be to look into Tivoli Management or Radia Client/Server software. They allow you to make updates on many computers at once. Usually best during the night when users are gone. Just make sure they reboot once and leave the computer on, not logged in. We only use Win2000 on our network. Not sure if you can mix and match OS's with these programs.
 

LuckyTaxi

We use the automated Windows Update but does that really work? Does someone need to be logged in?

Also, we have this other tool from GFI (I forget the exact name) and I can push out the patches. However,
it's kind of tough to do it during the day when people are around! The bad thing about this software is that
I need to download all relevant patches to my workstation before I do the update! It will not seek the
patches for me.
 

amdskip

I would do it as you work on them. Don't make it a project to switch them all over at once, just gradually. I am changing everyone's default browser over to Firefox in the dorms as I work on the machines. Stops spyware and makes my life a whole lot easier.
 

LuckyTaxi

Can you disable IE through Group Policy?

I think I can start by installing it on 14 computers in one of our computer labs.
See how that goes.

People in administration love Outlook so I'm going to wait until Thunderbird hits 1.0 before I
do anything with that. I'm going to force myself to use Firefox for a week before I go ahead
and install it on the other lab.
 

spyordie007

Keep in mind that Firefox will need to be patched as well; there have been plenty of pretty serious security issues along the way. Like most modern software projects it will likely continue to need updating and isn't really something that you could just deploy and walk away from altogether. If it's only a patching issue I'd say IE is (generally) easier to keep patched, if nothing else simply because of all the Windows patching tools out there (i.e. SUS).

> We use the automated Windows Update but does that really work? Does someone need to be logged in?

Yes it does work, and no it doesn't require anyone to be logged in. Once more it can be managed via Group Policy (assuming you're running Active Directory). In fact SUS is built on top of it. Before you spend any more time dealing with Firefox I strongly suggest you get yourself set up with a better patch management solution.

> Just today I ran into the new variant of the mydoom virus! Pain in the freaking a$$!

You do run a virus scanner on your mail server don't you? :roll:

Email viruses should be taken care of before they get to the client.

> Can you disable IE through Group Policy?

Yes, you can use a GPO to remove access to IE.

I know there was another thread just like this recently so I also suggest you do a search to see if there are other responses that could be useful to you there.
 

amdskip

Do not disable IE completely, just delete all the common shortcuts and the average user will not be able to use it.
 

scauffiel

You may also want to consider the "Open in Internet Explorer" extension for certain people for those sites that flat out don't work well in FireFox. My CPA has a few of these that for some reason just don't work properly in FF. I'm considering moving to FF on my work network (with 30+ Lusers) but as has been pointed out, SUS makes patches fairly simple. I also run WebRoot's SpySweeper to help with Ad and Spyware. I prefer FF, but I'm undecided if I want to make it a network-wide change.

Steve
 

LuckyTaxi

We have an anti-virus appliance stripper at the gateway and it scans ALL incoming and outgoing traffic on our network.

Now, I know nothing is foolproof but if it will help me with administration by changing to Firefox and avoiding IE at all cost, then I'm up for it. I understand I can't completely disable it, but I just want to force the user to use Firefox and not IE.
 

mikecel79

> Now, I know nothing is foolproof but if it will help me with administration by changing to Firefox and avoiding IE at all cost, then I'm up for it. I understand I can't completely disable it, but I just want to force the user to use Firefox and not IE.

I think you're missing what Spyordie said before:

> Keep in mind that Firefox will need to be patched as well; there have been plenty of pretty serious security issues along the way. Like most modern software projects it will likely continue to need updating and isn't really something that you could just deploy and walk away from altogether. If it's only a patching issue I'd say IE is (generally) easier to keep patched, if nothing else simply because of all the Windows patching tools out there (i.e. SUS).

Patching large amounts of Windows machines running IE is easy. However patching large amounts of machines running Firefox is not at this time. If you set up an SUS server and you need to push it out to all the machines, you can do it with a single click. With Firefox you've got to do every machine manually, except if you already have an application deployment program in place. Even then the Firefox installer is not all that great for doing unattended installs.

To me having to patch machines manually is even more administration overhead. If you think patching 100+ IE machines is tough, wait until you do 100+ Firefox machines.

Oh and BTW GFI Languard is a piece of garbage. Its "patching" is a complete afterthought and gives you no reporting as to if the machine installed the patch correctly or not. Even when it says the patch is installed, I've found it to be wrong almost 30% of the time.
 

Nothinman

> With Firefox you've got to do every machine manually, except if you already have an application deployment program in place. Even then the Firefox installer is not all that great for doing unattended installs.

Doesn't SUS qualify as an "application deployment program"? And why use the Firefox installer? Just push the updated files manually.

> Oh and BTW GFI Languard is a piece of garbage. Its "patching" is a complete afterthought and gives you no reporting as to if the machine installed the patch correctly or not. Even when it says the patch is installed, I've found it to be wrong almost 30% of the time.

Probably because MS patches are really hard to check for, not all of them add any sort of registry key to say they're installed and file versioning is a PITA because different products can install different versions of files at different patch levels.
 

mikecel79

Originally posted by: Nothinman
> > With Firefox you've got to do every machine manually, except if you already have an application deployment program in place. Even then the Firefox installer is not all that great for doing unattended installs.
>
> Doesn't SUS qualify as an "application deployment program"? And why use the Firefox installer? Just push the updated files manually.

SUS only does security patches and critical updates. SMS is Microsoft's application deployment/system management program. If just copying the same files over will work then fine, but from my experience in the past this doesn't always work.

> > Oh and BTW GFI Languard is a piece of garbage. Its "patching" is a complete afterthought and gives you no reporting as to if the machine installed the patch correctly or not. Even when it says the patch is installed, I've found it to be wrong almost 30% of the time.
>
> Probably because MS patches are really hard to check for, not all of them add any sort of registry key to say they're installed and file versioning is a PITA because different products can install different versions of files at different patch levels.

A lot of other companies do it with no problems. Novell, Altiris, NetIQ, LanDesk, etc have no problem detecting if a patch is missing. When Microsoft releases a patch they give detailed information on how to check your machine manually if it's installed. GFI's implementation is just poor. I've personally worked with their tech support when we evaluated their product and they even admitted their detection of patches wasn't 100% reliable.

 

drag

Stuff like these updates is where Linux has it down.

Say I install 300 Debian "sarge" machines. All I would have to do is set up a local FTP mirror of Debian's FTP servers with the packages and such that I am using in the client machines.

Then I set up, through a cron job, all the machines to check my FTP server every evening and update themselves against it. And that cron change can be done pretty much automatically from a single workstation using scp and a coherent machine naming policy and a simple bash/perl script.

Then when updates are available I test them on a test rig to make sure that everything is fine and I don't get any screw ups, then I pass the changes on to my local .deb repository. Then they update it themselves over the evening.

And if I need to install an application that isn't something that is provided by Debian, then I install it on my test machine and turn it into a Debian package file. .deb files are little more than fancy tarballs.

Most Linux distros have this capability and include automatic update features. Fedora has yum and apt-get to choose from. Red Hat has its up2date tools. Even Slackware has easy to make software packages and the ability to update using slapt-get or swaret.

For instance when I update my Debian box at home, EVERYTHING gets updated (which can take a while sometimes). Not just the core OS stuff.

-----

Anyways.

If you want you can just turn on Firefox's autoupdate feature. It's one of the new things introduced with the 0.10PR update...

Also it will indicate to the user that an update is available... A little white arrow pointing up in a red circle by the little animation that shows that a page is loading.

I just updated my workstation's version to 1.0 through it.
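
The nightly-update arrangement described in the post above (clients pull from a local, pre-tested mirror via cron, with the config pushed out by scp using a machine naming policy), as an added example that is not part of the original post. The mirror URL, the `labNN` hostnames, the staggered start minute and the `apt-nightly` file name are assumptions; the script only stages files and prints the copy commands for review.

```shell
#!/bin/sh
# Added example (not from the thread). Mirror URL, hostnames and file
# names are assumptions chosen for illustration.
MIRROR_URL="ftp://mirror.school.example/debian"  # hypothetical local mirror
SUITE="sarge"
PREFIX="lab"                                     # hypothetical naming policy: lab01..labNN

# Hostnames derived from the naming policy.
host_list() {
    i=1
    while [ "$i" -le "$1" ]; do
        printf '%s%02d\n' "$PREFIX" "$i"
        i=$((i + 1))
    done
}

# sources.list: clients see only the locally tested mirror.
render_sources() {
    printf 'deb %s %s main\n' "$MIRROR_URL" "$SUITE"
}

# /etc/cron.d entry: nightly run in the 02:00 hour; the minute is derived
# from the host number so clients do not all hit the mirror at once.
render_cron() {
    num=${1#"$PREFIX"}
    num=${num#0}                      # "09" -> "9", avoids octal parsing
    minute=$(( ($num * 7) % 60 ))
    printf 'PATH=/usr/sbin:/usr/bin:/sbin:/bin\n'
    printf 'DEBIAN_FRONTEND=noninteractive\n'
    printf '%d 2 * * * root apt-get -q update && apt-get -q -y upgrade\n' "$minute"
}

# Write per-host files under directory $1 for $2 hosts; print the scp commands.
stage_all() {
    for h in $(host_list "$2"); do
        mkdir -p "$1/$h"
        render_sources > "$1/$h/sources.list"
        render_cron "$h" > "$1/$h/apt-nightly"
        echo "scp $1/$h/sources.list root@$h:/etc/apt/sources.list"
        echo "scp $1/$h/apt-nightly root@$h:/etc/cron.d/apt-nightly"
    done
}

if [ "${1:-}" = "stage" ]; then stage_all "${2:-./staging}" "${3:-14}"; fi
```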
 

Nothinman

> SUS only does security patches and critical updates. SMS is Microsoft's application deployment/system management program. If just copying the same files over will work then fine, but from my experience in the past this doesn't always work.

Oh yea, if you want to push other things you have to pay for yet another product, I forgot about that.

The only issue with just copying the files may be in-use files, but if you have a product that's even remotely not dumb it can deal with those like a normal, locally run installer would. It doesn't work with some apps because of shared libraries in stupid places like %WINDIR%\SYSTEM32, but if you're updating your app manually you should know where it puts everything.
 

tomstevens26

Originally posted by: mikecel79
> GFI's implementation is just poor. I've personally worked with their tech support when we evaluated their product and they even admitted their detection of patches wasn't 100% reliable.

Agreed. We've been messing around with Languard for a while now and have come to the conclusion that it just sucks, at least for us. My favorite issue is how we can install the exact same build of Languard on two machines and then run the exact same report on the same group of servers minutes apart....and the reporting outcome (especially the vulnerability reporting) will differ tremendously.

We've got a web based demo set up from Mobile Automation regarding their Patch Automation product. If anyone has any experience with that please PM me.

Tom

 

VirtualLarry

I think that it should be mentioned, several people are working on 3rd-party .MSI based upgrade/install packages for Firefox, those should be much easier to push out to client machines using whatever various client patch-deployment mechanisms that you choose. Search MozillaZine's forums for some of them.
 

LuckyTaxi

Isn't MOST vulnerability aimed at IE? If I could just alleviate some of the overhead, then that's better than nothing.

We have CA's virus software on ALL desktops along with the anti-virus appliance. That pretty much covers viruses, but the vulnerabilities that are aimed at IE are where I would like to cut down.