
How to erase browser history proactively for enterprise security

Attackers often try to access enterprise users’ browsing history. Expert Michael Cobb explains how to erase browser history proactively.

Could you describe some best practices for clearing browser history? Detecting a visitor’s browser history is as simple as a few lines of code, and I’m concerned this leaves our employees vulnerable. Besides consistently clearing the browser history, are there any other methods to help protect against access to browsing histories? Are some browsers better than others at clearing history?

The websites and pages you view in your browser are kept in your history until they expire or are manually deleted. All browsers allow this history to be detected by other sites, which can use it in a variety of ways such as serving targeted advertisements. Depending on the level of analysis of the sites a person has visited, access to this type of information could open up the possibility of privacy abuse and attacks. So, although being able to refer to your browsing history is useful, certain users may need to regularly clear their browsing history to prevent it from being misused.

Firefox, Internet Explorer and Google's Chrome browser provide the user with the ability to clear browsing history and cookies, and even to do it automatically when the browser is closed. You can also delete the browsing history, but keep cookies and temporary Internet files for favorite sites so they will load faster. System administrators can manage these settings for enterprise endpoints using Group Policy, but to provide additional protection, I would recommend disabling Flash and other third-party plug-ins, as they can also store user preferences, typed data and information about sites visited.

Browsers all offer some form of private browsing where the browsing session is sandboxed to some degree so information isn’t written and stored on the computer. Internet Explorer calls it InPrivate Browsing, Firefox and Safari call it Private Browsing and Chrome calls it Chrome Incognito Browsing Mode. When private browsing is turned on, the browser doesn't store the pages visited, form and search bar entries, passwords, cookies and cached files.

However, none of these private browsing modes are 100% effective; each of them still leaves some trace of browsing activity, Safari being the worst. All browsers have trouble with Flash cookies due to the way they are created and stored. Private browsing modes do appear to perform better if a user starts the browser and goes directly into private browsing rather than switching between normal and private browsing sessions.

Interestingly, Group Policy has several settings that let administrators prevent users from using InPrivate Browsing so their activities can be more easily audited. That said, certain users should clear browsing history on a regular basis. Do remember, though, that the sites they visit will still know their IP address and can still track the pages visited on that site. This information may be shared with third parties looking to access browsing history.

There are tools you can install, such as CCleaner Network Edition, that allow the remote cleaning of browsing history and cookies on all the computers on your corporate network. I would thoroughly test any tool first to ensure it clears the information you need from the browsers you use before rolling it out organization-wide.
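An added example, not part of the original answer: one way to check that a managed Firefox endpoint actually enforces the clear-on-close and private-browsing settings discussed above. It assumes Firefox's enterprise `policies.json` format (which postdates this article) rather than Windows Group Policy; the function name, the `audit_mode` parameter and the sample policy are constructed for illustration.

```python
import json

# Categories the article names: history, cookies, cached files, form entries.
REQUIRED = ("History", "Cookies", "Cache", "FormData")

def audit_firefox_policies(text, required=REQUIRED, audit_mode=False):
    """Return a list of findings for a Firefox policies.json document.

    audit_mode=True also expects private browsing to be disabled, matching
    the article's point about keeping user activity auditable.
    """
    policies = json.loads(text).get("policies", {})
    findings = []

    sanitize = policies.get("SanitizeOnShutdown")
    if sanitize is True:
        pass  # boolean form: everything is cleared when the browser closes
    elif isinstance(sanitize, dict):
        for name in required:
            if sanitize.get(name) is not True:
                findings.append(f"{name} is not cleared on shutdown")
        if sanitize.get("Locked") is False:
            findings.append("SanitizeOnShutdown is unlocked; users can change it")
    else:
        findings.append("SanitizeOnShutdown is not configured")

    if audit_mode and policies.get("DisablePrivateBrowsing") is not True:
        findings.append("Private browsing is still available to users")
    return findings

# Constructed sample: history and form data are cleared, cookies and cache
# are kept so favorite sites load faster, and the setting is left unlocked.
SAMPLE = """
{
  "policies": {
    "SanitizeOnShutdown": {
      "History": true,
      "FormData": true,
      "Cookies": false,
      "Locked": false
    }
  }
}
"""

if __name__ == "__main__":
    for finding in audit_firefox_policies(SAMPLE, audit_mode=True):
        print("FINDING:", finding)
```

Pass `required=("History",)` when cookies and cached files are deliberately kept, as in the "favorite sites" configuration mentioned earlier.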

This was last published in October 2011
