Managing an IE6 upgrade for browser security without SUS or WSUS

Security expert Michael Cobb explains how to upgrade from IE6 for browser security without using SUS or WSUS.

For a small enterprise, what's the best way to manage an IE6 upgrade process (to improve browser security) on several hundred endpoint machines when SUS/WSUS isn't an option?

You are certainly right to want to upgrade from Internet Explorer 6. Microsoft has issued a standing advisory warning companies and individuals to upgrade to Internet Explorer 8 for improved browser security. What's more, IE6 users won't be able to properly access the upcoming Web versions of Microsoft Office 2010 because Microsoft will only support IE7 and later. Also, as a consequence of the recent attacks against Google, which exploited vulnerabilities in IE6, it has been reported that Google will support only IE versions 7 and 8 on its Google Docs service and will start to phase out support for IE6 for Gmail and Google Calendar later this year.

I'm surprised that you don't use WSUS (Windows Server Update Services) to handle patch management and upgrades of your machines. It's free and centralizes the distribution of updates to computers on your network. Do you use Windows Automatic Update to deploy patches and upgrades instead? Any machines running IE6 on Windows XP, Windows Vista, Windows Server 2003, or Windows Server 2008 will have had a notification through Automatic Update about IE8 as either a "High-Priority" or "Important" update. IE8 will not automatically install on machines, and you may have prevented users from installing IE8 through Automatic Update by deploying the IE8 Blocker Toolkit through Group Policy.

To upgrade IE6 with or without the use of WSUS or Automatic Update, first test IE8 for compatibility with internal applications and sites. Testing is required because any kind of update can overwrite key files, disrupt existing software or change services or functions on which your system relies. A dedicated test environment, built from test computers or a virtualized IT infrastructure, may be a luxury you can't afford, but you should at least test the upgrade on a small group of machines before rolling it out to the rest of the company.

Every problem you find on these test machines is one less problem that you will hear about from your end users. But be sure to have a rollback and restore plan in place! By completing a test upgrade you can ensure a predictable rollout when IE8 is deployed. The rollout, manual or automated, can be used as an additional part of the testing process if it's done in stages. The initial rollout should be to groups of less critical machines, and if they perform as expected, you can continue with the rollout until all machines are updated. I would also check relevant Internet discussion newsgroups to find out about the issues others encountered when upgrading from IE6 to IE8. You certainly won't be the first administrator to perform such an upgrade, so take the time to learn from the mistakes and experiences of others.
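
Without WSUS reporting, the staged rollout described above needs its own inventory of which machines still run IE6 and which have the IE8 Blocker Toolkit flag set. The PowerShell sketch below is an added example, not part of the original answer; the host names, the list of critical machines and the output file name are constructed, and it assumes the Remote Registry service is reachable on each endpoint.

```powershell
# Added example: inventory IE versions and the IE8 blocker flag, then assign
# IE6 machines to rollout waves (less critical machines first).
$computers = 'TEST-PC01', 'TEST-PC02', 'ACCT-PC07'   # constructed sample host names
$critical  = @('ACCT-PC07')                          # assumed business-critical hosts

function Get-IEStatus {
    param([string]$ComputerName)
    $row = @{ Computer = $ComputerName; Version = $null; Blocked = $false; Error = $null }
    try {
        # Requires the Remote Registry service and admin rights on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $ie   = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
        # Key written by the IE8 Blocker Toolkit; DoNotAllowIE80 = 1 hides IE8
        # from Automatic Update on that machine.
        $blk  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer\Setup\8.0')
        if ($ie)  { $row.Version = $ie.GetValue('Version') }
        if ($blk) { $row.Blocked = ($blk.GetValue('DoNotAllowIE80') -eq 1) }
    } catch {
        # Unreachable machines stay in the report so they are not silently skipped.
        $row.Error = $_.Exception.Message
    } finally {
        if ($hklm) { $hklm.Close() }
    }
    New-Object PSObject -Property $row
}

$inventory = $computers | ForEach-Object { Get-IEStatus $_ }

# Wave 1: less critical IE6 machines. Wave 2: critical machines, upgraded only
# after wave 1 has performed as expected.
$plan = $inventory | Where-Object { $_.Version -like '6.*' } | ForEach-Object {
    $wave = if ($critical -contains $_.Computer) { 2 } else { 1 }
    $_ | Add-Member -MemberType NoteProperty -Name Wave -Value $wave -PassThru
}

$plan | Sort-Object Wave, Computer |
    Select-Object Computer, Version, Blocked, Wave |
    Export-Csv -Path 'ie6-rollout-plan.csv' -NoTypeInformation

# Machines that could not be queried need a manual check before the rollout.
$inventory | Where-Object { $_.Error } | Select-Object Computer, Error
```

Machines reported with `Blocked` set to true will not be offered IE8 through Automatic Update until the blocker value is cleared, so they need either that change or a direct install.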

This was last published in February 2010