Friday, July 31, 2009

Group policy extensions, msi installers, and Firefox

As I've mentioned previously, sometimes I blog when I don't understand something, and I use the blogging process to help me understand it.

One thing that I don't understand is some of the internal security workings underneath web browsers. As part of a discussion which I am not at liberty to disclose, two terms were thrown around: "group policy extensions" and "an official msi installer." I figured that I'd better educate myself about these (at least enough so that I can do some damage).

To understand group policy extensions, I need to understand group policy, which has been around for a while:

In Windows 2000 Group Policies define user and computer configurations for groups of users and computers. Group Policy settings are contained in a Group Policy Object (GPO) which is associated with selected Active Directory objects, such as sites, domains or organizational units (OUs).

Wikipedia included a layman's definition:

In other words, group policy in part controls what users can and can't do on a computer system.

So where is such a beast used?

Although group policy is more often seen in use in enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.

But what about the extension part? This might apply:

When a group policy is being processed on a Windows-based computer, client-side extensions are the components that interpret the stored policy and make the appropriate changes to the environment.

This is probably an appropriate time to explore msi installers. Of course, it would help if I knew what "msi" meant. PC Magazine told me:

(MicroSoft Installer)

More information is provided here:

The installer, which is available in Visual Studio and other stand-alone programs, compresses the application into .MSI "package" files, and the MSIEXEC.EXE program in the Windows PC performs the installation. Transform files (.MST) provide language translation and other dynamic changes at install time.

So how does this affect web browsers? Well, let's take a look at what is offered for Firefox - not from Mozilla, but from FrontMotion:

MSI installers for Mozilla Firefox! Useful for installing Firefox on a single computer for the home user or deploying across thousands of computers automatically with Microsoft's Active Directory. Use Firefox on your corporate computers to decrease virus incidents and increase overall security. Save time and frustration with our installer that is targeted toward the corporate IT administrator with manageability and upgradeability in mind. This is not just a wrapper around the exe installer nor is it another half baked 'captured' install. The files contained in this MSI are the official binaries.

But what about group policy?

FrontMotion Firefox Community Edition is a customized version of Firefox with the ability to lockdown settings through Active Directory using Administrative Templates. Similar to lockdown settings with mozilla.cfg on one computer, you can now use Administrative Templates to enforce settings across your organization. Use Firefox on your corporate computers to decrease virus incidents and increase overall security. Save time and frustration with our installer that is targeted toward the corporate IT administrator with manageability and upgradeability in mind.

Now when you start talking about packages, then you go to FrontMotion's Firefox Packaging Service:

This service is for people who need more functionality than the free Firefox MSI packages (more info). You can choose a Firefox version, a language and up to ten extensions. Press a button and in a few minutes you can download your customized package ready for deployment. It is fast, easy and inexpensive compared to any other packaging services.

So it sounds like a corporation can use the FrontMotion tools to control the deployment of Firefox throughout the organization. Yes, but some IT managers aren't convinced:

Don't specifically allow or officially support Firefox because it's an administrative nightmare in a large environment. Until there are officially supported GPO templates (supported by Microsoft or at least Mozilla) I won't do it. It's not enough to have some community developed templates, in a corporate environment I need guaranteed, documented support.

In addition, the same thread included concerns about depending upon FrontMotion itself:

FrontMotion looks like a one-man company, and it appears that FrontMotion releases packages anywhere from a few days to a few weeks behind the official mozilla release (compared the firefox wiki page and the FrontMotion front page dates).

I would also worry that something could happen (that one person's interest in the project wanes, they get sick/hit by a bus) and I would have x computers on my network with a version of firefox that has a massive security vulnerability while I would be scrambling to package something myself or find another deployment method.

Someone else posted a list of why FrontMotion wasn't an ideal solution:

1. I need WSUS, so I get IE patching as part of an existing system.

2. No official MSI

3. No official GPOs

4. FrontMotion releases lag way behind the official ones, in some cases they lag so long they miss point releases. They don't even manage to announce every release they make to their own mailing list.

5. I get reports on IE updates via WSUS, but I only have AD deployment for Firefox and get no reports on installation success and so have no oversight of the number of vulnerabilities out there.

6. The FrontMotion GPOs are incapable of setting defaults and not locking them out.

7. Certain Firefox settings are still controlled via .js files, which means now including scripting to roll them out; this eliminates the per-user method, and this means that it's useless for home workers who never get the computer scripts at startup.

8. And of course, not all the apps we use (either in-house or outside) support anything other than IE.
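The FrontMotion text above mentions locking down settings through mozilla.cfg, and item 6 in the list above complains that the FrontMotion templates can only lock a setting, not merely set a default that the user may still change. The difference is easiest to see in the AutoConfig file itself: a mozilla.cfg is a JavaScript file that Firefox evaluates at startup with functions such as defaultPref() and lockPref() in scope. The following is an added example, not code from this post, from Mozilla, or from FrontMotion: a small simulated preference store that implements those two functions the way Firefox treats them, then feeds it a constructed mozilla.cfg so the "default" and "locked" behaviours can be compared outside a browser. The preference names (browser.startup.homepage, network.proxy.type) are real Firefox preferences; the values and the PrefStore class are constructed for this illustration.

```javascript
// Simulated AutoConfig preference store (constructed for this example,
// not Mozilla code). It models what Firefox does with a mozilla.cfg:
//   defaultPref(name, value) - sets the default; a user may still change it
//   lockPref(name, value)    - sets the value and blocks user changes
//   unlockPref(name)         - removes the lock
class PrefStore {
  constructor() {
    this.defaults = new Map(); // administrator-supplied defaults
    this.user = new Map();     // values a user sets in about:config
    this.locked = new Set();   // preferences the user may not override
  }
  defaultPref(name, value) {
    this.defaults.set(name, value);
  }
  lockPref(name, value) {
    this.defaults.set(name, value);
    this.user.delete(name);    // an existing user value no longer applies
    this.locked.add(name);
  }
  unlockPref(name) {
    this.locked.delete(name);
  }
  // What a user attempt in about:config looks like; refused when locked.
  setUserPref(name, value) {
    if (this.locked.has(name)) return false;
    this.user.set(name, value);
    return true;
  }
  // Effective value: the user value wins over the default, as in Firefox.
  getPref(name) {
    return this.user.has(name) ? this.user.get(name) : this.defaults.get(name);
  }
  isLocked(name) {
    return this.locked.has(name);
  }
}

// Evaluate mozilla.cfg text as JavaScript with the AutoConfig functions
// bound to a store. Firefox does the equivalent at startup; the file must
// begin with a comment line, which Firefox skips.
function applyConfig(store, cfgText) {
  const run = new Function('defaultPref', 'lockPref', 'unlockPref', cfgText);
  run(store.defaultPref.bind(store),
      store.lockPref.bind(store),
      store.unlockPref.bind(store));
  return store;
}

// Constructed mozilla.cfg: one default the user may change, one locked value.
const SAMPLE_CFG = `// mozilla.cfg must begin with a comment line
// A default: the organisation's start page, but the user may pick another.
defaultPref("browser.startup.homepage", "https://intranet.example.invalid/");
// A lockdown: manual proxy configuration that the user cannot switch off.
lockPref("network.proxy.type", 1);
`;

// Apply the config, then simulate a user trying to change both settings.
function demo() {
  const store = applyConfig(new PrefStore(), SAMPLE_CFG);
  const homepageChanged = store.setUserPref('browser.startup.homepage',
                                            'https://example.invalid/');
  const proxyChanged = store.setUserPref('network.proxy.type', 0);
  return {
    homepageChanged,                                     // true: default overridden
    homepage: store.getPref('browser.startup.homepage'), // the user's choice
    proxyChanged,                                        // false: locked
    proxyType: store.getPref('network.proxy.type'),      // still 1
    proxyLocked: store.isLocked('network.proxy.type'),   // true
  };
}

console.log(demo());
```

A policy template that only emits lockPref() lines gives an administrator the second behaviour for every setting it manages, which is exactly the objection in item 6: a site that wants to ship a sensible start page or proxy default while still letting users adjust it needs the defaultPref() form as well.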

I'll grant that I don't have the technical knowledge to evaluate these claims - generally, when you have only just learned what "msi" stands for, you probably don't have the technical knowledge to evaluate these claims - but it sounds like the issues can be boiled down as follows:

  • Finger-pointing. One advantage of Microsoft the near-monopolist is that you only have to go to one entity for support in many cases. If you want to manage Internet Explorer on a Windows network, you should (at least theoretically) just dial up Redmond and get help. Compare this to the people who are using FrontMotion to deploy a Mozilla browser on the Windows operating system; things can potentially get a little sticky.

  • Dealing with a "real company." Now the argument can certainly be made that small firms are more agile than large firms, and that open source software can be better supported than proprietary software, but those arguments may not penetrate the corporate boardroom. I personally have dealt with a one-person company before, and I can attest that problems can occur even if the one person is passionate about what he or she does. There will be many companies that will opt for the less risky Microsoft solution.

So if you're in Dilbert cubicle world, and you're wondering why the idiots in IT won't let you use the latest kewl warez, or even the latest solid tech offerings, the IT people have their reasons.