Do you remember the Microsoft security crisis of 2002-2004? I certainly do. I was an engineer on the Windows & Internet Explorer team at the time. It seemed like every day on my drive into work, I’d hear a new story on the radio about how some flaw in IE or Windows was being exploited. A key component of Microsoft’s engineering response to the crisis was to deliver Windows XP Service Pack 2, commonly called “XPSP2”, which we shipped in August 2004 and which was designed to tighten considerably the security of Microsoft’s flagship product.
During the development of XPSP2, as we came up with new ways to protect our users from hackers, we realized some of our security features would undoubtedly have an impact on web-based application compatibility. The last thing we wanted was for legitimate line-of-business applications to suffer due to some new security restriction, but the pressure Microsoft was facing from customers, press and governments around the world to deliver a more secure version of Windows (and the browser it included) dictated making some hard choices. Ultimately we shipped the product with a way for customers to opt out of new security features for the sake of compatibility. The security features were turned on by default, but customers who needed to could toggle the new secure behavior off through a registry key. These toggles are called FEATURE CONTROL KEYS, or FCKs for short.
The way Microsoft implemented them, FCKs are global to the IE browser: when you turn one of them on or off, you turn that feature on or off for the browser no matter where the user is browsing. Unfortunately, this means you have to compromise: your old application might now run in the newer browser, but that useful security feature is now OFF even when the user is browsing the Internet.
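The following added example, which is not from the original post or from Ion, audits a registry export for protections that have been switched off globally in this way. The registry path under `Internet Explorer\Main\FeatureControl`, the `*` value name and the feature names come from Microsoft's feature control documentation rather than from this post; the sample export is constructed.

```python
import re

# XPSP2-era protections where 1 means "on" (names from Microsoft's docs, not this post).
SECURITY_FEATURES = {
    "FEATURE_LOCALMACHINE_LOCKDOWN", "FEATURE_MIME_HANDLING", "FEATURE_MIME_SNIFFING",
    "FEATURE_OBJECT_CACHING", "FEATURE_WINDOW_RESTRICTIONS", "FEATURE_ZONE_ELEVATION",
}
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\.*\\Internet Explorer\\Main\\FeatureControl\\(FEATURE_\w+)\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def disabled_protections(reg_text, process="iexplore.exe"):
    """Return sorted (hive, feature, value_name) tuples where a listed protection
    is set to 0 for `process` or for the '*' (all processes) value."""
    findings, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1).upper(), m.group(2).upper())
        elif line.startswith("["):
            current = None  # a key outside FeatureControl; skip its values
        elif current and current[1] in SECURITY_FEATURES:
            v = VALUE_RE.match(line)
            if v and v.group(1).lower() in (process.lower(), "*") and int(v.group(2), 16) == 0:
                findings.add(current + (v.group(1).lower(),))
    return sorted(findings)

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
"iexplore.exe"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
"*"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe"=dword:00000000
"""

if __name__ == "__main__":
    for hive, feature, name in disabled_protections(SAMPLE):
        print(f"{hive}: {feature} is off for {name}")
```

Files written by `reg export` are UTF-16, so decode them before passing the text in. Keys outside the listed set, such as `FEATURE_BROWSER_EMULATION`, are ignored because their values are not simple on/off protections.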
This is where Ion comes in: we’ve added an explicit way that you can toggle all of Microsoft’s official FCKs on and off, but do so on a per-profile basis. That is to say, you can turn off those features just for your line-of-business web application and keep them on everywhere else. Once again, Ion provides the best of both worlds: compatibility and security!
There are a surprising number of FCKs available to you: over 50 through IE9 (Microsoft has not yet made any public announcements about what new FCKs may be added in IE10). All of these are available through Ion’s Configuration Manager (via the Feature Control Feature). Here’s a screenshot showing a partial list of all the FCKs we allow you to manage through Ion:
FCKs are a useful way for your enterprise to achieve compatibility – and with Ion, they’re also a great way to maintain the security you want for your network.
I’ve written a KB article titled “Using the Feature Control Manager in Ion” that walks through what these keys are and how you can manage them in Ion. It’s now live at our Browsium support site.
Finally, FCKs aren’t the only way you can alter IE’s feature set and security profile: there are a variety of other registry settings you can modify to change the way IE works, and Ion exposes those to you too. But more on that in a future blog post.
Thanks for reading,
-Christopher