SonicAlert: Microsoft Windows OS HTTP User-Agents (1/29/2016)

Microsoft Windows™ OS HTTP User-Agents

This SonicAlert article presents some telemetry data regarding the relative occurrence of the various Microsoft Windows™ operating systems in use behind Dell SonicWALL firewalls.

What is an HTTP User-Agent?

Broadly speaking, a User-Agent is any software client program that makes web requests to a web server using the HTTP Protocol. The HTTP Protocol is a set of guidelines for how clients and servers should communicate. One of the Headers specified by the HTTP Protocol is the User-Agent (UA) string. This is a string sent by the client program to identify itself to the web server. Here is an example screenshot showing the break-down of a web request from a WIN8.1 OS with Internet Explorer 11.0 (IE11.0) to a site called WhatIsMyBrowser.com

Over time various conventions regarding the format of the string have been adopted by web clients which have resulted in unexpected parts. For example most UA strings for Windows begin with “Mozilla”. I am sure there is an interesting story there, but I won’t go into it. There are other interesting aspects to the UA string. Most Microsoft Windows™ web browsers will send along both the version of the operating system, as well as the version of the web browser. This information is useful to the web server so that it can serve web pages using HTML that won’t break the browser. (The history of web browsers is littered with all kinds of browser quirks–intentional, and un-.)

The following image shows what the HTTP Request looks like over HTTP Protocol, as sent from a WIN7 (NT 6.1) OS using IE10.0:

Which version of Microsoft Windows™ is most common?

The data in the chart below is telemetry data from our Dell SonicWALL firewalls. The data shows the relative number of “hits” for different Microsoft Windows™ Operating Systems (OSes) by measuring the occurrences of hits for our various Application Control signatures for “HTTP User-Agent” signatures.

The most obvious observation about this data is that Windows 7 (in purple plot line) appears to be the most common version of Microsoft Windows™ that we see by a huge margin. (This is probably acurate but one caveat to the data. The data counts a “hit” for every web request made by the client program. Some web browsers may be more “chatty” than other versions which will skew the results towards making that version seem more commom.) Other trends you can just make out in the chart are the rise of WIN8 (grey) and WIN8.1 (orange), and the slow long decline of WINXP (blue).

As a Security Admin, Why Should I Care?

With access to a Dell SonicWALL firewall, you as a Security Administrator can use the logging facility to analyze Application Control signatures for “HTTP User-Agent” (application) to make an assessment of which versions of Microsoft Windows™ are active on your network. From this analysis you can identify the presence of older, unsupported versions like WINXP, VISTA, WINNT that are end-of-life, or nearing so, and replace these systems for more secure versions.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.