Re: [Full-Disclosure] Keeping IE up to date on a Windows Server
- To: petard <petard@xxxxxxxxxxxxxxxx>, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Keeping IE up to date on a Windows Server
- From: Jeremiah Cornelius <jeremiah@xxxxxxx>
- Date: Thu, 11 Sep 2003 10:26:46 -0700
On Thursday 11 September 2003 08:54, petard wrote:
> On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote:
> > (And, if you cannot trust your admins to not surf the web from your
> > servers (or don't know), why not limit their access to iexplore.exe and
> > audit all changes to this file, its ACLs, etc? After all, it is little
> > more than a window manager providing displays for the output of the
> > various *ML parsers, "security" and script engines, etc, etc that are
> > implemented in a bunch of DLLs and ActiveX controls and whose use by
> > other processes should be unaffected by the permissions set on the IE
> > executable itself...)
>
> That's a useless precaution. Start explorer.exe and type a url
> into the location bar. iexplore.exe is never touched. If you can't
> trust admins not to surf from your servers, suggest to them that
> they need to choose another line of work.
>

IMNSHO, servers should not be able to connect via arbitrary protocols to
arbitrary net destinations. To allow this means they are no longer trusted
hosts, and are instead Internet relays. This is why there is internal
firewalling.

You want updates? Pull 'em once to a staging server, designed for this role -
then push/pull to your trusted machines.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html