[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] IE is just as safe as FireFox
- To: joe <mvp@xxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
- From: Raoul Nakhmanson-Kulish <raoul@xxxxxxxxxxxxx>
- Date: Mon, 22 Nov 2004 12:43:17 +0300
Hello, joe!
Autoconfig script may enumerate hosts which don't require a proxy.
Usually there are a very few intranet servers in corporate network.
You should have prefixed "there are very few... " with one of two things
1. Relative to the internet...
2. In my experience...
I said "usually". What's a habit to pick on words? :(
I have been on several large corporate networks where there are hundreds or
thousands of intranet web servers hosting tens of thousands of sites. Many
large enterprise class companies are moving whole hog to web based apps
internally (even email) and all available content is on the internal web.
IMHO, right policy in this point should be reducing number of intranet
servers to minimally sensible value. This is a simple reason: the
smaller web server amount the easier administration and less security
risks. Clusters is solution of bottleneck problems. I think, 1-3 web
servers (possibly clustered) for territorial subdivision and 3-5 in head
office is enough for all tasks in corpotation which isn't listed in
Forbes Top 500 :)
Anyway, you can specify an unlimited amount of non-proxied servers in
autoconfiguration script. More, you may modify autoconfig rules as
frequently as needed, or even do it automatically.
This is actually the area where IE is so strongly embedded due to its
application interfaces and what MS has been building towards for so long
with it.
Examples? Outlook Web Access works fine with Mozilla, Lotus iNotes too.
Probably, some on-knee-assembled applications using a lot of dubious
ActiveXes will not work, but company-wide Firefox installation is a good
occasion to redesign them or switch to another product.
There are companies whose primary LOB applications internally are on IIS
servers and can only be accessed with IE.
FF/Win32 supports SSPI since 1.0PR, and thus I don't expect big problems
with IIS.
I wouldn't really call that a worm. Worms work without interaction. They are
self-propagating/replicating. Malware that spreads that requires user
interaction would generally just be called a virus.
Any malware suited in Local Intranet zone is more dangerous than in
untrusted zone. Using browser without this "feature" is a good point anyway.
Furthermore, I would suggest you to deny any HTTP access to all LAN
hosts generally, of course, except known intranet servers. This
"feature" doesn't make sense at all and leads only to risks. A correctly
configurated proxy should do it.
--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd.,
ERP Department
http://www.elforsoft.ru/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html