Full Disclosure mailing list archives

Re: Keeping IE up to date on a Windows Server


From: Jeremiah Cornelius <jeremiah () nur net>
Date: Thu, 11 Sep 2003 10:26:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 11 September 2003 08:54, petard wrote:
> On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote:
> > (And, if you cannot trust your admins to not surf the web from your
> > servers (or don't know), why not limit their access to iexplore.exe and
> > audit all changes to this file, its ACLs, etc?  After all, it is little
> > more than a window manager providing displays for the output of the
> > various *ML parsers, "security" and script engines, etc, etc that are
> > implemented in a bunch of DLLs and ActiveX controls and whose use by
> > other processes should be unaffected by the permissions set on the IE
> > executable itself...)
>
> That's a useless precaution. Start explorer.exe and type a url
> into the location bar. iexplore.exe is never touched. If you can't
> trust admins not to surf from your servers, suggest to them that
> they need to choose another line of work.


IMNSHO, Servers should not be able to connect via arbitrary protocols, to 
arbitrary net destinations.  To allow this means they are no longer trusted 
hosts, and are instead Internet relays. - This is why there is internal 
firewalling.

You want updates?  Pull 'em once to a staging server, designed for this role - 
then push/pull to your trusted machines.



 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/YLBfJi2cv3XsiSARAhCjAJ4sbNtzzdMCIJ4VVDJ0SNBxKJ3x7QCbB6gC
wOmvPLKUY0pRqmcLfDgXbjM=
=UshP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

