| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jeremiah at nur.net (Jeremiah Cornelius) Subject: Keeping IE up to date on a Windows Server -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 11 September 2003 08:54, petard wrote: > On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote: > > (And, if you cannot trust your admins to not surf the web from your > > servers (or don't know), why not limit their access to iexplore.exe and > > audit all changes to this file, its ACLs, etc? After all, it is little > > more than a window manager providing displays for the output of the > > various *ML parsers, "security" and script engines, etc, etc that are > > implemented in a bunch of DLLs and ActiveX controls and whose use by > > other processes should be unaffected by the permissions set on the IE > > executable itself...) > > That's a useless precaution. Start explorer.exe and type a url > into the location bar. iexplore.exe is never touched. If you can't > trust admins not to surf from your servers, suggest to them that > they need to choose another line of work. > IMNSHO, Servers should not be able to connect via arbitrary protocols, to arbitrary net destinations. To allow this means they are no longer trusted hosts, and are instead Internet relays. - This is why there is internal firewalling. You want updates? Pull 'em once to a staging server, designed for this role - then push/pull to your trusted machines. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/YLBfJi2cv3XsiSARAhCjAJ4sbNtzzdMCIJ4VVDJ0SNBxKJ3x7QCbB6gC wOmvPLKUY0pRqmcLfDgXbjM= =UshP -----END PGP SIGNATURE-----
Powered by blists - more mailing lists