Message-ID: <Pine.NEB.4.56.0309112053490.24497@panix2.panix.com>
From: jays at panix.com (Jay Sulzberger)
Subject: Keeping IE up to date on a Windows Server


On Thu, 11 Sep 2003, Jeremiah Cornelius wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 11 September 2003 08:54, petard wrote:
> > On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote:
> > > (And, if you cannot trust your admins to not surf the web from your
> > > servers (or don't know), why not limit their access to iexplore.exe and
> > > audit all changes to this file, its ACLs, etc?  After all, it is little
> > > more than a window manager providing displays for the output of the
> > > various *ML parsers, "security" and script engines, etc, etc that are
> > > implemented in a bunch of DLLs and ActiveX controls and whose use by
> > > other processes should be unaffected by the permissions set on the IE
> > > executable itself...)
> >
> > That's a useless precaution. Start explorer.exe and type a url
> > into the location bar. iexplore.exe is never touched. If you can't
> > trust admins not to surf from your servers, suggest to them that
> > they need to choose another line of work.
> >
>
> IMNSHO, Servers should not be able to connect via arbitrary protocols, to
> arbitrary net destinations.  To allow this means they are no longer trusted
> hosts, and are instead Internet relays. - This is why there is internal
> firewalling.
>
> You want updates?  Pull 'em once to a staging server, designed for this role -
> then push/pull to your trusted machines.

Yes, of course.  And this is important.

oo--JS.

