| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jays at panix.com (Jay Sulzberger) Subject: Keeping IE up to date on a Windows Server On Thu, 11 Sep 2003, Jeremiah Cornelius wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Thursday 11 September 2003 08:54, petard wrote: > > On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote: > > > (And, if you cannot trust your admins to not surf the web from your > > > servers (or don't know), why not limit their access to iexplore.exe and > > > audit all changes to this file, its ACLs, etc? After all, it is little > > > more than a window manager providing displays for the output of the > > > various *ML parsers, "security" and script engines, etc, etc that are > > > implemented in a bunch of DLLs and ActiveX controls and whose use by > > > other processes should be unaffected by the permissions set on the IE > > > executable itself...) > > > > That's a useless precaution. Start explorer.exe and type a url > > into the location bar. iexplore.exe is never touched. If you can't > > trust admins not to surf from your servers, suggest to them that > > they need to choose another line of work. > > > > IMNSHO, Servers should not be able to connect via arbitrary protocols, to > arbitrary net destinations. To allow this means they are no longer trusted > hosts, and are instead Internet relays. - This is why there is internal > firewalling. > > You want updates? Pull 'em once to a staging server, designed for this role - > then push/pull to your trusted machines. Yes, of course. And this is important. oo--JS.
Powered by blists - more mailing lists