Full Disclosure mailing list archives

Re: Keeping IE up to date on a Windows Server
From: Jay Sulzberger <jays () panix com>
Date: Thu, 11 Sep 2003 20:54:44 -0400 (EDT)



On Thu, 11 Sep 2003, Jeremiah Cornelius wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 11 September 2003 08:54, petard wrote:
> > On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote:
> > > (And, if you cannot trust your admins to not surf the web from your
> > > servers (or don't know), why not limit their access to iexplore.exe and
> > > audit all changes to this file, its ACLs, etc?  After all, it is little
> > > more than a window manager providing displays for the output of the
> > > various *ML parsers, "security" and script engines, etc, etc that are
> > > implemented in a bunch of DLLs and ActiveX controls and whose use by
> > > other processes should be unaffected by the permissions set on the IE
> > > executable itself...)
> >
> > That's a useless precaution. Start explorer.exe and type a url
> > into the location bar. iexplore.exe is never touched. If you can't
> > trust admins not to surf from your servers, suggest to them that
> > they need to choose another line of work.
>
> IMNSHO, Servers should not be able to connect via arbitrary protocols, to
> arbitrary net destinations.  To allow this means they are no longer trusted
> hosts, and are instead Internet relays. - This is why there is internal
> firewalling.
>
> You want updates?  Pull 'em once to a staging server, designed for this role -
> then push/pull to your trusted machines.

Yes, of course.  And this is important.

oo--JS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

