On Thursday 11 September 2003 08:54, petard wrote:
> On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote:
> > (And, if you cannot trust your admins to not surf the web from your
> > servers (or don't know), why not limit their access to iexplore.exe and
> > audit all changes to this file, its ACLs, etc? After all, it is little
> > more than a window manager providing displays for the output of the
> > various *ML parsers, "security" and script engines, etc, etc that are
> > implemented in a bunch of DLLs and ActiveX controls and whose use by
> > other processes should be unaffected by the permissions set on the IE
> > executable itself...)
>
> That's a useless precaution. Start explorer.exe and type a url
> into the location bar. iexplore.exe is never touched. If you can't
> trust admins not to surf from your servers, suggest to them that
> they need to choose another line of work.
>

IMNSHO, Servers should not be able to connect via arbitrary protocols, to arbitrary net destinations. To allow this means they are no longer trusted hosts, and are instead Internet relays. - This is why there is internal firewalling.

You want updates? Pull 'em once to a staging server, designed for this role - then push/pull to your trusted machines.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
