On Thu, 11 Sep 2003, Jeremiah Cornelius wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 11 September 2003 08:54, petard wrote:
> > On Fri, Sep 12, 2003 at 12:05:46AM +1200, Nick FitzGerald wrote:
> > > (And, if you cannot trust your admins to not surf the web from your
> > > servers (or don't know), why not limit their access to iexplore.exe and
> > > audit all changes to this file, its ACLs, etc? After all, it is little
> > > more than a window manager providing displays for the output of the
> > > various *ML parsers, "security" and script engines, etc, etc that are
> > > implemented in a bunch of DLLs and ActiveX controls and whose use by
> > > other processes should be unaffected by the permissions set on the IE
> > > executable itself...)
> >
> > That's a useless precaution. Start explorer.exe and type a url
> > into the location bar. iexplore.exe is never touched. If you can't
> > trust admins not to surf from your servers, suggest to them that
> > they need to choose another line of work.
> >
>
> IMNSHO, Servers should not be able to connect via arbitrary protocols, to
> arbitrary net destinations. To allow this means they are no longer trusted
> hosts, and are instead Internet relays. - This is why there is internal
> firewalling.
>
> You want updates? Pull 'em once to a staging server, designed for this role -
> then push/pull to your trusted machines.

Yes, of course. And this is important.

oo--JS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
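The egress policy Jeremiah describes (trusted servers reach only the staging host, and only the staging host pulls from the outside), as an added example that is not part of the thread: a Python check over constructed firewall log lines that flags any outbound connection the policy does not allow. The server subnet, staging address, vendor mirror address and log format are all assumptions made for this example.

```python
# Added example, not from the thread: flag egress that violates a
# "servers -> staging only, staging -> update mirror only" policy.
# Every address, subnet and the log line format below is an assumption.
import ipaddress
import re

SERVER_NET = ipaddress.ip_network("10.0.1.0/24")         # assumed trusted server subnet
STAGING = ipaddress.ip_address("10.0.2.10")              # assumed staging/update host
UPDATE_SOURCE = ipaddress.ip_address("198.51.100.5")     # assumed vendor mirror (doc range)

# Permitted egress as (source role, destination, TCP port). Anything else
# originating from a trusted host is a policy violation.
ALLOWED = {
    ("server", STAGING, 443),        # servers pull updates from staging
    ("staging", UPDATE_SOURCE, 443), # staging pulls once from the vendor
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")  # assumed log format


def classify_host(ip):
    """Map a source address to its role in the policy."""
    if ip == STAGING:
        return "staging"
    if ip in SERVER_NET:
        return "server"
    return "other"


def egress_violations(log_lines):
    """Return the log lines whose (source role, dst, port) is not allowlisted."""
    bad = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a real checker would count these
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        port = int(m.group(3))
        role = classify_host(src)
        if role != "other" and (role, dst, port) not in ALLOWED:
            bad.append(line)
    return bad


SAMPLE_LOG = [  # constructed sample lines
    "ACCEPT src=10.0.1.5 dst=10.0.2.10 dport=443",      # server -> staging: ok
    "ACCEPT src=10.0.2.10 dst=198.51.100.5 dport=443",  # staging -> vendor: ok
    "ACCEPT src=10.0.1.5 dst=203.0.113.7 dport=80",     # server surfing the web: violation
    "ACCEPT src=10.0.1.9 dst=203.0.113.8 dport=443",    # server -> arbitrary host: violation
]

if __name__ == "__main__":
    for line in egress_violations(SAMPLE_LOG):
        print("VIOLATION:", line)
```

Only connections that are permitted by the allowlist pass; a server talking to anything but the staging host is reported even if the firewall itself accepted it.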
