Dude, so right. We have a CSI team now. If you suggest any improvements to 
them, they go off and get together to decide the idea's fate ... then after 
they give it the go ahead you can guarantee you'll be rewarded with your 
fantastic ideas by having to do the work yourself. That's on top of the day job.


________________________________
From: [email protected] [[email protected]] on behalf 
of John Aubrey [[email protected]]
Sent: 11 August 2014 20:39
To: '[email protected]'
Subject: RE: [mssms] RE: Internet Explorer & ActiveX

Agreed.  I interned at a big company.  I only did a tiny aspect of IT.  Working 
for a smaller company you really have to figure stuff out.  Typically there 
isn’t a go to person to fall back on.  I have learned, if you question it, it 
is now your project.  Most of the time I keep my mouth shut.


From: [email protected] [mailto:[email protected]] On 
Behalf Of Todd Hemsell
Sent: Monday, August 11, 2014 3:17 PM
To: [email protected]
Subject: Re: [mssms] RE: Internet Explorer & ActiveX

I love jobs like that, you learn SO much.

On Mon, Aug 11, 2014 at 2:00 PM, John Aubrey <[email protected]> wrote:
Right now I am help desk, application guy, and system admin guy since a few 
people left and one moved to a different role. Not many others have input in a 
decision like this.  The ones that do don't really care much for anything 
security related.  5 years ago when I started, there were no Windows updates 
pushed, and everyone had local admin rights.  It's been a long uphill fight. 
After a few incidents that could have been prevented, we have moved more 
preventive than reactive.  We are much safer today than we were before.  I 
think of this as another place to secure up.

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of Stephen Murley
Sent: Monday, August 11, 2014 2:10 PM
To: [email protected]
Subject: [mssms] RE: Internet Explorer & ActiveX

The other thing to remember is ... it's not us IT bods that call the shots in 
every location. If we could just simply keep everything up-to-date we would but 
when your IT department is stretched, it's hard to prove to the powers that be 
that you need extra resource to keep on top of something that they don't see 
any tangible evidence of being a problem. We just need a high profile person to 
get hacked due to JRE and hey presto we'll find that extra resource!!

________________________________
From: [email protected] [[email protected]] on 
behalf of Nash Pherson [[email protected]]
Sent: 11 August 2014 18:48
To: [email protected]
Subject: [mssms] RE: Internet Explorer & ActiveX

> How are you guys going to handle this?

Your options are "Patch It or Pitch It" 
(http://krebsonsecurity.com/2014/07/java-update-patch-it-or-pitch-it/) as 
Brian Krebs put it.

If you can't do either, you need to have some other significant control in 
place like not allowing these devices to have internet access.  If a user needs 
an outdated Java for one or two apps, give them a link to a Remote Desktop or 
Remote Presentation instance of a browser with outdated Java, but that remote 
system must only have access to the website that needed the outdated link.

While I'm sure lots of IT admins will have excuses, they are all solvable 
problems as long as someone starts actually working on them.  The GPO option 
should only ever be used as a last ditch effort to buy time for a fix to be put 
in place.  Don't enable that GPO until there is a clear plan with deadlines on 
how you will disable it.  It's time to stop kicking the can down the road.


>We don't have any real business use for Java or flash.

Removing it may make users unhappy since there is so much Flash content out on 
the web.  You can turn on Flash's auto update so that it does it silently in 
the background on systems.  This means users get what they want, systems stay 
secure, and you don't have to manage anything.

But, don't forget about Shockwave...  Shockwave embeds its own version of Flash 
that is up to 18 months out of date 
(http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/). 
This means there really isn't a secure way to have Shockwave.  Luckily, very 
little web content still uses it and you could likely get away with removing it 
from the enterprise.  If you do have a business need for it, you should 
consider the same strategy as with Java of using locked down remote desktops or 
remote presentation to give access to the offending business app.


I hope that helps,


Nash

Nash Pherson
Senior Systems Consultant
Now Micro
[email protected]
Desk:     651-796-1168
Cell:       507-304-0946

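A defender-side posture check for the GPO and the plugins Nash discusses above, added here as an example that is not part of the thread; the registry paths and the VersionCheckEnabled value name are the editor's assumptions about where Windows and IE store these settings, not values quoted by anyone in the thread.

```powershell
# Added example (not from the thread): report whether the "turn off blocking of
# outdated ActiveX controls" policy is in force, and inventory Java/Flash/Shockwave.
# Registry locations are assumptions, not taken from the mailing-list messages.

function Get-IEActiveXBlockingPolicy {
    # Assumed: the policy writes VersionCheckEnabled under VersionManager;
    # 0 means out-of-date ActiveX blocking has been switched off by GPO.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\VersionManager',
        'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\VersionManager'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name VersionCheckEnabled -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Path = $p; VersionCheckEnabled = $v.VersionCheckEnabled }
        }
    }
    return $null   # no policy present: IE's default (blocking on) applies
}

function Get-LegacyPluginInventory {
    # Enumerate installed Java, Flash and Shockwave from both 32- and 64-bit Uninstall views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Adobe Flash Player|Adobe Shockwave' } |
        Select-Object DisplayName, DisplayVersion, InstallDate |
        Sort-Object DisplayName -Unique
}

$policy = Get-IEActiveXBlockingPolicy
if ($policy -and $policy.VersionCheckEnabled -eq 0) {
    Write-Warning "Out-of-date ActiveX blocking is DISABLED by policy at $($policy.Path); set a deadline to remove it."
} else {
    Write-Output 'Out-of-date ActiveX blocking is not disabled by policy.'
}
Get-LegacyPluginInventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell on a representative workstation; an empty inventory plus no policy override is the end state the advice above is aiming for.
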
-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of John Aubrey
Sent: Monday, August 11, 2014 12:31 PM
To: '[email protected]'
Subject: [mssms] RE: Internet Explorer & ActiveX

How are you guys going to handle this?  The two most logical answers are keep 
java up to date or disable this via GPO.  I think I'm going to give it a try to 
keep everything up to date, but am going to keep the GPO ready as well.  We 
don't have any real business use for Java or flash.

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of Stephen Murley
Sent: Saturday, August 9, 2014 2:17 PM
To: [email protected]
Subject: [mssms] Internet Explorer & ActiveX

Just in case anyone has missed the news:

http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx


________________________________
[http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>

This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, Plymouth University accepts no responsibility for viruses and it is your 
responsibility to scan emails and their attachments. Plymouth University does 
not accept responsibility for any changes made after it was sent. Nothing in 
this email or its attachments constitutes an order for goods or services unless 
accompanied by an official order form.
