By disabling "ActiveX", you'll be telling your users they can only have a limited experience (HTML, graphics, scripting) with IE. Not completely unsound, but most users will revolt. Disable all ActiveX and then surf. You'll not be able to read most popular web sites. It won't load Flash, RealPlayer, Windows Media Player, or most other plug-ins or Helper Applications. This does decrease your risk of exploitation, but will your users even listen to you?
How will you stop them from loading ActiveX controls? There are ways (IEAK, Software Restriction Policies, registry edits), but it certainly won't be as easy as telling your users not to do it. They will do it. They don't have an understanding of what ActiveX is or the security risks. It's not like the Flash program (or Adobe Acrobat, etc.) download that they will be prompted to install says, "I'm an ActiveX control, does your almost-all-knowing-demi-god-like network administrator allow you to install ActiveX controls?" And do you really want to limit the functionality of their browser so they are cussing you all the time?

If security is really that essential on your network, remove any browser and any email client off their workstations. Too much risk. Want to use another browser that doesn't accept ActiveX controls? Again, you'll be limiting the user's browsing experience, and in any case, malicious scripting is capable of doing many, many things without ActiveX involved at all. Are you going to disable all browser scripting languages and leave them to pure HTML? Since I can send malicious PDF and graphic pictures, are you going to disable downloading graphics? And if so, how? What about Java applets? Secure? Nope. Java's been hacked dozens of times.

You sound like someone new to this whole process. Unless you have your administrative ducks in a row, you won't be able to stop your users from installing whatever they want. How will you prevent them from installing your "illegal" apps? How will you detect when they install them anyway? The point is that you need to support the applications your users want/need, and then it's your job to secure them to the best of your ability. If you insist on your grand plan, come back in six months and tell me how successful you were...and be honest.

Roger

Roger A. Grimes, Computer Security Consultant
CPA, MCSE (NT/2000), CNE (3/4), A+
Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
http://www.oreilly.com/catalog/malmobcode

----- Original Message -----
From: "Chris Berry"
Sent: Monday, June 30, 2003 6:58 PM
Subject: Re: Ten least secure programs

> I've since added rsh and activeX.
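An added example, not part of Roger's message or the thread: a read-only PowerShell audit of the Internet-zone ActiveX settings that the "registry edits" option above refers to, so an admin can check what a workstation actually enforces before (or after) trying to lock it down. The zone key path, the action value IDs (1001, 1004, 1200, 1201) and the Security_HKLM_only policy value are assumptions taken from Microsoft's documented Internet Settings zone layout (KB 182569); the message itself names no keys.

```powershell
# Added example (not from the original message). Reads the per-user Internet Explorer
# security zone settings and reports whether ActiveX is disabled in the Internet zone.
# Assumption: Microsoft's documented zone layout (KB 182569), where zone 3 is "Internet"
# and the action DWORDs below govern ActiveX; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action value IDs and their names as shown in the IE "Security Settings" dialog (assumed).
$ActiveXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    param([string]$Path = $ZonePath)
    if (-not (Test-Path $Path)) {
        Write-Warning "Zone key not found: $Path"
        return
    }
    $zone = Get-ItemProperty -Path $Path
    foreach ($id in ($ActiveXActions.Keys | Sort-Object)) {
        $raw = $zone.$id
        # A missing value means the IE built-in default for the zone applies, which is
        # not a hardened setting and should be reported as such rather than as "Disable".
        $state = if ($null -eq $raw) { 'Not set (IE default)' }
                 elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Action   = $ActiveXActions[$id]
            ValueId  = $id
            State    = $state
            Hardened = ($raw -eq 3)
        }
    }
}

# Caveat: per-user (HKCU) zone values are what IE honours unless the policy value
# Security_HKLM_only is set, in which case the machine-wide (HKLM) zone values win.
$policy = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Host 'Security_HKLM_only is set: audit the HKLM zone key instead of HKCU.'
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
```

Run it as the user whose browser you are checking; a row with State "Enable" or "Not set" on 1200 means ActiveX still runs in the Internet zone regardless of what the user was told.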