From: "Roger A. Grimes" <[EMAIL PROTECTED]>
By disabling "ActiveX", you'll be telling your users they can only have a limited experience (HTML, graphics, scripting) with IE. Not completely unsound, but most users will revolt.
Then the revolution will be crushed without mercy. Just like when we implemented site restrictions, although that one wasn't my idea.
Disable all ActiveX and then surf. You'll not be able to read most popular web sites.
Ahhum....BullS***
It won't load Flash, RealPlayer, Windows Media Player, or most other plug-ins or Helper
Applications.
Good, 95% of these have no legitimate business application anyways, and if they do I can enable them for that user.
This does decrease your risk of exploitation, but will your users even listen to you?
This isn't an issue, restrictions such as this must be enforced by technology not policy.
How will you stop them from loading ActiveX controls? There are ways (IEAK,
Software Restriction Policies, registry edits), but it certainly won't be as
easy as telling your users not to do it.
True, but no one said life as an Admin was easy.
If security is really that essential on your network, remove any browser and any email client off their workstations. Too much risk.
Too drastic, will never be approved by management.
Want to use another browser that doesn't accept ActiveX controls?
Too unstandardized, won't cover all situations.
What about Java applets? Secure? Nope. Java's been hacked dozens of times.
Too pervasive, can't restrict it.
You sound like someone new to this whole process. Unless you have your administrative ducks in a row, you won't be able to stop your users from installing whatever they want. How will you prevent them from installing your "illegal" apps? How will you detect when they install them anyways?
Actually it's fairly easy using a combination of ACLs and a network wide software scanning system.
The point is that you need to support the applications your users want/need,
Need yes, want, only if it fits within the rest of our business model.
and then it's your job to secure them to the best of your ability.
True
If you insist on your grand plan, come back in six months and tell me how successful you were...and be honest.
Been working on it since DEC 2001 when I got hired here. Would you believe they had everyone using the same password and 50% of the employees were in the domain admins group? My policy is to lock it down till they start screaming bloody murder, then back off just a little. You have to do this slowly though or it interferes with business processes, and that's not allowed.
Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates
"Encrypt everything, and ask questions later."