Er, I could be totally off base here, but when I use Mozilla or Firebird on Windows, 
Unices, or Mac, I have very little difficulty reading most popular websites. I have no 
trouble loading Flash plugins, listening to RealPlayer (or even Windows Media) 
streaming audio (if I'm on a system that supports those plug-ins), or using "most 
other plug-ins". 

"If security is really that essential on your network, remove any browser and any 
email client off their workstations."

There's a pretty fine balance, admittedly, between usability and security. The two are 
very often at odds, and it is up to the SysAdmin (and is, ultimately, a unique 
decision for each case) on what is the appropriate balance. I would say that when it 
comes to something like ActiveX (which is not nearly as crucial as you make it 
sound--I wonder from your comments when the last time you used a browser besides IE 
was) the very slight usability gained, if any, hardly outweighs the security lost, 
while when it comes to disabling e-mail or browsing, you disable the entire reason for 
having the computer to begin with, in a desktop scenario. 

"You sound like someone new to this whole process."

Well, that's not very polite, in my opinion; this isn't quite a flame but you are just 
a tad more condescending, perhaps, than is required. Especially when you are handing 
out what amounts to incorrect information. The initial post was, in fact, better 
informed on this subject than you appear to be, in my opinion. We all have something 
to learn from each other is the point I am trying to make. Try to keep that in mind. 

Cheers.

On Wed, 2 Jul 2003 15:06:32 -0400
"Roger A. Grimes" <[EMAIL PROTECTED]> wrote:

> By disabling "ActiveX", you'll be telling your users they can only have a
> limited experience (HTML, graphics, scripting) with IE.  Not completely
> unsound, but most users will revolt.  Disable all ActiveX and then surf.
> You'll not be able to read most popular web sites.  It won't load Flash,
> RealPlayer, Windows Media Player, or most other plug-ins or Helper
> Applications.  This does decrease your risk of exploitation, but will your
> users even listen to you?
> 
> How will you stop them from loading ActiveX controls?  There are ways (IEAK,
> Software Restriction Policies, registry edits), but it certainly won't be as
> easy as telling your user's not to do it.  They will do it.  They don't have
> an understanding of what ActiveX is or the security risks.  It's not like
> the Flash program (or Adobe Acrobat, etc.) download that they will be
> prompted to install says, "I'm an ActiveX control, does your
> almost-all-knowing-demi-god-like network administrator allow you to install
> ActiveX controls?"
> 
> And do you really want to limit the functionality of their browser so
> they are cussing you all the time?  If security is really that essential on
> your network, remove any browser and any email client off their
> workstations.   Too much risk.  Want to use another browser that doesn't
> accept ActiveX controls?  Again, you'll be limiting the user's browsing
> experience, and in any case, malicious scripting is capable of doing many,
> many things without ActiveX involved at all.  Are you going to disable all
> browser scripting languages and leave them to pure HTML?  Since I can send
> malicious PDF and graphic pictures, you going to disable downloading
> graphics?  And if so, how?
> 
> What about Java applets?  Secure?  Nope.  Java's been hacked dozens of
> times.
> 
> You sound like someone new to this whole process.  Unless you have your
> administrative ducks in a row, you won't be able to stop your users from
> installing whatever they want.  How will you prevent them from installing your
> "illegal" apps?  How will you detect when they install them anyways?
> 
> The point is that you need to support the applications your users
> want/need, and then it's your job to secure them to the best of your
> ability.
> 
> If you insist on your grand plan, come back in six months and tell me how
> successful you were...and be honest.
> 
> Roger
> 
> ****************************************************************************
> ****
> *Roger A. Grimes, Computer Security Consultant
> *CPA, MCSE (NT/2000), CNE (3/4), A+
> *email: [EMAIL PROTECTED]
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> ****************************************************************************
> *************
> 
> ----- Original Message ----- 
> From: "Chris Berry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 30, 2003 6:58 PM
> Subject: Re: Ten least secure programs
> 
> 
> > I've since added rsh and activeX.
> 
> 
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
> 
> 

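As an added example, not part of either message in this thread, the following PowerShell script audits and, if you choose, disables the ActiveX actions of Internet Explorer's Internet zone via the registry edits Roger mentions. The action IDs (1001, 1004, 1200, 1201) and the value meanings (0 = Enabled, 1 = Prompt, 3 = Disabled) are the documented IE zone settings; the HKCU path is assumed for a per-user change.

```powershell
# Added example, not from the thread: audit and harden the ActiveX actions of
# Internet Explorer's Internet zone (zone 3) through the per-user registry keys.
# Action values are the documented ones: 0 = Enabled, 1 = Prompt, 3 = Disabled.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs for the ActiveX-related settings of a security zone.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}

function Get-ActiveXZoneState {
    # Report the current value of each action and flag anything not set to Disabled (3).
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $ActiveXActions.Keys) {
        $value = $props.$id
        [pscustomobject]@{
            Action   = $id
            Meaning  = $ActiveXActions[$id]
            Value    = $value
            Hardened = ($value -eq 3)
        }
    }
}

function Set-ActiveXZoneDisabled {
    # Set every ActiveX action in the Internet zone to Disabled (3).
    # Caveat: HKCU is under the user's control, so a user can revert this; to
    # enforce it, push the same values under
    # HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    # through Group Policy instead of editing the per-user key.
    foreach ($id in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value 3 -Type DWord
    }
}

# Audit first; call Set-ActiveXZoneDisabled only after reviewing the report.
Get-ActiveXZoneState | Format-Table -AutoSize
```

Running Get-ActiveXZoneState periodically is a cheap way to detect the re-enabling that Roger predicts users will do.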