Re: 2003 Web Server Security Flaw
From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 12/29/03
- Next message: Johnny: "IIS still vulnerable"
- Previous message: Karl Levinson [x y] mvp: "Re: 2003 Web Server Security Flaw"
- In reply to: Karl Levinson [x y] mvp: "Re: 2003 Web Server Security Flaw"
- Next in thread: Robert Waite: "Re: 2003 Web Server Security Flaw"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Dec 2003 16:12:35 GMT
On Mon, 29 Dec 2003 10:46:32 -0500, "Karl Levinson [x y] mvp"
<levinson_k@despammed.com> wrote:
>
>"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
>news:3ff93b57.608328620@msnews.microsoft.com...
>
>> Not exactly. They may exhibit some client exploits, but in the cases
>> I've seen you'd have to either browse to a web site or download email
>> or a file to exploit any holes. Since you wouldn't normally do any of
>> this on your web server, you're sort of safe.
>
>I think you've just come up with a good slogan for the next ad campaign:
>"Windows 2003: You're sort of safe." Or, "Windows 2003: Don't browse the
>web or check your email." Are we supposed to feel OK that our enterprise
>server farm is "sort of safe?"
Well, I could argue that *all* systems can only qualify as "sort of
safe" since by the very nature of providing access to them we have
opened a potential hole.
>If these products such as OE are so unsafe, we should also be upset about
>them being mandatory and unremovable in workstations as well as server
>products, where "just don't check your email or browse the web" or "just use
>Group Policy" isn't a very workable option. A truly secure OS would give
>you a way to disable unneeded components.
No arguments here. But the caveat to this is that the Windows OS is
so tightly integrated with these functions that they can't be
separated effectively. Windows isn't a modular operating system.
>> Also, you can disable file associations with these programs so even
>> clicking on a file on a web site won't launch them. Especially
>> Netmeeting, where remote desktop is disabled by default anyway.
>
>A software company that is serious about committing security over marketing
>and market share, they would have done so years ago with these and many
>other file associations.
It's not the file associations that are the problem, it's the flaws in
the software associated with them. If we extend the file associations
being disabled argument, we'd have to ensure that no executable can be
launched by other than manual means. While good in a security sense,
it sacrifices usability. Same argument about secure passwords. A 24
character random string makes a pretty secure password, but if it
can't be remembered it would have to be written down, opening a new
potential exploit hackers would probably call the "looking under the
keyboard" exploit.
You can never be truly secure. You can only be "secure enough". And
what constitutes "secure enough" will vary by organization and even
system.
Jeff