Re: Now wait just a dab non minute - this is getting out of hand
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/04/03
- Next message: Keith W. McCammon: "Re: Microsoft Firewall"
- Previous message: John McGaw: "Re: undesirable popup windows"
- In reply to: Susan Bradley, CPA aka Ebitz SBS Rocks [MVP]: "Re: Now wait just a dab non minute - this is getting out of hand"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Now wait just a dab non minute - this is getting out of hand"
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Now wait just a dab non minute - this is getting out of hand"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 4 Sep 2003 13:54:57 -0400
I can't tell... are you saying that .VBS scripts like viruses run in the
same security zones that IE uses and are thus helped by the hardened IE
configuration? I'm not sure, but I would guess this is not the case. If
I'm right, then the IE configuration won't prevent worms or other compromise
via these script files.
Um, I have a question. Why are Internet Explorer and Outlook Express even
enabled by default at all in Windows Server 2003? A wise administrator
won't be web browsing from a server in the first place and wouldn't want
those components and .dlls sitting on the system, when historically they
tend to require patching. We shouldn't be encouraging that unwise behavior.
I assume there's an easy way to uninstall IE without screwing up your
server, right? Because I would be pretty angry if I was forced to install
update patches to IE for the lifetime of the server and reboot my mission
critical servers after every patch all to update a piece of software that I
didn't even use.
Hardening IE in 2003 would be great, except that most of the more common
security threats I see affecting Windows server have nothing to do with IE
and aren't fixed by those steps. I can't remember the last time I or
someone I helped in the newsgroups was hacked or got a virus through IE.
I think you'd have to admit that Microsoft including IE in the default
install is choosing less security over more functionality and more money for
Microsoft. [My theory is that Microsoft doesn't want to disable IE and WSH
and VBA by default because it still believes those are selling points that
help it to maintain market share and crush competing software, even though
most people only use VBA or WSH when they get a virus.] And who knows,
maybe that was the right choice to make here for IE. But I'm not convinced
yet.
"Susan Bradley, CPA aka Ebitz SBS Rocks [MVP]" <sbradcpa@pacbell.net> wrote
in message news:OhezvErcDHA.1488@TK2MSFTNGP12.phx.gbl...
> But what about the fact that IE is shipped in a locked down state in
Win2k3?
>
>
> "As a best practice, administrators should not use servers to browse the
> Web or download content such as device drivers, service packs, or
> Microsoft® ActiveX® components. These tasks should be performed on
> client computers or on servers when the user is a member of the Users
> group. In the past, enforcing these best practices in an enterprise
> environment has been problematic and often not possible. Now, in
> Microsoft® Windows Server™ 2003, a new, optional component known as
> Internet Explorer Enhanced Security Configuration helps enforce these
> best practices on computers using Microsoft Internet Explorer."
>
> Security level for the Internet zone is set to High. This setting
> disables scripts, ActiveX components, Microsoft virtual machine
> (Microsoft VM) HTML content, and file downloads.
> Automatic detection of intranet sites is disabled. This setting assigns
> all intranet Web sites and all Universal Naming Convention (UNC) paths
> that are not explicitly listed in the Local intranet zone to the
> Internet zone.
> Install on Demand and non-Microsoft browser extensions are disabled.
> This setting prevents Web pages from automatically installing components
> and prevents non-Microsoft extensions from running.
> Multimedia content is disabled. This setting prevents music,
> animations, and video clips from running.
>
> Download details: Managing Internet Explorer Enhanced Security
> Configuration:
>
http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-
99bb-9757f7e9e31b&DisplayLang=en
- Next message: Keith W. McCammon: "Re: Microsoft Firewall"
- Previous message: John McGaw: "Re: undesirable popup windows"
- In reply to: Susan Bradley, CPA aka Ebitz SBS Rocks [MVP]: "Re: Now wait just a dab non minute - this is getting out of hand"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Now wait just a dab non minute - this is getting out of hand"
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Now wait just a dab non minute - this is getting out of hand"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
