Re: 2003 Web Server Security flaw

From: Robert Waite (bob2dev_at_tampabay.rr.com)
Date: 12/29/03

  • Next message: Nobody: "Re: 2003 Web Server Security flaw"
    Date: Sun, 28 Dec 2003 22:28:24 -0500
    
    

    I agree it is wonderful and I am a strong supporter of it.

    My originating post clearly defined the question as applying only to
    "Locked-down windows 2003 Web Server used only to host web sites".

    It is rational to take Microsoft at their word as meaning WEB server
    when they call it WEB server, meaning not intended for Desktops...
    earlier replies seemed in the context of "user's workstation".

    My question has been answered, but I am curious....

    What is your logic/rationale for Media Player being a required install
    on a production Web Server?

    [By the way, I did a virgin install of Webserver 2003. Immediately
    ran Windows Update. Got maybe 10 or so Security patches which
    I guess Microsoft thought were Critical because they said so.
    The Media Player patch was the ONLY one that FAILED. Not to
    worry, because you say Media Player can not be a risk on a
    Web Server if I don't play Media Player on it, which I certainly won't.]

    Probably, I should have cut the WHY (and implied CRITICISM)
    from the original post and simply asked "can one uninstall/disable..."

    "Nobody" <nobody> wrote in message
    news:e$1gCvazDHA.2156@TK2MSFTNGP09.phx.gbl...
    > See Comments inline............
    >
    > "Robert Waite" <bob2dev@tampabay.rr.com> wrote in message
    > news:%23U$dfTazDHA.1660@TK2MSFTNGP09.phx.gbl...
    > > Moir is right and buried in his last reply was the answer.
    > >
    > > Too bad it took so much work to get a direct & simple answer to a simple
    > > question;
    > > but, in my 20 years' experience with user groups since Compuserve, such is
    > > par for the course.
    >
    > When talking about computer security, there are areas that have no such
    > direct and simple answers as it depends on the business needs and
    > willingness to invest as to how much security is configured.
    >
    > > At least you two replied, did not flame me, and I appreciate that.
    >
    > You're welcome!
    >
    > > A basic principle from security GURUs that I accept is:
    > > "Disable all unnecessary services and don't install unnecessary programs
    > > in order to reduce yet undiscovered attack points by a hacker."
    > >
    > > Win 2003 acknowledges that principle in a major way, but far from
    > > completely.
    > > Have you two noticed how many Services, not necessarily used, are
    > > STILL installed BY DEFAULT as Started or Manual? I have Disabled about 20
    > > and my Web Server still does its job. Smaller memory footprint, too!
    >
    > And as basic security principles go, it's up to you and the powers that be
    > to decide what security measures are appropriate for your environment.
    > However, I think you may be taking this basic principle a bit too far in
    > regards to OE, Media Player, etc. It's one thing to disable or turn off ftp
    > if you don't need ftp services; it's quite another when you attempt to
    > lobotomize the OS for the sake of a few programs that will never be run.
    >
    > As far as the services go, it all depends on what the platform is going to
    > be used for as to which services are turned off or not installed. What may
    > work for you, may not work well for others. So far, I think MS has done a
    > wonderful job with Windows 2003.
    >
    > > Even Admins who pay no attention to security, patches, etc don't allow a
    > > user to be at the console running Outlook Express, Netmeeting or Media
    > > Player.
    >
    > I'm not sure where you are going with this statement as quite a few
    > security related incidents were a result of unpatched systems running OE
    > or IE at a *user's workstation*. But we are discussing *server* side
    > security not desktop.
    >
    > > So, if you two are right, in the next two years, we will hear of no
    > > Win2003 Web Server sites being compromised because of flaws, buffer
    > > over-runs, etc in those three programs. Right?
    > >
    > <snipped>
    >
    > Provided those three programs are not running, or have never been used on
    > the web server, then I will state in my *opinion* that there will be no
    > security incidents where those three programs were the result of a web
    > server compromise.
    >
    >
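    Editor's addition, not part of either poster's message: the "disable about
    20 services and the web server still does its job" step above is easier to
    repeat safely if it is driven from an explicit allow-list rather than done by
    hand in the Services console. The script below audits a Windows host's
    services against an allow-list for a web-only role, lists every service that
    is outside the list and not yet Disabled, and only stops and disables them
    when run with -Apply. It is PowerShell, which Microsoft supports on Windows
    Server 2003 SP1 and later; the thread itself mentions no tooling. The $Core
    and $DefaultAllow entries are illustrative assumptions for an IIS-only box,
    not a vetted baseline, and the allowed-services.txt path is hypothetical.
    Run it elevated, in dry-run mode first, on a non-production host.

```powershell
# Added example (not from the thread). Reports, and with -Apply disables, every
# service that is not on the allow-list for a web-only server and is not already
# Disabled. Dry run by default.
param(
    [switch]$Apply,
    [string]$AllowListPath = '.\allowed-services.txt'   # hypothetical file
)

# Services this script must never disable, whatever the allow-list says.
# Assumed minimal core set: losing RpcSs or EventLog cripples the box.
$Core = @('RpcSs', 'EventLog', 'PlugPlay', 'winmgmt', 'CryptSvc', 'Dnscache')

# Illustrative allow-list for an IIS-only host (assumption; build your own).
$DefaultAllow = @(
    'W3SVC',       # World Wide Web Publishing
    'IISADMIN',    # IIS Admin
    'HTTPFilter',  # HTTP SSL
    'wuauserv',    # Automatic Updates
    'SamSs',       # Security Accounts Manager
    'TermService'  # Terminal Services, if you administer the box remotely
)

if (Test-Path $AllowListPath) {
    # One service name per line; lines starting with '#' are comments.
    $RoleAllow = Get-Content $AllowListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
} else {
    $RoleAllow = $DefaultAllow
}
$Allow = $Core + $RoleAllow

# Win32_Service exposes StartMode (Auto/Manual/Disabled) as well as State,
# which Get-Service alone does not on this generation of Windows.
$Candidates = Get-WmiObject Win32_Service |
    Where-Object { ($Allow -notcontains $_.Name) -and ($_.StartMode -ne 'Disabled') } |
    Sort-Object Name

foreach ($svc in $Candidates) {
    '{0,-24} {1,-8} {2,-7} {3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.DisplayName
    if ($Apply) {
        if ($svc.State -eq 'Running') {
            # -Force also stops services that depend on this one; that is the
            # point of reviewing the dry-run output before applying.
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}

'{0} service(s) outside the allow-list and not Disabled' -f @($Candidates).Count
if (-not $Apply) { 'Dry run: review the list, then re-run with -Apply.' }
```

    The design choice is that the script never decides what is "unnecessary";
    the allow-list does, and anything missing from it shows up in the dry run
    before it is touched. Keep the list under version control so the next
    rebuild of the box reproduces the same footprint instead of another round of
    trial-and-error in the Services console.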

