Re: 2003 Web Server Security flaw
From: Nobody (nobody)
Date: 12/29/03
Date: Sun, 28 Dec 2003 23:29:24 -0500
See comments inline.
"Robert Waite" <bob2dev@tampabay.rr.com> wrote in message
news:%23gdc9tbzDHA.2580@TK2MSFTNGP09.phx.gbl...
> I agree it is wonderful and I am a strong supporter of it.
>
> My originating post clearly defined the question as applying only to
> "Locked-down windows 2003 Web Server used only to host web sites".
Your original post stated:
"Media Player, Netmeeting and possibly Outlook Express have no business being
on a Locked-down windows 2003 Web Server used only to host web sites, yet I
can not figure out how to un-install, or at least cripple, them.
How do I do that?"
As I understood it, you were asking how to uninstall or cripple those
associated programs, yet your Subject line put a different spin on it, claiming
Windows 2003 had some kind of inherent security flaw. I would not consider the
presence of those programs to be a security flaw in itself.
My post clearly indicated two ways of preventing those programs from being
used or run; however, you seem to disagree, misinterpreting your inability to
simply delete all of the programs' files as meaning that those DLLs must be in
use and therefore automatically loaded in memory.
> It is rational to take Microsoft at their word as meaning WEB server
> when they call it WEB server, meaning not intended for Desktops...
> earlier replies seemed in the context of "user's workstation".
No, I was merely pointing out the fact that most of the security problems
with those programs were caused by malicious code downloaded while using
those programs. It's only logical that in a production web server
environment those programs would not be used, which mitigates *most*
of the security risks associated with them. The final part of the equation
would be to prevent those programs from being run at all, through group
policies and corporate policies.
> My question has been answered, but I am curious....
>
> What is your logic/rationale for Media Player being a required install
> on a production Web Server?
I don't necessarily agree that any of the aforementioned programs *should*
or *must* be on a webserver; I agree it would make more sense not to have
them on there in the first place and to have them set as an optional install.
My point was that just because those particular programs are on the
webserver does not necessarily equate to an inherent security flaw in the
webserver itself. If that were the case, you might as well say the same thing
about the NT4 Server and Windows 2000 Server products, and to date those have
not been compromised because Media Player, OE, or Netmeeting was installed and
not run.
> [By the way, I did a virgin install of Webserver 2003. Immediately
> ran Windows Update. Got maybe 10 or so Security patches which
> I guess Microsoft thought were Critical because they said so.
I guess you don't read the associated information with each patch or check
the security bulletins posted. Not that it would make much difference, but
*most* of the security bulletins for the 2003 platform are because of problems
with some *client* applications such as IE.
Yet in order for those exploits to work, a person has to take a certain set
of actions, such as web browsing or downloading some malicious code, which
means someone would have to run the associated program.
This brings us to the all-too-famous part of the security equation that
technology presently cannot protect us against, and that is people. Someone,
somewhere will undoubtedly attempt to use the platform just like they do a
desktop. Group Policies will work wonders here just by denying the right to
run those programs.
> The Media Player patch was the ONLY one that FAILED. Not to
> worry, because you say Media Player can not be a risk on a
> Web Server if I don't play Media Player on it, which I certainly won't.]
I never implied that you can totally forget about security with those
programs; you have to do what you think is best or what corporate policy
dictates, but I have a feeling you're relatively new to computer security.
It's not a simple yes or no answer; you have to decide whether *someone*,
not necessarily yourself, will attempt to run those programs or not.
> Probably, I should have cut the WHY (and implied CRITICISM)
> from the original post and simply asked "can one uninstall/disable..."
Agreed.
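The reply above makes two claims a defender can verify on the box rather than argue about: that an installed-but-unused component's DLLs are not automatically loaded into memory, and that a Group Policy (Software Restriction Policy) rule is the way to deny the right to run such programs. The following PowerShell script is an added example, not code from the thread or from Microsoft; it checks whether the three components are present, whether any running process currently has their binaries mapped, and whether a "Disallowed" SRP path rule covers them. The binary names and install paths are assumed defaults for that era and may need adjusting for a given build, and SRP's registry layout (level 0 = Disallowed under `Safer\CodeIdentifiers`) is the documented location but is read here directly rather than through a management API.

```powershell
# Added example (not from the newsgroup thread). Audits the client
# components discussed above from a defender's point of view.

# ASSUMED binary names and default install locations; adjust per build.
$Components = @{
    'Windows Media Player' = @("$env:ProgramFiles\Windows Media Player\wmplayer.exe",
                               "$env:SystemRoot\System32\wmp.dll")
    'NetMeeting'           = @("$env:ProgramFiles\NetMeeting\conf.exe")
    'Outlook Express'      = @("$env:ProgramFiles\Outlook Express\msimn.exe",
                               "$env:ProgramFiles\Outlook Express\msoe.dll")
}

function Get-LoadedModuleOwners {
    # Returns process/module pairs for processes that currently have any of the
    # named files mapped. An empty result supports the "not loaded unless run" claim.
    param([string[]]$ModuleNames)
    $wanted = $ModuleNames | ForEach-Object { ([IO.Path]::GetFileName($_)).ToLowerInvariant() }
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }   # access denied on protected processes
        foreach ($m in $mods) {
            if ($wanted -contains $m.ModuleName.ToLowerInvariant()) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.ModuleName }
            }
        }
    }
}

function Get-SrpDisallowedPaths {
    # Software Restriction Policy path rules at the Disallowed level (level 0).
    # Each rule lives in a GUID-named subkey whose ItemData value holds the path.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData
    }
}

function Test-PathCoveredByRule {
    # True when a Disallowed rule names the file itself or one of its parent folders.
    param([string]$FilePath, [string[]]$Rules)
    $expanded = [Environment]::ExpandEnvironmentVariables($FilePath).ToLowerInvariant()
    foreach ($r in $Rules) {
        $rule = [Environment]::ExpandEnvironmentVariables($r).ToLowerInvariant().TrimEnd('\')
        if ($expanded -eq $rule -or $expanded.StartsWith($rule + '\')) { return $true }
    }
    return $false
}

$rules = @(Get-SrpDisallowedPaths)

foreach ($name in $Components.Keys) {
    $files   = $Components[$name]
    $present = @($files | Where-Object { Test-Path -LiteralPath $_ })
    $loaded  = @(Get-LoadedModuleOwners -ModuleNames $files)
    $blocked = @($present | Where-Object { Test-PathCoveredByRule -FilePath $_ -Rules $rules })

    [pscustomobject]@{
        Component     = $name
        FilesPresent  = $present.Count
        LoadedInProcs = $loaded.Count          # 0 = installed but not mapped anywhere
        CoveredBySRP  = ($present.Count -gt 0 -and $blocked.Count -eq $present.Count)
        Owners        = ($loaded | ForEach-Object { "$($_.Process):$($_.Id)" }) -join ', '
    }
}
```

Run it as an administrator so `Get-Process` can read module lists. A component that reports files present, zero loaded processes and `CoveredBySRP` true is exactly the state the reply describes: on disk, not in memory, and denied the right to run by policy; a component showing owners in the `Owners` column is one that some user or service is actually executing and deserves a closer look.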