 |
|
 |
|
On Sat, 7 Nov 2009 18:28:29 -0700, "Cliff Galiher" <...@gmail.com
I have to be honest, this could be a widespread problem and nobody knows it.
...you are browsing on IE for *AN HOUR* on your server??!?!?!?
Why are you browsing on your server AT ALL????????????????????????????? And
you installed FIREFOX on a server?!?!?!?!?!?!?!?!?!?!?!?!?!?
1) There is only one reason to browse from a server. To get drivers/updates
(and even that is a debatable reason.) That never takes an hour.
2) There is no reason to install firefox on a server. Every app installed
on a server increases the attack surface. IE is part of the OS so it is
somewhat unavoidable, but I'd never install another browser on a server. I
love me some firefox and chrome, but NOT on a server.
So yes, you are alone, out in the cold, experiencing this problem solo for
practicing very insecure server activities. (tongue in cheek obviously...)
-Cliff
"Jack" <...@f20g2000prn.googlegroups.com...
>
|
|
 |
|
 |
|
|
|
|
On Sat, 7 Nov 2009 21:42:11 -0800, "Russ Grover [SBS-MVP]" <...@REMOVETHIS.sbits.biz
Yes jack you are probably alone
I don't Don't surf from the server.
Sorry I've never seen this.
Russ
--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services -
http://www.microsoft-online-services.com/
"Jack" <...@f20g2000prn.googlegroups.com...
>
|
|
|
|
|
|
|
|
|
On Sat, 07 Nov 2009 17:08:19 -0800, Susan Bradley <...@pacbell.net
I don't install IE8 on servers.
I don't surf on the server. I go to MU and to get drivers. That's it.
I have no need for IE8, no need for Firefox.
Am I alone in limiting my use of web browsing on a server?
|
|
|
|
|
|
|
|
|
On Sun, 8 Nov 2009 12:58:40 +1100, "SuperGumby [SBS MVP]" <...@your.nellie
matter of fact, with all the carp manufacturer websites contain these days
I'm more likely to download drivers for my server on another PC.
Most servers I look after don't get far outside support.microsoft.com and
http://www.eventid.net.
"Susan Bradley" <...@TK2MSFTNGP02.phx.gbl...
|
|
|
|
|
|
|
|
|
On Sat, 7 Nov 2009 20:57:02 -0800 (PST), Jack <...@gmail.com
On Nov 7, 5:58 pm, "SuperGumby [SBS MVP]" <...@your.nellie
Here are the reasons why i have to surf on servers
- I do not have a dedicated computer in the client company. I have to
either work on the server in the server room (it is cold) or from my
own PC thru TS
- I surf on net on server for
Microsoft Updates
Dell Updates
Trend Micro Updates
This SBS Newsgroup
EventID.net
Experts-Exchange.com
I check all my managed servers once a week in the past 10 years, and
it is very normal for me to use the internet on servers for hours. I
believe that net surfing on servers should be limited, but it should
not be something to over panic.
Thanks
Jack
|
|
|
|
|
|
|
|
|
On Sat, 07 Nov 2009 21:25:20 -0800, Susan Bradley <...@pacbell.net
That's okay
That's okay
That's okay
Use your PC, and a nntp reader, web reading this is slow
That's okay
Use your PC... it has banner ads.
But an hour on the server?
I'm never on my server for an hour?
And I don't install IE8 on them.
Do you ensure that an java is also up to date? All it takes is hitting
a web site with a malicious banner ad and if java/flash/isn't up to date
and you happen to have that installed on the server...
Over panic, maybe not, but limit you use of it, and don't be on there
for an hour... yeah.
>
|
|
|
|
|
|
|
|
|
On Sat, 7 Nov 2009 23:29:09 -0800 (PST), Jack <...@gmail.com
On Nov 7, 9:25 pm, Susan Bradley <...@pacbell.net
Java, hmmm a good point. I did not pay much attention to Java update
in the past...
Thanks Susan
|
|
|
|
|
|
|
|
|
On Sat, 7 Nov 2009 22:34:01 -0800 (PST), Jack <...@gmail.com
On Nov 7, 9:25 pm, Susan Bradley <...@pacbell.net
Java, hmmm a good point. I did not pay much attention to Java update
in the past...
Thanks Susan
|
|
|
|
|
|
|
|
|
On Sat, 07 Nov 2009 23:45:33 -0800, Susan Bradley <...@pacbell.net
IMHO IE 7 is okay and good enough on a server. But if you are on that
box, it's the other stuff that will nail you.
|
|
|
|
|
|
|
|
|
On Sun, 8 Nov 2009 04:13:58 -0700, "Cliff Galiher" <...@gmail.com
Inline:
-Cliff
"Jack" <...@y32g2000prd.googlegroups.com...
First, the fact that you mention "the client company" and that you don't
have a dedicated machine, this leads me to believe you are an independent
contractor/consultant. If I'm wrong and you are an employee then you should
DEMAND a workstation.
If, however, I am correct and you are consulting for a company (or multiple
companies) then you need to realize that you aren't the one bearing the
brunt of the risk for your actions. Your client is. If the server gets
compromised, you get to walk away; they get to rebuild your data, send
letters to their customers about any data disclosed, and deal with all of
the other hoops that exist when a server gets hacked.
Moreover, as a consultant, you should be investing in your business. Two
tools that would allow you to avoid browsing from the server altogether?? A
laptop and a external USB hard drive (or eSATA if the server has an eSATA
port.) You download using your machine, move the files over, and install.
You can be in the "cold" server room for minutes, not an hour.
I'm going to ...not disagree with Susan exactly...but perhaps take a more
stringent line here. I don't browse from the server unless *necessary.*
What is necessary? On a 2003 server, that is Windows Update (or Microsoft
Update) since updates are web based. The "more info" link in an event log
opens IE, so researching events is also a necessary step. But "searching"
for information (via google, bing, or other) is *not* necessary. JUST the
link in the actual event log. If you need to do more research (eventID.net,
etc) then move to a workstation.
Newsgroups? No. Experts-Exchange? Definitely not. Dell? They seem to be
installing more plugins these days, and I don't like plugins on a server
either as they, again, load in memory because IE is part of the OS...and
thus increase the exposure of the server.
Anyways, I think you are getting my drift on what sites are "allowed" on
servers I manage.
The catch here is "normal for me." Just because it is normal for you
doeesn't make it safe. It is normal for some people in small towns to leave
their front doors unlocked, but that doesn't make that safe either. The
internet is no longer a small town (10 years ago it was) and practices that
you've gotten in the habit of doing need to be revisited. This is the new
world. This isn't panic, it is just matter-of-fact.
|
|
|
|
|
|
|
|
|
On Tue, 10 Nov 2009 22:14:10 -0500, "Andrew M. Saucci, Jr." <...@2000computer.com
So the server isn't worth having the latest updates? I strongly
disagree. It is the most vital asset in the network. It should be the first
to get IE 8, even if it is NEVER used, which is highly unlikely and
impractical in the SMB space. Or maybe updating isn't all that important
after all... I'm thinking of giving a seminar on this topic some day. I'll
probably get rotten fruit thrown at me, but I am always questioning the
conventional wisdom, especially when it is rife with inconsistencies.
"Susan Bradley" <...@TK2MSFTNGP02.phx.gbl...
|
|
|
|
|
|
|
|
|
On Wed, 11 Nov 2009 02:55:20 -0700, "Cliff Galiher" <...@gmail.com
I'm going to start with generalities and then focus on the specifics of IE8
to answer this. As an introduction though, I agree that questioning
conventional wisdom can be a good thing, but that doesn't mean conventional
wisdom HAS to be wrong, and in this case I see no inconsistencies.
"So a server isn't worth having the latest updates?" I'd argue that a
server is worth SO MUCH that it shouldn't necessarily have the latest
updates. If you update a workstation and it goes bad, you can simply
restore the workstation. If you are using good practices and keeping data
on the server, you can even get to a state with technologies such as WDS and
application virtualization that a workstation becomes a mere commodity.
Replacing and rebuilding a workstation can happen nearly transparently
without users noticing something was amiss. A server however, is the hub on
which these other technologies rotate. A server may host the OS image that
is pushed out to workstations. Or it hosts the terminal server that
virtualizes the applications users access. Or it houses their personal data
and emails that they access. A server outage becomes VERY noticeable. And
even a high-availability cluster won't protect you because most clusters
require being at the same OS level Clustering protects you from physical
failures, but not logical/software inconsistencies.
Upgrading a server should be taken *VERY* lightly. In large organizations,
that involves a test lab where application compatibility and impact can be
thoroughly tested. In the SBS world though, we rarely have that luxury. So
the rule is to evaluate WHY you'd upgrade (evaluate), back up (protection),
perform the update, and THEN test. The difference being that you are
testing after the fact instead of in a test-lab where live data is not at
risk. So, with that in mind, there are only two reasons *ever* to update a
server.
1) It adds a feature you want or need. Exchange 2007 SP2, for example,
exposes some features that weren't available in SP1. If you read the SP2
release notes and you want or need something then you upgrade to SP2 and
follow the blog posts on how to do this CAREFULLY on SBS. And...remember
that backup I mentioned? Do a quick search through this group and read how
often the SP2 upgrade has failed because of the unique nature of SBS. That
is a risk you put your server at, so a backup is ESSENTIAL. Why would you
take that risk unless the feature was worth the effort?
2) It adds security. Windows Server 2008 SP2 falls in this category. It
addresses significant security and stability issues that aren't
independently released in via hotfix on SP1. Even then, you should release
notes and evaluate if your organization is at risk before performing the
update. A good example of this evaluation would be the recent SMB2 exploit
patch. Necessary on a server since almost all servers are file servers.
But if your workstation doesn't share files and you've taken precautions at
the firewall level, you don't *need* to update workstations or non-SMB
servers.
Updating a server just cuz it is the latest and snazziest update is not a
good enough reason and, in fact, puts your server at greater risk of
software related issues than just leaving well enough alone. And again,
this isn't inconsistent advice. Another quick search will show people
recommendingan regularly telling people to hold off on Exchange 2007 SP2
until the SBS wrapper installer is ready. As I recall Susan Bradley even
has a blog post about the virtues of not being first in line...although I'm
being too lazy to bing that at the moment.
--
So now to specifics. Does IE8 fit either of my two reasons above?
1) Does it add a feature to the server? Well, browsing from the server is
BAD so...no! It doesn't! This may change in the future. The IE rendering
engine is used by MMC snap-ins and 3rd party applications, so if they
require IE8 to render properly then that becomes a feature you want. But
right now the SDK for MMC snap-ins still most definitely does not rely on or
use IE8 and...to my knowledge, no server application relies on the IE8
specific rendering engine changes for proper display either.
2) Does it add security? To properly answer this, we need to *define*
security, and no, I'm not talking about a game of semantics. There is
security at the user-context which IE8 most definitely improves. Its
enhanced phishing filter and changes to which zones pages are rendered under
most definitely protect users from malicious pages. But on a *MACHINE*
level, IE8 is not more secure than IE7. And since we don't browse from the
server, the user-level context is moot. The underlying engine is just as
secure (or insecure) in IE7 as it is in IE8. The media-player active-x
control exploit? Impacted both browsers. IE7 has not reached EOL yet so
security flaws such as buffer overflows that are found in the engine still
get patched. As long as you are keeping IE7 up-to-date, you are keeping it
just as secure as if you installed IE8. So again, no compelling reason to
upgrade.
....so with all of that in mind. Upgrade when necessary. Evaluate and then
deploy....I stick with the conventional wisdom on this. There is *no* good
reason to deploy IE8 on SBS. IE7 on the other hand....IE6 officially
reaches EOL in July. So for SBS'03 boxes, there is still time, but updating
should be on your radar...
-Cliff
"Andrew M. Saucci, Jr." <...@TK2MSFTNGP04.phx.gbl...
>
|
|
|
|
|
|
|