Sat, Jul 23 2005 15:10
Accepting risk. You do it every day. For those that are consultants, you accept risk on behalf of your clients. You click on EULAs, you download patches, you install stuff on a regular basis and you accept risk for your clients. Sometimes you need to search for solutions for your clients.
When you are at your client's offices, where do you do this activity? Do you do it at your client's server? Do you ever find that Internet Explorer tool bar that pops up and prompts you to add web sites to the trusted zone an annoyance? You probably do, don't you? But here's the thing... it's supposed to be annoying. It's supposed to remind you that this isn't the place you should be surfing from.
Now I know you'll probably say “Oh, but I have a fully patched server so why should this be a concern?” Because merely going to a web site these days can end up with bad stuff on your machine. “Oh, then I should use another browser!” Not so fast, as even other browsers can have vulnerable bits [Java and whatnot] and be used as infectors.
So how can a fully patched machine get nailed? Because of the lack of patching by the web servers you visit. Earlier this year my own outsourced web site had a Java trojan dropped on it because of the web site being intruded. For a day, if you had surfed to my web site, you could have gotten your computer nailed.
Paperghost [fellow Security MVP] has a whitepaper on how this is done. Michael Howard talks about how "Running with an administrative account is dangerous to the health of your computer and your data." and inside the Windows 2003 server it says this:
Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.
To reduce the risk to your server of potential attacks from malicious Web-based content:
- Do not use servers for browsing general Web content.
- Use client computers to download drivers, service packs, and so on.
- Do not view sites that you cannot confirm are secure.
- Use a limited user account instead of an administrator account for general Web browsing.
- Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.
Earlier this year the lack of patched DNS servers meant that DNS poisoning attacks could affect fully patched servers. Again... see the pattern here of blended threats? Having layers of security in place to ensure that stuff won't get you means that there are indeed layers in place.
There have been many Internet Explorer patches that have not been as critical on Windows 2003 because of that Enhanced IE tool that is on that server.
So before you uninstall that Enhanced IE on that Windows 2003 server [and no, I'm not telling you how to do this; you'll have to google it yourself], just stop. Think about the risk you are accepting. Think about the risk you are accepting on behalf of your client. Do you discuss your decision with your client? Do you think about the data they have on that server, the laws they are regulated by? Do you discuss this with your client?
The reason that is there to annoy you is that folks like Michael Howard sat down and said “what's the worst thing that can happen on that Windows 2003 server?” and the answer was... 'going to web sites while logged in as administrator'. [watch the presentation on the Blackhat site and you'll see what I mean]
All I ask is that the next time you are annoyed by that Enhanced IE lockdown on that server, just think why it's supposed to be annoying. There are bad things out there that we cannot control, so I would argue that you should leave the onion layers in place on the things you can control.
It's not 'just' your patch status that you should be worried about... it's the patch status of all the places you go to out there.
Control what you can.