The lesson this month.

re: The lesson this month.

Jason J. Thomas — Tue, 22 Aug 2006 18:13:28 GMT

Your response just does not fly with me. As a former large enterprise admin, you sometimes don't have the luxury of RDP/TermSrv/VNCing to a box to do as you say. In most cases, in my previous position, we did as much work as we could remotely. We are not needlessly surfing the web from these servers looking at *** or other questionable sites; we are merely using that to download a driver. Sure, we tried to stage these updates, but sometimes a driver was missed for one reason or another. Additionally, access via a toted laptop was not a particularly easy task, either.

We had a management station setup expressly for this purpose. Again, it was a server class machine--running Win2k, if memory serves--but it was our TS gateway if we needed it while addressing an outage remotely. This was used for us to manage non-Windows machines or others that were not accessible via a DRAC card. We even had Firefox installed on this server, too. In this case, we agree to disagree.

To be a further curmudgeon, I have to agree a lot with what Vlad said.

As for the VMware suggestion, I find that hardly a viable solution. You could setup a Citrix/TS box for this purpose, too. Then, of course you add a potentially untenable solution based on cost--appropriately beefy machine, licensure, etc. Code your sites clean such that they do not have dependencies on browsers. It's that simple. In this day and age, no one should be baking in those dependencies. That's just a sure sign of poor coding.

re: The lesson this month.

Vlad Mazek — Mon, 21 Aug 2006 01:24:36 GMT

I'm a developer, I cannot work in the restricted mode. All OEM boxes, workstations, laptops, etc ship with the user in Administrator mode - by default. Works for me, works for the rest of the world.

I run Firefox as admin, on Vista, with UAC turned off. 0 problems.

I run Firefox on my main XP workstation, as administrator. 0 problems.

I have run Firefox as an administrator on nearly every laptop I have owned for as long as Firefox has had a stable release and I have never had a problem.

Firefox
- patches itself without an issue
- patches clearly document the problems
- does not nag to apply the patch, it just does it
- does not require a reboot
- does not nag to reboot the computer or even worse automatically reboot if I am away from my desktop for more than 15 minutes
- remembers my sessions and tabs when it restarts
- properly warns me of dangerous content
- remembers file associations correctly
- has a far more sophisticated integration with search and blocks popups

Feel free to continue to rant. In the meantime, Firefox is a far more sensible choice and I am afraid to take a fully patched IE anywhere BUT Microsoft.com and our intranet. Based on the IE track record I believe, despite all the patches, that far too many holes in it still exist and do not TRUST it to be used on the Internet.

re: The lesson this month.

bradley — Sun, 20 Aug 2006 23:43:35 GMT

Okay that was weird.. I was trying to comment and it kept getting stuck on a reference to Michael Howard..... sorry 'bout the comments in "batches" like that.

re: The lesson this month.

bradley — Sun, 20 Aug 2006 23:42:48 GMT

Firefox AND running with least privilege absolutely... but Firefox with admin rights... we are so doomed to go right down the same path and repeat EVERY wrong move we are currently doing.

re: The lesson this month.

bradley — Sun, 20 Aug 2006 23:40:29 GMT

No browser is the answer as long as we are running with admin rights. The firewall and DMZ is dead. Browsers were designed to unload stuff onto whatever device they can.
be it desktop, whatever. As long as the fundamental design of the Internet is what it is, we cannot depend on the firewall.

re: The lesson this month.

bradley — Sun, 20 Aug 2006 23:39:33 GMT

I'm running as non admin here and it doesn't hurt one bit. Are you? I'm flexible and still am non-admin. Because I'm taking the time to learn all those group policy thingamabobbers that us IT pros are supposed to do. You saying that's too much now?

On the one hand you tell me that IT pros need to crack a book, on the other hand you say that Firefox is the answer to our security needs regardless of how we set up our workstations.

re: The lesson this month.

bradley — Sun, 20 Aug 2006 23:38:25 GMT

My workstations are just as much a part of my network as my server... and as long as we have this idea that they shouldn't be a foot soldier in the war, and the answer is to run as admin with Firefox, we are doomed, Vlad.

Mac isn't the answer either. Regardless of the fact that it has a cute guy as a spokesman.

Every single application I buy needs to pull it's weight.

re: The lesson this month.

Vlad Mazek — Sun, 20 Aug 2006 23:01:37 GMT

Do not buy applications that require IE. Simple as that. If you can scream about Quickbooks and asking people not to ignore them then you should at least be reasonable enough to tell people NOT to buy applications designed on technology that has a proven track of ridiculous security shortcomings and change management holes. "Sorry, we got sued so instead of paying up we'll just make this inconvenient for everyone else"

As for locking it down - Your network should be locked down and secured at the firewall, server, NAP/NAC, etc.... not on the workstation where it can get owned at any moment. If we all expect our computers to be as secure as possible while the network is wide open we'll either have to make the compromise of letting go of flexibility and features (ie, buy a Mac) or demand better written apps.

Microsoft is clearly not listening, their response is "we can't do much about writing secure software" - that whole secure by design is gone. Now its more about secure by patching and limiting access/functionality (I guess thats "secure by deployment" piece they promised us in 2001 coming with Vista in the way of UAC). And if they are not listening, we should not be using IE or committing to technologies that require IE to operate.

But given all of that, let the bygones be bygones. Where we are at now I believe Mozilla/Firefox is the way to go and Microsoft will have to go a long way to prove otherwise, at least for me.

-Vlad

re: The lesson this month.

bradley — Sun, 20 Aug 2006 21:50:18 GMT

If you are browsing for a solution to an error you most likely have taken off that enhanced IE that protects the server. You are also probably surfing as an administrator on the server. Neither one is acceptable risk for a domain controller. Have a workstation, RDP to the server, these days browser exploits are coming on ANY site. You cannot determine the difference from a good site and a bad site these days when even banner ads and other securty based web sites have been offering up vulnerabilities.

There have been several cases recently where security based sites have been defaced and intruded on. Thus defining "nefarious" may be the next web site that you click on.

And to answer Jason's question, fire up that vmware.

re: The lesson this month.

Jason J. Thomas — Sun, 20 Aug 2006 21:40:19 GMT

I would make the argument that there are occasionally needs when one must surf from a server. Mainly to download an update, but occasionally when you are searching for a solution an application error. In most cases, a good administrator will have everything ready, but sometimes you need that browser. Thus, I disagree with your statement. There is a need, but let's face the facts that most folks who access a server console are not your run of the mill user browsing all the various nefarious sites.

Unfortunately, there is a need for IE. To be honest, no website should foist upon you a browser choice, but there are business applications that do that. Nonetheless, I think it is the responsibility of the vendor to make sure their web-bassed application is browser-agnostic. What, if, pray tell, I have Linux users accessing an application?

re: The lesson this month.

bradley — Sun, 20 Aug 2006 21:34:33 GMT

Gotta use it in busienss Vlad, we can't get away from it so we need to learn how to lock it, and any other browser down.

re: The lesson this month.

Vlad Mazek — Sun, 20 Aug 2006 21:25:13 GMT

I've told you previously what you can do with that 2x4 :)

Bottom line: IE should not be used, anywhere by anyone. The same is not the case with Firefox, even with Administrative priviledges.

-Vlad