Do you put firefox/chrome on your windows server?

pwjohnston · May 2012

I know that IE has gotten better on the security front, but do you use an alternative browser on your Windows servers? Why or why not?

demonfurbie · May 2012

i dont put anything unneeded on a server, i dont use servers to go browse the internet at all, thats just asking for trouble imo

atorven · May 2012

removed unnecessary quote

Same, in the unlikely event that I need to go online for something I would use IE.

joshmadakor · May 2012

I put Chrome on my lab servers

Edit: Like a boss.

erpadmin · May 2012

Only time I browse the Internet on my servers is if I have to go to a vendor (Oracle, in this case) to download a patch. In that case, it is always IE. I would never want to increase the chance of instability on my production boxes. Even my development boxes I wouldn't want to take such risks.

If something breaks because I went to microsoft.com or oracle.com, then I can deal with Microsoft to fix it (we have bought their support through EA.) In the unlikely event that some Blue Badge looks at our server and sees Chrome, he could try to invalidate our support (I'm not sure if that's actually the case, but I'm not trying to find out either.)

Tackle · May 2012

No web browsing on my servers, including the terminal server!

I only use web when necessary for patches (like erpadmin)

Everyone · May 2012

Like others already pointed out, no web browsing from servers. There is a reason they put that annoying "IE Enhanced Security Mode" on the Server O/S.

In Windows Server 8, 2 of the 4 available modes don't have IE on them at all.

"Downloading Patches" isn't an excuse either. You do that from a workstation, then copy them over to the server.

ptilsen · May 2012

Yes, but only if needed. In general, web browsing on servers = bad. There are some exceptions, but not many.

I have deployed multi-user Chrome on an RDSH server used for full desktop environments from thin clients. Outside of that, it doesn't seem necessary very often.

RomBUS · May 2012

Yes I found it particularly strange if I ever saw other browser installs on the server, even misc. browsing history if it wasnt from a vendor or updates related. I do not even install any word processing apps either (such as Office) on servers

erpadmin · May 2012

Everyone wrote: »

"Downloading Patches" isn't an excuse either. You do that from a workstation, then copy them over to the server.

Oh pardon me, Mr. Blue Badge....pardon *blank*ing me....lmao.

For the few times I don't download from a server, I am doing it from a workstation. But the fact remains I would still not put a non-IE browser on a Windows server. No point or reason for it.

RomBUS wrote: »

Yes I found it particularly strange if I ever saw other browser installs on the server, even misc. browsing history if it wasnt from a vendor or updates related. I do not even install any word processing apps either (such as Office) on servers

Certain Enterprise applications need Office in order to process spreadsheets, or word documents. That actually happens on the server, as opposed to on the client. Even then, it's only Word/Excel.

cyberguypr · May 2012

Same a others, no browsing from a server.

DevilWAH · May 2012

you could argue that there is more potential for security issues when downloading from a workstation as the workstation is more at risk from malware as it will be used more on the internet. (Please not I said COULD... no that I do).

I am like most people unless there is a reason a server needs web browse or application then I don't install them, and unless there is a need for a server to connect to the internet it will be blocked by firewalls any way.

even if i do need to use a browser the fire wall will general only allow specific servers to connect to specific sites, which further reduces the reliance on the browser security.

But seeing how 99% of my admin is done via remote sessions (RDP or SSH) seldom is there ever a need to get on the internet from the server it self.

Roguetadhg · May 2012

I wouldn't be browsing on a server. I'd be keeping any server as light weight as possible - in every way I could think of.

The internet is full of baddies.

Slowhand · May 2012

You people have web browsers on your server? You mean we're not all just using Windows Server 2008 R2 Core exclusively by now?!?

undomiel · May 2012

We have a client or two that has Chrome running on their RDS farms. There were a few servers that I installed Opera on as IE wasn't working and I needed to get into a drac.

Qord · May 2012

Slowhand wrote: »

You people have web browsers on your server? You mean we're not all just using Windows Server 2008 R2 Core exclusively by now?!?

Use Lynx!

Tackle · May 2012

Qord wrote: »

Use Lynx!

Mom and Baby Lynx!

higherho · May 2012

Our IIS servers needed IE for testing purposes. But configuring , hardening it down to a T. the only browsing allowed on it is to a secured internal server locally. All external traffic is blocked. The other time I need IE is to access the GUI of a security console (again cannot browse the web, only access the GUI through IE).

Plus IE can be locked down much more than any other browser, at least from my experience.

erpadmin wrote: »

Certain Enterprise applications need Office in order to process spreadsheets, or word documents. That actually happens on the server, as opposed to on the client. Even then, it's only Word/Excel.

Yes you do! Office 2003 web components (some web applications running off a server need these installed).

joshmadakor · May 2012

Hahaha, thanks whoever +rep'd me, I had a good laugh

jmritenour · May 2012

I don't hit the net on any server if it can be avoided at all. If I need to DL something, I'll save it to a flash drive, or put it on a network share or something like that. I'll use IE if I absolutely need to reach the net, but other than that, I avoid it all together.

Forsaken_GA · May 2012

paranoid bastards.

I have no problem putting Chrome on a server. It's lightweight enough to not have any meaningful impact on the servers resources, it's behind a very well protected proxy, and the people who are likely to be using it for administrative purposes tend to be smart enough not to do crap like visit malware infested websites. If they are, you need to fire the person, not make the box a bigger pain in the ass to work with. If you make the box accessible on the wire, you're at risk, period. The risk should be managed, sure, but in a sane, non utterly paranoid way.

joshmadakor · May 2012

^ TSRH (I agree)

ptilsen · May 2012

Forsaken_GA wrote: »

paranoid bastards.

I have no problem putting Chrome on a server. It's lightweight enough to not have any meaningful impact on the servers resources, it's behind a very well protected proxy, and the people who are likely to be using it for administrative purposes tend to be smart enough not to do crap like visit malware infested websites.

I agree, but it really isn't that much more of a hassle to just not browse the web on that server, 99% of the time. Browsing the web is an increased risk (regardless of browser, proxy, etc), period. Not using production servers for web browsing decreases that risk.

If it's a question of browsing at all, I would say Chrome should be used on anything. I'll stand up for MS products all day, but not for IE. If you do feel the need to browse the web on a server, Chrome and Firefox are still the way to do it.

erpadmin · May 2012

ptilsen wrote: »

If it's a question of browsing at all, I would say Chrome should be used on anything. I'll stand up for MS products all day, but not for IE. If you do feel the need to browse the web on a server, Chrome and Firefox are still the way to do it.

I agree with everything you said, except this up above, though I am with you that IE is crap. Web browsing on servers should be minimized to the extreme (and I personally only limit that to patch downloads when I'm not on my workstation...). Even with IE being crap, it is still better to deal with IE on a server, or not at all. I only say this because the risk of instability should be minimized on those boxes, and only installing what is needed is always the best route to go. Chrome, Opera, etc., is not needed for production boxes.

ptilsen · May 2012

erpadmin wrote: »

I agree with everything you said, except this up above, though I am with you that IE is crap. Web browsing on servers should be minimized to the extreme (and I personally only limit that to patch downloads when I'm not on my workstation...). Even with IE being crap, it is still better to deal with IE on a server, or not at all. I only say this because the risk of instability should be minimized on those boxes, and only installing what is needed is always the best route to go. Chrome, Opera, etc., is not needed for production boxes.

Firefox and Chrome are more stable than IE. I have never so much as heard of either Chrome or FF causing any system instability in any way. IE tends to use substantially more resources than Chrome, and is inherently riskier to use. I'll stand by using Chrome if I do have to browse the web on a server.

DevilWAH · May 2012

See I can't remember the last time I logged on to a server physically, its always via RDP. I can't think of a case where there is a benefits of browsing directly form the server.

Server session on monitor one, workstation browser on monitor two with all my bookmarks and settings and a share they are both mapped to. To be honest until this thread came up I had forgotten servers have IE installed

ptilsen · May 2012

DevilWAH wrote: »

See I can't remember the last time I logged on to a server physically, its always via RDP. I can't think of a case where there is a benefits of browsing directly form the server.

You're remotely accessing the server from another location and need to download something from the Internet using that site's Internet connection.

That would be the prime example, and this is a situation I encounter 4-5 days a week.

erpadmin · May 2012

ptilsen wrote: »

You're remotely accessing the server from another location and need to download something from the Internet using that site's Internet connection.

That would be the prime example, and this is a situation I encounter 4-5 days a week.

If I had to choose between browsing the web with Chrome or FF and not browsing the web on a server directly, I'm going to not browse the web at all. Just because you might not have seen evidence of instability doesn't mean it doesn't exist. And if you're RDPing to a server (as opposed to physically going there) then there really isn't an excuse why something can't be downloaded from your workstation and then UNC to the server location (or UNCing to your downloaded location...)...you don't even have to a map a drive...lol.

Forsaken_GA · May 2012

erpadmin wrote: »

If I had to choose between browsing the web with Chrome or FF and not browsing the web on a server directly, I'm going to not browse the web at all. Just because you might not have seen evidence of instability doesn't mean it doesn't exist.

I apologize for the crassness, but this is a total crap argument. I could make the same argument for just putting the server on the wire. After all, just because you haven't seen any evidence that your server has already been pwned, doesn't mean it hasn't!

Everyone has different comfort levels when it comes to risk. Speaking for myself, I like to make reasoned and informed decisions, not ones based on fear. I fully agree that web browsing on a server should be kept to an absolute minimum, but to outlaw it entirely is a fear based decision, and IMHO, foolish, as you're denying yourself the use of a potentially useful tool.

Forsaken_GA · May 2012

ptilsen wrote: »

Browsing the web is an increased risk (regardless of browser, proxy, etc), period.

And yet, we let our uses do it on the same network all the time.

Sure, it makes sense and sounds great on paper, and it's perfectly logical. Web browsing carries a risk, no web browsing, no risk!

As a practical matter, yeah, no. If everyone did everything based simply on logic, we'd all give up building anything like a career or put a bullet in our heads the second we realized that nothing we do matters, since we're all going to die anyway. Very few things are clear cut black and white, and IT is no exception to that.

ptilsen · May 2012

erpadmin wrote: »

If I had to choose between browsing the web with Chrome or FF and not browsing the web on a server directly, I'm going to not browse the web at all.

Completely agreed. I would prefer to use a desktop and transfer over RDP or SMB.

erpadmin wrote: »

Just because you might not have seen evidence of instability doesn't mean it doesn't exist.

Oh, I agree. That's why I said I've never even heard of it. That doesn't mean I'm not open to hearing of it, either -- just that I haven't. If your experience has been either browser has any impact on server stability, please share, because I am interested in your experience.

erpadmin wrote: »

And if you're RDPing to a server (as opposed to physically going there) then there really isn't an excuse why something can't be downloaded from your workstation and then UNC to the server location (or UNCing to your downloaded location...)...you don't even have to a map a drive...lol.

Yes, there is. The remote site might have an underutilized 50mbps line while I'm operating over a 10mbps line that's often fully saturated. If I try to first download the file on my slower Internet, then transfer the file over RDP from my location, it would literally be faster to go home, download it, put it on a hard drive, then drive to the site, drive back home, drive back to the site, buy a sandwich, drive home, drive back to the site, eat the sandwich, then drive home again, then finally drive back to the site and plug in the hard drive and transfer the file, 95% of the time. I usually need the file more quickly than all that, so downloading it using that site's Internet connection tends to make a lot more sense.

Again, we will use a desktop at that site if possible, then transfer locally from that desktop to the server in question. But, if that's not an option, we will absolutely use Chrome or FF to perform relatively mundane operations. No, we shouldn't have to do this, but the reality is we sometimes do.

Forsaken_GA wrote: »

Very few things are clear cut black and white, and IT is no exception to that.

I agree completely. I don't think we disagree on this at all. Web browsing is an increased risk that should be avoided, but sometimes it is not reasonable to avoid it. It's not a black and white issue, as you say.

To elaborate on that even further, I have a variety of clients with a very wide variety of security needs. Some can't even have Internet access on most of their servers, while on the other hand I've had a client say that none of his data is important to keep confidential, and that he effectively faces no risk of monetary loss or serious impact if all of his data is compromised. Then there's a whole range of clients between that. So what steps are taken to mitigate what risks are going to vary by how great the risk is and how much of an impact a stability or security problem would have.

For most of my clients, downloading an ISO file from MS VLSC or maybe VMware does not pose a serious risk.

Do you put firefox/chrome on your windows server?

Comments