
Do you put firefox/chrome on your windows server?


Comments

  • DevilWAH, Member, Posts: 2,997
    If everyone did everything based simply on logic, we'd all give up building anything like a career or put a bullet in our heads the second we realized that nothing we do matters, since we're all going to die anyway. Very few things are clear cut black and white, and IT is no exception to that.

    I do everything based on logic, and everything is clear cut if you want to look closely enough (Planck's constant and all). And out of all the things around, IT is possibly the most logical of all, as it is itself built on top of pure logic :)

    In the case of browsing from a server it's the same as all other security issues: a question of cost vs. benefit, game theory, probability, etc.

    Just like you restrict browsing to some workstations for various reasons, servers are the same, and I can see no reason not to use some to browse the internet, while for other secure servers it may be company policy to have them air-gapped from the rest of the network, in which case what browser they have installed is beside the point. And then there are all the ones in between.

    This is why every business should have the security policy and design standard written down and reflecting what is right for their business.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • erpadmin, Member, Posts: 4,165
    After all, just because you haven't seen any evidence that your server has already been pwned, doesn't mean it hasn't!

    Everyone has different comfort levels when it comes to risk. Speaking for myself, I like to make reasoned and informed decisions, not ones based on fear. I fully agree that web browsing on a server should be kept to an absolute minimum, but to outlaw it entirely is a fear based decision, and IMHO, foolish, as you're denying yourself the use of a potentially useful tool.

    While it is hard to take your argument seriously with your use of l33t-speak, nevertheless I will excuse your crassness.

    You really don't know me at all, and you know what that is 100% ok. Because if you did know me, you would understand that I'm not afraid of anyone, or anything. At the same time, that little thing called experience has a tendency to guide my actions at work. If you read my past posts in this thread, you will see that I personally have browsed the web on my servers, so I don't "outlaw" them entirely. But because I'm going to a limited number of sites, I won't allow a non-standard browser installed on my production servers just because IE is a bit slower. It is totally unnecessary and it is not based on fear, but just standard best practice.
  • snokerpoker, Member, Posts: 661
    I never install FF or Chrome on servers. I've maybe had to use the web on a server 4-5 times in about 6 years of working in IT.
  • networker050184, Mod, Posts: 11,962
    Ok ladies and gentlemen, you don't have to take everything personally. Keep it professional and on topic here.
    An expert is a man who has made all the mistakes which can be made.
  • RobertKaucher, Member, Posts: 4,299
    ptilsen wrote: »
    Firefox and Chrome are more stable than IE. I have never so much as heard of either Chrome or FF causing any system instability in any way. IE tends to use substantially more resources than Chrome, and is inherently riskier to use. I'll stand by using Chrome if I do have to browse the web on a server.
    I think this is kind of a moot point. None of the 3 major browsers represent, in themselves, an issue simply being installed on a prod server.

    The real point of it is do you have a policy that says no unnecessary 3rd party applications on production servers or don't you? If you don't, then you don't. Is it ok if I install all of the add-ins that I love oh so very much as well? Maybe you just have a whitelist of apps that are allowed?

    But why bother with the additional complexity? You don't need Chrome, nor Firefox, nor anything else except what the server needs to do its job. ERP's point is why muddy the waters with any additional software no matter how secure you believe in your heart-of-anecdotal-hearts said software really is? He's not suggesting anything about the security or lack thereof of the other browsers. He's simply pointing out that a best practice is best for real reasons, even if we sometimes feel it is ok to ignore the best practice for the practicality of the real world.

    We might find it's perfectly acceptable to install software X on a server for a given reason, but we all have to acknowledge that not having additional software beyond what is required does decrease the attack surface.
  • dustinmurphy, Member, Posts: 170
    I wouldn't install FF or Chrome on a server, no. Why? Because it's unnecessary. Although we've discussed whether or not it's a good idea to "browse" the internet on a server... the fact is... a server is meant for a purpose. That purpose is NOT surfing the internet. Is that to say that I don't allow internet browsing on my servers? No. In fact, there are many good reasons (shared in this thread) as to why it's a good idea to browse the internet on the server. I'm not going to tax my internet connection downloading a 600MB file... only to tax the connection again to transfer it to the server... I'm going to download it directly to the server (or local network).

    Since FF and Chrome have their own vulnerabilities, I find no good reason to use them in lieu of IE when hitting the net from a server. If I saw them on a prod server, I would most likely uninstall them and find out why they were there.
  • erpadmin, Member, Posts: 4,165
    RobertKaucher wrote: »
    But why bother with the additional complexity? You don't need Chrome, nor Firefox, nor anything else except what the server needs to do its job. ERP's point is why muddy the waters with any additional software no matter how secure you believe in your heart-of-anecdotal-hearts said software really is? He's not suggesting anything about the security or lack thereof of the other browsers. He's simply pointing out that a best practice is best for real reasons, even if we sometimes feel it is ok to ignore the best practice for the practicality of the real world.

    We might find it's perfectly acceptable to install software X on a server for a given reason, but we all have to acknowledge that not having additional software beyond what is required does decrease the attack surface.

    Exactly my point Robert, well said, and repped!

    "Best practices" exist for a reason: the mitigation of risk. Anyone who's ever taken so much as Security+ understands there's a difference between risk mitigation and risk avoidance. The nature of our jobs dictates that risk will always exist, especially if you have any box, a workstation or a server, "on the wire." However, my job to help mitigate risk is to keep unnecessary software off my production boxes. Chrome and Firefox don't suck as browsers, and I really love Chrome. However, I don't need to install those browsers on my servers because I want to manage my risk on those servers (risk mitigation).

    Best Practices does not equal "fear..."

    Thanks Robert once again for seeing my point.
  • RobertKaucher, Member, Posts: 4,299
    erpadmin wrote: »
    Thanks Robert once again for seeing my point.

    And it's a perfectly valid one. But Forsaken's point that in many cases the practical outweighs those concerns is also valid. What it really comes down to is don't add things unless they are needed, but "Just because I like it" does not constitute a need.

    We must have both a degree of restraint not to do things just because we don't feel the probability of something bad happening is minimal and a degree of freedom to get things done that we need to accomplish.
  • erpadmin, Member, Posts: 4,165
    RobertKaucher wrote: »
    We must have both a degree of restraint not to do things just because we don't feel the probability of something bad happening is minimal and a degree of freedom to get things done that we need to accomplish.

    If one practiced risk avoidance, then one would be too inflexible to install anything to get something to work.

    Risk mitigation allows one to weigh practicality vs. best practices. If practicality is needed, then that wins [disclaimer...I'm a Virgo--so I'm pretty effing practical. LOL.]
    RobertKaucher wrote: »
    What it really comes down to is don't add things unless they are needed, but "Just because I like it" does not constitute a need.

    Remember...as I've stated all along, if it's necessary, then it gets installed. It was always my contention that installing web browsers that are non-IE was simply not necessary and that "Just because I like it" argument doesn't fly with me either. :)
  • jmritenour, Member, Posts: 565
    paranoid bastards.

    I have no problem putting Chrome on a server. It's lightweight enough to not have any meaningful impact on the servers resources, it's behind a very well protected proxy, and the people who are likely to be using it for administrative purposes tend to be smart enough not to do crap like visit malware infested websites. If they are, you need to fire the person, not make the box a bigger pain in the ass to work with. If you make the box accessible on the wire, you're at risk, period. The risk should be managed, sure, but in a sane, non utterly paranoid way.

    Paranoid nothing. I work at one of the most secure datacenters in the country. Between SAS/SSAE, HIPAA, PCI, etc, pretty much nothing has port 80 open outbound anyway, so hitting the web directly from the box isn't an option. Networks are dual homed - everything has a private interface, obviously, routed back to a site to site VPN per each customer, and only things that will be serving up internet facing content even have a public interface. Default firewall rules are nothing is open until the customer tells us to open it.

    I'm sure you know a much better way to do all of this, but hey, I deal with what I have to work with.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • dustinmurphy, Member, Posts: 170
    erpadmin wrote: »
    Remember...as I've stated all along, if it's necessary, then it gets installed. It was always my contention that installing web browsers that are non-IE was simply not necessary and that "Just because I like it" argument doesn't fly with me either. :)

    I agree with this point. It's not necessary. Although it's a short process, the amount of time spent on installing a non-IE browser is just a waste of time and resources. I don't know that I'd go as far as to say that it's a "dangerous" process or anything... but as you said... "because I like it" isn't a valid justification point to waste time and resources on a new browser.
  • blargoe, Member, Posts: 4,174
    I don't install any other web browsers on my servers. I don't even install the IE upgrades on Windows servers (security updates continue to be pushed for the version of IE that came with the server, as long as the server is supported). I don't install stuff on servers that I don't think I will need. It is extremely rare for me to browse anything on the internet from the server.

    The only exception I have right now is a Remote Desktop server that is set up to bypass our Internet filtering solution and has multiple browsers installed, because we were forced to set this up for certain users, but it is on an isolated network.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Forsaken_GA, Member, Posts: 4,024
    erpadmin wrote: »
    You really don't know me at all, and you know what that is 100% ok. Because if you did know me, you would understand that I'm not afraid of anyone, or anything. At the same time, that little thing called experience has a tendency to guide my actions at work. If you read my past posts in this thread, you will see that I personally have browsed the web on my servers, so I don't "outlaw" them entirely. But because I'm going to a limited number of sites, I won't allow a non-standard browser installed on my production servers just because IE is a bit slower. It is totally unnecessary and it is not based on fear, but just standard best practice.

    Alright, fair enough, though I'll just say this - with IE's track record on security, you'd have a hard time convincing me that using IE is a best practice just because it's already there, especially while simultaneously making the argument for restricted web browsing on a server due to security concerns.
  • jmritenour, Member, Posts: 565
    Forsaken_GA wrote: »
    Alright, fair enough, though I'll just say this - with IE's track record on security, you'd have a hard time convincing me that using IE is a best practice just because it's already there, especially while simultaneously making the argument for restricted web browsing on a server due to security concerns.

    I really don't want this to seem like I'm piling on with erp, because I'm not, but yeah, I would definitely say using IE would be a best practice from a security standpoint.

    First of all, the "IE is insecure" line is old hat and inaccurate. 6 was horrible, 7 was passably better, and 8 & 9 are both pretty locked down on their own, especially when you use them on Windows 2003 or 2008 server due to IE Enhanced Security Configuration, which is on by default. In fact, given current FIPS standards, installing a 3rd party browser could be seen as weakening overall server security, as they bypass IEESC.

    Then you also have the fact that IE is covered by Windows Update, which is auditable and generates handy little reports on current patch levels if you're using WSUS. Chrome & Firefox can't do that, at least not without some type of 3rd party patch management software.

    But again, at the end of the day, I wouldn't want a production server to even have internet access if it didn't need it, so it's a moot point.
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
  • Forsaken_GA, Member, Posts: 4,024
    erpadmin wrote: »
    Best Practices does not equal "fear..."

    Yeah, sorry, not falling on my sword in the name of Best Practice. Never been a fan of the buzzwords, and 'best practice' is just another one of those. Most best practices are simply common sense codified. There are others that are quite debatable as to what is best, as 'best' in and of itself is quite a subjective concept.

    Simply put, sometimes what is put forth as a best practice, isn't, particularly when it comes to security. Anyone who dares to try and use 'Best Practice' as an excuse with me had better be able to explain exactly *why* it's a best practice.

    Let's take the current discussion, for example.

    The Best Practice at question here is whether to install any unnecessary software, correct? Since we seem to be at a tacit level of agreement when it comes to web browsing (it's ok to do, but should be kept to the minimum possible), we're already principally agreed that a web browser is not unnecessary software.

    What the argument over the best practices comes down to, in essence, is whether Chrome or Firefox should be considered unnecessary simply because of the presence of IE as a default. And this comes down to a matter of personal preference. Microsoft is obviously going to tell you that it's best practice to use IE. They're not exactly an unbiased party.

    If you agree that IE is just fine and dandy, then that's cool. Personally speaking, I can make an argument for Chrome based on two things: #1 If it's an especially busy server where resources are tight, Chrome is one of the most lightweight I've ever seen. It'll be a lighter impact to use it over the bloatware that is IE or Firefox. Here, the best practice of IE fails the common sense test - it doesn't make good sense to use something that is more impactful on purpose. #2 Given IE's horrid security track record, if you're going to web browse on a server, then it doesn't stand up that you'd use something more likely to be compromised. The Best Practice argument falls down, because it's based on the argument that IE is the 'Best Practice' simply because the vendor has it pre-installed.

    I'm sorry, but I believe best practices must pass the smell test, and must be able to stand on their own. If the concept can be easily contended with, and it cannot be clearly and definitively explained *why* it's a best practice, then it isn't. Anytime someone needs to fall back on the argument 'well, so and so says it's best practice...', that argument is over, there will be no more rational discussion on that subject.
  • Forsaken_GA, Member, Posts: 4,024
    RobertKaucher wrote: »
    We must have both a degree of restraint not to do things just because we don't feel the probability of something bad happening is minimal and a degree of freedom to get things done that we need to accomplish.

    Agreed. There is a need to be vigilant, but the second you start being oppressive, your security policy will be worth spit, as folks will find a way to circumvent it, and they won't tell you about it. You catch an admin updating Facebook from a web browser on a server, that person needs to get tossed, or at the very least get a Come Back to Jesus speech. Downloading drivers or updates for the OS on that box from the vendor's website? Not a big deal.
  • Forsaken_GA, Member, Posts: 4,024
    jmritenour wrote: »
    I really don't want this to seem like I'm piling on with erp, because I'm not, but yeah, I would definitely say using IE would be a best practice from a security standpoint.

    First off, no need to worry about piling on. I've stood alone against the crowd and held my own on more than one occasion here, not going to feel like I'm being picked on. I'd much rather folks speak their mind and engender a good debate than hold back out of fear of offending my delicate sensibilities, because I'm for sure not going to hold back for fear of offending yours ;)

    Now, with that being said... I can find a point of contention with your premise that IE is better from a security standpoint. I'm more than willing to listen as to why I'm wrong on that account, but understand, that when I do a simple google search for IE9 security vulnerability, I find many results, some as recent as March of this year, as well as vulnerabilities which exist in IE 9 and carried over into IE10 consumer preview. I stipulate that my examination is cursory, but I can provide direct proof that IE9 security leaves something to be desired. I welcome your defense of the premise that IE is better from a security standpoint.
    jmritenour wrote: »
    Then you also have the fact that IE is covered by Windows Update, which is auditable and generates handy little reports on current patch levels if you're using WSUS. Chrome & Firefox can't do that, at least not without some type of 3rd party patch management software.

    This a better argument, but not necessarily one for security. Microsoft isn't exactly known for being quick to turn around on security updates, while I've seen Mozilla and Google turn out updates to fix 0-day vulnerabilities in under a week on many occasions. The better integration with existing management tools is certainly a point in IE's favor though.
    jmritenour wrote: »
    But again, at the end of the day, I wouldn't want a production server to even have internet access if it didn't need it, so it's a moot point.

    For me, it depends on the nature of the server. My primary authentication servers? I don't even want those to have access to anything outside of their subnet if I can avoid it. Folks should be talking to relays, not the root servers. My home directory file server? Little less worried about that one (especially since some of the crap users put on there on purpose is a bigger nightmare than you're likely to see from them visiting sites.... finding ISO's with keygens or the latest episodes of True Blood encoded in XViD tended to make Forsaken an angry and vengeful deit... er, admin)
  • DevilWAH, Member, Posts: 2,997
    Forsaken_GA wrote: »
    I'm sorry, but I believe best practices must pass the smell test, and must be able to stand on their own. If the concept can be easily contended with, and it cannot be clearly and definitively explained *why* it's a best practice, then it isn't. Anytime someone needs to fall back on the argument 'well, so and so says it's best practice...', that argument is over, there will be no more rational discussion on that subject.

    Well in this case, best practice is to not allow any internet access, the reason being that if you disable access completely then you remove the chance of a "rogue" admin doing something stupid.

    For a server that is carrying out a few hundred million pounds of transactions every minute, I'd rather not risk the chance of an idiot crashing it; tossing them out the door afterwards will be a bit late.

    And in terms of Chrome being more lightweight, if you are running a server so close to the edge that opening a web browser is going to push it over the edge... the difference in resources between Chrome and IE is not that large in relative terms.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • Forsaken_GA, Member, Posts: 4,024
    DevilWAH wrote: »
    Well in this case, best practice is to not allow any internet access, reason being is if you disable access completely then you remove the chance of a "rogue" admin doing some thing stupid.

    From a security standpoint, I'm absolutely sure that's best practice. From a practical standpoint, far from it. Since we don't run in perfect environments that have all the resources needed (ie, bandwidth on inter-site pipes, as ptilsen has demonstrated is the case in his environment), some best practices start getting tossed because they realistically can't be enforced.
    DevilWAH wrote: »
    And in terms of Chrome being more lightweight, if you are running a server so close to the edge that opening a web browser is going to push it over the edge... the difference in resources between Chrome and IE is not that large in relative terms.

    Oh, certainly, I agree, the resource usage argument is pretty much making a big deal out of nothing. However, a lot of folks like to represent 'Best' as an absolute concept when it's really subjective, and the resource argument is a pretty good way of demonstrating that.
  • higherho, Member, Posts: 882
    Does anyone here lock down their IE at all? Just curious, I recently went through a policy change and hardening IE took 2 hours to do (over 100 changes in GP).
  • dustinmurphy, Member, Posts: 170
    DevilWAH wrote: »
    Well in this case, best practice is to not allow any internet access, reason being is if you disable access completely then you remove the chance of a "rogue" admin doing some thing stupid.

    For a server that is carry out a few 100 million pounds of transactions ever minute, rather not risk the chance of a idiot crashing it, tossing them out the door after will be a bit late.

    I think that some sense needs to be taken as far as which servers are "safe" to browse the internet and ones that really shouldn't. There are mission-critical servers that should be tread lightly around... such as the one you mentioned.... personally, I would leave that one alone and use a near-by support server for surfing the internet and downloading necessary items, if possible.
    DevilWAH wrote: »
    And in terms of Chrome being more lightweight, if you are running a server so close to the edge that opening a web browser is going to push it over the edge... the difference in resources between Chrome and IE is not that large in relative terms.
    Yeah, I was going to mention this as well... if no one else did... personally, I use Chrome on my PC.... but I don't feel it to be enough of a benefit that I would run it on a server. It's unnecessary, and as for "security"... well, IE gets patched with Windows Updates.... so, it's secure enough.

    I also agree that ANY admin changing Facebook status, etc on a server should be reprimanded... harshly. :D
  • jmritenour, Member, Posts: 565
    Forsaken_GA wrote: »
    First off, no need to worry about piling on. I've stood alone against the crowd and held my own on more than one occasion here, not going to feel like I'm being picked on. I'd much rather folks speak their mind and engender a good debate than hold back out of fear of offending my delicate sensibilities, because I'm for sure not going to hold back for fear of offending yours ;)

    Now, with that being said... I can find a point of contention with your premise that IE is better from a security standpoint. I'm more than willing to listen as to why I'm wrong on that account, but understand, that when I do a simple google search for IE9 security vulnerability, I find many results, some as recent as March of this year, as well as vulnerabilities which exist in IE 9 and carried over into IE10 consumer preview. I stipulate that my examination is cursory, but I can provide direct proof that IE9 security leaves something to be desired. I welcome your defense of the premise that IE is better from a security standpoint.

    First of all, I didn't say that IE9 is better as far as security goes, merely that it is a better practice to use it. Given that it is the most targeted of all the major browsers, of course it is going to have the most *known/published* exploits.

    That said, I'd still use it on a server OS before Chrome/FF/Opera. There are a myriad of reasons, and again, bear in mind, I'm coming at this from the compliance standpoint so I'm going to have a slightly different view of security and what is and is not acceptable.

    1. Most exploits for IE9 published apply only to Windows 7/Vista/XP. The default configuration in 2008 and R2 is much less susceptible to what's floating around out there, unless you remove/disable the enhanced security config. Which a lot of well-meaning admins do, because they find the level of lock down, and the safe/supported ways to circumvent to be too much of a hassle. Or they install a 3rd party browser to get around it.

    2. As mentioned above, you can lock down IE even further with group policy, which you can't do with Chrome/FF/Opera.

    3. Windows Updates/WSUS, I mentioned earlier. Sure Chrome & FF have auto-updates, but no central way to manage them, and no central way to gauge what patch level you are at throughout your organization. That might not seem like that big of a deal to security at first, until an exploit for a certain version of FF/Chrome hits. And guess what? Since Chrome isn't a part of our standard image, it slips through the cracks because I have no idea that it's installed, let alone what version it is. If I'm sticking with IE, at least I can run a report from WSUS as to what systems are lacking the latest IE security updates.

    4. Then there's that whole pesky auditing thing. We are a hosted solutions/managed service provider. We have standard builds for Windows & all the Linux distributions. We install other software from an approved list as requested by the customer, such as SQL & lock it down accordingly. It is clean and pristine at turnover, and anything beyond that is in the customer's hands.

    I've seen quite a few customers fail federal audits because they had software installed that wasn't deemed necessary to the function of the server in the role it was serving. Chrome has been the culprit a few times. Now, you could make the case that compliance is just another set of meaningless standards, and you'd be right to a degree - some of them are nitpicky, and really don't do much for overall security. But that doesn't help when you fail a PCI compliance audit, and your site is ruled not safe to process credit card transactions until it gets in compliance.

    So, from a total security standpoint - including patch management, auditing, and knowing what the hell is running on my servers in my environment - I'm sticking with IE9 on my Windows builds. And I'm blocking 80 & 443 outbound until someone gives me a good reason to open it. ;)
    "Start by doing what is necessary, then do what is possible; suddenly, you are doing the impossible." - St. Francis of Assisi
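    Three of the points argued over above are things you can check on a box rather than guess at: whether a third-party browser has slipped onto a server that isn't in the standard image, whether a well-meaning admin has switched off IE Enhanced Security Configuration, and whether outbound 80/443 is actually closed. The PowerShell below is an added example for this page, not code from the thread or from any of its posters. It assumes an elevated session on a Windows server, the standard per-machine Uninstall registry keys (native and WOW6432Node views), the documented IE ESC Active Setup GUIDs, and the NetSecurity cmdlets, which only exist on Windows Server 2012 and later (older boxes get a netsh pointer instead).

```powershell
# Added example (not from the thread): audit one Windows server for third-party
# browsers, IE Enhanced Security Configuration state, and outbound 80/443 policy.
# Assumptions: run elevated; registry paths are the documented Uninstall and
# IE ESC locations; NetSecurity module present on Server 2012+ only.

function Get-ThirdPartyBrowsers {
    # Per-machine installs in both the native and 32-bit (WOW6432Node) registry views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Chrome|Firefox|Opera' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString
}

function Get-IEEscState {
    # IE ESC is tracked per group under Active Setup; IsInstalled = 1 means it is
    # on for that group, 0 means someone turned it off in Server Manager.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $groups = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    foreach ($g in $groups.Keys) {
        $value = (Get-ItemProperty -Path (Join-Path $base $groups[$g]) `
                    -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{
            Group      = $g
            EscEnabled = if ($null -eq $value) { 'unknown (key missing)' } else { [bool]$value }
        }
    }
}

function Get-OutboundWebPolicy {
    # Default outbound action per profile, plus any enabled outbound rule that
    # names TCP 80 or 443 as a remote port.
    if (-not (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        return 'NetSecurity module not present (pre-2012); run: netsh advfirewall show allprofiles'
    }
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
    $webRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.RemotePort) -match '^(80|443)$' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Action, Profile
    [pscustomobject]@{ Profiles = $profiles; OutboundWebRules = $webRules }
}

$browsers = Get-ThirdPartyBrowsers
Write-Host '== Third-party browsers =='
if ($browsers) { $browsers | Format-Table -AutoSize } else { Write-Host 'none found' }

Write-Host '== IE Enhanced Security Configuration =='
Get-IEEscState | Format-Table -AutoSize

Write-Host '== Outbound web access =='
$fw = Get-OutboundWebPolicy
if ($fw -is [string]) {
    Write-Host $fw
} else {
    $fw.Profiles | Format-Table -AutoSize
    if ($fw.OutboundWebRules) { $fw.OutboundWebRules | Format-Table -AutoSize }
    else { Write-Host 'no explicit outbound 80/443 rules; default outbound action applies' }
}
```

    Run it across the estate (Invoke-Command against a server list works) and diff the output against the build standard. A box reporting Chrome present with ESC disabled for Administrators is exactly the "well-meaning admin" case described in point 1 above, and a profile whose DefaultOutboundAction is Allow with no explicit 80/443 block is not the locked-down state the poster describes, regardless of which browser is installed.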
  • Forsaken_GA, Member, Posts: 4,024
    jmritenour wrote: »
    First of all, I didn't say that IE9 is better as far as security goes, merely that it is a better practice to use it. Given that it is the most targeted of all the major browsers, of course it is going to have the most *known/published* exploits.

    No, here is what you said -
    but yeah, I would definitely say using IE would be a best practice from a security standpoint.

    Now, if the browser is less secure than other options, and you're going to tell me that it's best security practice to use a less secure piece of software, I would like to politely suggest that best security practice is full of crap, and following it without due consideration would make one a bad custodian of the infrastructure entrusted to their care.
    jmritenour wrote: »
    That said, I'd still use it on a server OS before Chrome/FF/Opera. There are a myriad of reasons, and again, bear in mind, I'm coming at this from the compliance standpoint so I'm going to have a slightly different view of security and what is and is not acceptable.

    I understand compliance issues, and how it takes so many options out of your hands. Doing something because you have to, otherwise you're at risk of legal and financial penalties is one thing. Doing it because you actually agree with it, when you should know better, whole other ball game.
    jmritenour wrote: »
    2. As mentioned above, you can lock down IE even further with group policy, which you can't do with Chrome/FF/Opera.

    Ultimately, irrelevant, for two simple reasons -

    #1 Access to the server should be locked down enough to where the lockdown applied to the browser is pretty pointless

    #2 Applying GPOs to people who have the ability to change the GPOs and calling it security is absolutely laughable. (Yes, I am quite aware that AD has the ability to delegate administrative tasks to others without having to provide full administrative access. It's also been my experience that this only tends to be implemented in very large enterprises. The only companies I've ever worked for that actually bothered with it have been Fortune 500s; everywhere else, the admins had full power.)
    jmritenour wrote: »
    3. Windows Updates/WSUS, I mentioned earlier. Sure Chrome & FF have auto-updates, but no central way to manage them, and no central way to gauge what patch level you are at throughout your organization. That might not seem like that big of a deal to security at first, until an exploit for a certain version of FF/Chrome hits. And guess what? Since Chrome isn't a part of our standard image, it slips through the cracks because I have no idea that it's installed, let alone what version it is. If I'm sticking with IE, at least I can run a report from WSUS as to what systems are lacking the latest IE security updates.

    Well, I think this is slightly out of scope. We're not talking about allowing non-standard browsers across the entire enterprise, so unless you have a truly massive number of servers, keeping the non-standard browsers updated is not that big of a deal. However, as I said, I concede the management point as being in favor of IE, though I personally don't believe that's a strong enough argument by itself.
    4. Then there's that whole pesky auditing thing. We are a hosted solutions/managed service provider. We have standard builds for Windows & all the Linux distributions. We install other software from an approved list as requested by the customer, such as SQL & lock it down accordingly. It is clean and pristine at turnover, and anything beyond that is in the customer's hands.

    Yup, I understand entirely, as I've done the same sort of work, and had to deal with the same sorts of compliance issues. I've spent quite a bit of time designing new network segments to support the needs of a customer and still stay compliant, and let's just say I've had to come up with some creative solutions in network engineering. Fortunately, my work was always able to pass an audit. However, the lesson I learned is that while standards are nice, when money is involved, management tends to make exceptions. As we had customers who had unique environments and requirements, we constantly got requests for software which was non-standard and needed an exception to what was on our approved list. And you try and tell the customer no. And then they point out that they can go to another host who's willing to support their needs. When you're talking about clients who provide revenue in the six figures per month, management becomes *remarkably* willing to grant exceptions. Now, your company may be better about that than mine was, or maybe your company is better at telling the customer up front that these are the rules, and if you can't live with them, we can't help you. I don't know who you work for, so I can't pass judgement on that aspect.
    I've seen quite a few customers fail federal audits because they had software installed that wasn't deemed necessary to the function of the server in the role it was serving. Chrome has been the culprit a few times. Now, you could make the case that compliance is just another set of meaningless standards, and you'd be right to a degree - some of them are nitpicky, and really don't do much for overall security. But that doesn't help when you fail a PCI compliance audit, and your site is ruled not safe to process credit card transactions until it gets in compliance.

    No, no, that's an entirely different ballgame, and I understand it entirely. But at that point, we're well out of the realm of technical operations, and solidly into the realm of politics.
    So, from a total security standpoint - including patch management, auditing, and knowing what the hell is running on my servers in my environment - I'm sticking with IE9 on my Windows builds. And I'm blocking 80 & 443 outbound until someone gives me a good reason to open it. ;)

    Alright, and that's understandable. And honestly, I believe that an admin's prerogative is paramount. "Because that's the way I want to do it" is a perfectly acceptable reason to me. I have the utmost respect for someone who understands that, since they've been entrusted with the care and feeding of the infrastructure, this gives them a degree of discretion, and they're actually willing to use it.

    Where I take umbrage is when folks try to fall back to nebulous things as debatable best practices to justify their decisions. I have never, ever, in my life said 'it's best practice' as a justification to someone for a decision I've made. If it's questionable, I can tell them exactly why I made the decision, in detail, with specific examples. I've been overruled twice in my career, and both times, there was cause for regret down the road. (Now, to be fair, there have been times where my decision was wrong. When that occurs, I do not haggle over it, I admit the mistake, fix it, and move on.)
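    Picking up the point above about not knowing which servers have a non-standard browser installed, or at what version: an added example, not posted by anyone in this thread, of a PowerShell inventory that reads the Add/Remove Programs (Uninstall) registry keys and reports browser names and versions, with IE listed alongside for comparison. The browser display-name patterns and the IE version value names are assumptions about the vendors' installers.

```powershell
# Added example, not from this thread: report browsers installed on a Windows
# server so non-standard ones (and their patch level) show up in an inventory.
# Assumption: the display names below are what the vendors' installers write to
# the Add/Remove Programs (Uninstall) keys; adjust them for your environment.
function Get-ServerBrowserInventory {
    param(
        # Non-standard browsers to flag; the trailing '*' in the -like match
        # also catches names such as "Mozilla Firefox (x64 en-US)".
        [string[]] $NonStandard = @('Google Chrome', 'Mozilla Firefox', 'Opera')
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs, current user only
    )

    $report = @()

    # IE ships with the OS image, so it has no Uninstall entry; read its version
    # from the IE key (svcVersion on IE10 and later, Version on IE9 and older).
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie) {
        $report += [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            Browser     = 'Internet Explorer'
            Version     = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
            NonStandard = $false
        }
    }

    # Missing keys (for example WOW6432Node on 32-bit) are silently skipped.
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($entry in $entries) {
        foreach ($pattern in $NonStandard) {
            if ($entry.DisplayName -like "$pattern*") {
                $report += [PSCustomObject]@{
                    Computer    = $env:COMPUTERNAME
                    Browser     = $entry.DisplayName
                    Version     = $entry.DisplayVersion
                    NonStandard = $true
                }
                break
            }
        }
    }

    return $report
}

# Run locally; to fan out across servers, pass the function body to
# Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-ServerBrowserInventory}
Get-ServerBrowserInventory | Format-Table -AutoSize
```

Any row with NonStandard set to $true is a browser that is outside the standard image and therefore outside WSUS reporting, which is exactly the gap the post above describes.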
    SteveLordSteveLord Member Posts: 1,717
    I only put Windows Server 2008 Protection Suite Pro 2012 on it. With that, I never have to worry about using IE ever again since the software redirects me to their site upon loading IE. And the money I am spending to constantly upgrade the software to fix them is worth it in the long run.

    Seems like a great way to prevent me from using browsers and keeping the server secure at the same time! Awesomesauce!
    Yes of course /end sarcasm!
    WGU B.S.IT - 9/1/2015 >>> ???
    ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    Part of this great debate, IMO, lies in the fact that everyone uses the same word "server" to refer to devices that are spread over a large spectrum of functions.

    My comment - that of a person managing the company's mission-critical, revenue-generating production servers - is the following. The decision whether or not to access the Internet from servers should not be left to a particular admin or user. It should be decided during the IT/IS/operations/infosec policy-making process and then enforced through appropriate procedures. And the decision (in the case of production servers) should be to not allow browsing (i.e. surfing) and downloading files from the Internet directly. Patches and other software should be downloaded to specialized servers, checked for viruses, verified, tested in a staging environment, signed off, and then distributed to production hosts.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
    erpadminerpadmin Member Posts: 4,165 ■■■■■■■■■■
    Simply put, sometimes what is put forth as a best practice, isn't, particularly when it comes to security. Anyone who dares to try and use 'Best Practice' as an excuse with me had better be able to explain exactly *why* it's a best practice.

    With all due respect, I think I've made my point on this: I don't want software that is not required to be on a production server to be installed. Others have written other examples that are noteworthy, but bottom line, production servers are not my or any user's personal workstation to be browsing the web in the first place.
    What the argument over the best practices comes down to, in essence, is whether Chrome or Firefox should be considered unnecessary simply because of the presence of IE as a default. And this comes down to a matter of personal preference. Microsoft is obviously going to tell you that it's best practice to use IE. They're not exactly an unbiased party.

    Whether Microsoft is an unbiased party or not (again, with all due respect) is irrelevant. Every shop I've worked for, including my current one, has paid for Microsoft support. Keep in mind that that support is used sparingly as we're limited to the number of times they are used (and in the six years we've invoked MS Support, the number is around three.) Since my days of supporting NT 4.0 boxes, there was one lesson learned that I kept: keep your servers as light as possible. Unless I have a vendor app that requires FF or Chrome on a server, neither of those apps will get installed for the simple fact that I would never want Microsoft to come back and tell me that the server is not working because they're installed. Now, of course, we BOTH know that that's a bunch of crap. But if that possibility exists, then that's a conversation I want to mitigate. I'm only speaking with respect to production servers...those browsers simply don't need to be there.

    With respect to the argument that IE is more at risk with exploits than FF or Chrome, well, that should also be irrelevant provided that the sites visited are vendor sites to download patches. I or the other admins don't check email on those servers, or visit websites that could potentially introduce malware (not like I personally do on my PCs anyway.)

    If I ever caught a fellow admin checking his FB on a server, he is going to need Jesus...(or whomever he prays to...)
    Where I take umbrage is when folks try to fall back to nebulous things as debatable best practices to justify their decisions. I have never, ever, in my life said 'it's best practice' as a justification to someone for a decision I've made. If it's questionable, I can tell them exactly why I made the decision, in detail, with specific examples. I've been overruled twice in my career, and both times, there was cause for regret down the road. (Now, to be fair, there have been times where my decision was wrong. When that occurs, I do not haggle over it, I admit the mistake, fix it, and move on.)

    It's ok, you can say you take umbrage with me. But let me tell you this, if I have a better idea than "best practice" I'll use it. I'm not one for reinventing the wheel, and those that think reinventing the wheel is fun should expect nothing but headaches. I'm not trying to be a hero...I just do my job.
    Forsaken_GAForsaken_GA Member Posts: 4,024
    erpadmin wrote:
    With all due respect, I think I've made my point on this: I don't want to have installed software that is not required to be on a production server to be installed. Others have written other examples that are noteworthy, but bottom line, production servers are not my or any user's personal workstation to be browsing the web in the first place.

    And if that's what it boils down to, that's fine. It's *your* choice, and that's what really matters. Do not toss the 'best practices' argument into the mix to try and justify your decision; it either stands on its own or it doesn't.

    Whether Microsoft is an unbiased party or not (again, with all due respect) is irrelevant.

    Yeah, I disagree. When you use the suggestions of a vendor as justification for something you do, whether or not they are unbiased is *quite* relevant. When it comes to running a solid operation, I want the best solution to a problem, not the one the vendor says is best. You may not see a distinction, I do.
    With respect to the argument that IE is more at risk with exploits than FF or Chrome, well, that should also be irrelevant provided that the sites visited are of those that are vendor sites to download patches.

    If the security of the browser is irrelevant due to the nature of sites being visited, then so is the choice of browser.

    Which I suppose is what I've been getting at all along. Whatever demons of security theater people choose to invoke as justification for their decisions, it all boils down to personal preference. The only real argument is whether or not people are willing to admit it.
    SlowhandSlowhand Mod Posts: 5,161 Mod
    Alright, I think that's enough for our daily browser holy-war. ;)

    A lot of good points have been made in this thread but I think it's time we leave it where it is, lest we keep going around in circles.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
This discussion has been closed.