Forsaken_GA wrote: » If everyone did everything based simply on logic, we'd all give up building anything like a career or put a bullet in our heads the second we realized that nothing we do matters, since we're all going to die anyway. Very few things are clear cut black and white, and IT is no exception to that.
Forsaken_GA wrote: » After all, just because you haven't seen any evidence that your server has already been pwned, doesn't mean it hasn't! Everyone has different comfort levels when it comes to risk. Speaking for myself, I like to make reasoned and informed decisions, not ones based on fear. I fully agree that web browsing on a server should be kept to an absolute minimum, but to outlaw it entirely is a fear based decision, and IMHO, foolish, as you're denying yourself the use of a potentially useful tool.
ptilsen wrote: » Firefox and Chrome are more stable than IE. I have never so much as heard of either Chrome or FF causing any system instability in any way. IE tends to use substantially more resources than Chrome, and is inherently riskier to use. I'll stand by using Chrome if I do have to browse the web on a server.
RobertKaucher wrote: » But why bother with the additional complexity? You don't need Chrome, nor Firefox, nor anything else except what the server needs to do its job. ERP's point is why muddy the waters with any additional software no matter how secure you believe in your heart-of-anecdotal-hearts said software really is? He's not suggesting anything about the security or lack thereof of the other browsers. He's simply pointing out that a best practice is best for real reasons, even if we sometimes feel it is OK to ignore the best practice for the practicality of the real world. We might find it's perfectly acceptable to install software X on a server for a given reason, but we all have to acknowledge that not having additional software beyond what is required does decrease the attack surface.
erpadmin wrote: » Thanks Robert once again for seeing my point.
RobertKaucher wrote: » We must have both a degree of restraint not to do things just because we don't feel the probability of something bad happening is minimal and a degree of freedom to get things done that we need to accomplish.
RobertKaucher wrote: » What it really comes down to is don't add things unless they are needed, but "Just because I like it" does not constitute a need.
Forsaken_GA wrote: » Paranoid bastards. I have no problem putting Chrome on a server. It's lightweight enough to not have any meaningful impact on the server's resources, it's behind a very well protected proxy, and the people who are likely to be using it for administrative purposes tend to be smart enough not to do crap like visit malware-infested websites. If they are, you need to fire the person, not make the box a bigger pain in the ass to work with. If you make the box accessible on the wire, you're at risk, period. The risk should be managed, sure, but in a sane, non-utterly-paranoid way.
erpadmin wrote: » Remember...as I've stated all along, if it's necessary, then it gets installed. It was always my contention that installing web browsers that are non-IE was simply not necessary and that "Just because I like it" argument doesn't fly with me either.
erpadmin wrote: » You really don't know me at all, and you know what, that is 100% OK. Because if you did know me, you would understand that I'm not afraid of anyone, or anything. At the same time, that little thing called experience has a tendency to guide my actions at work. If you read my past posts in this thread, you will see that I personally have browsed the web on my servers, so I don't "outlaw" them entirely. But because I'm going to a limited number of sites, I won't allow a non-standard browser to be installed on my production servers just because IE is a bit slower. It is totally unnecessary, and it is not based on fear, but just standard best practice.
Forsaken_GA wrote: » Alright, fair enough, though I'll just say this - with IE's track record on security, you'd have a hard time convincing me that using IE is a best practice just because it's already there, especially while simultaneously making the argument for restricted web browsing on a server due to security concerns.
erpadmin wrote: » Best Practices does not equal "fear..."
jmritenour wrote: » I really don't want this to seem like I'm piling on with erp, because I'm not, but yeah, I would definitely say using IE would be a best practice from a security standpoint.
Then you also have the fact that IE is covered by Windows Update, which is auditable and generates handy little reports on current patch levels if you're using WSUS. Chrome and Firefox can't do that, at least not without some type of 3rd-party patch management software.
But again, at the end of the day, I wouldn't want a production server to even have internet access if it didn't need it, so it's a moot point.
Forsaken_GA wrote: » I'm sorry, but I believe best practices must pass the smell test, and must be able to stand on their own. If the concept can be easily contended with, and it cannot be clearly and definitively explained *why* it's a best practice, then it isn't. Anytime someone needs to fall back on the argument 'well, so and so says it's best practice...', that argument is over, there will be no more rational discussion on that subject.
DevilWAH wrote: » Well, in this case, best practice is to not allow any internet access, the reason being that if you disable access completely then you remove the chance of a "rogue" admin doing something stupid.
And in terms of Chrome being more lightweight: if you are running a server so close to the edge that opening a web browser is going to push it over the edge, the difference in resources between Chrome and IE is not that large in relative terms.
DevilWAH wrote: » Well, in this case, best practice is to not allow any internet access, the reason being that if you disable access completely then you remove the chance of a "rogue" admin doing something stupid. For a server that is carrying out a few hundred million pounds of transactions every minute, I'd rather not risk the chance of an idiot crashing it; tossing them out the door afterwards will be a bit late.
Forsaken_GA wrote: » First off, no need to worry about piling on. I've stood alone against the crowd and held my own on more than one occasion here; I'm not going to feel like I'm being picked on. I'd much rather folks speak their mind and engender a good debate than hold back out of fear of offending my delicate sensibilities, because I'm for sure not going to hold back for fear of offending yours. Now, with that being said... I can find a point of contention with your premise that IE is better from a security standpoint. I'm more than willing to listen as to why I'm wrong on that account, but understand that when I do a simple Google search for "IE9 security vulnerability", I find many results, some as recent as March of this year, as well as vulnerabilities which exist in IE9 and carried over into the IE10 consumer preview. I stipulate that my examination is cursory, but I can provide direct proof that IE9 security leaves something to be desired. I welcome your defense of the premise that IE is better from a security standpoint.
jmritenour wrote: » First of all, I didn't say that IE9 is better as far as security goes, merely that it is a better practice to use it. Given that it is the most targeted of all the major browsers, of course it is going to have the most *known/published* exploits.
but yeah, I would definitely say using IE would be a best practice from a security standpoint.
That said, I'd still use it on a server OS before Chrome/FF/Opera. There are a myriad of reasons, and again, bear in mind, I'm coming at this from the compliance standpoint, so I'm going to have a slightly different view of security and what is and is not acceptable.
2. As mentioned above, you can lock down IE even further with group policy, which you can't do with Chrome/FF/Opera.
3. Windows Update/WSUS, I mentioned earlier. Sure, Chrome and FF have auto-updates, but no central way to manage them, and no central way to gauge what patch level you are at throughout your organization. That might seem like not a big deal to security at first, until an exploit for a certain version of FF/Chrome hits. And guess what? Since Chrome isn't a part of our standard image, it slips through the cracks because I have no idea that it's installed, let alone what version it is. If I'm sticking with IE, at least I can run a report from WSUS as to what systems are lacking the latest IE security updates.
4. Then there's that whole pesky auditing thing. We are a hosted solutions/managed service provider. We have standard builds for Windows & all the Linux distributions. We install other software from an approved list as requested by the customer, such as SQL & lock it down accordingly. It is clean and pristine at turnover, and anything beyond that is in the customer's hands.
I've seen quite a few customers fail federal audits because they had software installed that wasn't deemed necessary to the function of the server in the role it was serving. Chrome has been the culprit a few times. Now, you could make the case that compliance is just another set of meaningless standards, and you'd be right to a degree - some of them are nitpicky, and really don't do much for overall security. But that doesn't help when you fail a PCI compliance audit, and your site is ruled not safe to process credit card transactions until it gets in compliance.
So, from a total security standpoint, including patch management, auditing, and knowing what the hell is running on my servers in my environment, I'm sticking with IE9 on my Windows builds. And I'm blocking 80 and 443 outbound until someone gives me a good reason to open it.
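As an added example (not code from this thread or from any poster), here is the kind of check the two points above imply: find browsers that are not part of the standard build, including Chrome's default per-user install that never appears in the machine-wide uninstall hives, report their versions next to the IE version WSUS already tracks, and optionally add the outbound 80/443 block. It assumes Windows Server 2012 or later (for the NetSecurity cmdlets) and an elevated PowerShell session; the rule display names and the `-BlockWeb` switch are this example's own choices.

```powershell
# Added example, not from the original thread. Assumes Windows Server 2012+ and an
# elevated session. Inventories unapproved browsers and optionally blocks outbound web.
param(
    [switch]$BlockWeb   # example-specific switch: also create the outbound block rule
)

# Browsers that are not part of the standard build (matched against DisplayName).
$Unapproved = 'Google Chrome', 'Mozilla Firefox', 'Opera'

function Get-UnapprovedBrowser {
    $Found = @()

    # Machine-wide installs: 64-bit and 32-bit uninstall hives.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($Key in $UninstallKeys) {
        foreach ($App in (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue)) {
            foreach ($Name in $Unapproved) {
                if ($App.DisplayName -like "$Name*") {
                    $Found += [pscustomobject]@{
                        Computer = $env:COMPUTERNAME
                        Name     = $App.DisplayName
                        Version  = $App.DisplayVersion
                        Source   = ($Key -replace '\\\*$', '')
                    }
                }
            }
        }
    }

    # Per-user installs: Chrome installs under each user's profile by default, so a
    # HKLM-only inventory (or a WSUS report) never sees it. Read the version from the exe.
    $PerUserChrome = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Google\Chrome\Application\chrome.exe' `
        -ErrorAction SilentlyContinue
    foreach ($Exe in $PerUserChrome) {
        $Found += [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = 'Google Chrome (per-user)'
            Version  = $Exe.VersionInfo.ProductVersion
            Source   = $Exe.FullName
        }
    }
    return $Found
}

# IE version for comparison: svcVersion exists on IE10+, Version on IE9 and earlier.
$IE = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$IEVersion = if ($IE.svcVersion) { $IE.svcVersion } else { $IE.Version }
Write-Output "$env:COMPUTERNAME : Internet Explorer $IEVersion (patched via Windows Update/WSUS)"

$Browsers = Get-UnapprovedBrowser
if ($Browsers) {
    $Browsers | Format-Table -AutoSize
} else {
    Write-Output "$env:COMPUTERNAME : no unapproved browsers found"
}

if ($BlockWeb) {
    # Outbound HTTP/HTTPS block. Explicit block rules win over allow rules in the
    # Windows Firewall, so anything that legitimately needs 80/443 out (a proxy,
    # a WSUS server listening on 80/443 instead of 8530/8531) must be scoped in
    # via -RemoteAddress on this rule rather than with a separate allow rule.
    $RuleName = 'Block outbound HTTP/HTTPS (server build)'
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 80, 443 -Profile Any | Out-Null
        Write-Output "$env:COMPUTERNAME : created firewall rule '$RuleName'"
    }
}
```

Run it across the estate with `Invoke-Command -ComputerName (Get-Content .\servers.txt) -FilePath .\Find-UnapprovedBrowsers.ps1` (file name is this example's own) and you get the per-server list WSUS cannot give you for Chrome or Firefox. Inspect the inventory output before ever passing `-BlockWeb`, and remember the block rule is all-or-nothing on 80/443: if WSUS or a patch proxy sits on those ports, narrow the rule with `-RemoteAddress` to the ranges you actually want blocked.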
Forsaken_GA wrote: » Simply put, sometimes what is put forth as a best practice, isn't, particularly when it comes to security. Anyone who dares to try and use 'Best Practice' as an excuse with me had better be able to explain exactly *why* it's a best practice.
Forsaken_GA wrote: » What the argument over the best practices comes down to, in essence, is whether Chrome or Firefox should be considered unnecessary simply because of the presence of IE as a default. And this comes down to a matter of personal preference. Microsoft is obviously going to tell you that it's best practice to use IE. They're not exactly an unbiased party.
Forsaken_GA wrote: » Where I take umbrage is when folks try to fall back to nebulous things as debatable best practices to justify their decisions. I have never, ever, in my life said 'it's best practice' as a justification to someone for a decision I've made. If it's questionable, I can tell them exactly why I made the decision, in detail, with specific examples. I've been overruled twice in my career, and both times, there was cause for regret down the road. (Now, to be fair, there have been times where my decision was wrong. When that occurs, I do not haggle over it, I admit the mistake, fix it, and move on.)
erpadmin wrote: » With all due respect, I think I've made my point on this: I don't want software that is not required to be on a production server to be installed. Others have written other examples that are noteworthy, but bottom line, production servers are not my or any user's personal workstation to be browsing the web in the first place.
Whether Microsoft is an unbiased party or not (again, with all due respect) is irrelevant.
With respect to the argument that IE is more at risk from exploits than FF or Chrome, well, that should also be irrelevant provided that the sites visited are vendor sites for downloading patches.