Accepting Risk

Accepting risk. You do it every day. For those of you who are consultants, you accept risk on behalf of your clients. You click on EULAs, you download patches, you install stuff on a regular basis, and you accept risk for your clients. Sometimes you need to search for solutions for your clients.

When you are at your client's offices, where do you do this activity? Do you do it at your client's server? Do you ever find that Internet Explorer tool bar that pops up and prompts you to add web sites to the trusted zone an annoyance? You probably do, don't you? But here's the thing… it's supposed to be annoying. It's supposed to remind you that this isn't the place you should be surfing from.

Now I know you'll probably say “Oh, but I have a fully patched server so why should this be a concern?” Because merely going to a web site these days can end up with bad stuff on your machine. “Oh, then I should use another browser!” Not so fast, as even other browsers can have vulnerable bits [Java and whatnot] and be used as infectors.

So how can a fully patched machine get nailed? Because of the lack of patching by the web servers you visit. Earlier this year my own outsourced web site had a Java trojan dropped on it because the web site had been intruded upon. For a day, if you had surfed to my web site, you could have gotten your computer nailed.

Paperghost [fellow Security MVP] has a whitepaper on how this is done. Michael Howard talks about how “Running with an administrative account is dangerous to the health of your computer and your data,” and inside Windows 2003 server it says this:

Using servers for Internet browsing
does not adhere to sound security practices because Internet browsing
increases the exposure of your server to potential security attacks.
Regardless of the browser you use, you should restrict browsing on your
server.

To reduce the risk to your server of potential attacks from malicious Web-based content:

  • Do not use servers for browsing general Web content.
    Use client computers to download drivers, service packs, and so on.
  • Do not view sites that you cannot confirm are secure.
  • Use a limited user account instead of an administrator account for general Web browsing.
  • Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.

Earlier this year the lack of patched DNS servers meant that DNS poisoning attacks could affect fully patched servers. Again… see the pattern here of blended threats? Having layers of security in place to ensure that stuff won't get you means that there are indeed layers in place.

There have been many Internet Explorer
patches that have not been as critical on Windows 2003 because of that
Enhanced IE tool that is on that server.

So before you uninstall that Enhanced IE on that Windows 2003 server [and no, I'm not telling you how to do this; you'll have to google it yourself], just stop. Think about the risk you are accepting. Think about the risk you are accepting on behalf of your client. Do you discuss your decision with your client? Do you think about the data they have on that server, the laws they are regulated by? Do you discuss this with your client?

The reason it is there to annoy you is that folks like Michael Howard sat down and said “what's the worst thing that can happen on that Windows 2003 server?” and the answer was… 'going to web sites while logged in as administrator'. [Watch the presentation on the Blackhat site and you'll see what I mean.]

All I ask is that the next time you are annoyed by that Enhanced IE lockdown on that server, just think about why it's supposed to be annoying. There are bad things out there that we cannot control, so I would argue that you should leave the onion layers in place on the things you can control.

It's not 'just' your patch status that
you should be worried about… it's the patch status of all the places
you go to out there.

Control what you can.  [E-Bitz – SBS MVP the Official Blog of the SBS “Diva”]
