Re: Install Silverlight?




Well, it is obvious you won't change your mind, but I still feel compelled to comment for other future readers that will find this thread. I'll ignore the personal attacks that you can't even admit to after making them:


You are presuming (effectively) unlimited funds and unlimited ability to manage the client. I am suggesting otherwise. Most of our clients (and in fact most of the world by volume) are small businesses who don't like spending money. We just can't apply the strict measures you argue.

Re-read my posts. NONE of my suggestions cost *ANY* money. If you are an employee, you already have a workstation to browse from. If you are a consultant, you damn well should have your own PC to download patches to a USB key with...and 99% of the time that PC will be a laptop you can take onsite to browse with as well. Added cost to the business? $0.

(1) Browsing from the server *is* a bad practice.

This is YOUR judgement. 'Bad' is truly over the top. It isn't recommended by many but nowhere does MS say DON'T. Why else would they provide the tools to make it safer? What you are suggesting is simply impractical for a great many people. Yes, MS does recommend restricting browsing from a server - I am dealing with it - note that MS only said 'recommend restricting'. Stop making this something impossible.

I posted the KB article where Microsoft stated browsing from the server is BAD. I also provided explanations why Microsoft has NOT removed IE from the server. You chose to ignore them as well.

(2) Trusting AV software is foolish.

Hmmm... you're calling an awfully large number of people foolish. Isn't that a direct personal attack? <g>. So you are suggesting we don't use AV software because it is foolish to do so? Well I think quite a number of AV software producers would take you to task over this. In fact, I think I know quite a large number of companies that spend quite large sums of money on their AV framework. So are they being foolish also? I certainly wouldn't rely 100% on anything but I think I would be able to find enough people to tell me that AV software has been of value. So you don't have any?

When I meet a person who says they trust their A/V software, I'll call them foolish. As far as I know, nobody has made that claim yet...but you. So if you feel I made a personal attack, so be it. But a *large number* of people? Nope. Not until they stand up and say I called them foolish. Back to A/V software though. I said *TRUSTING* it is foolish. Using it is a matter of practice...it helps. Undeniably. But it is not 100%, as you yourself admitted. But by browsing from your server, you *ARE* relying on it. Unnecessarily, if you follow my previous examples of how to avoid it (FOR FREE.)

(3) Microsoft can't really prevent it.

Prevent what? ...surfing the web? Of course not so I don't really know where you are going here.

Again, you chose to snip and ignore the full explanation. You insist that if browsing from the server is bad, Microsoft WOULD prevent it. So I'm saying they CAN'T. And you agree they CAN'T! But you say they would! SO they should do something they can't?!? You can't eat your own tail man....

(4) A firewall is not designed....

Again you malign the capabilities of several AV/firewall vendors who claim quite the contrary to your statements. But I am not arguing these things with you, you can do that directly with the vendors and the extent of the claims or their capabilities don't really worry me. My contention is that you are over-stating the risk especially when compared with what we see happening out there. It just isn't worth the paranoia you are projecting.

Yes, this one I admit I malign the capabilities of several firewall products. And I admitted as much WHEN I POSTED THIS. ZoneAlarm made this 'outgoing' protection popular...and literally marketed themselves into making competitors follow suit. It was a bad idea then, it is a bad idea now, and the controversy surrounding this 'feature' is well documented. I am not alone in my opinion. Hell, I formed my opinion after meeting Steve Riley. If you ever get the chance to sit down with this man and discuss security, I highly recommend it. He's smarter than I'll ever be. Microsoft is lucky to have him.

I'm providing statistics. 7 infected servers in less than 5 months is
more than a horror story, or two. It is an illustration that such occurrences

Ok but we do not see that frequency of infection. Or perhaps because you are one who gets called you are seeing the problems. The ones who aren't infected don't ring up to tell you that. The trend I see is less and less infection, especially at the user workstation level. I don't know that I've ever seen a server compromised.

Plenty of people have posted about compromised servers. If you choose to ignore them until you see it yourself, I cannot change your opinion. This is one of those points that you are arguing ONLY on personal experience. I can only hope that another reader will realize that and make an informed opinion.

And they are also usually the most willing to listen, because they know that
downtime == bankruptcy. THAT is our job. And failing to do it is

Yes well you see? This is over the top. An infected server is RARELY likely to mean bankruptcy for the majority of businesses. An inconvenience and a cost but bankruptcy? This is where you do yourself a disservice by making this out to be bigger than it is. Ok, so for businesses where the risk is that high, go for it! But gee, for the majority it is something way less.

In an SBS environment, SBS is usually the *only* server. If it gets compromised, there is downtime the company usually cannot afford. If personal information is compromised (such as credit card numbers) and litigation ensues, the problem gets even worse. Information Week did an article last year (no longer online or I'd post the article) that 75% of small businesses that suffer server intrusions go out of business within the year of the incident. I don't do myself a disservice in any way. I read articles, I use due diligence, and I protect my customers. The numbers speak for themselves. And 75% *is* the majority...so saying the majority is way less is just ignoring the facts.

-Cliff
