So, do you still think having Internet Explorer on your server is a good idea?

Microsoft is making its updates to IE only available for Windows XP.

To which I say, what about all of those servers out there?Surely they include Server 2003 in this. But that’s a problem. Upgrading to Server 2003 isn’t always an option. Some applications only run on Windows NT 4.0, or on Windows 2000.

Unfortunately, sometimes you have to have a web browser installed on a server to get updates, either from your vendor or from MS. Windows Update, of course, only works with Internet Explorer.

One option is to uninstall Internet Explorer using the tools from litepc.com. A potentially more conservative option is to keep IE installed, use it exclusively for Windows Update, and install another lightweight browser for searching knowledge bases and downloading patches from vendors. Offbyone is a good choice. It has no Java or Javascript, so in theory it should be very secure. It’s standalone, so it won’t add more muck to your system. To install it, copy the executable somewhere. To uninstall it, delete the executable.

An even better option is just to run as few servers on Windows as possible, since they insist on installing unnecessary and potentially exploitable software on servers–Windows Media Player and DirectX are other glaring examples of this–but I seem to hold the minority opinion on that. Maybe now that they wilfully and deliberately install security holes on servers and refuse to patch them unless you run the very newest versions, that will change.

But I’m not holding my breath.

If you found this post informative or helpful, please share it!

One thought on “So, do you still think having Internet Explorer on your server is a good idea?

  • September 24, 2004 at 9:39 am
    Permalink

    You can download the administrative updates. Not only is it faster, it’s safer and you can time the updates a lot more easily. You can access the administrative installs using Firefox too. You really shouldn’t be doing *any* web browsing on a server that’s in production. That’s the only way to be safe, especially with such "minor" problems as JPEG parsing problems.

    The updates only pertain to the pop up blocker and other useless stuff that was included in SP2. Security updates may or may not be included — the noise coming from Microsoft in that regard is contradictory.

    I don’t think issue is about selling Windows XP. This is about selling Windows 2003. No one I know is excited about Windows 2003 – it offers nothing that Windows 2000 doesn’ t have directly or indirectly.

    Windows 2003 is also stupidly secure – it’s asinine. To get an ASP.NET web application to access a remote SQL Server over the network you have to trudge through five hours of worthless and indirect documentation. Why is the operating system interfering with the network protocols? That’s the firewall’s job — not the operating systems.

    Then again I blame much of the insecurity of Windows on the people who run the boxes and not Microsoft. I’m not immune to my own criticism — I failed to read the instructions for the OpenSSL patch issued by RedHat for a vulnerability a year or so ago and was immediately infected. (Then again, I never expected patch instructions for a Linux box to read "and finally, reboot the server to complete the installation.")

Comments are closed.