Unitrends Why are you still using flash?
-
@thecreativeone91 said:
@thanksajdotcom said:
@thecreativeone91, I don't know why you're so opposed to installing Chrome on your servers.
It's a security risk. There's a reason you use IE in protected mode (and only access Intranet) on servers. And don't install Flash/Java client. It's a big security risk and Chrome bypasses that protection. That's only okay on terminal servers. Other server that would make you fail a lot of compliance audits.
One could argue the opposite too. Using IE is traditionally insecure and using Chrome would be a security bonus. Seems like it would pass a more stringent audit with Chrome than with IE.
In reality, I prefer neither and would like my servers GUIless.
-
@scottalanmiller said:
@thecreativeone91 said:
@thanksajdotcom said:
@thecreativeone91, I don't know why you're so opposed to installing Chrome on your servers.
It's a security risk. There's a reason you use IE in protected mode (and only access Intranet) on servers. And don't install Flash/Java client. It's a big security risk and Chrome bypasses that protection. That's only okay on terminal servers. Other server that would make you fail a lot of compliance audits.
One could argue the opposite too. Using IE is traditionally insecure and using Chrome would be a security bonus. Seems like it would pass a more stringent audit with Chrome than with IE.
In reality, I prefer neither and would like my servers GUIless.
Chrome doesn't have protected mode, and can browse the internet freely. IE in protected mode can only go to Windows KB/Update downloads and Intranet. Chrome nor Firefox never passes on GUI-based Windows servers.
-
@thecreativeone91 said:
Chrome doesn't have protected mode, and can browse the internet freely. IE in protected mode can only go to Windows KB/Update downloads and Intranet. Chrome nor Firefox never passes on GUI-based Windows servers.
Never passes what? I'd flag IE in an audit before Chrome. If you are using the browser itself for blocking rather than more stringent controls, that alone should be a fail. Firewalls and proxies are far more secure than letting software self-regulate.
-
Auditing is not something official. It's just hiring people, generally the least competent people, to go look at something for you. I've had auditors flag things like 'patching' as a process that had to be justified!
-
@scottalanmiller said:
Auditing is not something official.
Depends on the compliance. There are many of them that I've had to follow that audit. If you don't comply your systems have to be taken offline til fixed.
-
@thecreativeone91 said:
@scottalanmiller said:
Auditing is not something official.
Depends on the compliance. There are many of them that I've had to follow that audit. If you don't comply your systems have to be taken offline til fixed.
Yes, but "auditing" is just a random term. Like saying that "no admin will do X". But there is generally not just an admin who will, but many that will swear by it.
Official audits, often, are very insecure. You do them to pass a cert, not to be secure. So while yes, there are "official" audits for things like PCI compliance, you don't use them when you want to just be audited for security. If you are doing a security audit, Chrome might easily pass and IE not. Windows itself might not even pass, but normally would. If you have an audit backed by a vendor trying to make a buck or an auditor that is just using checkboxes, any random thing might or might not be allowed.
But it is very important to not connect the actions of one audit with another. Many audits are at odds with each other. I've certainly been through audits that require things that would fail a more common audit process.
-
@scottalanmiller said:
@thecreativeone91 said:
@scottalanmiller said:
Auditing is not something official.
Depends on the compliance. There are many of them that I've had to follow that audit. If you don't comply your systems have to be taken offline til fixed.
Yes, but "auditing" is just a random term. Like saying that "no admin will do X". But there is generally not just an admin who will, but many that will swear by it.
Official audits, often, are very insecure. You do them to pass a cert, not to be secure. So while yes, there are "official" audits for things like PCI compliance, you don't use them when you want to just be audited for security. If you are doing a security audit, Chrome might easily pass and IE not. Windows itself might not even pass, but normally would. If you have an audit backed by a vendor trying to make a buck or an auditor that is just using checkboxes, any random thing might or might not be allowed.
But it is very important to not connect the actions of one audit with another. Many audits are at odds with each other. I've certainly been through audits that require things that would fail a more common audit process.
This +10000!
-
We had to replace power strips a few years ago because the auditors as of that year only accepted strips with some new code stamped on them, but were otherwise identical to the ones we already had.
-
@Dashrender said:
We had to replace power strips a few years ago because the auditors as of that year only accepted strips with some new code stamped on them, but were otherwise identical to the ones we already had.
I remember you saying about that!
-
@scottalanmiller said:
@Dashrender said:
We had to replace power strips a few years ago because the auditors as of that year only accepted strips with some new code stamped on them, but were otherwise identical to the ones we already had.
I remember you saying about that!
The crazy thing auditors want just to keep somebody employed... don't get me wrong.. we need audits to keep people honest, but at the same time it should be OK to find nothing wrong with those you're auditing too.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
We had to replace power strips a few years ago because the auditors as of that year only accepted strips with some new code stamped on them, but were otherwise identical to the ones we already had.
I remember you saying about that!
The crazy thing auditors want just to keep somebody employed... don't get me wrong.. we need audits to keep people honest, but at the same time it should be OK to find nothing wrong with those you're auditing too.
It's the auditors that we have the hardest time keeping honest, though!
-
We have auditors. They aren't a scam. Sometimes a bit misguided as some of the auditors have very little tech experience but not a scam.
However, I will make a point of saying that it's a government requirement and we all work for the same clowns.
-
@nadnerB said:
We have auditors. They aren't a scam. Sometimes a bit misguided as some of the auditors have very little tech experience but not a scam.
However, I will make a point of saying that it's a government requirement and we all work for the same clowns.
Government ones are the worst. CJIS is very strict.
-
@thecreativeone91 said:
@nadnerB said:
We have auditors. They aren't a scam. Sometimes a bit misguided as some of the auditors have very little tech experience but not a scam.
However, I will make a point of saying that it's a government requirement and we all work for the same clowns.
Government ones are the worst. CJIS is very strict.
CJIS? What is that?
I'll go ahead and make up some silly alternatives because that's the way my head works.
Courtroom Justice In Space
Counter Jargon Idiot Spectrum
Charles Jest Intolerable Stabber
Can Julie Investigate Satchels
Cruise Joke In Ship
-
@nadnerB said:
@thecreativeone91 said:
@nadnerB said:
We have auditors. They aren't a scam. Sometimes a bit misguided as some of the auditors have very little tech experience but not a scam.
However, I will make a point of saying that it's a government requirement and we all work for the same clowns.
Government ones are the worst. CJIS is very strict.
CJIS? What is that?
I'll go ahead and make up some silly alternatives because that's the way my head works.
Courtroom Justice In Space
Counter Jargon Idiot Spectrum
Charles Jest Intolerable Stabber
Can Julie Investigate Satchels
Cruise Joke In Ship
CJIS is Criminal Justice Information Systems. It's from the FBI.
-
@thecreativeone91 said:
@nadnerB said:
@thecreativeone91 said:
@nadnerB said:
We have auditors. They aren't a scam. Sometimes a bit misguided as some of the auditors have very little tech experience but not a scam.
However, I will make a point of saying that it's a government requirement and we all work for the same clowns.
Government ones are the worst. CJIS is very strict.
CJIS? What is that?
I'll go ahead and make up some silly alternatives because that's the way my head works.
Courtroom Justice In Space
Counter Jargon Idiot Spectrum
Charles Jest Intolerable Stabber
Can Julie Investigate Satchels
Cruise Joke In Ship
CJIS is Criminal Justice Information Systems. It's from the FBI.
Oh, I see. That just screams boatloads of red tape, bureaucracy and migraines