After pulling up a Windows Server 2012 instance, I learned that google.com is riskier than I thought:

Internet Explorer Blocks Google.com

It does the same for microsoft.com. There are instructions to disable "Enhanced Security Configuration," but this article by Michael Pietroforte suggests the motivation for this is to all but remove IE from Windows Server, and his suggestion is:

Don’t use a web browser on a server.

Is this good advice? And if it is, how do I follow it and still install the various applications I need?

For context:

  • The server is a VM that I don't have easy physical access to.
  • In my instance, it's not public facing, but I'm interested if the answer changes in that situation.
  • I'm not a server admin. I'm a developer trying to set up a build agent. So maybe I'm missing some server admin common sense.
jtpereyda
  • Not using a web browser on a server is generally good advice in context. That context would be for Internet traffic. There are times when you need a web browser on a server though, to test other internal (other servers or resources) resources on your network/domain. – Brad Bouchard Dec 18 '15 at 21:33
  • For the most part I get by using curl, but I don't know if that will work on Windows or for the OP's needs. – Purefan Dec 20 '15 at 02:38

2 Answers

It is very good advice to not use the web browser for Internet traffic on the server.

It's our policy (I work in cyber security for a federal agency) to never use a web browser (for Internet, or external websites) for any sort of Internet traffic even if it's to download a file that will be used on the server. As another user mentioned in their answer, it is a good idea to download any files or data needed on the server from a different computer; one that is trusted and is on the same network. Then, take the file(s) and verify hashes if you want to go that far, and then copy it to the server either through the network (probably preferred since you don't have easy physical access to this VM) or using a USB drive or something of that sort.

Another thing that I'd recommend if you're able to, is to use the built-in Windows firewall or a trusted third-party firewall (host-based of course) and apply a template or policy to it that doesn't allow web traffic from the server. As an example of this, we use a vendor for antivirus that has a built-in host-based firewall as part of the antivirus software. We then create a firewall policy called "Servers" and apply it to all servers and on that policy we lock down all incoming and outgoing web (usually port 80) Internet traffic so that the server cannot access the Internet even if we accidentally click on the web browser.

As far as uninstalling the browser altogether, I don't think that's a good idea. There are many times when a web browser comes in handy for things like accessing another server that runs a web console or something of that nature that you'd need to use. If you uninstall your web browser you'd have no way of accessing any of these other consoles.

Brad Bouchard
    Not allowing *any* http(s) traffic from a server does of course cause trouble when you have a service-oriented architecture. – Philipp Dec 18 '15 at 21:40
  • It can, Philipp. However, that's why I mentioned only port 80 and not 443 or any other SSL ports. If traffic is outgoing on 443, or any other SSL/TLS ports (or incoming) from a server for a specific (trusted, known good reputation vendor) service then I don't have a problem with it. Also, our firewall policy can be tweaked to allow just this traffic for a specific service on a specific server to communicate to just a single external endpoint/entity. I agree though, it makes things more complicated in some scenarios. – Brad Bouchard Dec 18 '15 at 21:42
    Thanks. Using a network share to get downloads from another PC works well and is relatively low overhead. – jtpereyda Dec 21 '15 at 20:29
  • That is true and it is a method that works... however, you have to be careful not to just download the file straight to the network share and then jump right on the server and get it from the network share. The reasoning here, is that the file you downloaded may be infected, which is why it's a good idea to download the file to your computer first, run an AV scan against it, and any other scan you might want, compare the hash of the file against what the website says the hash is, and then put it on the network share to retrieve from the server. You're on the right track. Great question! – Brad Bouchard Dec 21 '15 at 20:39
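The host-based firewall policy the answer describes (block plain HTTP from the server, keep the browser from reaching the Internet even by accident, and carve out one service to one endpoint where needed), written out as PowerShell for Windows Server 2012 and later. This is an added example, not code from the answer or its author; it assumes an elevated session with the NetSecurity module (New-NetFirewallRule, Set-NetFirewallProfile, Get-NetFirewallRule), and the group name, the build-agent path and the 203.0.113.10 endpoint are placeholders.

```powershell
# Added example (not from the answer): a host-based Windows Firewall policy for
# the "no browsing from the server" rule, using the NetSecurity cmdlets that ship
# with Windows Server 2012 and later. Run from an elevated PowerShell session.
# Group name, program paths and the sample endpoint below are placeholders.

$group = 'Servers'

# 1. Block all outbound plain HTTP from this host, on every profile.
#    Mirrors the answer's "lock down port 80"; 443 is left open so services
#    that legitimately talk HTTPS keep working.
New-NetFirewallRule -DisplayName 'Servers - Block outbound HTTP' -Group $group `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80 -Profile Any

# 2. Block the browser binary itself on 80 and 443, so an accidental click on
#    Internet Explorer goes nowhere even over TLS. 64-bit Windows carries a
#    32-bit copy under Program Files (x86); block whichever copies exist.
$iePaths = @{
    'Servers - Block IE (64-bit)' = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    'Servers - Block IE (32-bit)' = "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
}
foreach ($name in $iePaths.Keys) {
    $ie = $iePaths[$name]
    if (Test-Path $ie) {
        New-NetFirewallRule -DisplayName $name -Group $group -Direction Outbound `
            -Action Block -Program $ie -Protocol TCP -RemotePort 80,443 -Profile Any
    }
}

# 3. The stricter variant from the comments: one service, one external endpoint.
#    Windows Firewall evaluates Block rules before Allow rules, so a narrow Allow
#    cannot punch through rule 1; it only has an effect against the profile's
#    default outbound action. To make it meaningful, the default must be Block.
#    CAUTION on a VM you cannot reach physically: before flipping the default,
#    add Allow rules for everything the host needs (DNS, AD/Kerberos, NTP, the
#    patch server, the build controller), or you will cut yourself off.
$svcExe   = "$env:ProgramFiles\BuildAgent\agent.exe"   # placeholder path
$endpoint = '203.0.113.10'                              # placeholder (TEST-NET-3)
New-NetFirewallRule -DisplayName 'Servers - Allow build agent to controller' -Group $group `
    -Direction Outbound -Action Allow -Program $svcExe `
    -Protocol TCP -RemotePort 443 -RemoteAddress $endpoint -Profile Any
# Uncomment only after the Allow rules above are complete and tested:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Review what the policy now says.
Get-NetFirewallRule -Group $group |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

Grouping every rule under one -Group value is what lets you later audit or remove the whole policy at once (Get-NetFirewallRule -Group 'Servers', Remove-NetFirewallRule -Group 'Servers'), which is the host-based equivalent of the vendor "Servers" policy the answer applies.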
Well, actually, browser-side exploits are a really big issue these days. The best way you could do this is by downloading the installer you need on another computer, checking the cryptographic hash of the .exe you need (how to check MD5 and SHA hashes on Windows), and sending it to the server by SFTP or another encrypted method, depending on which services you have running on your server or on your workstation.

Sarastro
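Both answers describe the same workflow: fetch the installer on a trusted, Internet-facing workstation, compare its hash against the value the vendor publishes, and only then move it to the server over the network. This is an added example in PowerShell 3.0+ (Windows Server 2012 ships 3.0, which lacks Get-FileHash, so the hash is computed through .NET directly); it is not code from either answer. The download URL, the expected hash, the \\BUILDSRV\Drop share and the installer flag are placeholders, and the AV scan step is left to whatever scanner the workstation runs.

```powershell
# Added example (not from the answers): download elsewhere, verify, then copy.
# Works on PowerShell 3.0 and later. All URLs, hashes and paths are placeholders.

function Get-Sha256Hex {
    # SHA-256 of a file as lowercase hex. Uses .NET directly so it also runs on
    # PowerShell 3.0 (Windows Server 2012), which has no Get-FileHash cmdlet.
    param([Parameter(Mandatory)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Assert-FileHash {
    # Throws unless the file's SHA-256 matches the published value. The compare
    # is case-insensitive and ignores surrounding whitespace copied from a web page.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $actual   = Get-Sha256Hex -Path $Path
    $expected = $ExpectedSha256.Trim().ToLowerInvariant()
    if ($actual -ne $expected) {
        throw "Hash mismatch for $Path`n expected: $expected`n actual:   $actual"
    }
    Write-Host "OK  $Path  sha256=$actual"
}

# --- On the trusted workstation (the only machine that touches the Internet) ---
$url      = 'https://example.com/vendor/buildagent-setup.exe'   # placeholder
$expected = 'PASTE-THE-VENDOR-PUBLISHED-SHA256-HERE'            # placeholder
$local    = Join-Path $env:TEMP 'buildagent-setup.exe'
$share    = '\\BUILDSRV\Drop'                                    # placeholder share

Invoke-WebRequest -Uri $url -OutFile $local -UseBasicParsing
Assert-FileHash -Path $local -ExpectedSha256 $expected     # stops here on mismatch
# Run the workstation's AV scan against $local here, before it reaches the share.
Copy-Item -Path $local -Destination $share

# --- On the server (no browser, no Internet) ------------------------------------
# Re-check from the share rather than trusting the workstation's result: the
# share is writable by others, and a file swapped after the first check would
# otherwise run with administrative rights on the server.
$staged = Join-Path $share 'buildagent-setup.exe'
Assert-FileHash -Path $staged -ExpectedSha256 $expected
Start-Process -FilePath $staged -ArgumentList '/quiet' -Wait   # flags are vendor-specific
```

If the vendor publishes an MD5 or SHA-1 instead, swap [System.Security.Cryptography.SHA256] for the matching class and rename the function; the check itself is the same. For the SFTP route the second answer mentions, the server-side verification step stays identical, only Copy-Item is replaced by whatever SFTP client is in use.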