0 Replies Latest reply on Aug 8, 2019 9:39 AM by mkp72

    Patching internet browsers on Servers

    mkp72

      Up to now I mistakenly thought my servers’ browsers had been being patched and were secure. I was informed by SolarWinds Tech Support that, "It's a bad security practice to install browsers on servers. And a lot of customers would fail audits if they accidentally got installed. So we err on the side of caution and make the administrators have to be 100% sure they want to install it on a server before they can."

      In just our environment alone, we have several thousand terminal server users on well over 100 servers that access the internet daily using Chrome or Firefox to access web applications which don't work well on Microsoft's browsers. When we piloted Patch Manager, I was excited about the automation of publishing update packages and was never told I'd have to hack every Chrome or Firefox package that comes out (sometimes multiple times per month) just so I can keep my servers secure. The attack vector that poses for my company is substantial. Internet Explorer comes installed and is updated by Microsoft on servers. I’m not sure SolarWinds should determine what IT security practices should be via its packages. It seems like this approach is an effort to save us from ourselves. Microsoft's best practice is for internet access to be blocked via GPO on a server, not a 3rd-party software patching product. If a browser gets installed on a server where it shouldn't be, IT departments bear that responsibility, and if it’s against a particular company’s security policies, the person installing it should know better and probably be fired. If the software publisher is putting out Server/Workstation agnostic installers for Chrome and Firefox, why would SolarWinds deviate? Please reconsider this policy and either provide a 2nd Server-specific package or remove the “NOT” applicability rules for servers. As a customer, I don’t feel I should have to edit packages every time Google or Mozilla releases a new browser version. For me it defeats my ability to automate staying secure. The administrative overhead this creates seems unnecessary for System Administrators.