This post is inspired by a thread in the SBS newsgroups that started when someone asked if Silverlight should be installed on a server. One poster in particular indicated that in the SBS world we should ‘get over’ this idea that one shouldn’t surf at the server. It was his contention that in this day and age you should trust your firewall and your antivirus and thus be able to trust surfing on a server. Silverlight was just there to make web sites better, so why shouldn’t it be installed on the server? As SBS 2008 is coming out in the future, he was looking forward to more server tools possibly based on technologies like Silverlight.


First off, it would depend not only on the firewall but also on the antivirus. But even with that, let’s ask ourselves: is it safe to be surfing at the server for information on Google these days?


When you are on the server, to make the browser even viable for downloading anything you have to do one of two things: either disable the enhanced IE browser security or add the web site to the trusted zone. Either choice weakens the browser lockdown the server ships with.


Then you have to remember that the best practice on a workstation, where it’s assumed you will be browsing, is to not run with administrator or root access. On a server, the chances are you are surfing on that box as a domain administrator. Any malware, any drive-by anything, would nail you as you browse.


Okay, but the poster argued that a firewall and antivirus are all you need. First off, even the best antivirus is reactive, not proactive. And secondly, unless a firewall is one of the “unified threat management devices” newly out in the marketplace today, typical firewalls are not enough to protect you from web browsing.



(web filtering image from Calyptix Unified Threat Management Product)


Unless your firewall can do that, sorry, it’s not safe to surf anywhere these days, let alone at a server.


Yes, even in the SBS space, the rule on the workstations should be to install only the ‘code’ (i.e. Adobe, Flash, Java, etc.) that you absolutely NEED to operate. If you don’t have a means to ensure that things OTHER than Microsoft are updated, be aware that the malware cocktails these days are going after the non-Microsoft stuff we can’t patch.


So if we are not going to surf at a server.


If Silverlight is just to build prettier web sites.


If it’s another piece of code that I have to keep updated, then why is it needed at the server?


Workstations are a different beast altogether and the risk management should be evaluated accordingly.


But should Silverlight be installed on a server?  Some would argue that on a terminal server it has a place, a reason to be on a server.


I still say no to servers that are not terminal servers. There is no reason that Silverlight is needed “on” a server that is functioning as a domain controller. And there is no reason to be at that server ‘surfing’ for solutions to error messages. It’s too dangerous these days with malvertisements. Your next ‘trusted site’ just may not be.


This is your domain controller folks.  It’s just not worth the risk.


Surf at your workstation that was built for it, not the server.

 

4 Responses to Should Silverlight be installed on a Server?

  1. JamesB says:

    The only time I can even start to say it’s OK to surf from the server is to hit up Microsoft for a patch or download; however, have you noticed even there you have to close that damn “Download Silverlight” Pop Over. Try doing remote support for a client over a dialup line (yes sometimes that does happen still) and you need to patch the server. Off to download.microsoft.com you go but wait, here comes that damn Silverlight banner which takes 10 mins to build on the slow connection. Worse, let’s say somebody actually did install Silverlight, now try browsing Microsoft remotely over a slow connection.

    No browsing from the server. No plug-ins on the server. No screwing around with the default IE settings on the server. Seeing a thread here, KEEP YOUR HANDS OFF! If you REALLY need to browse from the server install a Linux VM or even one of the MS downloadable VMs.

  2. Chris Knight says:

    You don’t need Calyptix UTM to do that type of filtering – just point your DNS forwarders to OpenDNS and set up an account. You’ll get the same filtering capability.

  3. Hear here! Servers shouldn’t need GUI stuff solely for the purpose of making the interface prettier. They should be much more Spartan than Flash, media players, or even Silverlight. Besides, more stuff on the server means more things to patch that could ask for a reboot and adversely impact the “Server has been running:” time on SBS.

  4. Nick says:

    Well put S.B. I agree.

    Isn’t “Don’t surf on the domain controller” in server 101? Since SBS is the everything, don’t you think it makes it that much more foolish to mess around on?