Banning ActiveX at the firewall is hardly taking away the MS
desktops. It's still viable inside the firewall as long as you're
talking about a relatively trusted environment. If you aren't talking
about a relatively trusted environment inside you probably shouldn't
be running an MS desktop anyway.
> > But if you think you can say that ActiveX is bad so take it way, you'll
> > have to tell them to take away all your MS desktops as well.
> Love to, but that won't happen. That's like trying to fireproof your
> office by banning paper.
Not all that inconcievable. There are perfectly viable
alternatives to an MS desktop for anyone who feels like using
them. It's also possible to put them on another net by themselves with
a seperate firewall and security policy. You can even run them fairly
open, with the security policy that sensitive stuff doesn't go on the
open net. I.E. network A is the low security network where the users
are allowed to sysadmin their own desktops. Network B is the high
security network where that isn't allowed, and the permitted OS's are
mandated. Network B doesn't trust network A any more than it trusts
the internet. Not foolproof in the slightest, but draws a better
boundary for the users as to what is important.
> > I'm sure
> > many of you have been saying that for a while now, but the facts are in
> > front of the majority of you and can be seen just by looking around your
> > office.
> Yep. And those facts say that the desktop will be completely unable to
> provide any useful security for the forseeable future.
Microsoft's desktop will always be completely unable to
provide any useful security for the exact same reasons as we've seen
for years and years with Sendmail. It's big, bloated and constantly
afflicted with creeping featuritism. It's not *designed* to provide
useful security, it's designed to work well as a desktop environment
that can sell. period, Just as Sendmail is a MTA first and security
somewhere not first. (This isn't always a bad thing if your first and
formost requirement is a powerful MTA) Security can be addressed for
99% of it's users by a few glossies with the words "Hacker" "Internet"
and "C2" jumbled in the the rest of the marketing hype, since the odds
are they'll never get seriously hit even if they ran a fully unsecured
Bob Beck Obtuse Systems Corporation
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.