Our cybersec team are getting onto us about all our servers having web browsers installed.

[-]

Barrerayy@reddit

presumably your servers have no internet access besides whatever you use for security/updates etc? So who cares if it has web browsers?

[-]

This is why people need stronger backgrounds before getting into infosec and why I will die on this hill.

There are plenty of posts about people saying you don't need networking or other background to get into infosec and it's just wrong, without the background knowledge you can't judge things as accurately.

Everyone who has worked as an admin in a Windows environment knows removing Edge is a big no no, so clearly this person doesn't have the background they really should.

This also makes things harder if you work in like a SOC and have to check EDR alerts and shit, if you don't know core things about Windows, you won't be able to judge when an alert is higher priority or not.

[-]

Secret_Account07@reddit

It’s really bad. It should be a requirement to work in infra of some kind. So many folks say things but if you put em in front of a computer don’t know what the hell they are doing.

Like yes, let’s block port 443 everywhere, Ted. Brilliant

[-]

planedrop@reddit

No we MUST block everything by default, minimum access, I need per domain whitelisting! lol

But yeah 100%, having some background in infra is incredibly important for most other facets of IT IMHO. infosec, developers, devops, whatever it may be.

[-]

ihaxr@reddit

No we MUST block everything by default, minimum access, I need per domain whitelisting! lol

Zero trust baby. We do this on all our Prod servers. It's just easier from a security perspective and, as long as your network/security teams are somewhat responsive, it's not a big deal.

[-]

planedrop@reddit

I mean if you PROPERLY do zero trust, yes, but my joke was mentioning per domain whitelisting because absolutely no one does that and shouldn't.

Like, for a normal client device subnet, yeah no you won't get away with manually whitelisting everything lol.

But yeah, proper zero trust is the way to go, or at the very least actual segmentation (which so many places don't have) and then microsegmentation if you can.

But full ZTNA or SASE, yeah that's the dream, if you can afford it.

[-]

PhilipLGriffiths88@reddit

Identity-first, zero trust connectivity, using on authenticate-before-connect (not connect then authenticate, which unfortunately is how the majority of solutions work) is the way forward... and it should not just be for human access, but also non-human connectivity across servers, OT, agentic AI, APIs, and more.

Also, while not 'free', open source of this does exist, so it doesnt have to be an unaffordable dream.

[-]

planedrop@reddit

Yeah I agree with this. I mean, even as much as I hate agentic AI, I still completely agree lol.

It's absolutely the way to go. I still think the price is high for some orgs though, and that's even with open source stuff, simply because you gotta pay someone that actually understands this stuff to set it up. I'll just put it this way, I'm not cheap lol.

[-]

PhilipLGriffiths88@reddit

Yeah, totally fair. The people cost is real - and honestly that’s part of the point I keep coming back to. If “zero trust” means manually redesigning routes, firewalls, VLANs, NAT, ACLs, DNS and per-domain allowlists, it becomes expensive fast (I call this the 'connectivity tax').

The better architecture, IMO, is to make the default state “nothing is reachable,” then let identity/policy create only the specific service connections needed. That reduces both attack surface and the amount of specialist underlay/network plumbing required (which means we can net save lots of cost).

It still needs competent people, no question. But the goal should be fewer bespoke tickets and less artisanal network surgery every time a new app, API, workload, site, or agent needs to talk to something. That’s where I think identity-first connectivity can make ZT less of a luxury project and more operationally scalable.

Happy to share to share the open source if you're interested.

[-]

Nah UDP 123 is the promove

[-]

bankroll5441@reddit

Our CIO mentioned in a recent meeting that we need to "Make sure we are insulated from Open Source as a threat model". I almost barfed

[-]

planedrop@reddit

LMAO that's just lovely, a clear misunderstanding of how this stuff works.

Probably gets lots of vendor handouts too lol.

[-]

Cheomesh@reddit

Yeah, I was never an especially high-spec sys admin or anything, but I'm glad that's where my career started. Even if I'm not directly familiar with a system or piece of software I can usually fall back on my other experience to frame it while I get up to speed.

[-]

nickerbocker79@reddit

Our network and security team just block internal servers from accessing the web and just whitelist what is needed. No need to remove the browser.

[-]

Cmd-Line-Interface@reddit

"cyber security analyst- who isn't technical' , that is a little worrisome.

Browser on a server?

akkruse@reddit

Graphical client applications like browsers?

laughs in Lynx

[-]

trimalchio-worktime@reddit

you're installing special software just for webpages?

laughs in curl

[-]

akkruse@reddit

Special packages just for web requests?

laughs in telnet

[-]

Zoddo98@reddit

Wait until the cybersec team hear that curl can be used to ""access"" the web and freak out.

*/s

...or not*

[-]

trimalchio-worktime@reddit

If people don't stop piping curl to bash I'm going to wind up agreeing with them.

[-]

glotzerhotze@reddit

laughs in winget

[-]

NotEvenNothing@reddit

That's fair. That would get rid of 90% of my browser on Windows Server usage.

[-]

Speeddymon@reddit

If you use curl, there's still a browser.

I hate people that do that. They’re effectively saying, “I don’t understand this, can you drop whatever you’re doing and read this and then explain it to me? Also, if you don’t read this and it does apply to us, I’m going to blame you because I asked you to look at it and you dropped the ball.”

It’s the worst combination of incompetence and CYA all bundled into one sentence.

[-]

itishowitisanditbad@reddit

"Hey, take time and the liability of my job all the time, i'll take the pay, thanks!"

[-]

bayridgeguy09@reddit

Last year Cyber said we need to disable NTLM by end of week. Guess whats still running due to legacy apps. These people have no clue what they are doing.

[-]

AGenericUsername1004@reddit

Whats wild in the companies I've worked at the cyber guys get paid a lot more than the sysadmins who keep the place running and all they do is run nessus scans and write acceptable use policies (most likely using templates or AI to do so).

[-]

lordjedi@reddit

CyberSecurity in general gates paid more. Management is going to come after the CyberSecurity guys first if they have a scanner for finding vulnerabilities. It's the cyber guys job to let the sysadmins know where the vulnerabilities are so they can be patched/filled.

Assuming the cyber guys let the sysadmins know, management then goes to the sysadmins in the event of a breach. Sometimes the cyber guys have access to tools they can use to mitigate the vulnerabilities, but often times they don't (patching servers is best made automatic anyway).

OzymandiasKoK@reddit

Could be, but people who don't know what they are talking about often object to things without having to confuse them with anything else.

[-]

Did they have some kind of replacement suggestion for the service accounts?

[-]

Simmery@reddit

Nope. It was just an angry idiot telling us to do stuff. And he was good at sucking up to the CIO, so it didn't matter that we all thought he was an asshole.

[-]

lordjedi@reddit

Yuck. What's the mitigation? Document it and move on? Spin up a separate server specifically for those apps?

I'm dealing with some of this stuff right now and it's crazy how much legacy shit is out there.

[-]

EugeneBelford1995@reddit

JMHO, but NTLM isn't by itself bad per se as long as

Nothing is ASREPRoastable [nothing is by default, you'd have to create this issue]
LLMNR, NetBIOS, & mDNS are disabled
SMB Signing is enforced on all systems
I have always liked smartcards. Users like them too, no pwd to remember or change
LAPS or similar is in use so workstations don't all have the same local admin pwd
Domain Admins aren't logging in everywhere willy nilly so their creds aren't cached all over
You audited what that admin who worked here 5 years ago did RE delegating rights
gMSAs or similar in use so Kerberoasting won't get anyone anywhere

But others are right, most of the "cyber folks" I have worked with don't even know what half the stuff listed above is let alone how to implement it.

[-]

commissar0617@reddit

People actually use smartcards?

[-]

Mundane-Ad-5536@reddit

Good luck with implementing one of those as long as…

[-]

CeleryMan20@reddit

I’ve done five of your eight points. Guess I need to add an audit for accounts having Kerberos pre-auth disabled now. Sigh.

(Wouldn’t AS-REP and Kerberoasting still apply without NTLM running on the wire, so long as unsalted NT-hashes are still being stored in AD?)

[-]

EugeneBelford1995@reddit

Well ASREPRoasting isn't a thing against the default settings in AD 'out of the box' so it's only there if you misconfigured things. Even then it's not going to get anyone anywhere without passwords that can be cracked.

Hence why smartcards are so awesome.

One can Kerberoast without RC4 being allowed, it just takes longer. The trick again is to not have anything that be cracked, hence why gMSAs are awesome.

JMHO but strong passwords > disabling NTLM and smartcards are > than almost any other single mitigation. After all a phisher can't phish a password that the user themselves doesn't know.

[-]

FreeK200@reddit

Smart cards used to be a pita to auth against, but after updating the software stack to apps that support modern auth and throwing everything at your idp of choice, it's so much better. Before it was a crap shoot whether an app would support smart cards. Now we just federate via saml/oidc, with the idp configured to essentially act as middleware between the app and Active Directory.

fadinizjr@reddit

At least your analysts address the right platform?

Because mine don't, I work just with Microsoft environments and sometimes I got tickets for Linux CVEs and the Linux Teams get tickets for Microsoft ones.

Depends on the environment. I’m a sysadmin who works closely with the cyber team and they basically do all the boring paperwork while I get to do the fun stuff. If they give me a stupid ticket, I just tell them and close it out.

Yep, I started to answer your post first, but then delved into a response to the OP. Shit happens when you're drunk, like formatting. You seem to have made it through the block of text ok and without harm though. So, good job. :pats you on the back:

[-]

stone500@reddit (OP)

Help me understand what the functions of a cybersec analyst and a system engineer should be. I understand that as the engineer, it's my job to have the technical knowledge and experience to help implement whatever action we decide to take. I don't want the analysts or hell even the cybersec engineers (usually) to be going in and changing my systems.

However, I always thought that the analysts should be able to outline the risks, provide solution paths (with input from system engineers), and perhaps provide a checklist of security checkmarks that we should be following to adhere to whatever security standards we've decided on.

In my experience I don't feel like we really get that. We get links to bleepingcomputer.com articles concerning products we don't have (for example, I was sent an article about concerns with Youtube Vanced, which she interpreted as simply being Youtube. I had to explain to her what it was). If they send me a concern and I have follow up questions, I literally get a Copilot response.

I guess my question is, what is a cybersecurity analyst's role supposed to actually be?

[-]

Tricky_Fun_4701@reddit

I've been a system engineer for 35 years.

Because of various factors many people making decisions about security don't know anything about security.

Hell- they don't even know anything about networking or servers.

But they can read and force an engineering department to do something (Like "Remove Edge") which makes no sense from a technical standpoint and may even damage the server.

Right? If you don't understand how the plumbing is configured, how can you understand what the logs are telling you? It's some real Idiocracy sh!t going on.

cbowers@reddit

Seems odd. Our SOC was built with extremely technical analysts. With “full stack” all role IT experience, networking, firewall, infrastructure, etc. They previously did any/all IT roles. That’s how they not only understood the user behaviours, but the environment, the strengths and weaknesses, the constraints.

It’s how you triage faster with background insight and people/systems understanding.

To the browser issue. My worry is if they’re worried enough to be yanking browsers the SIEM coverage for [parent]processes, command line strings isn’t where it needs to be. If it was: - they wouldn’t be surprised where browsers were and weren’t. They’d know every process on every device and what those processes were doing. - they’d have process telemetry to know the baseline expected vs unexpected behavior and detections to stop the things they’re worried about. - they’d don’t have sufficient DNS monitoring and controls on the servers.

If those are true… uninstalling browsers on server aught not to give them comfort, and the discomfort should be directing their efforts and dollars on better SIEM insight, monitoring and controls.

The more normative issue seen on servers is where third party browsers are installed with no patch process. They sit dormant and unpatched as a potential risk score escalating on the Vulnerability Management dashboards.

NysexBG@reddit

I work for a company where we have 1 Security guy currently and look for a second ( EU ). How do you distinct between analyst and technicals ?
I am classical sysadmin btw, i do take interest in hardening and security overall but nothing too deep like certs or red team.

[-]

AppointmentIll9358@reddit

Those are the people that skipped A+ cus and Net+ cus they thought they were too good for it

[-]

jnkangel@reddit

Sounds more like an auditor/compliance team than a cybersecurity team.

Don’t be surprised, currently working with a client who’s lead Cyber analyst didn’t even know their DNS server IPs

After being in my current position for about 6 years I spoke to a CS specialist whose been with the org for over 10. When explaining the setup I was planning I mentioned "they'll be in the same network as the XYZ domain devices, but not domain joined".. their response of "we have more than just the 1 ABC domain, oh good to know" derailed my entire train of thought

[-]

Maro1947@reddit

Have you not dealt with Cybersecurity before?

[-]

StrategicBlenderBall@reddit

You must be new here. I’ve been in the cybersecurity field for over a decade, most “cybersecurity analysts” are just compliance checkers. They’re typically not technical.

It's the equivalent of that scene from Idiocracy:

"This one goes in your mouth, this one goes in your ear, and this one goes in your butt. Wait... no... this one goes in your butt."

[-]

Software is centrally deployed, so it’s never downloaded from the web during an interactive session.

They brought their own RSAT from home

[-]

Strahd414@reddit

Note: we _did_ allow that. The migration to Core was part of a larger process to limit our attack surfaces.

For example, before then, helpdesk was all Domain Admins. We removed that and moved over to granular, delegated permissions (this was pre-PAM/IGA deployment). We were also strict about the controls over a person's "admin" account vs their "user" account.

[-]

Cheomesh@reddit

What were you using for PAM? I've messed with Delegation of Authority before but never needed to move beyond that.

[-]

I agree with her. You should just run a script and install Linux server on all of those machines. You may not be able to run what you need, but I assure you a cli experience will bring you no browsers.

[-]

Lost_Drunken_Sailor@reddit

Work cybersecurity for a very large gov organization. Browsers were removed from nearly all servers. If they haven’t been, we know which ones and we bug the crap out of those sys admins until it’s corrected.

Some of my colleagues are very VERY annoying so I’m sure it gets done.

[-]

Picotrain79@reddit

Just put a fake proxy address in!

[-]

[-]

Mental_Beginning_698@reddit

ok in retrospect, fair point on the documentation. You probably don't want that side of the house assuming anything.

[-]

GoogleDrummer@reddit

Its like they were simply reading from a screen.

Based on my experience that's all they're doing. They have all these fancy tools and dashboards, and if any of them go red they panic and tell me to fix it. No idea about why it's red; just, "Red bad. Fix red."

[-]

Aero077@reddit

I had one that made a lot of noise about our routers "broadcasting our routes to other networks" (via a bgp connection). I hit reply-all and mocked him hard. He hated me and never spoke to me again.

[-]

Mental_Beginning_698@reddit

I'd love to but often had to stay on the diplomatic since too many are cc'd. or maybe thats the point.

[-]

japanthrowaway@reddit

This made me spit my coffee out. Thanks for the laugh

[-]

jocke92@reddit

If you don't have edge you'd have internet explorer. That's worse.

That's how it should be?

Security's job is security, not maintenance. They should be able identify and prioritize when something needs a patch or a configuration change. They should absolutely not be logging into servers and running updates or changing configurations. That's the job of whoever administers that machine.

[-]

FreeK200@reddit

This is all organization specific, but whenever I see this train of thought, I'm always tempted to ask "what is the value add here?"

Effectively, you're arguing that cyber's job is to spit out a vulnerability report at someone. Why are groups of people getting paid to delay getting vulnerability report into actionable hands while they sort by CVSS scores?

It's always been something I've seen to justify otherwise unnecessary positions. Shipping those reports directly to the appropriate teams should allow the teams themselves to do everything you just said, sans 18 emails about how this patch was backported two product releases ago and how it isn't applicable to our environment.

Obviously a small group of people should serve as oversight over this process. They're there to ensure all assets are being scanned with no gaps in coverage, reports / artifacts aren't being fakes, and should be working with configuration management to do so. Likewise, they should be configuring the reports and validating these claims against external sources, and calling out BS when they see it.

It's just asinine that I'm left with a team of four administrators to accomplish tasks, with 9 "cyber security" personnel providing us conflicting guidance every step of the way.

On that some note, this may be specific to my environment, but I always find it laughable that the mentality is that their team exists to audit our own. So many of the things that cyber security asks us for could very easily be validated themselves if they were interested. Instead, they open themselves up to the possibility of data being fudged while in transit to themselves. In that sense, I've always been an advocate of a separate, controlled account through which they can validate the live state of configurations themselves. Shockingly, they prefer me to do it.

I've always found this contradiction fairly funny, especially when I've yet to have an outside auditor take me at my word. Instead, they're much more interested in having their own (temporary) admin accounts for whiteboxing, or to hover over my shoulder while I pull up the relevant configuration. Im certain I'd be laughed at if I sent them an excel spreadsheet or a text transcript of a terminal output, but that's considered ideal by people within my org...

[-]

somerandomguy101@reddit

"what is the value add here?"

The valueadd is that with a 9 person team, patch management is just part of one persons job. The job is less "Just run windows update", but tracking how patching is going and prioritizing when something needs to be patched asap. In any large organizations, there's always stray assets where patches don't apply properly, and there are always services where version updates are a non-trivial effort.

It is likely this person is just misarticulating the issue.

The only browser installed on a server should be Edge and it should be validated by a VMDR platform that it is being patched successfully. The browser should be configured to operate in a highly restricted manner that has at a minimum account login / password caching / history disabled.

My guess is that their VMDR platform flagged for several browser installs in user directories that have sat stagnant for years as a result of troubleshooting by a sysadmin.

[-]

russellvt@reddit

We don't even bother installing the X libraries on any servers.

[-]

maxlan@reddit

Kids these days probably have no idea what you mean.

I used to work somewhere we did install X libraries and apps, but not the server, on the server.

Because the X server is actually on the clients...

[-]

russellvt@reddit

[-]

jrussbowman@reddit

The question you need to ask is what are the risks they are concerned about?

Some security professionals like to suggest their preferred solution to minimize risk, but there are usually other equally acceptable solutions. The goal needs to be to change the discussion topic to the actual risk so then you can have a conversation about options.

[-]

SirDerpingtonTheSlow@reddit

I bet you also think blocking ICMP Pings is some revolutionary security technique.

[-]

maxlan@reddit

What's your ip address? I've got a couple of places I can swamp you with icmp floods from.

Hopefully there isn't another zero day in the icmp stack any time soon...

If you need ping in your life, please go get a job where your skills are relevant. Maybe as a landscape gardener or something.

[-]

SirDerpingtonTheSlow@reddit

420GB@reddit

It doesn't though, at least not by default.

[-]

Ubermidget2@reddit

Yep - Wait until they work out that every Windows Server will execute arbitrary code in a .exe. The Horror!

[-]

You trust _anyone_ with access to your production servers??

????

sysadmin really still is in the 1980s.

Instead:

Using Iac: build an image of the server, remove everything it doesn't need to run.

Get the Iac reviewed.

Use the Iac with CICD to deploy servers into production as needed.

The days of "logging in" to production servers are from the olden times.

battletux@reddit

Threat and Vulnerability Management person here.

Your cyber teams reaction shows that they need someone with better technical knowledge in charge. As this reaction is reserved for an immature department that is very knee jerk in reacting to issues.

They should understand that Edge is built into the core of Windows Server these days and that removing or disabling it is not easy and can break too much.

I get that best practice is to only run the bare minimum on a system to support it's applications but Microsoft doesn't agree and what's to share their bloat with everyone.

Sorry you are in this situation all I can suggest is looking at other possible controls that can keep your cyber team calm. For example specific monitoring of application usage or edge in your siem and to make sure that edge is patched monthly (and maybe report on it specifically if it will make them happy).

[-]

mangeek@reddit

My goodness. I'm a cybersecurity engineer and know that every Linux system can be expected to have cURL, wget, and probably a dozen libraries that can grab stuff off the web via HTTP just as easily as a browser to an attacker, and that Windows is inseparable from at least two web libraries that can be called from a script.

The answer isn't to 'remove the browser', it's to have guidelines that prohibit their use backed by controls that enforce them, and tools to measure what does go in and out.

[-]

maxlan@reddit

Curl wget and other libraries being run as an unprivileged user will not run any javascript or code or anything else that browsers do now. (Unless you ask it to)

Hell, curl won't even follow a 302 redirect unless you ask it to.

And even if they do run something you have to consciously ask it to run as root to do any harm.

Browsers in windows run loads of stuff automatically and set cookies and run plugins etc etc... and there are usually a few unpatched bypasses to let them get full admin controls.

Technically, your security team is correct. For example, Edge can be used as a tool in a LOL-based attack.

That also means your server can’t connect to any other external services it may need. Now the dev team either needs to white list all ips that it would outbound to or some dns updates to allow some domains. Either that or a proxy in network. Both are good to have but thats a lot of overhead all for keeping a browser installed.

[-]

Frothyleet@reddit

That also means your server can’t connect to any other external services it may need. Now the dev team either needs to white list all ips that it would outbound to or some dns updates to allow some domains.

Cybersecurity at my company (large) is a joke. It's just a bunch of fools in India pulling reports from Brinqa telling us every week that we have more vulnerabilities and what are we going to do about it. No context to any of the vulnerabilities or whether or not they are even remotely likely to be utilized. All they care about is that their spreadsheet numbers go down, which can also happen if a security exception is filed. They don't care that it's still vulnerable as long as someone with enough authority says it can't be updated (because it will break production, etc).

Not only is it a joke, it is a massive waste of a lot of people's time.

[-]

e_karma@reddit

Welcome 😁, I had an analyst asking me to shutdown DNS service on our DNS server ..The reason why in insist Cyber Analysts should have at least some time doing admin/networking work, but people accuse me of gate keeping

[-]

oni06@reddit

InfoSec should be the next level up after sysadmin / netadmin.

Going straight to security with zero ops experience is annoying at best.

Nagroth@reddit

Wait until they find out about the Linux servers can do with curl.

[-]

ntwrkmstr@reddit

Wait till they find out about Invoke-WebRequest!

[-]

StephenM222@reddit

Wait until they realise that they are making network connections. Active directory or databases seem obvious connections.

So your security team are idiots who don't understand risk, but let me explain what's driving them.

Lacking a technical background they've probably bought some (expensive) tool that scans servers/containers for any installed software with a known vulnerability in it, and that tool then gives them a happy little list of vulnerabilities across the fleet, sorted into a nice report they can show up the line.

Lacking real technical skills this is a fine substitute for actually doing the work of understanding the environment.

Make them write up a formal risk, which shows how the risk could really cause an issue first - and then you can have it prioritised vs other risks to be dealt with as it deserves.

No need to argue with them, that's just feeding the bear, work the risk prioritisation process and let that show what the real security risks are (i.e. not this bullshit).

blorbschploble@reddit

I am generally a fan of not running browsers on servers, and certainly not logged in as an admin, but this is one of those rare instances where an administrative control beats a technical control as long as it’s paired with useful logging…

[-]

BWMerlin@reddit

You could always run Windows Server core edition (I am not sure what the current branding of this is) removing all the GUI components.

I would point out to your security team that many applications installed onto a server require a browser to do initial configuration. You could look at doing firewall rules to restrict to localhost or local VLAN.

[-]

The CIS Benchmark for Microsoft Edge on Windows Server is currently at version 4.0.0… that would be a great place to start…

[-]

Awkward-Candle-4977@reddit

You can configure edge update channel to Extended Stable using group policy. It's the real stable version.

https://ma-zamroni.blogspot.com/2025/10/set-windows-office-onedrive-to-real.html#zzzbrowser

[-]

japanfrog@reddit

Wait till they learn that your server has a network driver. Or better yet, don't tell them.

[-]

CheeksMcGillicuddy@reddit

You are not a cyber security team if your aren’t technical. That’s just silly.

[-]

zero_z77@reddit

I had to reread your post because i first read it as web server. Because having active web servers on everything can be a significant cybersecurity risk if you aren't maintaining them very well. That makes perfect sense.

But a browser? That's not a threat, unless your sysadmins are routinely doing naughty shit on the internet while logged into a server, and that's a management issue. I mean even if you still had IE floating around, on windows server it's already locked down to the point of being basically unusable by default. By the time a threat gets far enough into your system to compromise a web browser on a server, you have much bigger problems already.

Wait until they find curl is part of windows server and probably an old version

Same for some ssl lib

[-]

jhdore@reddit

Windows server core doesn’t install a gui, and you have none of the desktop-based crap that comes with the stupid desktop codebase. No Edge, no Bing Maps Service, no Copilot shite, nowt. And hopefully, a lot less to update and updates to cache. Run your network properly and you really don’t need a browser on a server.

[-]

mikeyvegas17@reddit

this is the way for windows server. core for everything unless there's a need a gui, which i've yet to really find.

[-]

Frothyleet@reddit

There are, sadly, a few Windows Server features that actually require a GUI to work.

Off top of my head, WDS is the one I remember, but that's on the deprecation train now.

[-]

JaffaCakeStockpile@reddit

Your servers may also have a 3rd party electricity dependency which is a core risk you should alert your cyber security team to

[-]

Frothyleet@reddit

I bet that would REALLY shock them.

Get it? SHOCK them?

[-]

Secret_Account07@reddit

Easy fix - firewall request to block internet access and figure out what vulns they want fixed.

Did they even provide a Qualys report or…. Anything?

[-]

I don't see the problem with having browsers installed on servers at all. It's not like they're running and accepting remote connections. You can't really exploit them. What in the world is the reasoning for not wanting them?

[-]

Can‘t you convert everything to server-core? I believe that doesn’t have a Browser installed?

All cyber compliance related work is based on risk: identifiying it, documenting it, and having the stakeholders do a cost/benefit of remediation, mitigation, or accepting it.

From a cyber perspective they are concerned with whether risks are identified and whether they have been accounted for one way or another. So when they hear 'web browsers are installed on all of our servers because they come with Windows server' their reaction to this is 'we have not documented and applied policy and procedure to managing the risks associated with web browsers on the servers' which, if true, is a glaring error. It's the equivalent of finding out something like 'Oh no we don't store our files on the file server, we just store them on Greg's external hard drive and have his PC mapped to our devices to access it'. That solution isn't wrong, it is working for the business, but it's wrong because it's got so many unaccounted for risks involved: are backups set up to account for this, what if Greg loses his laptop, end devices being connected makes lateral movement from a malicious actor highly likely during compromise, etc.

Now, many cyber peoiple don't have the WISDOM to understand other technical perspectives and realities, so they think this is insane, this is an emergency, this is a 5-alarm fire, what if every server we own is encrypting itself as we speak with ransomware? In reality this is just something that needs to be worked through, documented properly, decisions made, and everyone can move on.

[-]

Ok_Discount_9727@reddit

Your security team doesn’t know “poo”

[-]

Larsonski@reddit

We have also thousands of servers and security team asked if we could at least get rid of the default Edge/IE MSN.com startpage. So we changed it to a blanc page on our servers. Not perfect, but still better than trying to remove it.

There are some hardening requirements I've seen that mandate Web Browsers are removed from Servers..so I'm guessing your ITSec staff is just responding to those.

At the same time, you can't (as ITSec) tighten things down to the point where no one can efficiently do their job, and there are ways to mitigate what people can and can't do, limit what sites they can access, etc.

Instead of taking the "You guys are all idiots" stance, understand that there are Server admins that are pretty naive - and see if there a legit way they can put some controls around things while not impeding your ability to do what you need. If you can justify a need vs a want, along with some sound security controls, that should satisfy them.

In the past I've seen Server Admins download programs from BitTorrent, Freeware sites, and others and installed those applications and totally wrecked systems. Don't even get me started on dumb stuff I've seen application admins do to boxes and apps.

I know this isn't much help, but there is some reasoning behind the requirement.

[-]

touchytypist@reddit

Just wait until they learn that the Command Prompt is on servers. gulp

[-]

androk@reddit

Have a firewall so browsers can only access internal sites and that should be enough to alleviate the concern.

[-]

it's simply not possible to completely remove edge. if your cyber sec dude doesn't realize that, you should probably explain to leadership that your cybersec dude is useless and they better search for a replacement.

[-]

[-]

Appolflap@reddit

Just verify your Edge installations are getting updated via Windows Update. You don't want the built-in edge updater. Because then every time you start the browser yoy are working with the old version until the next start (rinse and repeat). I've seen servers highlighted in our vulnerability scanner for this issue (given, those were Chrome installations at the time), and subsequent central security up my *ss for that to resolve when I was a Business ISO.

[-]

nefarious_bumpps@reddit

IIRC, you can configure a GPO that blocks the use of Edge on the servers. But IMHO, server admins should be among the most skilled, knowledgeable and trustworthy employees in your company, and as long as you have clear policies and standards against using a web browser on a server, there should be no reason to need to implement technical controls.

[-]

thehuntzman@reddit

I have been on both sides of this and really all I can say is this is basic Operational Risk Management. It is a relatively low-effort/low-impact mitigation to reduce your attack surface. Like you said, server admins shouldn't be using the web browser anyway, but to Cyber Liability Insurance, for example, using the honor system to ensure policy adherence holds a lot less weight than using a technical control when it comes time to make a breach claim if the attack vector is discovered to be the web browser.

In reality though - yes you're correct that experienced admins SHOULDN'T use the web browser but that implies every admin the company hires in the future is both experienced and does what they SHOULD be doing.

[-]

themastermatt@reddit

"Im the new Cyber Employee and ive got a great background with Internal Audit" is one of the worst phases to hear these days.

[-]

Master-IT-All@reddit

Having a GUI and apps installed that are not required for the services hosted adds potential attack points.

Since Windows Server has the Core install mode, for a secure environment it should be the default choice and installations with the desktop experience which includes the Edge browser need to be documented and the risk acknowledged.

Edge is a component of the Desktop Experience, not the OS.

[-]

International-Wind22@reddit

Windows servers came for a long time with xbox services installed. It’s just windows being windows

[-]

Skyhound555@reddit

We go old school.

Squid proxy to limit browsing capabilities on servers. Easy and effective.

Devs hate it, but they're whiny little bitches anyway. It's about reducing attack vectors and devs installing random stuff is the most stressful of attack vectors.

Devs need to learn how to use SCP protocols too.

[-]

wrxsti28@reddit

I wouldn't ask to remove edge browser. I think I'd work with you guys to understand what websites are used within your host. Not sure if it would at the firewall level or GPO. I'd also ask edge browsers to be updated on a monthly basis.

Figure the best way to meet you and I half way

[-]

bagomojo@reddit

My background 30 years in IT, last 19 I have owned a cybersecurity assessment and advisory. The problem with web browsers are really if they are not kept up to date. And some plugins could potentially access the Os or ad depending on the users creds. Keep them update and permissions in check and you're fine. I wonder if they mean no web servers on domain controllers.

[-]

glabel35@reddit

I mean, your golden image should not have edge on it. Remove everything you can from the initial build and add what is required when it becomes required.

[-]

bjc1960@reddit

Always great when an Azure Kubernetes incident takes 6 hours to resolve because every troubleshooting tool has been removed.

[-]

Empty_Map_4447@reddit

If you're running Windows in the enterprise and have not already locked down all the "telemetry" aka legalized spying and surveillance on your servers, then unused browsers are the least of your concerns.

But they are not wrong. Any bit of software on a system that is not required for it to perform its function is a security risk. The fact the you cannot easily remove Edge from Windows Server editions is a critical defect in the design of the of the OS.

Ours are complained about servers having port 22 open

So that’s fun

[-]

justaguyonthebus@reddit

Get pedantic on the language.

Did you really "install" browsers on your servers? Of course not. Why would you do that when Windows Server already has Edge built into it?

Now, "do you need a GUI on your windows servers?" is a very different question.

[-]

NickBurnsCompanyGuy@reddit

For what it's worth. I'm at a very large enterprise and they blocked web browser access for us years ago.

I don't have any more than that, but this is what we do currently.

[-]

Hale-at-Sea@reddit

Oh my god! And curl is installed on the Linux servers, egads!

There's not much a browser can do that can't be done in powershell or vb or jscript or whatever compromised app is theoretically giving access to Edge. Any of your existing controls like edr, web filtering, outbound firewall etc are generally going to be better places to stop the kinds of stuff Edge would be used for

Ah yes, they went to a cyber secruity boot camp, and got hired based on the lessons they learned in the boot camp, but they never worked in an IT environment a day in their life...

[-]

showerhandles@reddit

I might tell them to f off and get a life

[-]

dekogen3057@reddit

Wow, how do they not know your servers need access to the web at times? Fkng pathetic

[-]

Inquisitive_idiot@reddit

if they don’t understand the requirement, they’re definitely not gonna understand the technical explanation 😅

Require them to offer a list of potential mitigations for discussion when providing a requirement.

Request that they give you the opportunity to provide feedback on the requirement and mitigation before the meeting

[-]

Glassweaver@reddit

A non-technical analyst is alarming, but she's also right.

Best practice is to use server core and manage your servers through powerhshell & the like. Server core does not have a UI, edge, or the overhead and, yes, additional stack surfaces that introduces.

That being said, most organizations worried about something like that have FAR bigger things to worry about, like a 2012 forest functional level, at least one device out there that's keeping you from disabling smbv1 because the risk seems easier to accept than whatever specific exec this effects having to use scan to email, for example, instead.

But yes. Browsers on servers is bad.

[-]

eufemiapiccio77@reddit

Jesus. More report readers spouting nonsense. Push back and say give me instructions how to remove them and we will put it in the backlog. Which AI product flagged this as a risk.

[-]

ajf8729@reddit

There’s plenty of times where having a browser on a server is needed. Plenty of apps that are installed on servers have web management consoles that are sometimes needed to be accessed locally. You secure things by restricting what browser is used, and locking it out with AppLocker where it isn’t needed. And also make sure it is updated somehow. Standardize on Edge, remove and lock out all other browsers, and lock out Edge where it is never needed.

[-]

YSFKJDGS@reddit

All of you are doing this wrong.

You talked about your servers being locked down account wise but make zero mention of how your internet access for them works. Is it yes/no, is it yes with IP's vs no, is it layer 7 firewall with proxy... etc.

You have been through 'multiple' meetings where that ONE fact would have changed the entire conversation, so what are you not telling us?

When you work for a TRUE large scale enterprise, the security team is going to shift much more into risk/policy than 'doers'. In this case, if ANYONE (including you) had half a brain you would be working towards a risk based security approach, where you combine your server and network posture into what it would take to exploit the browser and cause issues.

MS Edge should be patched via wsus/win updates, if you are putting chrome on them for whatever reason then whatever rmm you use can handle it.

99% of this thread is people falling for rage bait thinking their shit doesnt smell and security teams suck. Chances are these same people are not nearly mature enough in their network/security structure either, and are most likely dealing with a 'small' company while acting like it's big.

[-]

ISeeDeadPackets@reddit

I hate cybersecurity people with zero IT background. What she's asking you to do violates the CIA triad as it jeopardizes the integrity of the system. The systems are necessary to conduct business (presumably or they wouldn't exist) and if you can't conduct business then there's no point to having security. Instead of asking you to remove the web browsers, anyone competent would simply want to make sure the communications path into and out of the server is restricted down to the necessary ports/protocols required and that they system is adhering to your patch management/vendor access/whatever policy.

[-]

arkiverge@reddit

You don’t remove the browser, you restrict it. It’s clear the entire cyber team took the bulldozer training class and nothing else is this is what they think.

[-]

dev_all_the_ops@reddit

Your security person is right, you really shouldn't have full desktop environments on your servers.
That's where windows server core comes in.

https://learn.microsoft.com/en-us/windows-server/administration/server-core/what-is-server-core

However, there is always a disconnect between the 'idealist' and the 'realist'.

As an idealist, you shouldn't have graphical interfaces on servers.
As a realist, its going to be a large project to move all your servers from standard windows to windows server core.

Most cybersecurity analists read an automated report and go apeshit about everything they see that somebody/Copilot once told them 'is not good'.

Most of our servers don’t have internet access, heck most of them can’t even talk to each other unless specified.

Next they will be telling you to remove the print spooler.

[-]

Make sure any browsing on them is logged (to a different server) and keep access to them audited.