goretex30 Posted March 10, 2005

Anyone have info on how to remove Internet Explorer from Windows 2003 Server? Or on how to downgrade it to IE 5.0?

Thank you

Ge0ph Posted March 10, 2005

I've got to ask... Why?

No you can't remove it.

No you can't downgrade it.

fdv Posted March 10, 2005

"No you can't remove it."??!?

http://nuhi.msfn.org/nlite.html

Br4tt3 Posted March 10, 2005

I would say... "u shouldn't remove it" instead of "u can't remove it".

Yes, IE is a pain in tha a** when it comes to security fixes and so on.. removing it and all associated components and I can ensure that lots of integrated security / features that are shared between win32 and the IE components won't work anymore... as MS has carefully integrated IE components into Win32 so that u for the specific purpose shouldn't remove it (otherwise it won't work correctly = as in all features).

But then again.. go ahead and see if it works. Would be interesting to see tha results as feedback to the community if any issues arise.

Regards

Ge0ph Posted March 10, 2005

Yes you can remove a lot of the IE wrapper but if you remove the mshtml.dll and the other supporting files you will have a non-working Windows OS. It's the mshtml.dll and supporting files that need most of the security patches. So I guess you're right, you can remove it but you will have such a mangled mess it begs the question... Why?

goretex30 (Author) Posted March 10, 2005

Reason for removal = need to support one old application that costs more than several servers to replace, and that application does not work with IE greater than 5.0.

And the reason for putting Windows Server 2003 instead of an older operating system is that the new server purchased has hardware not supported by the older operating systems.

Thanks again

Ge0ph Posted March 10, 2005

I ran into a similar situation and ended up installing VMWare on the server and then loading an older OS in VMWare to run the PITA software.

fdv Posted March 10, 2005

Br4tt3 and Ge0ph, I have some questions. I want to understand better the reasons people hesitate to remove IE.

Br4tt3: "I can ensure that lots of integrated security / features that are shared between win32 and the IE components won't work anymore... as MS has carefully integrated IE components into Win32 so that u for the specific purpose shouldn't remove it (otherwise it won't work correctly = as in all features)"

If you're removing IE, what security features are you worried about? If you remove IE, why worry about it not working correctly (in other words, it's removed, it shouldn't work at all, because it's not there).

Ge0ph: "Yes you can remove a lot of the IE wrapper but if you remove the mshtml.dll and the other supporting files"

In the nLite forums, we make a distinction between core OS files and IE files. BTW, my version of this file is 5.0.3700.6699, unpatched SP4, from 6/2003. No problems, because you have to visit a malicious website with IE or get a malicious HTML message in OE. If you analyze hotfixes you see that without IE, the exploits cannot take hold in a system, per "vulnerability details." (For example ONLY, because I know we're talking about 2003 here, here's a list of Win2k hotfixes to read about at http://www.vorck.com/wu.html)

Ge0ph: "you can remove it but you will have such a mangled mess"

What did you find mangled about your nLite installation? If you remove IE and leave the IE core, how is this a "mangled mess"?

As I said, I am genuinely curious about why people are so afraid of removing IE when it's been established that it can be done in the nLite forums (and I've run Win2k without it for 4 years). I run no Norton software, as their packages are known to look for IE. I have not found other software that will not run on my IE-free machine.

Ge0ph Posted March 11, 2005

The "IE core" is where the HTML rendering happens, not IE. So removing just IE and leaving the core you still have the part that causes the security problems. If you remove the core most of Explorer (the file manager) will not work right, hence, a mangled mess.

On your W2k box, do you have a mshtml.dll file in your system32 folder? If you do you still have the IE rendering engine installed. Without it things like help files, Office XP/2003 (not sure about 2000), Quicken, Norton AV, and many other programs will not work right or work at all. This thread has a bit more info on the subject.

fdv Posted March 11, 2005

@Ge0ph - If you check out existing IE exploits, they can only happen if they can get to the HTML rendering engine. If you use Mozilla, for example, that can't happen. That said, I do not have shdoclc.dll or mshtml.dll on my home machine (it works fine). I can get by without Windows Help, that's my choice, but if someone wants to keep Help, keeping mshtml.dll isn't a big deal, because the exploits need a vehicle to _get_ to mshtml.dll, and that's IE, OE, or Help.

Checked out the link... people saying IE can't be removed in 2004 just haven't been paying attention, IMHO. They pin everything on mshtml.dll, and Windows runs without it. One must also remove mshta.exe, mshtml.dll, mshtml.tlb, mshtmled.dll, and mshtmler.dll (among a dozen others). Finally, a true core Windows file, shdocvw.dll, makes calls to IE, so it's often mistaken for an IE file (if IE isn't there, it simply can't call).

BTW I run Office XP just fine. I didn't know about Quicken, no one who uses my fileset has reported using that. I'll have to borrow a copy from someone for testing out.

In any case, to anyone reading generally, my files and nLite allow you to run without IE. Check it out on a Virtual Machine. If you like running without it, cool. If not, everyone's okay with that too.

Ge0ph Posted March 11, 2005

"because the exploits need a vehicle to _get_ to mshtml.dll, and that's IE, OE, or Help."

Or Quicken, Quickbooks, Norton AV, or any of the hundreds of popular programs that need mshtml.dll to run. IE, OE, and Help are not the only programs that use it.

However, if you're happy with limited functionality then more power to you. I personally like all the bells and whistles and don't really see the point in intentionally crippling an OS. BTW, I think nLite is a great little program but whenever I have used it to remove certain components it has caused me problems down the road.
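
The disagreement above turns on which programs on a given machine actually load the rendering engine. The following read-only inventory is an added example, not part of the thread: it checks the files the posters name under System32 and lists the running processes that currently have mshtml.dll loaded (PowerShell postdates this discussion; the file list is taken from the posts).

```powershell
# Added example: inventory the IE-related files named in this thread and the
# running processes that currently host the rendering engine. Read-only.
# Run elevated for the most complete process view.

$sys32 = Join-Path $env:SystemRoot 'System32'

# File names as listed by the posters above.
$names = 'mshta.exe', 'mshtml.dll', 'mshtml.tlb', 'mshtmled.dll',
         'mshtmler.dll', 'shdoclc.dll', 'shdocvw.dll'

$files = foreach ($n in $names) {
    $path = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        [pscustomobject]@{
            File     = $n
            Present  = $true
            Version  = $item.VersionInfo.FileVersion   # patch level of the file
            Modified = $item.LastWriteTime
        }
    } else {
        [pscustomobject]@{ File = $n; Present = $false; Version = $null; Modified = $null }
    }
}
$files | Format-Table -AutoSize

# Which processes have mshtml.dll mapped right now? Module lists of protected
# or exited processes cannot be read; count those instead of failing.
$skipped = 0
$engineHosts = foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules
        if ($null -eq $mods) { $skipped++; continue }
        $hit = $mods | Where-Object { $_.ModuleName -ieq 'mshtml.dll' } |
               Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Id      = $proc.Id
                Engine  = $hit.FileName
                Version = $hit.FileVersionInfo.FileVersion
            }
        }
    } catch {
        $skipped++
    }
}
$engineHosts | Sort-Object Process | Format-Table -AutoSize
"Processes whose module list could not be read: $skipped"
```

A process only appears in the second table while it has the DLL loaded, so run it with the applications in question open.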

fdv Posted March 11, 2005

"Or Quicken, Quickbooks, Norton AV, or any of the hundreds of popular programs that need mshtml.dll to run. IE, OE, and Help are not the only programs that use it."

Hmmm, I don't buy it. How likely is it that a hacker would insert an attack via the HTML Help system in Quicken, Quickbooks, Norton AV, etc? They'd have to be sitting at your machine! I reiterate, the way that exploits _get to_ mshtml.dll is via a "Web-based attack scenario" (see KB below). Let's take a few examples, all of which apply to a Windows 2003 machine. Look at the Vulnerability details in each case. Web-based attack scenarios, in each case, apply to IE. For example, that's the only way a problem with an ActiveX control is going to get passed on to the Windows Shell (Mozilla and other browsers can't do this).

MS04-023: Vulnerability in HTML Help could allow code execution.
http://www.microsoft.com/technet/security/...n/ms04-023.mspx
"In a Web-based attack scenario"...

Microsoft Security Bulletin MS04-037
Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
http://www.microsoft.com/technet/security/...n/ms04-037.mspx
"An attacker could exploit the vulnerability if a user visited a malicious Web site."
"By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone."
"In a Web-based attack scenario"...

How to disable the ADODB.Stream object from Internet Explorer
http://support.microsoft.com/kb/870669
"Adodb.stream provides a method for reading and writing files on a hard drive. ... when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ)."

Microsoft Security Bulletin MS05-001
Vulnerability in HTML Help Could Allow Code Execution (890175)
http://www.microsoft.com/technet/security/...n/MS05-001.mspx
See Vulnerability details.
"Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls and active scripting in the Internet zone and in the Local intranet zone."

Microsoft Security Bulletin MS05-002
Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
http://www.microsoft.com/technet/Security/...n/ms05-002.mspx
"An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message....By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone."

Microsoft Security Bulletin MS05-013
Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)
http://www.microsoft.com/technet/security/...n/ms05-013.mspx

Microsoft Security Bulletin MS05-015
Vulnerability in Hyperlink Object Library Could Allow Remote Code Execution (888113)
http://www.microsoft.com/technet/security/...n/MS05-015.mspx

Microsoft Security Bulletin MS05-008
Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)
http://www.microsoft.com/technet/security/...n/MS05-008.mspx

In any case, you're right, it boils down to what you like. If you want the bells and whistles, there's no reason to pull IE out. If you want a more secure OS, IMO, some crippling is necessary. In the end, careful browsing and a firewall pretty much solve all of these issues.