SUMMARY: Netscape (client) security

From: Mark Bergman (bergman@phri.nyu.edu)
Date: Thu Oct 31 1996 - 23:11:22 CST


Here's a long-delayed summary on the subject of installing Netscape
3.0 (with the potential to run Java) on multi-user public
workstations.

Responses from:

Richard Pieri <ratinox@unilab.dfci.harvard.edu>
bismark@alta.jpl.nasa.gov (Bismark Espinoza)
Sam Kmety <samk@andataco.com>
Marcelo Maraboli <maraboli@itata.disca.utfsm.cl>
Rachel Polanskis <rachel@juno.virago.org.au>
"Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel.Blander@ACSacs.Com>
Jim Harmon <jim@telecnnct.com>

The best answers were:
Rachel Polanskis <rachel@juno.virago.org.au>

You can start by removing the java support libraries and the plugin
support libraries that netscape give you...

Netscape gives you an App Defaults file as well that you could adjust the
X resources for to remove selection values from the menus you do not want
to keep,
such as "enable Java script"...

finally, an individul cache for each user is a huge waster of disk
resources.
Install a proxy server, like squid, point netscape to use it, and zero
the entries for a user cache! - that way you share resources better...
------------------------------------------------------------------------
  

From: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel.Blander@ACSacs.Com>

The use of an http proxy helps - since (at least for Netscape's which I use)
you can specify which file types/stream types not to allow - like java
applets.....this gives you global control over all your users.....worries
depend upon the need for the applets (probably minimal at this point) versus
the time and effort to disable them, versus the risk they
present....which can be great but they are still pretty sparse.

------------------------------------------------------------------------

In the end I installed Netscape, without the plugins or Java
library. This isn't a great solution, as these can be installed
locally by the users (in our case, they probably aren't
sophisticated enough). I thought about re-writing user's netscape
preferences file (a poor choice, unless I wanted to write a script
to divine the correct e-mail address, real name, etc. for the e-mail
preferences). I played with the Netscape.ad applications-default
file, but that didn't seem to work.

In summary, I really wish that Netscape Corp. would make some
provisions for secure installations in multi-user environments.

----
Mark Bergman                       bergman@phri.nyu.edu
System and Network Administrator   212-578-0822
Public Health Research Institute   Rm. 1074, 455 1st Ave, NY NY, 10016



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:14 CDT