# Windows server 2003 Security - Javascript



## Pantho (Feb 20, 2008)

Me and a friend have purchased a dedicated server.

This box is running Windows 2003 Standard R2 x86


We use it as a web server along with running a game server (CS:S)

We are having a debate on the security issues implied with enabling Javascript inside Internet Explorer 7 on the server.

When using remote desktop, we want to be able to download mods/mappacks etc for the server. But doing this is difficult as most websites require javascript enabled.

I know javascript enabled is a security risk if the user visits a "dodgy" website.

But is it a security risk just being enabled? He seems to insist people could use php exploits to upload/activate custom javascripts on the server.

I cannot find any reference to these exploits on the internet, ive found some with shell/asp scripts but not with javascript.

Thankyou

/pantho


----------



## XtabbedoutX (Sep 12, 2007)

I would disable it AS LONG AS you are only going to download map packs and patches. I would not surf the internet with a server any way. Use a client computer to download the map packs and patches then upload them to the server. 

With a gaming server you have to leave ports open anyway so that is a greater security risk than java script.


----------



## Pantho (Feb 20, 2008)

XtabbedoutX said:


> I would disable it AS LONG AS you are only going to download map packs and patches. I would not surf the internet with a server any way. Use a client computer to download the map packs and patches then upload them to the server.
> 
> With a gaming server you have to leave ports open anyway so that is a greater security risk than java script.


Problem with servilely limited upload capabilities on client side.

But i already decided on the action, and jscript will be disabled.

But i am trying to settle a debate on the subject 

Does enabling javascript, even if we never surfed the internet, have any significant security risks?


----------



## XtabbedoutX (Sep 12, 2007)

Pantho said:


> But is it a security risk just being enabled? He seems to insist people could use php exploits to upload/activate custom javascripts on the server.


No. You can run JavaScript on a server without having it enabled in IE anyway. JavaScript is used for more than just websites. 

I have a content filter that the management console is written in java and does not use a browser.


----------

