Locked-down Chrome on server?

HCHTech

For a while now, I have been installing Chrome on the main server I use for administering a client's stuff. I do this so I can access various internal equipment's web admin pages - printers, NAS, network equipment, etc. I set the home/start pages to about:blank, and I restrict access to only whitelisted IPs by editing the shortcuts to launch Chrome like the following example:

"C:\Program Files\Google\Chrome\Application\chrome.exe" -host-rules="MAP * 127.0.0.1, EXCLUDE 172.16.1.241"

This just plain works better than trying to use IE. I'm sure it's not as secure my way, but I'm wondering how excited to get about that fact. It's only me accessing the server. In case I forget and try to download a new driver or something, this acts more like a not-so-subtle reminder: "Oh yeah, I'm on a server, don't browse the internet, dummy."

I've been reading a LOT lately about servers and setups, so I'm wondering if I should rethink this practice. How many demerits should I get?
 
PowerShell is on all modern Windows platforms, and it includes the Invoke-WebRequest applet, which is by default aliased to wget.

So... the concept that a server is somehow magically less secure because it has a browser on it is asinine. Anyone that can run PowerShell even as a limited user on the platform has a browser. httpie is free, and dropped quickly on the platform too for something even more flexible.

I install Firefox on all my servers, for all of the same reasons you do. The catch? I don't bother wasting my time trying to limit it. If I want to control web access from a server, I use a content control engine in my UTM to do that. Any attempt to control the device from the device itself is a fundamental waste of time.

Oh, and the above PowerShell stuff exists on CORE as well, so even if you ditch the GUI, you can still download stuff.

Chrome does install a ton of crap that stays resident though... so again I suggest Firefox because it only runs when you tell it. But a browser on a server is no big deal, it's got MANY even before you make your life easier.

You want a secure server? Wrap it up in stuff that's configured as default as possible. Stop wasting time with special focused hackery, all of that tomfoolery ends up in a LESS secure environment. Security is a function of visibility after all. All these extras? Not easy to know about. Not easy to audit. Very easy to forget. That's not secure, that's the opposite of secure.
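
Added example, not part of either post above: the host-rules restriction in the first post exists only in each shortcut's arguments, so auditing it means reading every Chrome shortcut on the box. This PowerShell sketch lists them with their host-rules value; the folders searched are assumptions about where shortcuts live.

```powershell
# Added example: inventory Chrome shortcuts and report their host-rules value.
# The search roots below are assumptions; adjust them for the server in question.
$roots = @(
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { Test-Path -LiteralPath $_ }

if (-not $roots) { Write-Warning 'No shortcut folders found.'; return }

# WScript.Shell can open a .lnk file and expose its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$report = Get-ChildItem -LiteralPath $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # Skip shortcuts that do not launch chrome.exe.
        if ($lnk.TargetPath -notmatch '\\chrome\.exe$') { return }

        # The shortcut in the post uses a single dash; accept one or two.
        $rules = $null
        if ($lnk.Arguments -match '(?i)-{1,2}host-rules=(?:"([^"]*)"|(\S+))') {
            $rules = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }

        [pscustomobject]@{
            Shortcut  = $_.FullName
            HostRules = $rules
            Status    = if ($rules) { 'restricted' } else { 'NO host-rules' }
        }
    }

# Unrestricted shortcuts sort first so they are the first thing reviewed.
$report | Sort-Object Status, Shortcut | Format-Table -AutoSize -Wrap
```

A shortcut reported as "NO host-rules" starts Chrome without the mapping, as does any launch that does not go through a shortcut at all.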
 