I think Henning's post may be a thread for a discussion forum for security policies, but I do understand the objection to incomplete security policies? I would have to agree, it would be ineffective to look at only one part of the potential vulnerability. Apologies, I should have been more clear. To Answer Brian's question, what I meant was that you can find out what has a dependancy on netcat by starting the removal process in yast, it'll tell you what, other than yast2, has a dependancy. If there's another machine in the organization that already has netcat removed you could ask it's operator what is missed. Somtimes a Security Tech / Admin's arm can be twisted a bit if you have a specific need for an application, usually with conditions though. It is indeed quite often the case that a company has such a security policy. But what I mean is that such an incarnation of a security policy is rubbish. Imagine a VIP disco (for the case that "disco" is uncommon: A place where loud music is played and where the drinks are expensive) where your girlfriends pocket is checked for knifes but your jacket not for guns. You remove the obvious knife "netcat" but do don't even check the jacket "yast" for a gun where "gun" might even mean that it does changes somewhere where you wouldn't want it to change things if you would know about it... (Certainly "gun" could also mean that there are trojans or security holes in this monster application)