"he is correct, it's IE6 and all server connections are made via Citrix or connection to a DRAC (notoriously unreliable)"
So that IE6 vuln that MS are touting as a good reason to upgrade is quite serious to MoD apps.
My quick look at DRAC says it's accessible through a browser, telnet or SSH connection, even when the server is switched off, and with the capability to upload software from the controller PC via a "Virtual CD" facility.
Hmm. Take over IE6 and you could (in principle) stuff whatever you liked on the server.
I'm guessing the secure procedure would be to block browser access and *only* permit server management access via an SSH-compliant terminal emulator, if that's possible.
Bespoke apps locked to IE6. Another "quality" development brought to you by HMG's favourite IT con-tractors.