RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Sarbjit Singh Gill (ssgill_at_gilltechnologies.com)
Date: 07/19/05

  • Next message: Harlan Carvey: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
    To: <focus-ms@securityfocus.com>
    Date: Tue, 19 Jul 2005 23:02:31 +0800
    
    

     
    Greetings,

    I think there are 2 main schools here:
    1. AV required depending on server role and usage. If documents remain
    relatively static(web server serves content only), then lock down, fully
    patched and no AV required. It is secondary. If running a site where
    documents are uploaded by users, e.g. a web based document management
    system(e.g. sharepoint) where documents are uploading reqularly then a AV is
    required for sure.

    2. AV required always. Filtered scanning required.

    /Gill

    > -----Original Message-----
    > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    > Sent: Tuesday, July 19, 2005 5:00 AM
    > To: Jeff; focus-ms@securityfocus.com
    > Subject: RE: Should webservers, eg. IIS 6 have anti--virus
    > installed on them?
    >
    > Jeff,
    >
    > Interesting comments. Especially about not having IIS in a domain.
    >
    > Gill,
    >
    > To me the issue of virus protection depends on how you get
    > content installed on a machine and what type of content is on
    > the machine If you have a lot of users loading documents to
    > your web servers, you might want to consider adding virus
    > protection to the servers. Of course you should also have
    > virus protection on the desktops as well. I would not
    > configure on access virus scanning, but instead would have
    > scheduled scanning.
    >
    > Dennis
    >
    > -----Original Message-----
    > From: Jeff [mailto:jeff@turbofish.com]
    > Sent: Monday, July 18, 2005 4:15 PM
    > To: focus-ms@securityfocus.com
    > Subject: RE: Should webservers, eg. IIS 6 have anti--virus
    > installed on them?
    >
    > Another thing with IIS is it is always good to keep it out of
    > the domain altogether. Plus, I monitor all traffic to and
    > from the machine. For example, our email/IIS server doesn't
    > attach to the network, it sits all by it's lonesome on a
    > completely different hub that doesn't touch any of the
    > networked machines. Ok, it doesn't really get lonely, I talk
    > to it everyday and it does sit right next to the other
    > servers. I think I caught it winking at the big SQL server
    > the other day - people are beginning to talk.
    > But seriously, you need to check SP everyday and keep all of
    > the holes filled so yes, you are correct, that is number one.
    > At the same time, I have found it helpful to pick and choose
    > which patches to install. I have had hardware updates from
    > Microsoft that caused me nothing but grief.
    >
    > Other concerns with running a IIS server is data. I don't
    > even like hooking it's SQL server [smallish - just to run web
    > data with] with our big SQL server because of security
    > reasons. I even turn off the lights just so that the other
    > servers won't get jealous
    >
    > Viruses shouldn't be too much of a trouble with IIS because
    > the vast majority of all viruses are activated via email, the
    > rest with a few rogue sites. Don't run an email client on it,
    > don't surf the web with it, keep all extra ports locked down,
    > keep all of the service packs and security releases, be
    > careful if you run an email server that saves the emails in
    > temp files, and just as an extra protection, it wouldn't hurt
    > to have a anti-virus running.
    >
    > Ok, I'm going home to start working on the non system admin
    > programming side of my job - maybe even get some sleep. I
    > hate these 16 hour work days without sleep. You know it's bad
    > when I enjoy getting a power outages that knocked off all of
    > the PC's in our network. No power, no PC/server problems!
    >
    > -----Original Message-----
    > From: Shyaam
    > Sent: Monday, July 18, 2005 10:20 AM
    > To: ssgill@gilltechnologies.com
    > Cc: focus-ms@securityfocus.com
    > Subject: Re: Should webservers, eg. IIS 6 have anti--virus
    > installed on them?
    >
    > According to my level of knowledge(which is very minimal, in
    > this especially), I would say that a web server should be
    > patched well first.
    > the
    > anti-virus is a secondary issue. Ofcourse, you need an
    > antivirus too, but there should always be good patches
    > implemented which checks for the latest signatures.
    > --Shyaam
    >
    > On 7/17/05, Sarbjit Singh Gill <ssgill@gilltechnologies.com> wrote:
    > >
    > > Greetings
    > >
    > > Should IIS have anti-virus installed on them. I know I
    > would do it for
    >
    > > a fileserver but for IIS, I rather lock it down.
    > >
    > > Thanks.
    > > /Gill
    > >
    > >
    > >
    > ----------------------------------------------------------------------
    > > -----
    > >
    > ----------------------------------------------------------------------
    > > -----
    > >
    > >
    >
    >
    > --
    > Thank you in advance for your time and consideration.
    > Yours Sincerely,
    > R.S.Shyaam Sundhar
    >
    > --------------------------------------------------------------
    > ----------
    > ---
    > --------------------------------------------------------------
    > ----------
    > ---
    >
    >
    >
    > --------------------------------------------------------------
    > ----------
    > ---
    > --------------------------------------------------------------
    > ----------
    > ---
    >
    >
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > -------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Harlan Carvey: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"

    Relevant Pages

    • Re: I hate IIS - "Server Application Unavailable" error message
      ... I would but there is not "Application Pools" underneath the local ... Did you install, at least, the Web or Standard versions of Windows Server 2003? ... except when you choose to install IIS on a domain controller. ...
      (microsoft.public.dotnet.framework.aspnet)
    • RE: Internet printing
      ... Configuring the IPP Print Server: ... (IIS is synonymous with PWS, Peer Web Services, which is what ... -This will install and configure basic IIS on the current machine. ...
      (microsoft.public.windows.server.sbs)
    • Re: No DHCP in administrative tools
      ... OK, we need to install the DHCP service, but we're gonna hold of a mo' on ... In computer management, expand IIS, expand websites, which sites do you ... SQL Server Config ...
      (microsoft.public.windows.server.sbs)
    • Re: OWA 403 Forbidden, POP3,
      ... Is there a way to just re-install the IIS components to a set of Default ... incorrect type of install of Trend not in a virtual directory was probably ... From your post, I understand you after you rebuild SBS Server, you ... Go to your "%SystemRoot%\IIS Temporary Compressed Files" ...
      (microsoft.public.windows.server.sbs)
    • [NT] Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise
      ... This patch eliminates a newly discovered vulnerability affecting Internet ... in IIS 4.0 and 5.0, and could likewise be used to overrun heap memory on ... allowing code to be run on the server. ... * Microsoft has long recommended disabling HTR functionality unless there ...
      (Securiteam)