RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/20/05
- Previous message: Steven Hay: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Maybe in reply to: Sarbjit Singh Gill: "Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Next in thread: Jeff Shawgo: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
Date: Tue, 19 Jul 2005 16:43:58 -0700 (PDT)
To: Brady McClenon <BMcClenon@uamail.albany.edu>, focus-ms@securityfocus.com
Brady,
> What are "known good pages"?
Perhaps another way of saying it is "web pages that
are supposed to be there."
> Heck, you may not even be the only admin!
Sounds like more of a procedural issue, not one that
is going to be solved by installing another
software package.
> I had to jointly administer
> one once with another guy and I didn't even trust
> him!
And what good is A/V software going to do when the
other admin can log in and disable it?
> Even if you are
> the only one, there's no harm in protecting yourself.
From? What threat are you protecting yourself from?
> Look at it like
> this, the Tour de France has the best cyclists in
> the world, surely they
> know the proper way to ride a bike, but yet they all
> wear helmets. Why?
> Because no one is infallible. If you think you
> are... Well, ignorance is bliss I guess.
Okay, so you're resorting to cheap shots now? Wow,
and here I was thinking that we could discuss this
like fellow professionals. Sorry to waste your time.
> The Code Red example is good, but just because AV
> wouldn't have helped
> in one case, doesn't mean it wouldn't in another.
It was just one example...
> I saw it save someone
> from a SQLSpida worm infection.
Oh, good. Maybe you can explain, then, why the
attacked machine had the ports exposed to the
Internet, and a blank 'sa' password. According to the
write-up at the F-Secure site
(http://www.f-secure.com/v-descs/sqlspida.shtml), this
worm infected systems with a blank 'sa' account.
> They patched, but apparently not
> properly, or applied patches out of order down the
> road, or who knows,
> so they were still vulnerable. Worm got dropped in
> through the exploit,
Exploit? Here's another site that explains the
"exploit":
http://www.securiteam.com/windowsntfocus/5WP0N0K75U.html
> but the AV grabbed the file with the payload the
> second it hit the
> drive. Sure, you could blame it on the sys admin,
> but we all make
> mistakes so it could happen to anyone.
That's a pretty big mistake.
> Now I pose a question. If "servers need to be
> patched, firewalled,
> isolated, and locked down. Additionally, code
> should be audited for
> vulnerability to XSS and SQL injection." is "all
> part of good
> administration." Then why isn't an AV client? None
> are infallible and
> make your web server impervious to compromise, they
> only minimize risk.
> They're just a layered defense. Why balk at another
> layer?
So b/c an admin doesn't have the time and/or skills to
properly administer a web server and ensure that the
content itself doesn't expose it, you're going to
install an anti-virus application? Sounds like a
band-aid approach, one that won't serve you in good
stead when a bit of malcode that the client doesn't
have a signature for hits the system.
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------