RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Jeff Shawgo (jeff.shawgo_at_verizon.net)
Date: 07/20/05

  • Next message: S_Dorn/CIB_at_BANKCIB.COM: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
    Date: Wed, 20 Jul 2005 09:59:00 -0500 (CDT)
    To: focus-ms@securityfocus.com

    Harlan,

    I agree with you about what it takes to protect a system.

    -IF- a server is just a webserver...
    -IF- a system is properly administered...
    -IF- a system is patched immediately...
    -IF- knowledgeable IIS Security Admins lock it down properly...
    -IF- web servers don't need lead-time for maintenance windows...
    and -IF- there are no 0-day attacks...
    -THEN- AV may be considered unnecessary.

    My observation in the business world is that there is a better chance of all planets lining up in a row than this happening often enough to really consider it.

    Admins get overwhelmed and make mistakes. Coders make mistakes. Microsoft makes mistakes. Even if they don't, businesses still take some time to test patches before deployment. Somewhere, somehow, a window of opportunity will open up.

    When that happens, then someone will try to (a) put a program on a system, and (b) execute it. If/when that happens, I can tell you that there is a percentage chance (different depending on AV vendor and malicious code) that AV software will find the deposited program, and delete it between steps (a) and (b). If that happens, the attack is foiled, in spite of the flawed components and configuration us humans have put there. That's why it's a -LAYER- of protection. 'Defense in depth' is not just a buzzword, it's real.

    I don't like making blanket statements. Honestly, I don't like using AV on everything. I feel the malware 'industry' is allowing the AV industry to hold us Windows shops hostage. In order to keep the code clean, I have little choice but to use it.

    In medium/large shops, it's a normally accepted practice because it keeps the termites from eating your infrastructure. In small businesses, where you don't have full-time Security Admins, it can quietly save the business, all for a few dollars out of the profit margin. In SoHo situations, it can mean life or death, because the kids use the same PC or at least the same network, and your average SoHo user doesn't know things like 'KaZaa can be really bad,' and SoHo businesses are banking EVERYTHING on the lone PC working right. Oddly, SoHo shops are least likely to have it up to date.

    I actually treat it like a HIDS. If something shows up that shouldn't be able to show up, then I know I've got a problem. Otherwise, I've got a degree of confirmation that things are pretty safe and sound.

    Just my $.02
    ~Jeff
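    Jeff's closing point, that AV on a web server ends up working as a host intrusion detector ("something shows up that shouldn't be able to show up"), can be approximated without an AV product by baselining the content tree and diffing it later. The following is an added example, not code from the thread or from any product mentioned in it: plain Python that hashes a web root, reports what was added, changed or removed on a second pass, and separately flags new files with an executable or script extension. The directory layout, the dropped file and the extension list are constructed for the illustration.

```python
"""Added example (not from the thread): a minimal file-integrity check over a
web root, in the spirit of treating the server like a HIDS. Paths, the
extension list and the sample tree are assumptions made up for this
illustration."""
import hashlib
import os
import tempfile

# Extensions a Windows/IIS box could run or hand to a script engine (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".bat", ".cmd", ".vbs", ".js",
                   ".asp", ".aspx", ".hta", ".pl", ".php"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each file (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = _sha256(full)
    return digests


def compare(old, new):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    return added, modified, removed


def suspicious(added):
    """Of the added files, those whose extension means 'program', not 'content'."""
    return [p for p in added if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS]


def demo():
    """Constructed scenario: a content-only web root, then a program is deposited
    (Jeff's step (a)) and a known-good page is altered."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "index.htm"), "w") as f:
            f.write("<html>known-good page</html>")
        with open(os.path.join(root, "images", "logo.gif"), "wb") as f:
            f.write(b"GIF89a")
        before = baseline(root)
        # Simulated drop: not a real binary, just an MZ header for the illustration.
        with open(os.path.join(root, "images", "dropped.exe"), "wb") as f:
            f.write(b"MZ\x90\x00 constructed sample, not a real program")
        with open(os.path.join(root, "index.htm"), "a") as f:
            f.write("<!-- defaced -->")
        after = baseline(root)
        added, modified, removed = compare(before, after)
        return added, modified, removed, suspicious(added)


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
    print("flagged for review:", flagged)
```

    The baseline has to be taken from a known-good state and stored somewhere the web server's own account cannot write, otherwise whatever dropped the file can also rewrite the baseline; the check only tells you that step (a) happened, it does nothing to stop step (b).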

    -------------------------------------------------------

    So far, this has been an interesting discussion,
    but beneath it all, I'm seeing what I think is a
    disturbing trend.

    > Antivirus needs to be part of the overall security
    > plan for all Windows machines - it's just part of
    > the cost of doing business - the cost of the
    > software, maintenance, and CPU overhead.

    I'm seeing absolutist statements like the one above,
    and it bothers me.

    If a web server is just a web server, the content is
    served to the client, going outbound...not coming into
    the server. If the purpose of the system is to take
    known-good pages (from the owner) and make them
    available to the public (over ports 80 and 443), then
    what is the point of A/V software?

    I'm seeing a lot of people say that A/V software is
    necessary, and that it's part of a 'holistic' or
    'defense in depth' approach, but this really sounds
    more like Dilbert's "buzz word bingo" than anything
    else.
     
    > Certainly, servers need to be patched, firewalled,
    > isolated, and locked down. Additionally, code
    > should be audited for vulnerability to XSS and SQL
    > injection.

    Yes, without a doubt. This is all part of good
    administration.

    > None of these things are perfect. Not that AV is
    > perfect, but it is another layer of defense - making
    > it part of that "Defense in Depth" strategy.

    But, defense against what?

    > AV has grown into more than just defense against
    > viruses. It is often effective against worm code,
    > and some AV has identified common hacking tools
    > (e.g. - NetCat) as something that doesn't belong on
    > most systems. You can argue the viability of this
    > move, but most companies - if they have a security
    > team - have less than 0.1% of their machines which
    > maybe should have it there.

    "something that doesn't belong on most systems"? How
    does it get there? If a web server is properly
    configured and managed, then perhaps the most likely
    means of infection is from the administrator
    himself...and in such cases, A/V software is useless.

    > AV needs to be part of the cost of running Windows -
    > for better or for worse.

    Again, I'm seeing this as an approach that's being
    parroted, rather than thought out. I'm not saying
    that MS products are perfect...not at all. But what I
    am saying is that using proper administration
    principles, those that have been espoused for well
    beyond the past decade, paying additional money to add
    yet another software package to a web server simply
    doesn't make good business sense.

    Why pay more money for another application to
    maintain, and another set of logs that you're not
    reviewing anyway?

    Several years ago, Dave LeBlanc set up an IIS 4.0
    server in accordance with simple common sense, and it
    was not vulnerable to Code Red...a full year before
    Code Red was launched.

    When Code Red was launched, A/V software would not
    have helped. However, if the .hta script mapping had
    been disabled the day before Code Red came out, then
    guess what? No problems.

    Should systems have A/V software in place?
    Maybe...depending upon the function and purpose of the
    system. Does it make sense? Does it make good
    business sense? What's the business
    reason/justification for installing another software
    package (for $$) over disabling current functionality
    (which doesn't cost anything)?

    Harlan
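    Harlan's argument rests on turning off handler mappings the site never uses, so that a request for an odd extension is served as a static file (or refused) instead of being handed to a DLL. The following is an added example, not code from the thread or from Microsoft's tooling: it parses IIS 6 ScriptMaps entries in their metabase string form (`.ext,handler path,flags,verb,verb,...`), splits them into keep/remove against an allow-list, and also points out mappings whose handler is invoked even when the requested file does not exist. The sample entries and handler paths are constructed, the flag meanings (1 = script engine, 4 = verify that file exists) are the metabase bit values, and the allow-list of `.asp`/`.asa` is an assumption for a site serving static pages plus classic ASP.

```python
"""Added example, not code from the thread or from Microsoft: audit IIS 6
ScriptMaps entries against an allow-list of extensions the site really needs.
Sample entries, handler paths and the allow-list are constructed for the
illustration."""
from dataclasses import dataclass

# Metabase ScriptMaps entries look like ".ext,handler path,flags,verb,verb,..."
# flags is a bit mask: 1 = script engine, 4 = verify that the requested file exists.
FLAG_SCRIPT_ENGINE = 1
FLAG_CHECK_FILE_EXISTS = 4

# Constructed sample (not dumped from a real server); the paths mimic the usual
# handler locations but the set of mappings and their flags are made up.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".asa,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".cer,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".htr,C:\WINDOWS\system32\inetsrv\ism.dll,5,GET,POST",
    r".ida,C:\WINDOWS\system32\idq.dll,1,GET,HEAD,POST",
    r".idq,C:\WINDOWS\system32\idq.dll,1,GET,HEAD,POST",
    r".printer,C:\WINDOWS\system32\msw3prt.dll,1,GET,POST",
    r".shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST",
]

# Assumption: this site serves static content plus classic ASP and nothing else.
ALLOWED_EXTS = {".asp", ".asa"}


@dataclass(frozen=True)
class ScriptMap:
    ext: str
    handler: str
    flags: int
    verbs: tuple

    def render(self):
        """Back to the metabase string form."""
        return ",".join([self.ext, self.handler, str(self.flags), *self.verbs])


def parse_scriptmap(entry):
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(parts[0].lower(), parts[1], int(parts[2]), verbs)


def audit(entries, allowed_exts):
    """Split mappings into (keep, remove) lists by the extension allow-list."""
    keep, remove = [], []
    for entry in entries:
        m = parse_scriptmap(entry)
        (keep if m.ext in allowed_exts else remove).append(m)
    return keep, remove


def missing_exists_check(maps):
    """Mappings whose handler runs even when the requested file does not exist."""
    return [m for m in maps if not m.flags & FLAG_CHECK_FILE_EXISTS]


if __name__ == "__main__":
    keep, remove = audit(SAMPLE_SCRIPTMAPS, ALLOWED_EXTS)
    print("mappings to remove:")
    for m in remove:
        print("  ", m.ext, "->", m.handler)
    print("reduced ScriptMaps to apply:")
    for m in keep:
        print("  ", m.render())
    for m in missing_exists_check(keep):
        print("kept mapping does not verify that the file exists:", m.ext)
```

    The reduced list is applied through IIS Manager (web site properties, Home Directory, Configuration, Mappings) or whatever metabase tooling the shop already uses. Mappings that come back from `missing_exists_check` deserve a second look even when they are on the allow-list: with that bit clear, the DLL is handed every request for that extension whether or not a file by that name exists under the web root, which is exactly the kind of mapping worth turning off the day before it matters.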
