RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Brady McClenon (BMcClenon_at_uamail.albany.edu)
Date: 07/20/05
- Previous message: Matthew Farrenkopf: "Re: Should servers have anti--virus installed on them?"
- Maybe in reply to: Sarbjit Singh Gill: "Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Next in thread: Harlan Carvey: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Reply: Harlan Carvey: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Jul 2005 11:00:27 -0400
To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>

If what I said was taken to be a cheap shot I apologize to all. It was
meant to be a warning to never take the attitude that one is infallible,
and perhaps I should have said "one" instead of "you", because that is
what I meant. I did not mean to single any one person out.

I'll digress a bit now and say this. No, an AV product is not a
necessity on an IIS server, but then neither is a firewall. They are
both just ways to minimize risk, and I cannot see how anyone can oppose
one and advocate the other. Would I recommend running IIS without
either? No. If the added cost of either is too costly, then let
management make that call, but as a sys admin never rule out any
security measure based on cost. If it bogs down your system, well then
maybe adding exclusions will help, or in the end you may have to go
without and disable or uninstall it.

What are we trying to protect ourselves from with AV? Well, except for
the obvious viruses, worms and trojan horse answer, which seems
smartass, I do know. What's the next threat going to be? No one knows
that either. My system is fully patched and properly secured. Why do I
need AV? Why do I need a firewall? Answer: To minimize risk against
what you or your product vendor didn't see coming, or the vulnerability
that is discovered and disclosed to the public before a patch or other
solution was released or found. Yes, they are both band-aid approaches,
but sometimes band-aids are all you have. AV software, firewalls, IDS
systems (I'm sure more could be named but I'm drawing a blank).
They're all really band-aid approaches. If we could guarantee the
security of our systems, none of them are needed. Unfortunately, we
cannot.

I also think it's being lost that a lot of web servers are not single
admin, or a group of admin/developers posting content. I work in
academia and know a few other colleges that use IIS to give student
space to create their own personal web page. Many ISPs give clients
space too. Can it honestly be said that these admins don't need to
install an AV client, or that it might be a good idea?