RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Wozny, Scott (US - New York) (swozny_at_deloitte.com)
Date: 07/20/05
- Previous message: Harlan Carvey: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Maybe in reply to: Sarbjit Singh Gill: "Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Next in thread: Steve Bostedor: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Jul 2005 13:25:38 -0400
To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
Yes, absolutes are dangerous, but so is building a defense based upon
what 'should' be. And I fully agree that there are more and more people
out there using 'defense in depth' as a buzzword they don't really
understand and an excuse to spend security budget without knowing what
it means, but in this case I think it actually applies.
The web server 'should' just be a web server with no other processes.
The firewall 'should' be protecting it so the only traffic to it is
inbound page requests and outbound responses of known good pages from
the server you trust. Input and output 'should' be scrubbed such that
the web server could never be compromised through a request or send data
back to an 0wner by disguising it as a web page being served. Code
'should' be exploit free from specially crafted requests. However,
unless you write the code yourself, patch the box yourself in real time,
have exclusive administrative and user access to the web server, have
exclusive administrative access to the firewall, have exclusive
administrative access to the switch that connects these two devices (if
any) and have exclusive physical access to each of these devices at all
times AND any conduits which carry traffic when devices are not in the
same room, that which 'should' be is not, necessarily, that which is.
Do yourself a favour and throw intelligently configured AV on the box to
protect against some of the possible contingencies of a world where
'should' is not the same as 'is'. THAT is what defense in depth is for.
A world where $#it happens and the more _quality_ tools you have in your
bag of tricks, the better off you'll be, in general.
Hope this helps,
Scott
-----Original Message-----
From: focus-ms-return-8315-swozny=deloitte.com@securityfocus.com
[mailto:focus-ms-return-8315-swozny=deloitte.com@securityfocus.com] On
Behalf Of Harlan Carvey
Sent: Tuesday, July 19, 2005 11:11 AM
To: focus-ms@securityfocus.com
Cc: jeff@shawgo.com
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
So far, this has been an interesting discussion,
but beneath it all, I'm seeing what I think is a
disturbing trend.
> Antivirus needs to be part of the overall security
> plan for all Windows machines - it's just part of
> the cost of doing business - the cost of the
> software, maintenance, and CPU overhead.
I'm seeing absolutist statements like the one above,
and it bothers me.
If a web server is just a web server, the content is
served to the client, going outbound...not coming into
the server. If the purpose of the system is to take
known-good pages (from the owner) and make them
available to the public (over ports 80 and 443), then
what is the point of A/V software?
I'm seeing a lot of people say that A/V software is
necessary, and that it's part of a 'holistic' or
'defense in depth' approach, but this really sounds
more like Dilbert's "buzz word bingo" than anything
else.
> Certainly, servers need to be patched, firewalled,
> isolated, and locked down. Additionally, code
> should be audited for vulnerability to XSS and SQL
> injection.
Yes, without a doubt. This is all part of good
administration.
> None of these things are perfect. Not that AV is
> perfect, but it is another layer of defense - making
> it part of that "Defense in Depth" strategy.
But, defense against what?
> AV has grown into more than just defense against
> viruses. It is often effective against worm code,
> and some AV has identified common hacking tools
> (e.g. - NetCat) as something that doesn't belong on
> most systems. You can argue the viability of this
> move, but most companies - if they have a security
> team - have less than 0.1% of their machines which
> maybe should have it there.
"something that doesn't belong on most systems"? How
does it get there? If a web server is properly
configured and managed, then perhaps the most likely
means of infection is from the administrator
himself...and in such cases, A/V software is useless.
> AV needs to be part of the cost of running Windows -
> for better or for worse.
Again, I'm seeing this as an approach that's being
parroted, rather than thought out. I'm not saying
that MS products are perfect...not at all. But what I
am saying is that using proper administration
principles, those that have been espoused for well
beyond the past decade, paying additional money to add
yet another software package to a web server simply
doesn't make good business sense.
Why pay more money for another application to
maintain, and another set of logs that you're not
reviewing anyway?
Several years ago, Dave LeBlanc set up an IIS 4.0
server in accordance with simple common sense, and it
was not vulnerable to Code Red...a full year before
Code Red was launched.
When Code Red was launched, A/V software would not
have helped. However, if the .hta script mapping had
been disabled the day before Code Red came out, then
guess what? No problems.
Should systems have A/V software in place?
Maybe...depending upon the function and purpose of the
system. Does it make sense? Does it make good
business sense? What's the business
reason/justification for installing another software
package (for $$) over disabling current functionality
(which doesn't cost anything)?
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
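As an added illustration of the "disable current functionality" point Harlan makes above (example code, not from the thread or either author), here is a PowerShell audit of IIS handler mappings against an allowlist. It assumes a newer IIS with the WebAdministration module rather than the IIS 4/6 metabase the thread discusses; the allowlist and the legacy-extension list are constructed and should be edited for the server in question.

```powershell
# Added example: report IIS script/handler mappings that are either legacy
# extensions or not on an explicit allowlist. Assumes IIS 7+ with the
# WebAdministration module; run from an elevated PowerShell session.
Import-Module WebAdministration

# Constructed allowlist: handler names this server is expected to need.
$Allowed = @('StaticFile', 'ExtensionlessUrlHandler-Integrated-4.0')

# Constructed list of legacy extensions historically exposed by default
# script mappings on older IIS versions.
$LegacyExtensions = @('*.hta', '*.ida', '*.idq', '*.htw', '*.printer', '*.shtml', '*.stm')

# Server-level handler list (site-level overrides can be checked by
# passing 'IIS:\Sites\<site name>' as -PSPath instead).
$handlers = Get-WebHandler -PSPath 'IIS:\'

foreach ($h in $handlers) {
    $isLegacy     = $LegacyExtensions -contains $h.Path
    $isUnexpected = $Allowed -notcontains $h.Name
    if ($isLegacy -or $isUnexpected) {
        [pscustomobject]@{
            Name      = $h.Name
            Path      = $h.Path
            Verb      = $h.Verb
            Processor = $h.ScriptProcessor
            Finding   = if ($isLegacy) { 'legacy script mapping' } else { 'not on allowlist' }
        }
    }
}
```

Anything the script reports is a mapping to justify or remove; an empty result means the server only handles the extensions you said it should.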