RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Steve Bostedor (Steveb_at_tshore.com)
Date: 07/20/05

    Date: Wed, 20 Jul 2005 14:34:10 -0400
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>, "Harlan Carvey" <keydet89@yahoo.com>
    
    

    I wouldn't dream of leaving one of our web servers without antivirus
    software on it for a second! Everyone take a second and remember back
    to the Code Red and the various SQL worms. All that it took was a
    buffer overflow and a virus was on your system before you could blink.

    We were saved because by the time that it hit our servers, Symantec had
    a cure and stopped it. This is just one example of what COULD happen to
    you should you neglect to properly secure your web servers with at LEAST
    antivirus protection.

    In addition, we reset the local administrator passwords on all of our
    member servers and workstations periodically using the password reset
    tool at http://www.vncscan.com. I know that there was another thread on
    that on this list a while ago.

    I can tell you many personal experiences where changing all of the
    remote Administrator passwords and using Norton Antivirus has saved our
    butts big time. I strongly urge you to use a tool like that to change
    your local administrator passwords and use the strongest antivirus you
    can even if you think that you're not at risk.

    The server that you save may be mine!

    - Steve

    -----Original Message-----
    From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
    [mailto:sbradcpa@pacbell.net]
    Sent: Wednesday, July 20, 2005 3:32 AM
    To: Harlan Carvey
    Cc: focus-ms@securityfocus.com; jeff@shawgo.com
    Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
    them?

    Not to mention ..if you were anywhere near a live system at 3:45 p.m.
    Pacific time on a certain Friday when someone didn't do their due
    diligence and flatlined every single one of my workstations and even
    nailed my server....it might make you look at antivirus in a new
    light....

    A/V is just introduction of new... possibly untested code on a machine
    .... possibly every hour on the hour....

    http://silverstr.ufies.org/blog/archives/000844.html

    Harlan Carvey wrote:

    >So far, this has been an interesting discussion,
    >but beneath it all, I'm seeing what I think is a
    >disturbing trend.
    >
    >
    >
    >>Antivirus needs to be part of the overall security
    >>plan for all Windows machines - it's just part of
    >>the cost of doing business - the cost of the
    >>software, maintenance, and CPU overhead.
    >>
    >>
    >
    >I'm seeing absolutist statements like the one above,
    >and it bothers me.
    >
    >If a web server is just a web server, the content is
    >served to the client, going outbound...not coming into
    >the server. If the purpose of the system is to take
    >known-good pages (from the owner) and make them
    >available to the public (over ports 80 and 443), then
    >what is the point of A/V software?
    >
    >I'm seeing a lot of people say that A/V software is
    >necessary, and that it's part of a 'holistic' or
    >'defense in depth' approach, but this really sounds
    >more like Dilbert's "buzz word bingo" than anything
    >else.
    >
    >
    >
    >>Certainly, servers need to be patched, firewalled,
    >>isolated, and locked down. Additionally, code
    >>should be audited for vulnerability to XSS and SQL
    >>injection.
    >>
    >>
    >
    >Yes, without a doubt. This is all part of good
    >administration.
    >
    >
    >
    >>None of these things are perfect. Not that AV is
    >>perfect, but it is another layer of defense - making
    >>it part of that "Defense in Depth" strategy.
    >>
    >>
    >
    >But, defense against what?
    >
    >
    >
    >>AV has grown into more than just defense against
    >>viruses. It is often effective against worm code,
    >>and some AV has identified common hacking tools
    >>(e.g. - NetCat) as something that doesn't belong on
    >>most systems. You can argue the viability of this
    >>move, but most companies - if they have a security
    >>team - have less than 0.1% of their machines which
    >>maybe should have it there.
    >>
    >>
    >
    >"something that doesn't belong on most systems"? How
    >does it get there? If a web server is properly
    >configured and managed, then perhaps the most likely
    >means of infection is from the administrator
    >himself...and in such cases, A/V software is useless.
    >
    >
    >
    >>AV needs to be part of the cost of running Windows -
    >>for better or for worse.
    >>
    >>
    >
    >Again, I'm seeing this as an approach that's being
    >parroted, rather than thought out. I'm not saying
    >that MS products are perfect...not at all. But what I
    >am saying is that using proper administration
    >principles, those that have been espoused for well
    >beyond the past decade, paying additional money to add
    >yet another software package to a web server simply
    >doesn't make good business sense.
    >
    >Why pay more money for another application to
    >maintain, and another set of logs that you're not
    >reviewing anyway?
    >
    >Several years ago, Dave LeBlanc set up an IIS 4.0
    >server in accordance with simple common sense, and it
    >was not vulnerable to Code Red...a full year before
    >Code Red was launched.
    >
    >When Code Red was launched, A/V software would not
    >have helped. However, if the .hta script mapping had
    >been disabled the day before Code Red came out, then
    >guess what? No problems.
    >
    >Should systems have A/V software in place?
    >Maybe...depending upon the function and purpose of the
    >system. Does it make sense? Does it make good
    >business sense? What's the business
    >reason/justification for installing another software
    >package (for $$) over disabling current functionality
    >(which doesn't cost anything)?
    >
    >Harlan
    >
    >
    >
    >------------------------------------------
    >Harlan Carvey, CISSP
    >"Windows Forensics and Incident Recovery"
    >http://www.windows-ir.com
    >http://windowsir.blogspot.com
    >------------------------------------------
    >
    
