RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/20/05

    Date: Wed, 20 Jul 2005 11:48:51 -0700 (PDT)
    To: focus-ms@securityfocus.com
    
    

    > I wouldn't dream of leaving one of our web servers without antivirus
    > software on it for a second! Everyone take a second and remember back
    > to the Code Red and the various SQL worms. All that it took was a
    > buffer overflow and a virus was on your system before you could blink.

    Yes, and all that it took to protect against Code Red
    was to have disabled the .idq/.ida script mapping.
    SQL Spida infected systems with blank 'sa' passwords.
    SQL Slammer targeted UDP port 1434.

    In all of these cases, A/V should not have been
    needed, had proper administration been conducted in
    the first place.

    Again, the security process was broken in each case,
    and installing A/V was just a band-aid.

    > We were saved because by the time that it hit our servers, Symantec had
    > a cure and stopped it.

    Why did these hit your servers in the first place?
    Why did you have .idq/.ida script mappings enabled?
    Were they required? Why did you have a blank 'sa'
    password on your SQL database server? Why were you
    exposing UDP 1434 to the Internet?

    > This is just one example of what COULD happen to you should you neglect
    > to properly secure your web servers with at LEAST antivirus protection.

    Had properly and well documented procedures been
    observed in the first place, A/V would not have been
    necessary.
     
    Harlan

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
