RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Brady McClenon (BMcClenon_at_uamail.albany.edu)
Date: 07/20/05

    Date: Wed, 20 Jul 2005 12:28:28 -0400
    To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
    
    

    I take a more community-minded approach to security. Yes, I can set ACLs
    to read and not execute, but that doesn't stop proliferation of the
    virus to others. As much as I don't want my server infected, I don't
    want reports that people visiting my site have become infected because
    of files they downloaded. Setting to read-only can't protect me from
    that. With the logic you give, I don't need AV on my file servers
    either.

    As for the rest, it's obvious we disagree, because the logic that we
    don't know what the next threat may be holds with me, or that we could
    have missed something when securing the server (again, that infallibility
    thing) holds with me. So I'll agree to disagree. I gave my reasoning;
    if you don't agree, that's OK, but it's not helping anyone for me to
    continue to repeat myself.

    And correct that an A/V product without a definition for a virus is
    useless, unless you use one like I do that has heuristic scanning, adding
    some level of protection. Also, many AV vendors now have definitions
    for well-known "hacker tools" (I hate the term, but can't think of a better
    one). Many worms and script-kiddies use the vulnerability to drop in
    files that do the real damage. Drop in an FTP server (reason for
    firewall), backdoor (reason for firewall), keylogger, whatever, and
    execute as SYSTEM. If there was no patch for the vulnerability,
    wouldn't it be nice for an AV product to grab those?

    And lastly, if you state that AV or whatever is not needed if you
    properly secure your systems, that is an attitude of infallibility, and
    therefore I caution. You cannot guarantee security! You may not need
    AV, but not for that reason.

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Wednesday, July 20, 2005 11:31 AM
    To: focus-ms@securityfocus.com
    Cc: jeff@shawgo.com; Brady McClenon
    Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

    Brady,

    > If what I said was taken to be a cheap shot I apologize to all. It
    > was meant to be a warning to never take the attitude that one is
    > infallible,

    Part of the reason I took your comment the way I did was b/c no one in
    the thread, that I could see, was taking the attitude that they were
    infallible. In fact, it appears to me that it's quite the
    opposite...the prevailing attitude seems to be that A/V software should
    be installed "just in case", and because "you can't possibly cover
    everything".

    All in all, I felt that your warning was about as appropriate as saying
    something like, "don't look directly at the sun"...okay, good advice,
    but what did that have to do with the thread?
     
    > I'll digress a bit now and say this. No, an AV product is not a
    > necessity on an IIS server, but then neither is a firewall. They are
    > both just ways to minimize risk, and I can not see how anyone can
    > oppose one and advocate the other.

    Again, I'm not following you. If you've configured your server so that
    it's only a web server, and confirmed that the only open port is port 80
    (and perhaps port 443), what's the point of the firewall?
    What ports would you then be blocking?

    If a stateful inspection firewall or application proxy is used, I
    wouldn't load either one on the same system as the web server.

    With regards to minimizing risk, I have to ask...what risk? Based on
    what I'm seeing in the thread so far, the risks imposed to the system
    largely occur when it ceases to be *just* a firewall. Some respondents
    have mentioned SMTP servers, file sharing, FTP servers, etc...at which
    point, the web server ceases to be *just* a web server and includes
    other services. The function/role of the box has changed, and should be
    considered.

    > Would I recommend
    > running IIS without
    > either? No. If the added cost of either is too costly then let
    > management make that call, but as a sys admin never rule out any
    > security measure based on cost.

    I think you're making a very valid point here, though perhaps not the
    one you intended. You say that the sys admin should not rule out any
    security measure based on cost. In my experience, not a great many
    sysadmins are security professionals - though some may be. My point is
    that I'm not sure that the run-of-the-mill sysadmin is really qualified
    to make the call. Let's say Joe SysAdmin does install the A/V software
    on a web server...what's his reasoning for doing so? Most of the
    reasons I've seen so far have been pretty ethereal...I've read
    statements about "unknown threats", but that logic doesn't hold.
    Unknown by whom? If it's unknown to the A/V vendor, then what good is
    the software product going to do?

    I've also received emails/responses from folks talking about some of the
    threats we've seen. One respondent (I'll go out on a limb here and
    guess that he was/is a sysadmin) stated to me that he "saw" an A/V
    product block a SQL Spida worm infection. IMHO, there are larger issues
    at work here, b/c if that admin didn't understand how Spida does what it
    does (ie, look for blank 'sa' accounts), in the larger scheme of things,
    A/V software (on a database server in this case) is only a band-aid
    solution and doesn't address the real issue(s).

    > What are we trying to protect ourselves from with AV? Well, except
    > for the obvious viruses, worms and trojan horse answer, which seems
    > smartass, I do know. What's the next threat going to be? No one
    > knows that either. My system is fully patched and properly secured.
    > Why do I need AV? Why do I need a firewall? Answer: To minimize risk
    > against what you, or your product vendor, didn't see coming, or the
    > vulnerability that is discovered and disclosed to the public before a
    > patch or other solution was released or found. Yes, they are both
    > band-aid approaches, but sometimes band-aids are all you have.

    Again, I ask you...if the exploit is previously unknown, how is an A/V
    product going to protect you?
    If it's "unknown", then presumably the A/V vendor doesn't know about it
    either...so what good will their product do you?

    > AV software, firewalls, IDS
    > systems, (I'm sure more could be named but I'm drawing a blank).
    > They're all really band-aid approaches. If we could guarantee the
    > security of our systems, none of them are needed.
    > Unfortunately, we can not.

    That argument doesn't make any sense at all, really.
    You're saying that we can't guarantee security, which I agree with.
    Security is not a point solution, it's a process. But you're
    recommending point solutions.

    If an exploit is previously unknown, how is A/V software going to help
    you? If it's not known, and especially if it's not known by the vendor,
    what good is the product going to do you? Firewalls might work, but if
    you've already got the port closed on the system...ie, your web server
    isn't running an FTP server, too...then what's the point? And
    IDS...*if* you've had the foresight to purchase an IDS based on
    heuristics, why would you just put that on the web server?

    > I also think it's being lost that a lot of web servers are not single
    > admin, or a group of admin/developers posting content.

    Then that is a security issue in and of itself, and one in which
    installing A/V software is NOT the best approach. After all, when
    you've got multiple admins on the system, what is to prevent one of them
    from disabling the A/V software altogether?

    > I work in
    > academia and know a few other colleges that use IIS to give student
    > space to create their own personal web page. Many ISPs give clients
    > space too. Can it honestly be said that these admins don't need to
    > install an AV client, or that it might be a good idea?

    What would be the point? Why not simply set ACLs so that files can be
    read but not executed? Or why not reject all files in which the first
    two bytes read "MZ"?

    Also, what is the threat of a student uploading malware to a web
    server? If the malware cannot execute on the web server itself due to
    ACLs, then to what risk is the web server exposed? Sure, if someone
    else comes along and downloads and executes the malware, they will be
    infected, but as long as the malware is sitting on the system, what harm
    is it doing? I have copies of SubSeven on my system at home...but none
    of them are running.

    Harlan

     

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
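Harlan's suggestion above of rejecting uploads "in which the first two bytes read MZ" is easy to turn into an upload gate. The following is an added example written for this page, not code from either poster. It assumes the upload handler can hand the raw bytes to `classify_upload()` before anything is written to the web root (that handler is hypothetical here). Besides the literal two-byte rule it also follows `e_lfanew` in the DOS header to the `PE\0\0` signature, so the reader can see what the MZ bytes actually point at, and the sample inputs are constructed in the block rather than taken from real files.

```python
"""Upload gate that rejects Windows PE executables by their header.

Added illustration of the "reject files whose first two bytes are MZ" idea
from the thread; not code from either poster. Assumes the (hypothetical)
upload handler passes the raw bytes here before writing them to disk.
"""
import struct

MZ_MAGIC = b"MZ"            # IMAGE_DOS_HEADER.e_magic
PE_SIGNATURE = b"PE\0\0"    # IMAGE_NT_HEADERS.Signature
E_LFANEW_OFFSET = 0x3C      # offset of e_lfanew inside the DOS header


def starts_with_mz(data: bytes) -> bool:
    """The two-byte check proposed in the thread: does the file start with 'MZ'?"""
    return data[:2] == MZ_MAGIC


def has_pe_signature(data: bytes) -> bool:
    """Stricter check: follow e_lfanew from the DOS header to the PE signature.

    Returns False for anything too short to hold a DOS header, for MZ files whose
    e_lfanew points outside the buffer, and for MZ files with no PE signature.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or not starts_with_mz(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(data):
        return False  # header points past end of file: malformed, not loadable
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify_upload(data: bytes) -> str:
    """Decision for an upload handler, given the raw bytes of the file.

    "reject-executable": starts with MZ (the rule from the thread).
    "accept": everything else. Note that scripts (.asp, .vbs, .bat) pass this
    gate, so it only removes native executables, not all malware; the ACL
    'read but not execute' point in the thread still applies to what is accepted.
    """
    if starts_with_mz(data):
        return "reject-executable"
    return "accept"


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped header for the demo (not a real executable)."""
    header = bytearray(0x80)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)  # e_lfanew -> 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)


# Constructed sample uploads: a fake PE, an MZ-prefixed blob with no PE
# signature, a harmless HTML page, and an empty file.
SAMPLES = {
    "fake.exe": _fake_pe(),
    "mz-only.bin": b"MZ" + b"\x00" * 10,
    "index.html": b"<html><body>hello</body></html>",
    "empty.bin": b"",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Run both checks over the samples; returns name -> (decision, is_pe)."""
    return {name: (classify_upload(d), has_pe_signature(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (decision, is_pe) in scan_samples().items():
        print(f"{name:12} {decision:18} pe_signature={is_pe}")
```

The two-byte rule rejects the MZ-only blob as well as the fake PE, which is the intended behaviour for an upload gate: a false positive on a stray "MZ" prefix costs one refused upload, while a false negative puts an executable in the web root. What the gate cannot do is catch script content, which is why the ACL argument in the thread is the complementary control rather than an alternative.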


