Re: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Thor (Hammer of God) (thor_at_hammerofgod.com)
Date: 07/21/05
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- In reply to: Harlan Carvey: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Next in thread: Brady McClenon: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
Date: Wed, 20 Jul 2005 17:57:02 -0700
It all depends on how the server is configured, where it is being deployed,
what methods are in place to allow content to be updated, who is updating and
how, and what users (and trust level) are accessing the content.
Given the circumstances outlined by Harlan, I can see his point: In such an
environment where the server is updated, locked down, firewalled, ACL'd,
etc., the question is "what am I protecting myself from?"
But I have to say, I've been doing this stuff a really long time... And
coming upon a configuration like that in the "real world" is an exception,
not a rule. Only in specialized installations where budget and staff
allowed for very tight controls on content and process changes and auditing
did I see installations that were configured that way, and more importantly,
that stayed that way.
In what I would call "normal" installations, where multiple people (or even
departments) are responsible for coordinating content updates from multiple
sources to multiple systems in any number of ways (SharePoint, FTP, RDP, or
even file shares for that matter), it makes good sense to have a
service-based AV product running on the server in case someone makes a
mistake, or where an internal virus is launched that could compromise one of
the internal updating methods (like Nimda did). If all my employees were
Harlan, I wouldn't be that worried about it. But they're not, so I am.
> Again, I ask you...if the exploit is previously
> unknown, how is an A/V product going to protect you?
> If it's "unknown", then presumably the A/V vendor
> doesn't know about it either...so what good will their
> product do you?
I have server-based AV on my servers. If a l337 virus/worm goes wild today,
I'm aware that my box won't be protected from the A/V recognition standpoint
until tomorrow or the next day. But it *will* be. The other security in
depth measures I have in place will protect the box from "direct" attack
(hopefully); if not, the extra day may be all that was needed. We have no
way of knowing, so there's not much point in arguing whether it will or won't
help in that case. But more important is the fact that my AV solution
identifies most pen/hacker "tools" as malware or Trojans.
While the AV won't protect from an attack using an unknown vulnerability, it
will protect against attackers using the vulnerability to drop more
"common" tools on the box to further compromise it. In addition, it could
help protect against "parallel" systems that may be compromised. If someone
owns a server in my DMZ, launching attacks against parallel systems is much
easier from "within." Trojans or assisting tools (like priv esc) won't hit
the file system on those protected boxes, even if placed there via "valid"
means.
> Then that is a security issue in and of itself, and
> one in which installing A/V software is NOT the best
> approach. After all, when you've got multiple admins
> on the system, what is to prevent one of them from
> disabling the A/V software all together.
It may not be the best approach, but it is one that works if someone
fat-fingers something. One must consider the "human" factor in all of this.
> Also, what is the threat of a student uploading a
> malware to a web server? If the malware cannot
> execute on the web server itself due to ACLs, then to
> what risk is the web server exposed? Sure, if someone
> else comes along and downloads and executes the
> malware, they will be infected, but as long as the
> malware is sitting on the system, what harm is it
> doing? I have copies of SubSeven on my system at
> home...but none of them are running.
It's one more thing that can be used against us (you). In my case, SubSeven
won't make it on there. Yes, if you have it sitting there but ACL'd not to
execute, then in its current state it poses no threat. But I could find a
way to ACL it to run. Then you've saved me the trouble of figuring out how
to get it on the box in the first place.
Effective security measures take into account how people really work: they
anticipate that people will make mistakes and that they will do stupid
things. The current state of the Internet conclusively proves that people
do very, very foolish things regarding security. Given that, I think it
better logic to address the question as "why NOT have AV?" than "why have
it?" In my mind, it's better to have a tool and not need it than to need
the tool and not have it.
Just my respectful .02 worth, sir.
T
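The control both sides of this thread take for granted is a content directory where the web server's own identities hold no execute right, so an uploaded SubSeven or a dropped priv-esc tool just sits there. The script below is an added example from the editor, not code from the original post or from either correspondent: it audits one IIS content folder for Allow ACEs that grant ExecuteFile to the web identities and, with -Fix, adds explicit Deny ExecuteFile ACEs. The path C:\inetpub\wwwroot\uploads and the identity list (NETWORK SERVICE, IIS_WPG, IUSR_<host>, the usual IIS 6 accounts) are assumptions; substitute the app pool identity and anonymous account actually in use on your box.

```powershell
# Added example (editor's code, not from the original post).
# Assumed defaults: an upload folder under the IIS 6 content root and the
# stock IIS 6 web identities. Adjust both for the server being audited.
param(
    [string]$Path = 'C:\inetpub\wwwroot\uploads',
    [string[]]$WebIdentities = @(
        'NT AUTHORITY\NETWORK SERVICE',
        'BUILTIN\IIS_WPG',
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"),
    [switch]$Fix
)

$exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$acl  = Get-Acl -Path $Path

# 1. Audit: any Allow ACE that includes ExecuteFile for a web identity.
#    FullControl, Modify and ReadAndExecute all contain the ExecuteFile bit,
#    so a -band test catches them as well as a bare ExecuteFile grant.
#    Note: generic rights on inherit-only ACEs (GENERIC_ALL etc.) are not
#    expanded here; inspect those by hand if they appear.
$bad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($WebIdentities -contains $_.IdentityReference.Value) -and
    (($_.FileSystemRights -band $exec) -eq $exec)
}

if ($bad) {
    $bad | ForEach-Object {
        Write-Warning ("{0} can execute files under {1} (rights: {2})" -f `
            $_.IdentityReference, $Path, $_.FileSystemRights)
    }
} else {
    Write-Host "No web identity holds ExecuteFile on $Path"
}

# 2. Remediate (optional): add an explicit Deny ExecuteFile ACE per identity.
#    Deny ACEs are evaluated before Allow ACEs, so this overrides an
#    inherited Allow without having to break inheritance on the folder.
#    ContainerInherit + ObjectInherit pushes the Deny down to every
#    sub-folder and file, including ones uploaded later.
if ($Fix) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in $WebIdentities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList @($id, $exec, $inherit, $prop, 'Deny')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Deny ExecuteFile applied to $Path for: $($WebIdentities -join ', ')"
}
```

Run it as an administrator, first without -Fix to see what the folder currently allows, then with -Fix. Two caveats bear on the argument above. First, an NTFS ExecuteFile deny stops the image loader (CreateProcess on a PE file) but not an interpreter that merely reads a script, so a .bat or .vbs handed to cmd.exe or cscript.exe is not covered by it; that is one reason a second layer on the box still earns its keep. Second, the Deny ACE is one Set-Acl away from being removed by any administrator, which is exactly the "I could find a way to ACL it to run" point Thor makes: the ACL raises the bar, it does not remove the need to keep the tool off the disk in the first place.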