RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Joe Marsh (
Date: 07/21/05

  • Next message: Adrian Marsden: "RE: Should webservers, eg. IIS 6 have anti--virus installed onthem?"
    Date: Thu, 21 Jul 2005 12:46:29 -0500

    If you are in an industry that is subject to audits like the SAS70, it is
    incumbent to prove why you are *not* taking "industry standard" or "best
    practice" precautions. You don't justify an installation of A/V, for
    instance, you justify why you don't have it. Certain MS patches cause
    Metaframe XP to implode; it gets documented, and auditors nod rather than

    If all your (internal and externally facing) web servers are configured to a
    baseline, and you can document that x, y, and z do not have access to the
    file structure on the box itself or on the machine holding the web content,
    and you can prove default deny with 1/2/3 open inbound ports, UNC paths are
    not available, and...

    Or, you can take the tack that it impacts performance too much... Well,
    we've seen examples of how to minimize it. If AV causes that big of a
    performance drain, and it's not a configuration issue, then your capacity
    planning is a suspect that will be examined more closely by your auditors.

    Or, you can install it, configure it to do at least a nightly scan on all
    but content, and pay your $35 per license and check the box.

    A/V isn't a panacea, of course, nothing ever is. It's about defense in
    depth. A perfectly secured web server will have a incident occurence rate
    of 2%. Great, that may be a risk you accept. But to establish that as the
    occurrence rate, you have to be sure to the six nines that everything else
    is right. Can you guarantee that if anybody besides you touches anything?

    To return to my original point, A/V is too cheap, and is too easy to
    configure properly for classes of servers, to have much of a reasonable hope
    of justifying why it's *not* installed. In regulated or sensitive
    industries, you must justify deviation from certain standards. If you can,
    great. Write your specific reasons down, and you've justified *not*
    installing it. Having principle based discussions with a team of auditors,
    in an attempt to justify best practice deviation flies about as far as a
    lead balloon.

    If you're not being audited, great. If you never think you'll be sued,
    fantastic. I've always been a big believer that it's possible to be a small
    "world-class" company, as long as you meet the standards. Trickle down:
    you're a world class employee when you think like you work at a world class

    Joe Marsh


  • Next message: Adrian Marsden: "RE: Should webservers, eg. IIS 6 have anti--virus installed onthem?"

    Relevant Pages

    • Re: ILC2005: McCarthy denounces Common Lisp, "Lisp", XML, and Rahul
      ... While fixed standards benefit industrial programming ... I'm seeing a different industry than you). ... example if I want a web application server for Python, the answer is Zope, ... If I tell my boss: "oh there's a solution A for doing B ...
    • Re: Both sides of join?
      ... conventions and done minimal research on the proper sizes and industry ... standards for your data elements, would your schema look like this? ... (specialty_id INTEGER NOT NULL PRIMARY KEY, ... disc_id INTEGER NOT NULL, -- references another table? ...
    • Re: Educating HP employees on the nettiquette
      ... > that is setting the industry standards. ... No single vendor dictates it. ... arbitrates choices then uses ...
    • Re: Accuweather video mentions VMS (TWICE!)
      ... Do you mean INDUSTRY standards (negotiated industry-wide ... > can't show them the video, ... > promoting VMS is a video promoting VMS. ...
    • Re: [Full-disclosure] Re: Not telling enough - ethics/shmethics
      ... > towards industry crybabies. ... The standards will always be hard to set, ... With regard to certifications for individuals, ... Microsoft walks all over governments ...