RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Joe Marsh (nonleg_at_hotmail.com)
Date: 07/21/05
- Previous message: Harlan Carvey: "RE: Should servers have anti--virus installed on them?"
To: focus-ms@securityfocus.com
Date: Thu, 21 Jul 2005 12:46:29 -0500

If you are in an industry that is subject to audits like the SAS70, it is
incumbent to prove why you are *not* taking "industry standard" or "best
practice" precautions. You don't justify an installation of A/V, for
instance, you justify why you don't have it. Certain MS patches cause
Metaframe XP to implode; it gets documented, and auditors nod rather than
scowl.

If all your (internal and externally facing) web servers are configured to a
baseline, and you can document that x, y, and z do not have access to the
file structure on the box itself or on the machine holding the web content,
and you can prove default deny with 1/2/3 open inbound ports, UNC paths are
not available, and...

Or, you can take the tack that it impacts performance too much... Well,
we've seen examples of how to minimize it. If AV causes that big of a
performance drain, and it's not a configuration issue, then your capacity
planning is a suspect that will be examined more closely by your auditors.

Or, you can install it, configure it to do at least a nightly scan on all
but content, and pay your $35 per license and check the box.

A/V isn't a panacea, of course, nothing ever is. It's about defense in
depth. A perfectly secured web server will have an incident occurrence rate
of 2%. Great, that may be a risk you accept. But to establish that as the
occurrence rate, you have to be sure to the six nines that everything else
is right. Can you guarantee that if anybody besides you touches anything?

To return to my original point, A/V is too cheap, and is too easy to
configure properly for classes of servers, to have much of a reasonable hope
of justifying why it's *not* installed. In regulated or sensitive
industries, you must justify deviation from certain standards. If you can,
great. Write your specific reasons down, and you've justified *not*
installing it. Having principle-based discussions with a team of auditors
in an attempt to justify best practice deviation flies about as far as a
lead balloon.

If you're not being audited, great. If you never think you'll be sued,
fantastic. I've always been a big believer that it's possible to be a small
"world-class" company, as long as you meet the standards. Trickle down:
you're a world class employee when you think like you work at a world class
organization.

Joe Marsh