Re: Should webservers, eg. IIS 6 have anti-virus installed on them?

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpapacbell.net)
Date: Wed Jul 20 2005 - 02:31:50 CDT


Not to mention... if you were anywhere near a live system at 3:45 p.m.
Pacific time on a certain Friday when someone didn't do their due
diligence and flatlined every single one of my workstations and even
nailed my server... it might make you look at antivirus in a new light...

A/V is just introduction of new... possibly untested code on a machine
.... possibly every hour on the hour....

http://silverstr.ufies.org/blog/archives/000844.html

Harlan Carvey wrote:

>So far, this has been an interesting discussion,
>but beneath it all, I'm seeing what I think is a
>disturbing trend.
>
>
>
>>Antivirus needs to be part of the overall security
>>plan for all Windows machines - it's just part of
>>the cost of doing business - the cost of the
>>software, maintenance, and CPU overhead.
>>
>>
>
>I'm seeing absolutist statements like the one above,
>and it bothers me.
>
>If a web server is just a web server, the content is
>served to the client, going outbound...not coming into
>the server. If the purpose of the system is to take
>known-good pages (from the owner) and make them
>available to the public (over ports 80 and 443), then
>what is the point of A/V software?
>
>I'm seeing a lot of people say that A/V software is
>necessary, and that it's part of a 'holistic' or
>'defense in depth' approach, but this really sounds
>more like Dilbert's "buzz word bingo" than anything
>else.
>
>
>
>>Certainly, servers need to be patched, firewalled,
>>isolated, and locked down. Additionally, code
>>should be audited for vulnerability to XSS and SQL
>>injection.
>>
>>
>
>Yes, without a doubt. This is all part of good
>administration.
>
>
>
>>None of these things are perfect. Not that AV is
>>perfect, but it is another layer of defense - making
>>it part of that "Defense in Depth" strategy.
>>
>>
>
>But, defense against what?
>
>
>
>>AV has grown into more than just defense against
>>viruses. It is often effective against worm code,
>>and some AV has identified common hacking tools
>>(e.g. - NetCat) as something that doesn't belong on
>>most systems. You can argue the viability of this
>>move, but most companies - if they have a security
>>team - have less than 0.1% of their machines which
>>maybe should have it there.
>>
>>
>
>"something that doesn't belong on most systems"? How
>does it get there? If a web server is properly
>configured and managed, then perhaps the most likely
>means of infection is from the administrator
>himself...and in such cases, A/V software is useless.
>
>
>
>>AV needs to be part of the cost of running Windows -
>>for better or for worse.
>>
>>
>
>Again, I'm seeing this as an approach that's being
>parroted, rather than thought out. I'm not saying
>that MS products are perfect...not at all. But what I
>am saying is that using proper administration
>principles, those that have been espoused for well
>beyond the past decade, paying additional money to add
>yet another software package to a web server simply
>doesn't make good business sense.
>
>Why pay more money for another application to
>maintain, and another set of logs that you're not
>reviewing anyway?
>
>Several years ago, Dave LeBlanc set up an IIS 4.0
>server in accordance with simple common sense, and it
>was not vulnerable to Code Red...a full year before
>Code Red was launched.
>
>When Code Red was launched, A/V software would not
>have helped. However, if the .hta script mapping had
>been disabled the day before Code Red came out, then
>guess what? No problems.
>
>Should systems have A/V software in place?
>Maybe...depending upon the function and purpose of the
>system. Does it make sense? Does it make good
>business sense? What's the business
>reason/justification for installing another software
>package (for $$) over disabling current functionality
>(which doesn't cost anything)?
>
>Harlan
>
>
>
>------------------------------------------
>Harlan Carvey, CISSP
>"Windows Forensics and Incident Recovery"
>http://www.windows-ir.com
>http://windowsir.blogspot.com
>------------------------------------------
>