NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FOCUS-MS> 2005-q3

RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Harlan Carvey (keydet89yahoo.com)
Date: Wed Jul 20 2005 - 10:30:52 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Brady,

> If what I said was taken to be a cheap shot I
> apologize to all. It was
> meant to be a warning to never take the attitude
> that one is infallible,

Part of the reason I took your comment the way I did
was b/c no one in the thread, that I could see, was
taking the attitude that they were infallible. In
fact, it appears to me that it's quite the
opposite...the prevailing attitude seems to be that
A/V software should be installed "just in case", and
because "you can't possibly cover everything".

All in all, I felt that your warning was about as
appropriate as saying something like, "don't look
directly at the sun"...okay, good advice, but what did
that have to do with the thread?

> I'll digress a bit now and say this. No, an AV
> product is not a
> necessity on an IIS server, but then neither is a
> firewall. They are
> both just ways to minimize risk, and I can not see
> how anyone can oppose one and advocate the other.

Again, I'm not following you. If you've configured
your server so that it's only a web server, and
confirmed that the only open port is port 80 (and
perhaps port 443), what's the point of the firewall?
What ports would you then be blocking?

If a stateful inspection firewall or application proxy
is used, I wouldn't load either one on the same system
as the web server.

With regards to minimizing risk, I have to ask...what
risk? Based on what I'm seeing in the thread so far,
the risks imposed to the system largely occur when it
ceases to be *just* a firewall. Some respondants have
mentioned SMTP servers, file sharing, FTP servers,
etc...at which point, the web server ceases to be
*just* a web server and includes other services. The
function/role of the box has changed, and should be
considered.

> Would I recommend
> running IIS without
> either? No. If the added cost of either is too
> costly then let
> management make that call, but as a sys admin never
> rule out any security measure based on cost.

I think you're making a very valid point here, though
perhaps not the one you intended. You say that the
sys admin should not rule out any security measure
based on cost. In my experience, not a great many
sysadmins are security professionals - though some may
be. My point is that I'm not sure that the
run-of-the-mill sysadmin is really qualified to make
the call. Let's say Joe SysAdmin does install the A/V
software on a web server...what's his reasoning for
doing so? Most of the reasons I've seen so far have
been pretty ethereal...I've read statements about
"unknown threats", but that logic doesn't hold.
Unknown by whom? If it's unknown to the A/V vendor,
then what good is the software product going to do?

I've also received emails/responses from folks talking
about some of the threats we've seen. One respondant
(I'll go out on a limb here and guess that he was/is a
sysadmin) stated to me that he "saw" an A/V product
block a SQL Spida worm infection. IMHO, there are
larger issues at work here, b/c if that admin didn't
understand how Spida does what it does (ie, look for
blank 'sa' accounts), in the larger scheme of things,
A/V software (on a database server in this case) is
only a band-aid solution and doesn't address the real
issue(s).

> What are we trying to protect ourselves from with
> AV? Well, except for
> the obvious viruses, worms and trojan horse answer,
> which seems
> smartass, I do know. What's the next threat going
> to be? No one knows
> that either. My system is fully patched and
> properly secured. Why do I
> need AV? Why do I need a firewall? Answer: To
> minimize risk against
> what you, or your product vendor didn't see coming,
> or the vulnerability
> that is discover and disclosed to the public before
> a patch, or other
> solution was released or found. Yes, they are both
> band-aid approaches,
> but sometimes band-aids is all you have.

Again, I ask you...if the exploit is previously
unknown, how is an A/V product going to protect you?
If it's "unknown", then presumably the A/V vendor
doesn't know about it either...so what good will their
product do you?

> AV software, firewalls, IDS
> systems, (I'm sure more could be named but I'm
> drawing a blank).
> They're all really band-aid approaches. If we could
> guarantee the
> security of our systems, none of them are needed.
> Unfortunately, we can not.

That argument doesn't make any sense at all, really.
You're saying that we can't guarantee security, which
I agree with. Security is not a point solution, it's
a process. But you're recommending point solutions.

If an exploit is previously unknown, how is A/V
software going to help you? If it's not known, and
especially if it's not known by the vendor, what good
is the product going to do you? Firewalls might work,
but if you've already got the port closed on the
system...ie, your web server isn't running an FTP
server, too...then what's the point? And IDS...*if*
you've had the foresight to purchase an IDS based on
heuristics, why would you just put that on the web
server?

> I also think it's being lost that a lot of web
> servers are not single
> admin, or a group of admin/developers posting
> content.

Then that is a security issue in and of itself, and
one in which installing A/V software is NOT the best
approach. After all, when you've got multiple admins
on the system, what is to prevent one of them from
disabling the A/V software all together.

> I work in
> academia and know a few other colleges that use IIS
> to give student
> space to create their own personal web page. Many
> ISPs give clients
> space too. Can it honestly be said that these
> admins don't need to
> install an AV client, or that it might be a good
> idea?

What would be the point? Why not simply set ACLs so
that files can be read but not executed? Or why not
reject all files in which the first two bytes read
"MZ"?

Also, what is the threat of a student uploading a
malware to a web server? If the malware cannot
execute on the web server itself due to ACLs, then to
what risk is the web server exposed? Sure, if someone
else comes along and downloads and executes the
malware, they will be infected, but as long as the
malware is sitting on the system, what harm is it
doing? I have copies of SubSeven on my system at
home...but none of them are running.

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]