Another thing with IIS is it is always good to keep it out of the domain
altogether. Plus, I monitor all traffic to and from the machine. For
example, our email/IIS server doesn't attach to the network, it sits all by
it's lonesome on a completely different hub that doesn't touch any of the
networked machines. Ok, it doesn't really get lonely, I talk to it everyday
and it does sit right next to the other servers. I think I caught it winking
at the big SQL server the other day - people are beginning to talk.
But seriously, you need to check SP everyday and keep all of the holes
filled so yes, you are correct, that is number one. At the same time, I have
found it helpful to pick and choose which patches to install. I have had
hardware updates from Microsoft that caused me nothing but grief.
Other concerns with running a IIS server is data. I don't even like hooking
it's SQL server [smallish - just to run web data with] with our big SQL
server because of security reasons. I even turn off the lights just so that
the other servers won't get jealous
Viruses shouldn't be too much of a trouble with IIS because the vast
majority of all viruses are activated via email, the rest with a few rogue
sites. Don't run an email client on it, don't surf the web with it, keep all
extra ports locked down, keep all of the service packs and security
releases, be careful if you run an email server that saves the emails in
temp files, and just as an extra protection, it wouldn't hurt to have a
anti-virus running.
Ok, I'm going home to start working on the non system admin programming side
of my job - maybe even get some sleep. I hate these 16 hour work days
without sleep. You know it's bad when I enjoy getting a power outages that
knocked off all of the PC's in our network. No power, no PC/server problems!
-----Original Message-----
From: Shyaam
Sent: Monday, July 18, 2005 10:20 AM
To: ssgill@gilltechnologies.com
Cc: focus-ms@securityfocus.com
Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
them?
According to my level of knowledge(which is very minimal, in this
especially), I would say that a web server should be patched well first. the
anti-virus is a secondary issue. Ofcourse, you need an antivirus too, but
there should always be good patches implemented which checks for the latest
signatures.
--Shyaam
On 7/17/05, Sarbjit Singh Gill <ssgill@gilltechnologies.com> wrote:
Greetings
Should IIS have anti-virus installed on them. I know I would do it for
a fileserver but for IIS, I rather lock it down.
Thanks.
/Gill
----------------------------------------------------------------------
-----
----------------------------------------------------------------------
-----
--
Thank you in advance for your time and consideration.
Yours Sincerely,
R.S.Shyaam Sundhar
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
