Okay..... so then
no OWA
no WSUS
no Sharepoint
We do get to do file and printing on this server or is that banned as
well? Define 'web server' folks because these days we 'are' running
IIS/web servers in our domains because [at least in the case of WSUS]
it's actually helping us reduce risk and not increase it.
Depp, Dennis M. wrote:
Jeff,
Interesting comments. Especially about not having IIS in a domain.
Gill,
To me the issue of virus protection depends on how you get content
installed on a machine and what type of content is on the machine If you
have a lot of users loading documents to your web servers, you might
want to consider adding virus protection to the servers. Of course you
should also have virus protection on the desktops as well. I would not
configure on access virus scanning, but instead would have scheduled
scanning.
Dennis
-----Original Message-----
From: Jeff [mailto:jeff@turbofish.com]
Sent: Monday, July 18, 2005 4:15 PM
To: focus-ms@securityfocus.com
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on
them?
Another thing with IIS is it is always good to keep it out of the domain
altogether. Plus, I monitor all traffic to and from the machine. For
example, our email/IIS server doesn't attach to the network, it sits all
by
it's lonesome on a completely different hub that doesn't touch any of
the
networked machines. Ok, it doesn't really get lonely, I talk to it
everyday
and it does sit right next to the other servers. I think I caught it
winking
at the big SQL server the other day - people are beginning to talk.
But seriously, you need to check SP everyday and keep all of the holes
filled so yes, you are correct, that is number one. At the same time, I
have
found it helpful to pick and choose which patches to install. I have had
hardware updates from Microsoft that caused me nothing but grief.
Other concerns with running a IIS server is data. I don't even like
hooking
it's SQL server [smallish - just to run web data with] with our big SQL
server because of security reasons. I even turn off the lights just so
that
the other servers won't get jealous
Viruses shouldn't be too much of a trouble with IIS because the vast
majority of all viruses are activated via email, the rest with a few
rogue
sites. Don't run an email client on it, don't surf the web with it, keep
all
extra ports locked down, keep all of the service packs and security
releases, be careful if you run an email server that saves the emails in
temp files, and just as an extra protection, it wouldn't hurt to have a
anti-virus running.
Ok, I'm going home to start working on the non system admin programming
side
of my job - maybe even get some sleep. I hate these 16 hour work days
without sleep. You know it's bad when I enjoy getting a power outages
that
knocked off all of the PC's in our network. No power, no PC/server
problems!
-----Original Message-----
From: Shyaam
Sent: Monday, July 18, 2005 10:20 AM
To: ssgill@gilltechnologies.com
Cc: focus-ms@securityfocus.com
Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
them?
According to my level of knowledge(which is very minimal, in this
especially), I would say that a web server should be patched well first.
the
anti-virus is a secondary issue. Ofcourse, you need an antivirus too,
but
there should always be good patches implemented which checks for the
latest
signatures.
--Shyaam
On 7/17/05, Sarbjit Singh Gill <ssgill@gilltechnologies.com> wrote:
Greetings
Should IIS have anti-virus installed on them. I know I would do it for
a fileserver but for IIS, I rather lock it down.
Thanks.
/Gill
----------------------------------------------------------------------
-----
----------------------------------------------------------------------
-----
--
Thank you in advance for your time and consideration.
Yours Sincerely,
R.S.Shyaam Sundhar
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
---------------------------------------------------------------------------
---------------------------------------------------------------------------
