What are "known good pages"? Unless I wrote them, I can not guarantee
the validity of every page. Many web server admins. are not the
webmaster or the sole web developer, and can't watch everyone 24/7.
Heck, you my not even be the only admin! I had to jointly administer
one once with another guy and I didn't even trust him! Even if you are
they only one, there's no harm in protect yourself. Look at it like
this, the Tour de France has the best cyclists in the world, surely the
know the proper way to ride bike, but yet they all wear helmets. Why?
Because no one is infallible. If you think you are... Well, ignorance
is bliss I guess.
The Code Red example is good, but just because AV wouldn't have helped
in one case, doesn't mean it wouldn't in another. I saw it save someone
from a SQLSpida worm infection. They patched, but apparently not
properly, or applied patches out of order down the road, or who knows,
so they were still vulnerable. Worm got dropped in through the exploit,
but the AV grabbed the file with the payload the second it hit the
drive. Sure, you could blame it on the sys admin. but we all make
mistakes so I could happen to anyone. Although, I admit some are less
likely then others. Ohh... This also is a good example to answer your
"how did it get there?" question.
Now I pose a question. If "servers need to be patched, firewalled,
isolated, and locked down. Additionally, code should be audited for
vulnerability to XSS and SQL injection." is "all part of good
administration." Then why isn't an AV client? None are infallible and
make your web server impervious to compromise, they only minimize risk.
They're just a layered defense. Why balk at another layer?
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Tuesday, July 19, 2005 11:11 AM
To: focus-ms@securityfocus.com
Cc: jeff@shawgo.com
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on
them?
So far, this is has been an interesting discussion, but beneath it all,
I'm seeing what I think is a disturbing trend.
Antivirus needs to be part of the overall security plan for all
Windows machines - it's just part of the cost of doing business - the
cost of the software, maintenance, and CPU overhead.
I'm seeing absolutist statements like the one above, and it bothers me.
If a web server is just a web server, the content is served to the
client, going outbound...not coming into the server. If the purpose of
the system is to take known-good pages (from the owner) and make them
available to the public (over ports 80 and 443), then what is the point
of A/V software?
I'm seeing a lot of people say that A/V software is necessary, and that
it's part of a 'holistic' or 'defense in depth' approach, but this
really sounds more like Dilbert's "buzz word bingo" than anything else.
Certainly, servers need to be patched, firewalled, isolated, and
locked down. Additionally, code should be audited for vulnerability
to XSS and SQL injection.
Yes, without a doubt. This is all part of good administration.
None of these things are perfect. Not that AV is perfect, but it is
another layer of defense - making it part of that "Defense in Depth"
strategy.
But, defense against what?
AV has grown into more than just defense against viruses. It is often
effective against worm code, and some AV has identified common hacking
tools (e.g. - NetCat) as something that doesn't belong on most
systems. You can argue the viability of this move, but most companies
- if they have a security team - have less that 0.1% of their machines
which maybe should have it there.
"something that doesn't belong on most systems"? How does it get there?
If a web server is properly configured and managed, then perhaps the
most likely means of infection is from the administrator himself...and
in such cases, A/V software is useless.
AV needs to be part of the cost of running Windows - for better or for
worse.
Again, I'm seeing this as an approach that's being parrotted, rather
than thought out. I'm not saying that MS products are perfect...not at
all. But what I am saying is that using proper administration
principles, those that have been espoused for well beyond the past
decade, paying additional money to add yet another software package to a
web server simply doesn't make good business sense.
Why pay more money for another application to maintain, and another set
of logs that you're not reviewing anyway?
Several years ago, Dave LeBlanc set up an IIS 4.0 server in accordance
with simple common sense, and it was not vulnerable to Code Red...a full
year before Code Red was launched.
When Code Red was launched, A/V software would not have helped.
However, if the .hta script mapping had been disabled the day before
Code Red came out, then guess what? No problems.
Should systems have A/V software in place?
Maybe...depending upon the function and purpose of the system. Does it
make sense? Does it make good business sense? What's the business
reason/justification for installing another software package (for $$)
over disabling current functionality (which doesn't cost anything)?
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
