Harlan,
We chatted about this offline, and we sort of agreed to disagree, but besides
the catch-all "good admin practices", what processes, procedures, or hardening
steps are you performing that fully replace Anti-Virus software on any system?
Are you patching your production web server the day of MS and other vendor
patch announcements at day-zero? What about day -1? Do you run full-scale,
multi-engine penetration tests on your IIS box to test all of its components
and connected systems 24/7 to verify that it is attack proof? I've gotta have
these procedures!
It seems to me that A/V vendors are providing value in their products, and that
value is self evident. Security is all about managing risk versus the cost of
doing so. If you have done a risk analysis that shows that A/V and the cost to
purchase, maintain and support it outweigh the benefits of malware risk
reduction on a highly visible, internet facing, critical (in the case of
web-dependant companies) piece of infrastructure, I would love to see it. It
may be true for your environment. No one knows for sure but you.
In my environment, it just does not compute.
Mark
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Tuesday, July 19, 2005 7:49 PM
To: Steven Hay; focus-ms@securityfocus.com
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on
th em?
I have a completely different view. I think that
AV, while not the silver
bullet, is a solid line of defence.
Perhaps, but from what? It won't protect the box from
being broken into, and the argument that it will
protect you from things we don't know about yet just
doesn't hold.
The more
lines of defence you have, the more proactively you
have secured your environment.
And the more things you have to manage, and the more
things you have to look at when troubleshooting an
issue...and yet another set of logs that you have to
review.
In a perfect world everything would be nicely
secured, things like Windows
and TCP/IP would have been designed for security and
we would all be proactive not reactive.
But you can be proactive with Windows...there are a
great number of things you can do to secure a Windows
system proactively. The problem is that few of them
are done.
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
