Network Security Focus-Microsoft

RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
Date: Thu, 21 Jul 2005 12:46:29 -0500

If you are in an industry that is subject to audits like the SAS70, it is incumbent to prove why you are *not* taking "industry standard" or "best practice" precautions. You don't justify an installation of A/V, for instance, you justify why you don't have it. Certain MS patches cause Metaframe XP to implode; it gets documented, and auditors nod rather than scowl.

If all your (internal and externally facing) web servers are configured to a baseline, and you can document that x, y, and z do not have access to the file structure on the box itself or on the machine holding the web content, and you can prove default deny with 1/2/3 open inbound ports, UNC paths are not available, and...

Or, you can take the tack that it impacts performance too much... Well, we've seen examples of how to minimize it. If AV causes that big of a performance drain, and it's not a configuration issue, then your capacity planning is a suspect that will be examined more closely by your auditors.

Or, you can install it, configure it to do at least a nightly scan on all but content, and pay your $35 per license and check the box.

A/V isn't a panacea, of course, nothing ever is. It's about defense in depth. A perfectly secured web server will have an incident occurrence rate of 2%. Great, that may be a risk you accept. But to establish that as the occurrence rate, you have to be sure to the six nines that everything else is right. Can you guarantee that if anybody besides you touches anything?

To return to my original point, A/V is too cheap, and is too easy to configure properly for classes of servers, to have much of a reasonable hope of justifying why it's *not* installed. In regulated or sensitive industries, you must justify deviation from certain standards. If you can, great. Write your specific reasons down, and you've justified *not* installing it. Having principle-based discussions with a team of auditors, in an attempt to justify best practice deviation, flies about as far as a lead balloon.

If you're not being audited, great. If you never think you'll be sued, fantastic. I've always been a big believer that it's possible to be a small "world-class" company, as long as you meet the standards. Trickle down: you're a world class employee when you think like you work at a world class organization.

Joe Marsh


