> When this discussion began, I started thinking about
> if there were any scenarios where I would want to
> run a Windows server without AV software. After
> giving it much thought, I decided that I would not
> want a conventional server (providing a standard
> TCP/IP service), ever, without AV software.
Okay, since the discussion has moved specifically from
_web servers_ to servers in general, I have taken the
liberty of modifying the subject line accordingly, so
as not to confuse the readers (and most especially,
the moderator).
> There is no doubt there have been many security
> holes in Windows. Some of them have been
> remotely-exploitable without user intervention (RPC
> vulnerabilities, for example).
With respect to web servers, if the system is running
RPC/DCOM, then it is no longer *just* a web server.
This is a point I've been making all along. If you
install IIS 6.0 on a stock installation of Win2K3,
without any modifications, then there exists a flaw in
the security process, for which the installation of
A/V software is a poor band-aid.
WRT servers in general, I would have to wonder why
these servers are being treated in isolation. Do
companies (or any other organization) really put
sensitive information on systems that are simply
plugged into the Internet, with no surrounding
infrastructure at all? If that's the case, then I say
again, A/V software is a poor band-aid b/c something
in the security process is broken. Such breakdowns
cannot be resovled with the installation of software
packages...the process itself must be fixed.
> Without AV software,
> I have no chance of catching anything that comes
> into my server through unexpected means.
If the means are unexpected, then how do they get
caught? IMHO, part of the security process is to
reduce the attack surface, limiting those resources
that are exposed, and securing those that are.
> With AV
> software, the odds improve that I will find the
> virus or worm around the time it is trying to get
> in. The odds may not be 100%, especially for a
> 0-day.
Interesting. If the malware is not 0-day, is it then
known? What's the timeframe? Are we talking about a
scale of weeks or months? If that's the case, then it
is known, and understood...perhaps not by the person
who administers the machine, though.
> However, I have a slim chance that
> heuristics may catch it. I will take a slim chance
> over no chance.
And I choose to take an educated approach,
understanding the purpose of the system, it's
exposures, and what I can do to protect it.
Great comments, thanks.
> When this discussion began, I started thinking about
> if there were any scenarios where I would want to
> run a Windows server without AV software. After
> giving it much thought, I decided that I would not
> want a conventional server (providing a standard
> TCP/IP service), ever, without AV software.
Okay, since the discussion has moved specifically from
_web servers_ to servers in general, I have taken the
liberty of modifying the subject line accordingly, so
as not to confuse the readers (and most especially,
the moderator).
> There is no doubt there have been many security
> holes in Windows. Some of them have been
> remotely-exploitable without user intervention (RPC
> vulnerabilities, for example).
With respect to web servers, if the system is running
RPC/DCOM, then it is no longer *just* a web server.
This is a point I've been making all along. If you
install IIS 6.0 on a stock installation of Win2K3,
without any modifications, then there exists a flaw in
the security process, for which the installation of
A/V software is a poor band-aid.
WRT servers in general, I would have to wonder why
these servers are being treated in isolation. Do
companies (or any other organization) really put
sensitive information on systems that are simply
plugged into the Internet, with no surrounding
infrastructure at all? If that's the case, then I say
again, A/V software is a poor band-aid b/c something
in the security process is broken. Such breakdowns
cannot be resovled with the installation of software
packages...the process itself must be fixed.
> Without AV software,
> I have no chance of catching anything that comes
> into my server through unexpected means.
If the means are unexpected, then how do they get
caught? IMHO, part of the security process is to
reduce the attack surface, limiting those resources
that are exposed, and securing those that are.
> With AV
> software, the odds improve that I will find the
> virus or worm around the time it is trying to get
> in. The odds may not be 100%, especially for a
> 0-day.
Interesting. If the malware is not 0-day, is it then
known? What's the timeframe? Are we talking about a
scale of weeks or months? If that's the case, then it
is known, and understood...perhaps not by the person
who administers the machine, though.
> However, I have a slim chance that
> heuristics may catch it. I will take a slim chance
> over no chance.
And I choose to take an educated approach,
understanding the purpose of the system, it's
exposures, and what I can do to protect it.
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]