Sign in to follow this  
Followers 0

Server Antivirus


9 posts in this topic

Posted

Hi Neowinians!

I have run into a bit of a situation - i am a semi-admin for a small family business (of about 5 people or so). We have recently gotten someone in to design some software for us, and for "security reasons" he suggests installing an Antivirus on the server (specifically SBS 2008).

Currently the server is used as a file server (network shares) and will be used with exchange (2007). It hosts no externally visible web pages (only the local intranet page) and its only externally visible is a (fully updated) RDP server for admin tasks only (that is, its not running RDP for general use). I perform no tasks on it, and someone would log onto it every few months - tops. Only people who are 'tech savvy' have access to the server - and it has UAC on it. As i said, we're a small company, so we're not going to get any directed 'hate attacks', we have no published IP/DNS record. Windows firewall is configured, a hardware firewall (NAT/SPI) is in place, and all clients connecting (via VPN) have AV.

General consensus on the net seems to be to install an AV for the server - however it all seems to be knee-jerk justifications "install AV for securitieeez", without providing an actual reason. I mean i understand it WILL be more secure as it can't make it worse...but i mean, what is the actual attack vector for a virus to a server? It seems like a big overhead for our server, which will already struggle with Exchange (8GB of DDR2 RAM and a 2.66Ghz Core 2 Quad).

What do people think?

Thanks for any advice =)

Regards,

UL

Share this post


Link to post
Share on other sites

Posted

Definitely a knee jerk reaction. If you're happy with how it is keep it that way.

I imagine you're behind a firewall so the only way a virus will make it onto your server is by someone using remote desktop and going to dodgy sites \ using warez.

The main thing is to keep the box up to date with all windows \ exchange updates.

Share this post


Link to post
Share on other sites

Posted

if your server is not directly open for Internet or Internet use, & any USB Vaccination, then you're safe, or you can use any light weight Antivirus (for safe side) like Panda.

Share this post


Link to post
Share on other sites

Posted

if users cannot save to any network shares on the SBS box (including home drives & inc admin$ shares), that reduces the localised risk.

id recc something filtering your exchange services for malware/spam though.

Av serves two purposes in the "admin" role, not only gives realtime protection, it also mitigates risk.

TBH Id run av on the server regardless you could always only have on access scanning on writing to the server and most SBS packages will have an smtp or exchange plugin/agent.

You could do a file scan every night.

Share this post


Link to post
Share on other sites

Posted

I can understand the concern if you are using it as a file server for your business.

If the desktop experience role is added, it should bring Microsoft Windows Defender with it which better than nothing and is non-intrusive and shouldn't cause any noticable performance issues. The only drawback will be if you are monitoring Windows Updates as you will regularly get definition updates.

Share this post


Link to post
Share on other sites

Posted

The main issue with the server has to be how exposed it is to the user network. If it is in its own subnet/broadcast domain and is well firewalled with only specific and explicit ports being allowed in to it (and better yet IPSec for file share access) then the attack vector is lower.

If however you have a user network where all of your users insist in living in administrator accounts on the same LAN segment with the same AD user account that has full access to the server, then you have identified the weak point and are wholly reliant on the AV solution on workstations to protect the server. The next time Sophos, McAfee or Symantec (etc) put out a bad DAT and wreck the AV scanning enging on the workstation, you may be left with nothing between it and the next Java exploit.

The real answer is to cost benefit of it to YOUR business (not mine or anyone else

3 people like this

Share this post


Link to post
Share on other sites

Posted

Thanks for the quick replies people =)

That's was my thought - a can have, but not a must have. If no one actually DOES anything on the server, there is no need for it (i don't think i have actually opened an external website on the server before lol)

Regards,

UL

Edit:

Sorry, didn't see the replies from Mando, Aergen and C:Amie.

None of the users have admin rights to the server, and i don't believe we actually have AD set up (default SBS install, basically). There aren't any domain computers on the network. Even if someone dumps an infected file onto a server share...that won't actually DO anything to the server, will it? i mean yes, it will be on the server...but it cant spontaneously insert itself into any processes.

With regard to exploits, the server doesn't actually run java as a side note, but all software is up to date...and an AV wont actually protect from exploits, will it? In my experience i rarely see an AV actually DO anything - UAC is what really saves. (On a desktop computer i would say turn on UAC and go no AV, rather than have an AV with UAC off)

If i could throw in more RAM, i would...but the server only has 4 slots, and i can't find any 4GB DDR2 sticks =(

I won't "do what im told", but it would be naive not to seek advice from people (likely) more experienced - I am far from an experienced network admin =P

Thanks again! =)

Share this post


Link to post
Share on other sites

Posted

actually yes it can do something to the server if you are not signed on to it. There are ways for the server to get infected even if you are not logged onto it.

The morto worm is just one that would do so using a exploit in rdp.

http://www.infosecur...com/view/27277/

There was a SQL worm virus in 2003 that exploited holes in SQL (again don't have to be logged on into the server to get the virus).

While most viruses and malware you have to be logged onto the server to be able to get infected, there are quite a few that just having a server on the network could get the server infected. I have only listed examples of malware that have previously infected servers in the past without logging into them, this could happen again and if your system is not protected it could happen to you. It is better to have something on the server than not to protect it, esp if opening it up to the internet...the only way to be 100% and not get it infected is if you unplug the network cable and do not have it attached to any wireless network, but then what is the point of central storage when you can't attach to it some way?

Share this post


Link to post
Share on other sites

Posted

[First of all, a disclaimer: I happen to work for a company that develop anti-malware software, so please keep that bias in mind when reading my reply. AG]

Hello,

It's not clear to me from reading the message thread as to whether the network containing the server has Internet access or not. If this is an isolated (non-Internet connected) network, than installing and updating security software on it is probably going to be more for compliance or insurance reasons, than anything else (e.g., install the virus signature database at the same time OS and application patches are brought in on disc).

If the server is connected to the Internet, or other devices attached to the same network it's on are connected to the Internet, than one needs to start thinking about the way in which those systems could be compromised, and what that might lead to for the business if those hosts

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.