How are you protecting your Windows servers against malware? Whether we're talking about Active Directory domain controllers, Exchange or SQL Server-based systems, file servers or even systems serving up basic VPN access or terminal services, what you’re doing may be inadequate at best.
It’s only been in the last couple of years that I’ve started seeing Windows servers running any sort of malware protection. But why is malware protection still not taken seriously at the server level? It could be that administrators think, “It’s the server and no one’s really doing much on it,” or “I may not trust my users in the fight against malware, but I’m confident that I’m not going to have any missteps on the server that could cause a malware infection.” Everyone has his own take on the subject.
If you don’t want to get bitten, you’ve got to be more proactive in protecting your Windows servers. I worked on a recent project where that didn’t happen and a business ended up with thousands of systems, including dozens of Windows servers that were infected by an advanced persistent threat (APT) from halfway around the world. Some servers were protected and some weren’t. It’s this very inconsistency that can work against you. Not only that, but your business may be bound by compliance regulations such as PCI DSS, HIPAA and others. Or perhaps your legal team has agreed to contracts or SLAs that involve malware protection.
It is important to understand that regardless of the intended (or actual) use of your Windows servers, they’re very likely at risk of a malware infection. And it’s not just your highly-visible production systems – it’s all of them. Like I recommend to my clients when it comes to performing information security assessments: why only look at a subset of your environment when, ultimately, anything and everything is fair game? The bad guys and malware know no boundaries so you’re better off protecting everything across the enterprise, including what you believe are strategically unimportant Windows servers.
Here are 10 questions you can ask yourself to help get a handle on malware protection for your Windows servers:
- Which malware threats are we trying to protect against, and have we documented these threats in our incident response plan?
- What regulations, policies and contracts are we accountable for?
- Do we need to perform real-time scanning?
- Are there certain file/folder exclusions we need to incorporate into our anti-malware software configuration to prevent bottlenecks to other problems?
- Do we need additional protection at the Web browser level to thwart phishing and browser-related attacks?
- Are admins checking their email on our servers? Is there a better way to help minimize these risks?
- What’s the best approach to full system scans and/or are they even needed?
- Do we need to protect just the OS volume or do our data volumes have files that can become infected?
- Outside of production, what other physical and virtual Windows servers need to be protected?
- Is our perimeter or cloud-based anti-malware providing enough protection to justify not running anything at the server level?
After answering these questions, you should review Microsoft's set of basic guidelines for anti-malware software running on Windows servers.
If you really dig in and think about these issues you’ll likely find that your servers are under-protected against malware. If you choose to install anti-malware software on your Windows servers, focus on the right target. Rather than worrying about which malware vendor is “best” (I don’t think there is one best solution), focus on the best approach for keeping your servers malware free. This may mean running the same or different anti-malware software that you’re running on your Windows desktops.
Only you’ll know what’s best. Just do something.
Follow searchWindowsServer on Twitter @WindowsTT.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter @kevinbeaver.