So I'm reading Part 2 of Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations, and I see:
"Part 1 of this guide recommends that the SYSVOL folder be excluded from virus scanning. However, excluding SYSVOL increases the risk of a virus attack on a domain controller because viruses tend to attach to files that are executed such as binaries or scripts. The SYSVOL folder contains important executables such as logon and startup scripts. As a counter-measure, implement script signing to protect the integrity of scripts running on domain controllers and administrative workstations. For information on implementing script signing see "Running Antivirus Software on Domain Controllers and Administrative Workstations," in Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I"

I also come across Q284947 - Antivirus Programs May Modify Security Descriptors and Cause Excessive Replication of FRS Data in Sysvol and DFS. Of course our AV vendor says 'they' never had that problem and don't modify descriptors. Then they later told our AV Product Manager that they recommend excluding "the database files".

So I poke around a little more and see a newsgroup post that Tony made a while back saying, "Also, if you're running AV software on your DCs be sure to exclude the SYSVOL. This is a strong recommendation from Microsoft." I don't know if that just had to do with the Q284947 issue or was a more general recommendation...

On Trend's site I find:

i) Things to Exclude From scanning on Windows 2000 Domain Controllers
   (1) Do not Scan the Active Directory folders and Exclude the following
       (a) NTDS.DIT
       (b) The NTDS folder
       (c) The SYSVOL Folder

"Active Directory is a text based database and cannot store executable code, therefore it does not need to be scanned. The risk in scanning the Active Directory database is a false positive that will quarantine or worse delete or corrupt the database. This is why these are excluded."
I also come across a posting by one of the MS guys in the DFS newsgroup that says: "Make sure AV doesn't run against the FRS set and if it does you are using one that is smart enough to not trigger a full replication. Some AV software busts stuff in FRS pretty bad and forces you to rereplicate the files every time the AV touches them. Ouch. The AV software vendor can tell you what their recommendations are in touch of FRS (they will probably talk about SYSVOL, not FRS generally, but same diff)."

So I'm wondering what you folks do in your environments and if there is a general best practice that isn't vendor specific.

Thanks

Bob Free
Sr. Network Specialist
ISTS/ITUSS/DC/System Server Support
PG&E
Auburn, Ca

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
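As an added example (not part of Bob's post or of the guides he quotes), a PowerShell audit run on a domain controller that reads the real NTDS.DIT, NTDS folder and SYSVOL locations from the registry, checks whether each is covered by the antivirus exclusion list, and lists SYSVOL scripts that lack a valid Authenticode signature (the script-signing counter-measure the Part 2 text calls for). It assumes Microsoft Defender's Get-MpPreference as the source of the exclusion list; other AV products expose their exclusions differently, so that one line is the vendor-specific part.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Microsoft Defender for the
# exclusion query; the registry locations below are the standard NTDS/Netlogon values.

$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Paths the quoted guidance says should not be scanned, resolved from this DC's own config.
$expected = @(
    $ntds.'DSA Database file'        # NTDS.DIT itself
    $ntds.'DSA Working Directory'    # the NTDS folder (checkpoint and temp files)
    $ntds.'Database log files path'  # ESE transaction logs
    $netlogon.SysVol                 # SYSVOL root, i.e. the FRS/DFSR replica set
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

# Vendor-specific part: Defender's configured path exclusions.
$excluded = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ } |
            ForEach-Object { $_.TrimEnd('\') }

foreach ($path in $expected) {
    # A path counts as covered if it, or one of its parent folders, is excluded.
    # Ordinal, case-insensitive prefix match avoids wildcard surprises from -like.
    $covered = @($excluded | Where-Object {
        $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }).Count -gt 0
    [pscustomobject]@{ Path = $path; ExcludedFromScan = $covered }
}

# Script signing: report logon/startup scripts under SYSVOL whose signature is not Valid.
# Authenticode covers .ps1 and .vbs; .bat/.cmd cannot carry a signature, so they are
# listed as unsignable rather than checked.
$scripts = Get-ChildItem -Path $netlogon.SysVol -Recurse -File `
           -Include *.ps1, *.vbs, *.bat, *.cmd -ErrorAction SilentlyContinue

foreach ($s in $scripts) {
    $status = if ($s.Extension -in '.bat', '.cmd') { 'Unsignable' }
              else { (Get-AuthenticodeSignature -FilePath $s.FullName).Status }
    if ($status -ne 'Valid') {
        [pscustomobject]@{ Script = $s.FullName; SignatureStatus = $status }
    }
}
```

Any `ExcludedFromScan = False` row means the scanner is touching the database or replica set the guidance says to leave alone; any script row means SYSVOL content is running without the integrity check that is supposed to offset that exclusion.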
