Forgive my ignorance here, but can Microsoft's NAP/NAC implementation operate independently of the DNS/DHCP infrastructure? In my environment, NAP/NAC would be an awesome addition to our security, but if it relies on anything outside an agent-based implementation (DNS,DHCP, routeror switch configuration, etc.), I don't have the ability to implement it.
From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2008 10:44 AM To: NT System Admin Issues Subject: RE: AV on *all* servers...or no? Have you folks looked at NAP (even outside of the ConfigMgr infrastructure)? From: David Lum [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2008 1:39 PM To: NT System Admin Issues Subject: RE: AV on *all* servers...or no? "True, but, how did that virus get inside the domain in the first place? " They had no clue. One conceivable method would be a compromised laptop that was outside the LAN for a while and not updated until hitting the LAN again - DOH! Hit the LAN, infect some servers, then find out the laptop was infected.... We have plenty of laptops that float around (and yes I know with SCCM I can adopt a desired config to keep things off my LAN until they meet x requirements, but we are nowhere near that yet). Good points and yes, I for one am interested in what you guys decide. Dave PS I agree ePO is a major pain in the arse.... From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2008 10:12 AM To: NT System Admin Issues Subject: Re: AV on *all* servers...or no? True, but, how did that virus get inside the domain in the first place? We scan email in multiple places (gateway, Exchange) with mutliple virus scanning engines, workstations have virus scan that scan's on access, on read, on write etc, then it shouldn't ever get in. I'm not necessarily advocating removing virus scan from all servers all the time, I just think that this idea (I'm talking about my local setup) of every server having the same setup/configuration needs to be re-evaluated. I'll let ya'll know what we decide in our meeting this afternoon. On 8/28/08, David Lum <[EMAIL PROTECTED]> wrote: What about viruses (viruii?) that spread via network share? Taking the gateway out won't stop those kind (W32/Sircam, etc). Textron had an issue when as soon as they'd bring up a new server it would get infected as soon as it joined the domain because some other had the virus... Dave From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2008 9:27 AM To: NT System Admin Issues Subject: Re: AV on *all* servers...or no? Ok, this is something that I've been dealing with/battling the powers that be for the last several weeks. Unfortunately, I'm stuck with McAfee Virus Scan Enterprise using EPO to manage it. Over the last several weeks I've had a problem with my backups to various servers failing (Backup Exec v11d) with an error that it cannot connect to the remote agent on the specified server. Then the next day or a day or so later, it's fine for several days, so I KNOW it's not a failure of Backup Exec or the remote agent. In researching the problem, I can pinpoint when it is failing in the BE job log, and pinpoint that McAfee on-demand scan is happening at the same time on the server. Problem goes away when I finally manage to get EPO to stop the on demand scan on the server (don't get me started on EPO, it's a royal pain in the ocola). My argument is that not all servers need to have virus scan on them, and that they can be further secured by removing their gateway. I firmly believe that servers such as file and print that users can write data to absolutely must have a virus scan application on them, regardless of performance hit. Users just can't be trusted. But most servers that are not directly touched by users saving files to it, not surfing the internet (IMNSHO, no servers should ever be used to surf the internet from), have their gateway removed and no or minimal virus scanning on them should be a reasonable approach. BTW, we are having a group meeting this afternoon at 1PM to discuss this subject. I guess I've been a squeaky wheel ;) On 8/28/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: IMHO, it isn't needed on all servers, or even the majority of them, *IF* your clients are up to date with AV software. I sometimes don't want the extra overhead on my servers of having AV installed, management of the software, patching of software, the all-too-often conflict of AV with other software, etc. But, OTOH, I don't necessarily think it's a bad thing to have AV installed on all servers in certain circumstances when done right. Just not NEEDED.... (IMHO). JR Original Message: ----------------- From: David Lum [EMAIL PROTECTED] Date: Thu, 28 Aug 2008 08:53:12 -0700 To: [email protected] Subject: AV on *all* servers...or no? [Cross posted here and on the Vipre Enterprise list] There is some debate among my fellow IS staff here weather AV should be on all 200+ of our servers. From my standpoint my question would be "Why not?" - put it on all servers and exclude what's necessary We are "SQL heavy" and I'm sure performance is the primary concern , but is there any compelling reason to completely leave it off of some servers? Dave Lum - Systems Engineer 971-222-1025 Northwest Evaluation Association - www.nwea.org ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -------------------------------------------------------------------- mail2web LIVE - Free email based on Microsoft(r) Exchange technology - http://link.mail2web.com/LIVE ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
