Yeah, I know, but it's a way to keep the peace with the DBAs... we're taking away their local admin rights on database servers. They are not real happy about that...

On 8/28/08, Sam Cayze <[EMAIL PROTECTED]> wrote:
>
> As far as web sessions on servers, I just have the support agent webex to
> my workstation, and I RDP into the server, and share the RDP session with
> them.
>
> That means you can adhere to no internet and ActiveX on your Servers.
>
> Food for thought.
>
> ------------------------------
> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, August 28, 2008 2:43 PM
> *To:* NT System Admin Issues
> *Subject:* Re: AV on *all* servers...or no?
>
> Hmmm, well, no concrete decisions, but some options to present to the
> manager. We will almost certainly be removing the internet access on
> almost all servers most likely using ISA rules to block or allow access.
> This will give the DBAs the ability when needed to do web-ex support calls
> with Oracle, Siebel, etc, but not have the servers carte blanche internet
> access. We're also looking at using ClamAV along with McAfee, letting
> McAfee handle on access/write scanning but have ClamAV do the full on-demand
> scans, and making on-demand scans a weekly event rather than a daily event
> on most servers, (file servers would stay daily because users save files to
> them, it would be foolish to open that hole).
>
> This seems to be a reasonable solution in my opinion but of course, final
> decision rests with our manager.
>
> On 8/28/08, David Lum <[EMAIL PROTECTED]> wrote:
>>
>> "True, but, how did that virus get inside the domain in the first
>> place?" They had no clue. One conceivable method would be a compromised
>> laptop that was outside the LAN for a while and not updated until hitting
>> the LAN again – DOH! Hit the LAN, infect some servers, then find out the
>> laptop was infected…. We have plenty of laptops that float around (and yes I
>> know with SCCM I can adopt a desired config to keep things off my LAN until
>> they meet x requirements, but we are nowhere near that yet).
>>
>> Good points and yes, I for one am interested in what you guys decide.
>>
>> Dave
>>
>> PS I agree ePO is a major pain in the arse….
>>
>> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>> *Sent:* Thursday, August 28, 2008 10:12 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: AV on *all* servers...or no?
>>
>> True, but, how did that virus get inside the domain in the first place?
>> We scan email in multiple places (gateway, Exchange) with multiple virus
>> scanning engines, workstations have virus scan that scans on access, on
>> read, on write etc, then it shouldn't ever get in.
>>
>> I'm not necessarily advocating removing virus scan from all servers all
>> the time, I just think that this idea (I'm talking about my local setup) of
>> every server having the same setup/configuration needs to be re-evaluated.
>>
>> I'll let y'all know what we decide in our meeting this afternoon.
>>
>> On 8/28/08, *David Lum* <[EMAIL PROTECTED]> wrote:
>>
>> What about viruses (viruii?) that spread via network share? Taking the
>> gateway out won't stop those kind (W32/Sircam, etc). Textron had an issue
>> when as soon as they'd bring up a new server it would get infected as soon
>> as it joined the domain because some other had the virus…
>>
>> Dave
>>
>> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>> *Sent:* Thursday, August 28, 2008 9:27 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: AV on *all* servers...or no?
>>
>> Ok, this is something that I've been dealing with/battling the powers that
>> be for the last several weeks. Unfortunately, I'm stuck with McAfee Virus
>> Scan Enterprise using EPO to manage it. Over the last several weeks I've
>> had a problem with my backups to various servers failing (Backup Exec v11d)
>> with an error that it cannot connect to the remote agent on the specified
>> server. Then the next day or a day or so later, it's fine for several days,
>> so I KNOW it's not a failure of Backup Exec or the remote agent. In
>> researching the problem, I can pinpoint when it is failing in the BE job
>> log, and pinpoint that McAfee on-demand scan is happening at the same time
>> on the server. Problem goes away when I finally manage to get EPO to stop
>> the on demand scan on the server (don't get me started on EPO, it's a royal
>> pain in the ocola). My argument is that not all servers need to have virus
>> scan on them, and that they can be further secured by removing their
>> gateway. I firmly believe that servers such as file and print that users
>> can write data to absolutely must have a virus scan application on them,
>> regardless of performance hit. Users just can't be trusted. But most
>> servers that are not directly touched by users saving files to it, not
>> surfing the internet (IMNSHO, no servers should ever be used to surf the
>> internet from), have their gateway removed and no or minimal virus scanning
>> on them should be a reasonable approach. BTW, we are having a group meeting
>> this afternoon at 1PM to discuss this subject. I guess I've been a squeaky
>> wheel ;)
>>
>> On 8/28/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>> IMHO, it isn't needed on all servers, or even the majority of them, *IF*
>> your clients are up to date with AV software. I sometimes don't want the
>> extra overhead on my servers of having AV installed, management of the
>> software, patching of software, the all-too-often conflict of AV with
>> other software, etc.
>>
>> But, OTOH, I don't necessarily think it's a bad thing to have AV installed
>> on all servers in certain circumstances when done right. Just not
>> NEEDED.... (IMHO).
>>
>> JR
>>
>> Original Message:
>> -----------------
>> From: David Lum [EMAIL PROTECTED]
>> Date: Thu, 28 Aug 2008 08:53:12 -0700
>> To: [email protected]
>> Subject: AV on *all* servers...or no?
>>
>> [Cross posted here and on the Vipre Enterprise list]
>>
>> There is some debate among my fellow IS staff here whether AV should be on
>> all 200+ of our servers. From my standpoint my question would be "Why
>> not?" - put it on all servers and exclude what's necessary. We are "SQL
>> heavy" and I'm sure performance is the primary concern, but is there any
>> compelling reason to completely leave it off of some servers?
>>
>> Dave Lum - Systems Engineer
>> 971-222-1025
>> Northwest Evaluation Association - www.nwea.org
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> --------------------------------------------------------------------
>> mail2web LIVE – Free email based on Microsoft(R) Exchange technology -
>> http://link.mail2web.com/LIVE
>>
>> --
>> Sherry Abercrombie
>>
>> "Any sufficiently advanced technology is indistinguishable from magic."
>> Arthur C. Clarke

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
