The server defenses in your environment have a lot in common with your client defenses; both attempt to protect the same basic personal computer environment. The primary difference between the two is that there is generally a much higher expectation level placed on server defenses for reliability and performance. In addition, the dedicated roles that many servers play within an organization’s infrastructure will often lead to a specialized defense solution. The information in the following sections focuses on the primary differences between server defenses and the previously discussed client defenses.

Server Antivirus Protection Steps

Server antivirus configurations vary greatly, depending on the role of the particular server and the services it is designed to provide. The process of minimizing a server’s attack surface is often referred to as hardening. Excellent guidance is available on hardening Windows Server 2003 when it is used in various typical roles in an organization. For more information on this topic, see the Server Security Index page on Microsoft.com at:
http://www.microsoft.com/technet/security/topics/ServerSecurity.mspx.

Four of the basic antivirus steps to defend the servers in your organization are the same as those for your clients.

1.

Reduce the attack surface. Remove unwanted services and applications from your servers to minimize their attack surface.

2.

Apply security updates. Ensure all of your server computers are running the latest security updates, if possible. Perform additional testing as needed to ensure mission-critical servers are not adversely affected by new updates.

3.

Enable the host-based firewall. Windows Server 2003 includes a host-based firewall you can use to reduce the attack surface on your servers, as well as remove unwanted services and applications.

4.

Test using vulnerability scanners. Use the MBSA on Windows Server 2003 to help identify possible vulnerabilities in a server configuration. Microsoft recommends using this and other specialized vulnerability scanners to help ensure as robust a configuration as possible.

In addition to these common antivirus steps, consider using the following server-specific software as part of your overall server antivirus defenses.

 

General Server Antivirus Software

The primary difference between antivirus applications that are designed for client environments (such as Windows XP) and those designed for server environments (such as Windows Server 2003) has been the level of integration between the server-based scanner and any server-based services, such as messaging or database services. Many server-based antivirus applications also offer remote management capabilities to minimize the need for physical access to the server console.

Additional important issues that you should take into account when evaluating antivirus software for your server environment include:

CPU utilization during scanning. In a server environment, CPU utilization is a critical component of the ability of the server to perform its primary role for the organization.

Application reliability. A system crash on an important data center server has a far greater impact than a single workstation crash. Therefore, Microsoft recommends thoroughly testing all server-based antivirus applications to ensure your system reliability.

Management overhead. The ability of the antivirus application to be self-managing could help reduce administrative overhead for the server management teams in your organization.

Application interoperability. You should test the antivirus application with the same server-based services and applications that your production server will be running to ensure there are no interoperability issues.

For a list of antivirus applications that have been certified to work on Windows Server 2003, click the Business Solutions, Security page of the Windows Server Catalog at http://go.microsoft.com/fwlink/?linkid=28510.

 

Role-Specific Antivirus Configurations and Software

There are a number of specialized antivirus configurations, tools and applications now available for specific server roles in the enterprise. Examples of server roles that can benefit from this type of specialized antivirus defense:

Web servers such as Microsoft Internet Information Services (IIS).

Messaging servers such as Microsoft Exchange 2003.

Database servers such as those running Microsoft SQL Server™ 2000.

Collaboration servers such as those running Microsoft Windows SharePoint™ Services, and Microsoft Office SharePoint Portal Server™ 2003.

Application-specific antivirus solutions generally provide better protection and performance because they are designed to integrate with a specific service rather than try to function underneath the service at the file system level. All of the server roles discussed in this section are responsible for information that would not be accessible to an antivirus scanner working at the file system level. Information is also provided on each of these server roles, and how Microsoft recommends using specific antivirus configurations, tools, and applications with them.

 
Web Servers

Web servers in all types of organizations have been the target of security attacks for some time. Whether an attack comes from malware such as CodeRed or a hacker trying to deface an organization’s Web site, it is important that the security settings on your Web servers are sufficiently configured to maximize your defenses against these attacks. Microsoft has produced guidance specifically for systems administrators tasked with protecting servers running IIS on the network in "Chapter 8 – Hardening IIS Servers" of the Windows Server 2003 Security Guide on Microsoft.com at:
/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx.

In addition to this guidance, there are some free tools you can download that will perform a number of security configurations automatically on IIS. For example, the IIS Lockdown Tool is available on Microsoft.com at:
http://www.microsoft.com/technet/security/tools/locktool.mspx.

This tool is used to tune the Web server to provide only those services required for its role, thereby reducing the attack surface of the server to any malware.

UrlScan is another security tool that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the server. You can now cleanly install UrlScan 2.5 on servers running IIS 4.0 or later. For more information on UrlScan, see the UrlScan Security Tool page on Microsoft.com at:
http://www.microsoft.com/technet/security/tools/urlscan.mspx.

 
Messaging Servers

There are two goals to keep in mind when designing an effective antivirus solution for the e-mail servers in your organization. The first goal is to protect the servers themselves from malware. The second goal is to stop any malware from making its way through the e-mail system to the mailboxes of the users in your organization. It is important to ensure the antivirus solution you install on your e-mail servers is capable of achieving both these goals.

Generally speaking, standard file scanning antivirus solutions are not able to prevent an e-mail server from passing malware as attachments to clients. All but the most simple e-mail services store e-mail messages in a database of some type (sometimes referred to as the message store). A typical file scanning antivirus solution cannot access the content of such a database. In fact, a file scanning antivirus solution could possibly corrupt a message store if it is allowed to attempt scanning via a drive mapping (such as the M: drive on Exchange Server 5.5 and Exchange Server 2000).

It is important to match the antivirus solution to the e-mail solution in use. Many antivirus vendors now provide dedicated versions of their software for specific e-mail servers that are designed to scan the e-mail passing through the e-mail system for malware. Two basic types of e-mail antivirus solutions are generally available:

SMTP gateway scanners. These Simple Mail Transfer Protocol (SMTP)-based e-mail scanning solutions are usually referred to as antivirus "gateway" solutions. They have the advantage of working with all SMTP e-mail services rather than being tied to a specific e-mail server product. However, these solutions are limited in some of the more advanced features they can provide due to their reliance on the SMTP e-mail protocol.

Integrated server scanners. These specialized antivirus applications work directly with a particular e-mail server product. These applications do have a number of benefits. For example, they can integrate directly with advanced server features, and they are designed to use the same hardware as the e-mail server.

Microsoft Exchange provides a specific antivirus application programming interface (API) called the Virus API (VAPI), which is also referred to as the Antivirus API (AVAPI), or the Virus Scanning API (VSAPI). This API is used by specialized Exchange Server antivirus applications to help provide full messaging protection in a secure and reliable manner on Exchange e-mail servers. For more information on this API, see the Microsoft Knowledge Base article "328841 – XADM: Exchange and Antivirus Software" on Microsoft.com at:
http://support.microsoft.com/?kbid=328841.

 
Database Servers

There are four main elements to protect when considering the antivirus defenses for a database server:

Host. The server or servers running the database.

Database services. The various applications running on the host that provide the database service to the network.

Data store. The data stored in the database.

Data communications. The connections and protocols that are used between the database host and the other hosts on the network.

As the data inside the data store is not directly executable, it is generally believed that the data stores themselves do not require scanning. There are currently no major antivirus applications written specifically for data stores. However, the host, database services, and data communications elements of the database server should be carefully considered for antivirus configurations.

Host placement and configuration should be reviewed specifically for malware threats. As a general rule, Microsoft does not recommend placing database servers in the perimeter network of an organization’s infrastructure, especially if the servers store sensitive data. However, if you must locate such a database server in your perimeter network, ensure that it is configured to minimize the risk of a malware infection.

If your organization uses SQL Server, see the following guidance for more information on specific malware attack configuration guidelines:

Microsoft Knowledge Base article "309422 – INF: Consideration for a Virus Scanner On a Computer That Is Running SQL Server" on Microsoft.com at:
http://support.microsoft.com/?kbid=309422.

The Security Resources page for Microsoft SQL Server on Microsoft.com at:
http://www.microsoft.com/sql/techinfo/administration/2000/security/.

The "Slammer" worm attack targeted SQL Server directly. This attack showed how important it is to protect your SQL Server database computers, regardless of whether they reside in your perimeter or internal network.

For information and software to help ensure your SQL Server systems are protected from the Slammer worm, see the Finding and Fixing Slammer Vulnerabilities page on Microsoft.com at:
http://www.microsoft.com/security/malwareremove/default.mspx.

 
 
Collaboration Servers

The very nature of collaboration servers makes them vulnerable to malware. When users copy files to and from the servers, they may expose the servers and other users on the network to a malware attack. Microsoft recommends protecting the collaboration servers in your environment (such as those running SharePoint Services and SharePoint Portal Server 2003) with an antivirus application that can scan all files copied to and from the collaboration store. For detailed step-by-step information on protecting these services, see the Configuring Antivirus Protection page of the Administrators Guide for Windows SharePoint Services on Microsoft.com at:
http://www.microsoft.com/resources/documentation/wss/2/all/adminguide/en-us/stse11.mspx.

For information about antivirus software specifically written to integrate with Windows SharePoint Services and SharePoint Portal Server 2003, see the Solutions Directory page on Microsoft Office Online at:
http://go.microsoft.com/fwlink/?linkid=13276.

 

MR..B