Antimalware on Server Core, a strategic choice


In the past I’ve mentioned that a Server Core installation of Windows Server 2008 is less susceptible to attacks than a full installation of Windows Server 2008:

  • It has less code on disk and in memory, resulting in a smaller attack surface
  • It requires fewer updates
  • It doesn’t offer a built-in way to browse the web
  • It is deployed by professionals who know what they’re doing

Any default installation of Windows Server 2008 is also more secure than a default installation of previous versions of Windows Server:

  • The firewall is on by default, filters both inbound and outbound traffic, and allows no inbound connections
  • Windows Server 2008 was developed under the security initiatives at Microsoft

This information might make you believe installing antivirus or antimalware software on a Server Core installation is not needed. Instead, I feel installing antivirus on a Server Core installation of Windows Server 2008 is a strategic choice. You can choose to install antivirus software on a Server Core installation or not.


Antivirus pros and cons

Antivirus software has advantages, but also many disadvantages:

Pros

Antivirus software can protect against malicious code landing on storage, memory or firmware and report on detections. In this role it functions as the last line of defense in what should be a multitier approach where detections are reported centrally. Without the multitier approach, failing antivirus software may result in a misplaced sense of security.

Cons

Antivirus software, however, is susceptible to exploits. Just like the Operating System and any applications or servers it protects, its developers may have overlooked some attack vectors. It’s antivirus code, but it’s code nonetheless. Jim Allchin reflected on this when Windows Vista RTM’ed. Most antimalware products also open up the firewall to allow communication with a central logging and reporting server.

Antivirus software has a negative impact on the performance of the Operating System and any applications or servers on it when it is protecting them in real time.

Antivirus software may cause erratic behavior in the Operating System and the applications installed on it. The old story of Outlook calendar items going missing after the Exchange databases were scanned is one example, but more recently other erratic behavior has emerged, like the inability to create or start virtual machines from Hyper-V Manager because of antivirus software.

Some antivirus software doesn't support virtualization (yet) and can therefore not be used on Microsoft's stand-alone Hyper-V Server or on Hyper-V enabled installations of Windows Server 2008.


The strategic choice

Antivirus software alone will not help you. If it is all you have, malicious code will still land once it evolves enough to evade detection by the antivirus software. Remember: antivirus is a cat and mouse game between writers of malicious code and antivirus companies.

Antivirus software on systems needs to be part of a multitier approach. This approach would also consist of:

  • Checking and logging malicious code at the perimeter
  • Checking and logging (un)authorized access at the perimeter of the network and at every host through an automated process. Ideally the approach would be based on needed traffic, not on unwanted traffic. Logging should ideally be centralized.
  • Proactively blocking and logging suspicious network activity on the networks spanning your environment through an automated process. Logging should ideally be centralized.
  • Checking for malicious code in places where users are able to modify data (especially on file servers, mail servers, collaboration servers and database servers) through an automated process
  • Systems Management and Implementation based on best practices by certified professionals using up-to-date procedures. A process should be in place to review procedures. Implementation should ideally be automated.
  • An enterprise-wide update procedure (preferably including an OTA environment) for Operating Systems and all software running and/or used by users in your environment. Actual installation of updates should be automated, centralized and accompanied by logging and reporting
  • Enterprise-wide sweeps for malicious code at a regular interval through an automated process
  • Backups of systems at a regular interval through an automated process and accompanying restore tests at another regular interval. Restore tests should be accomplished using up-to-date procedures and preferably executed by professionals from outside your firm
  • Checking logs and detecting trends by certified professionals using up-to-date procedures and executed preferably by professionals from outside your firm
  • Enterprise-wide training for end-users and administrators
  • Sufficient strategic and financial backing from within the organization


Concluding

You can make the choice to install antimalware software on your Server Core installation or not, based on:

  • The Server Role(s) on your Server Core installation
  • The strategic importance of the functionality offered by the Server Core box
  • The kind of network the Server Core box resides on. (DMZ, Internet, Internal)
  • The parts of the multitier antimalware approach described above in place
  • Policies

Further reading

Allchin Suggests Vista Won't Need Antivirus
Jim Allchin: Users Should Run Antivirus Software with Windows Vista
Creating or starting a Hyper-V virtual machine on Windows Server 2008
Virus scanning recommendations for computers that are running Windows

2 Responses to Antimalware on Server Core, a strategic choice

  1. In my opinion this whole piece applies to all Windows servers in general and not just to Server Core. And I think that the points under Strategic Choice should always be considered.

  2. Hi Niels!

    In my opinion this whole piece applies to all Windows servers in general and not just to Server Core.

    When dealing with Server Core installations the strategic choice is one that requires the evaluation of fewer shades of gray. I'm sure the choice applies to Windows Servers in general, but I'm also noticing it applies to VMware hosts, so perhaps it's more an industry-specific choice, even?

    And I think that the points under Strategic Choice should always be considered.

    In an ideal world all the points of a multi-tier antimalware solution would be met, but unfortunately we don't live in such a world. A risk should be met with an appropriate measure. In a time of economic downturn however the appropriate measure might not make sense and a less sensible, less mature and/or less complete measure (or no measure at all) gets implemented.
