#47394
07/31/2012 10:52 AM
OP
Member
Joined: Sep 2011
Posts: 65
Looking for everyone's perspective on antivirus software on Windows Server based systems. I run a Windows SBS 2011 Essentials machine that requires domain credentials to access it. I'm still paranoid about a virus getting into the system though so want people's opinions. I'm looking for free stuff and the only one I've really found is ClamAV.
We currently have a SonicWall hardware firewall that I think works pretty well but it's a nightmare to set up any type of port forwarding on it. I have several DD-WRT flashed wireless routers (acting purely as access points to distribute a wifi signal that doesn't seem to work well with AC but oh well...). Is it necessary to have a hardware firewall or should I work to transition over to using one of the DD-WRT enabled devices as my firewall or is that a security risk? I can manage the DD-WRT better where the likelihood of a hole being opened in my SonicWall by accident because of my poor familiarity makes me think of it more as a security risk than anything else. My concern with the DD-WRT systems is forwarding GRE protocols if we enable a VPN server on the SBS. (VPN is a complete nightmare from my experiences at home setting it up).
Thoughts?
Slater

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
I personally don't put any antivirus on the server. More often than not they do more damage than help. ClamAV doesn't really have a resident scanner either so it's a retroactive defense protocol. Just make sure no one is using the server as a workstation. There's a reason it comes with IE ESC enabled. Also, make sure you have antivirus on all your clients. Microsoft Security Essentials is a good one and it's free for commercial use up to 10 users.
A hardware firewall isn't necessary but it's a good safety measure. What kind of VPN are you trying to set up?

OP
Member
Joined: Sep 2011
Posts: 65
So I don't have any AV on the server right now which works then. I don't really let anyone into the locked IT room let alone log on the server ;-) Physical security is always something that seems to get left out with IT security.
MSE - I had looked into it to install on our multipoint/terminal server and it will probably work but there are licensing issues with it potentially. 10 users on just the terminal server and maybe 10-12 other standalone systems slightly exceeds the 10 systems in a business.
VPN - I'm considering adding PPTP VPN through the RRAS role. I'm aware that this can be set up without the SBS running DHCP but I think for the VPN to really work correctly with LAN routing, etc. that the SBS needs to control DHCP.
Slater

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Yep I keep mine in a locked supply closet. You either want it to be in your office or in a locked office.
I'm not sure if you can install MSE on a Terminal Server. Most people just lock them down very heavily (very restricted permissions).
SBS Standard comes with it preconfigured. I prefer the DHCP on the server to the router. Makes it easier to configure. It can also handle it better. For me the router is a simple internet gateway/firewall. DHCP and DNS on the server. Server has two ports teamed together which connect to the switch (2 Gbps). Everything else goes to the switch.

Member
Joined: Sep 2003
Posts: 12,877 Likes: 34
I'm with Sandeep on the Antivirus. I use ESET for the network which has its central server on the server, but the ESET console runs the whole show. It's very nice. But, Sandeep is correct. AV on the server does more harm than good. I suppose some type of malware could move through the network but up to date antivirus scanners should spot them and then isolate the machine. Susan Bradley, the SBS Diva, isn't for AV on servers.
Not sure about your setup, but I do like a hardware firewall. Obviously, you can use a combination firewall router like a Cisco PIX. Linksys is always a good choice now that they are part of Cisco.
Just for fun, what ports are you forwarding?
I am not fond of VPNs at all.
Bert Pediatrics Brewer, Maine

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Viruses in almost all cases have to be executed by the user to do any damage, hence one of the main reasons we tell people not to work on the main computer/server. Worms on the other hand can take effect without user intervention. They use holes in the Operating System to do damage. The best way to avoid these is to keep the Operating System updated.
I'm with Bert. VPNs have limited benefit with a slow upload speed.

OP
Member
Joined: Sep 2011
Posts: 65
> Just for fun, what ports are you forwarding?

Only a few right now, none of which have anything to do with VPN. I'm a complete fan of terminal servers and virtualization but the licensing costs start to creep up and then next thing we're talking about hardware costs going up to support more and more virtual desktops on the terminal server. Remote users can connect through VPN and run AC obviously as if they were local users on the network. It also gives me some redundancy because when the terminal server locks up (it was doing this every other day with some of the RAM we had in there to max it out until we swapped that out - it's down to only 8GB from 16GB) everyone loses their computers.
Slater

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Yea if I had a terminal server, I'd probably use SSDs and 16/32GBs of RAM ha. It would most likely end up being cheaper and faster. Combine that server with folder redirection to the main server, then you don't really have anything special on the TS. It can be reinstalled/reformatted easily if any issues pop up.

OP
Member
Joined: Sep 2011
Posts: 65
That's the overall goal. Since I recently formatted the TS it's actually been working much better so I may try putting the 16GB I had in there back in and see if we start having issues again. I would love to add a NAS to redirect user folders and things to also but the existing HD in the SBS will work for now. Word docs, Excel documents are that much space. We're using some older Windows XP boxes as clients to access the TS.
I would die to have a huge server running all my servers in a virtual environment... my SBS 2011 (or whatever I upgrade to by the time this pipe dream of a server is bought) along with virtual TSs running. Oh the possibilities (and complexities).
Slater

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
TS(s) plural?
With the new LGA 2011 Dual Processor Boards, it's actually not even that expensive. $400 for a 6 core processor. Get 2 for $800. 12 Physical/24 Logical. Enough to run 3 high powered VMs. 32GB of RAM is around $250, 64GB for $500. 8 Port RAID Card with double RAID 10 SSD and HDD. Or RAID 1 SSD, RAID 10 HDD. Obviously if you buy it from an OEM like Dell or something you'll be paying a small fortune. Should be in the neighborhood of 3-4K if you build it yourself.

OP
Member
Joined: Sep 2011
Posts: 65
That's sort of what I've been envisioning running something like VMware's hypervisor (ESXi) or Windows Hyper-V. Then I can essentially clone a VM daily as a backup and essentially not have any downtime while reducing the server's footprint, decrease power costs and server costs.
Slater

Member
Joined: Jun 2009
Posts: 1,811
> That's sort of what I've been envisioning running something like VMware's hypervisor (ESXi) or Windows Hyper-V. Then I can essentially clone a VM daily as a backup and essentially not have any downtime while reducing the server's footprint, decrease power costs and server costs.

Towards that end, I'd suggest that you consider the base OS on CENTOS6 (free version of RH Enterprise). That will allow you to have a solid base OS that can also run all of the services that you might need, while giving you the flexibility to bring whole machines up and down. My Dev/Test box has ~10 VMs on it {e.g. XP, W7, WinServer, RHEL, Ubu, ...} that you can bring up and down, clone, suspend, and quickly tinker with as you need or see fit. I run SFTP, NFS, Git, KVM, LAMP, services that each VM can access, as well as the network bridging in memory, so the VMs are isolated unless I want/let them get out. As Wendell would say, "... and did I mention that it is free?" A basic install is just a few minutes work - mostly disk time.

Member
Joined: Sep 2003
Posts: 12,877 Likes: 34
LOL, this thread is starting to make P2P look rather inviting.
Bert Pediatrics Brewer, Maine

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
I'd probably use Hyper V just for backup assist. Don't abandon traditional forms of backup just because you have clones/snapshots. Sometimes you just need to restore a component and not the entire system.

> Then I can essentially clone a VM daily as a backup and essentially not have any downtime while reducing the server's footprint, decrease power costs and server costs.

This is awesome, but I prefer having powerful workstations. Don't mind virtualizing servers though. That's always nice.

Member
Joined: Jun 2009
Posts: 1,811
> LOL, this thread is starting to make P2P look rather inviting.

Working with a practice that is paper right now and want to go with AC in our managed environment, they are looking at three local hardware options; standard desktops, Android or Apple tablets to connect directly, or a CENTOS/RH server to host Win VMs. From an end-user perspective, it all feels about the same or easier than standard P2P.

OP
Member
Joined: Sep 2011
Posts: 65
> I'd probably use Hyper V just for backup assist. Don't abandon traditional forms of backup just because you have clones/snapshots. Sometimes you just need to restore a component and not the entire system.
>
> > Then I can essentially clone a VM daily as a backup and essentially not have any downtime while reducing the server's footprint, decrease power costs and server costs.
>
> This is awesome, but I prefer having powerful workstations. Don't mind virtualizing servers though. That's always nice.

Completely agree. I would never rely solely on a clone or disc image for backup. Only for some redundancy and just one of the layers of data protection. I personally prefer a high powered workstation for myself with as many monitors as my visual cortex can handle... my office staff can work on thin clients with single widescreens.
Slater

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
> I personally prefer a high powered workstation for myself with as many monitors as my visual cortex can handle... my office staff can work on thin clients with single widescreens.

I can understand that :P

![[Linked Image from sphotos-a.xx.fbcdn.net]](https://sphotos-a.xx.fbcdn.net/hphotos-ash4/s720x720/483063_381952828526244_334013986_n.jpg)

Member
Joined: Sep 2003
Posts: 12,877 Likes: 34
> TS(s) plural?
> With the new LGA 2011 Dual Processor Boards, it's actually not even that expensive. $400 for a 6 core processor. Get 2 for $800. 12 Physical/24 Logical. Enough to run 3 high powered VMs. 32GB of RAM is around $250, 64GB for $500. 8 Port RAID Card with double RAID 10 SSD and HDD. Or RAID 1 SSD, RAID 10 HDD. Obviously if you buy it from an OEM like Dell or something you'll be paying a small fortune. Should be in the neighborhood of 3-4K if you build it yourself.

The big question is do you think that will be enough to run Amazing Charts?
Bert Pediatrics Brewer, Maine

Member
Joined: Sep 2003
Posts: 12,877 Likes: 34
Sandeep,
As discussed above, I don't use antivirus on the server. Too many issues with exceptions. Could take me all week to get them all in. Even then, problems.
And, if not being used, you are pretty safe. My question is the following. The issues with A/V on the server are the real-time scanning and the scans. But, just sitting there waiting for a virus doesn't seem that bad.
But, and this is my real question. Say every month or so, you just wonder if there is a virus sitting on the server waiting to be activated. Would running something like MBAM or SAS be advisable just for peace of mind? Or if that makes sense, is there a better A/V scanner? I am really surprised Microsoft doesn't have an integrated antivirus as it does a firewall?
Thanks.
Bert Pediatrics Brewer, Maine

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Microsoft does have an integrated antivirus for Servers. It's very confusing though. It's almost exactly identical to Microsoft Security Essentials. I believe it's 12 dollars/year for 1 Server. It's called Forefront Endpoint Protection 2010. I think they're coming out with a new one called System Center 2012 Endpoint Protection. They keep changing the name. Just make sure you don't get the System Center Configuration Manager version as that's pretty expensive. While it will allow you to manage all the clients, it's something like 1300 dollars.

Member
Joined: Sep 2003
Posts: 12,877 Likes: 34
But do you recommend using an A/V scanner like MBAM every month or so? Or does that cause the same issues?
Bert Pediatrics Brewer, Maine

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
MBAM is just a file scanner. Its removal methods are aggressive, but it shouldn't hurt to scan. MBAM is more for specialized, very bad viruses/worms/Trojans, not a generic virus scanner like Forefront. However, I have heard of people not being able to boot after installing MBAM so I wouldn't recommend it.

OP
Member
Joined: Sep 2011
Posts: 65
Is it worth looking into Forefront? I got MSE installed on the multipoint terminal server without any issues...
Slater

Member
Joined: Sep 2003
Posts: 12,877 Likes: 34
I don't think you would qualify. It is only for businesses with less than 10 computers. If you have more, you need to jump to the next one, which I am sure is not free. http://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx
I know I talk about Susan all the time, but she is the Diva of all things SBS, and is usually way ahead of Microsoft. If you go to her blog and type "I'm going naked," you will get an interesting article on A/V. Let's just say she is not too enchanted with A/V vendors. Plus, there is enough on her website to read until Microsoft drops the 2012 Server line.
Bert Pediatrics Brewer, Maine

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Yea. Personally if you lock down the TS enough to the point where users can't write any files to it, then I wouldn't worry about it. That's the standard practice usually.
Also, no admin rights, the usual.

OP
Member
Joined: Sep 2011
Posts: 65
> Yea. Personally if you lock down the TS enough to the point where users can't write any files to it, then I wouldn't worry about it. That's the standard practice usually.
> Also, no admin rights, the usual.

Yeah people complain regularly that they can't install things because of the admin rights being required. It's annoying but not as annoying as the entire system going down because of a virus that a secretary downloaded while playing Bejeweled on some random website was installed...
Bert, I've read Susan's blog a few times in the past. It's always been pretty good information and certainly worth a read. I'm fairly sure she also replied to some posts I've made on the Microsoft tech forums before too.
Slater

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
I used to have the staff as all admins. Every few months someone would pick up a virus, forcing me to reformat and reinstall. Been giving them standard user permissions for the past year. No more malware. It does get annoying sometimes though when the hospital decides to change its system and new ActiveX plugins and programs need to be installed. But I also got better with group policy too. So it lets me get around that sometimes.

G Member
Joined: Apr 2011
Posts: 2,316 Likes: 2
Check out software restriction policy settings if you want to really lock it down. That's why I always keep my additional servers in a separate OU.