From leo at finalresort.org Wed Jun 1 01:43:36 2016 From: leo at finalresort.org (Leo R. Lundgren) Date: Wed Jun 1 01:42:45 2016 Subject: [FX.php List] [OFF] Antivirus software on a Windows web server? In-Reply-To: <8cbdf8af-f11c-62ad-0e62-6159d18c069d@notyourhomework.net> References: <2F5FA070-EC49-4208-8559-9DB627D26D93@jsfmp.com> <8cbdf8af-f11c-62ad-0e62-6159d18c069d@notyourhomework.net> Message-ID: If the machine (in question) just runs a web service, and the application it serves (if it's even an application, might just be a static for all we know) is well written to there's good confidence it's not full of vulnerabilities, then perhaps it might not make as much sense to install a piece of insecure AV software running with the highest privileges possible on the system. Taviso has shown that most common AV software have very serious vulnerabilities. So for that reason one should consider if running that software is needed, when there's things like EMET and other measures you can apply. I'm not saying you never should, I'm just saying that it depends on what you are protecting from and what you need to protect. For example, a targeted attack might very well try to make use of the recent research on AV software security. Regards, Leo 1 jun 2016 kl. 07:11 skrev Malcolm Fitzgerald : > Why would you not? You'll lose a few clock cycles to forensic processes. In return you obtain a higher level of security and decrease the risk of malfeasance. > > The flip side is that you ignore the risk. When an unwanted event occurs you'll have to show that real benefits were obtained during the period before the machine was compromised. That shouldn't be hard, they'll be obvious to everyone and would have been used to rationalise the decision to go without antivirus software in the first place. The appropriate questions at that point will be, was enough benefit obtained to justify the repair costs and the downtime incurred, and will you continue to support the policy of running the server in the same fashion? > > good luck, > > malcolm > > > > On 1/06/2016 2:49 AM, Joel Shapiro wrote: >> Hi all >> >> I?ve got a client that?s just created a brand new Windows Server 2012 VM to act exclusively as a ?vanilla' web server (no FileMaker components installed). >> >> They?ve asked me if they should install antivirus software on it. Googling returns a mixed response. What do y?all think? >> >> Thanks very much, >> -Joel >> >> >> _______________________________________________ >> FX.php_List mailing list >> FX.php_List@mail.iviking.org >> http://www.iviking.org/mailman/listinfo/fx.php_list > > > _______________________________________________ > FX.php_List mailing list > FX.php_List@mail.iviking.org > http://www.iviking.org/mailman/listinfo/fx.php_list From info at jsfmp.com Thu Jun 2 13:42:47 2016 From: info at jsfmp.com (Joel Shapiro) Date: Thu Jun 2 13:41:51 2016 Subject: [FX.php List] [OFF] Antivirus software on a Windows web server? In-Reply-To: References: <2F5FA070-EC49-4208-8559-9DB627D26D93@jsfmp.com> <8cbdf8af-f11c-62ad-0e62-6159d18c069d@notyourhomework.net> Message-ID: <14FAE1C5-1A38-42E7-B9C0-5B55A0413B93@jsfmp.com> Thanks all for the replies. It seems the mixed response I got on google is not unlike the one I got here ;) FWIW: This will be exclusively a web server for FM CWP projects (API). There will be no FM components (WPE, etc) on this machine. Thanks Leo, I?ll pass along the info on EMET to their IT people (although googling about EMET vs Antivirus brings back a similar mixed bag :( ). I guess I was hoping I?d get back a chorus of responses here either like: ?Yes, we use AV on all our web servers and wouldn?t do it any other way? or ?No,we never use AV on our web servers (+ "we use EMET? or ?we use nothing?). I guess it just ain?t that simple, and I guess I shouldn?t be surprised ;) Thanks again, -Joel > On Jun 1, 2016, at 12:43 AM, Leo R. Lundgren wrote: > > If the machine (in question) just runs a web service, and the application it serves (if it's even an application, might just be a static for all we know) is well written to there's good confidence it's not full of vulnerabilities, then perhaps it might not make as much sense to install a piece of insecure AV software running with the highest privileges possible on the system. > > Taviso has shown that most common AV software have very serious vulnerabilities. So for that reason one should consider if running that software is needed, when there's things like EMET and other measures you can apply. > > I'm not saying you never should, I'm just saying that it depends on what you are protecting from and what you need to protect. For example, a targeted attack might very well try to make use of the recent research on AV software security. > > Regards, Leo > > 1 jun 2016 kl. 07:11 skrev Malcolm Fitzgerald : > >> Why would you not? You'll lose a few clock cycles to forensic processes. In return you obtain a higher level of security and decrease the risk of malfeasance. >> >> The flip side is that you ignore the risk. When an unwanted event occurs you'll have to show that real benefits were obtained during the period before the machine was compromised. That shouldn't be hard, they'll be obvious to everyone and would have been used to rationalise the decision to go without antivirus software in the first place. The appropriate questions at that point will be, was enough benefit obtained to justify the repair costs and the downtime incurred, and will you continue to support the policy of running the server in the same fashion? >> >> good luck, >> >> malcolm >> >> >> >> On 1/06/2016 2:49 AM, Joel Shapiro wrote: >>> Hi all >>> >>> I?ve got a client that?s just created a brand new Windows Server 2012 VM to act exclusively as a ?vanilla' web server (no FileMaker components installed). >>> >>> They?ve asked me if they should install antivirus software on it. Googling returns a mixed response. What do y?all think? >>> >>> Thanks very much, >>> -Joel >>> >>> >>> _______________________________________________ >>> FX.php_List mailing list >>> FX.php_List@mail.iviking.org >>> http://www.iviking.org/mailman/listinfo/fx.php_list >> >> >> _______________________________________________ >> FX.php_List mailing list >> FX.php_List@mail.iviking.org >> http://www.iviking.org/mailman/listinfo/fx.php_list > > _______________________________________________ > FX.php_List mailing list > FX.php_List@mail.iviking.org > http://www.iviking.org/mailman/listinfo/fx.php_list From leo at finalresort.org Thu Jun 2 13:48:11 2016 From: leo at finalresort.org (Leo R. Lundgren) Date: Thu Jun 2 13:47:23 2016 Subject: [FX.php List] [OFF] Antivirus software on a Windows web server? In-Reply-To: <14FAE1C5-1A38-42E7-B9C0-5B55A0413B93@jsfmp.com> References: <2F5FA070-EC49-4208-8559-9DB627D26D93@jsfmp.com> <8cbdf8af-f11c-62ad-0e62-6159d18c069d@notyourhomework.net> <14FAE1C5-1A38-42E7-B9C0-5B55A0413B93@jsfmp.com> Message-ID: <40EE5EB7-15A9-47AB-9FEA-DD862630F347@finalresort.org> Yeah, I was having bad feelings already ;) I think that in general I would try to avoid putting AV on the server unless there's a reason for it. The less vectors on it the better, so in my book one would have to justify AV on it rather than the opposite (i.e. AV is not a default). But it totally depends on what it's going to do. If the server is just an API endpoint for the web I would be more concerned about other web exploitations, such as those covered a lot by OWASP security guides. What type of API will it present, a REST endpoint over HTTP(S)? Regards, Leo 2 jun 2016 kl. 21:42 skrev Joel Shapiro : > Thanks all for the replies. > > It seems the mixed response I got on google is not unlike the one I got here ;) > > FWIW: This will be exclusively a web server for FM CWP projects (API). There will be no FM components (WPE, etc) on this machine. > > Thanks Leo, I?ll pass along the info on EMET to their IT people (although googling about EMET vs Antivirus brings back a similar mixed bag :( ). > > I guess I was hoping I?d get back a chorus of responses here either like: ?Yes, we use AV on all our web servers and wouldn?t do it any other way? or ?No,we never use AV on our web servers (+ "we use EMET? or ?we use nothing?). I guess it just ain?t that simple, and I guess I shouldn?t be surprised ;) > > Thanks again, > -Joel > > >> On Jun 1, 2016, at 12:43 AM, Leo R. Lundgren wrote: >> >> If the machine (in question) just runs a web service, and the application it serves (if it's even an application, might just be a static for all we know) is well written to there's good confidence it's not full of vulnerabilities, then perhaps it might not make as much sense to install a piece of insecure AV software running with the highest privileges possible on the system. >> >> Taviso has shown that most common AV software have very serious vulnerabilities. So for that reason one should consider if running that software is needed, when there's things like EMET and other measures you can apply. >> >> I'm not saying you never should, I'm just saying that it depends on what you are protecting from and what you need to protect. For example, a targeted attack might very well try to make use of the recent research on AV software security. >> >> Regards, Leo >> >> 1 jun 2016 kl. 07:11 skrev Malcolm Fitzgerald : >> >>> Why would you not? You'll lose a few clock cycles to forensic processes. In return you obtain a higher level of security and decrease the risk of malfeasance. >>> >>> The flip side is that you ignore the risk. When an unwanted event occurs you'll have to show that real benefits were obtained during the period before the machine was compromised. That shouldn't be hard, they'll be obvious to everyone and would have been used to rationalise the decision to go without antivirus software in the first place. The appropriate questions at that point will be, was enough benefit obtained to justify the repair costs and the downtime incurred, and will you continue to support the policy of running the server in the same fashion? >>> >>> good luck, >>> >>> malcolm >>> >>> >>> >>> On 1/06/2016 2:49 AM, Joel Shapiro wrote: >>>> Hi all >>>> >>>> I?ve got a client that?s just created a brand new Windows Server 2012 VM to act exclusively as a ?vanilla' web server (no FileMaker components installed). >>>> >>>> They?ve asked me if they should install antivirus software on it. Googling returns a mixed response. What do y?all think? >>>> >>>> Thanks very much, >>>> -Joel >>>> >>>> >>>> _______________________________________________ >>>> FX.php_List mailing list >>>> FX.php_List@mail.iviking.org >>>> http://www.iviking.org/mailman/listinfo/fx.php_list >>> >>> >>> _______________________________________________ >>> FX.php_List mailing list >>> FX.php_List@mail.iviking.org >>> http://www.iviking.org/mailman/listinfo/fx.php_list >> >> _______________________________________________ >> FX.php_List mailing list >> FX.php_List@mail.iviking.org >> http://www.iviking.org/mailman/listinfo/fx.php_list > > > _______________________________________________ > FX.php_List mailing list > FX.php_List@mail.iviking.org > http://www.iviking.org/mailman/listinfo/fx.php_list From info at jsfmp.com Thu Jun 2 13:58:21 2016 From: info at jsfmp.com (Joel Shapiro) Date: Thu Jun 2 13:57:25 2016 Subject: [FX.php List] [OFF] Antivirus software on a Windows web server? In-Reply-To: <40EE5EB7-15A9-47AB-9FEA-DD862630F347@finalresort.org> References: <2F5FA070-EC49-4208-8559-9DB627D26D93@jsfmp.com> <8cbdf8af-f11c-62ad-0e62-6159d18c069d@notyourhomework.net> <14FAE1C5-1A38-42E7-B9C0-5B55A0413B93@jsfmp.com> <40EE5EB7-15A9-47AB-9FEA-DD862630F347@finalresort.org> Message-ID: It?s the FileMaker API for PHP, all over https, and all password protected (mostly FM authentication). Currently there are no uploads of any type, although possibly some in the future. Most are projects I?ve built for them, although a few older ones that I don?t know may go on there as well. FWIW: This client has never had any AV on any of their web servers. Their new IT person is asking now about this new VM as he doesn?t know what?d be best, hence my asking here (since I don?t know either :). -Joel > On Jun 2, 2016, at 12:48 PM, Leo R. Lundgren wrote: > > Yeah, I was having bad feelings already ;) > > I think that in general I would try to avoid putting AV on the server unless there's a reason for it. The less vectors on it the better, so in my book one would have to justify AV on it rather than the opposite (i.e. AV is not a default). But it totally depends on what it's going to do. > > If the server is just an API endpoint for the web I would be more concerned about other web exploitations, such as those covered a lot by OWASP security guides. What type of API will it present, a REST endpoint over HTTP(S)? > > Regards, Leo > > > 2 jun 2016 kl. 21:42 skrev Joel Shapiro : > >> Thanks all for the replies. >> >> It seems the mixed response I got on google is not unlike the one I got here ;) >> >> FWIW: This will be exclusively a web server for FM CWP projects (API). There will be no FM components (WPE, etc) on this machine. >> >> Thanks Leo, I?ll pass along the info on EMET to their IT people (although googling about EMET vs Antivirus brings back a similar mixed bag :( ). >> >> I guess I was hoping I?d get back a chorus of responses here either like: ?Yes, we use AV on all our web servers and wouldn?t do it any other way? or ?No,we never use AV on our web servers (+ "we use EMET? or ?we use nothing?). I guess it just ain?t that simple, and I guess I shouldn?t be surprised ;) >> >> Thanks again, >> -Joel >> >> >>> On Jun 1, 2016, at 12:43 AM, Leo R. Lundgren wrote: >>> >>> If the machine (in question) just runs a web service, and the application it serves (if it's even an application, might just be a static for all we know) is well written to there's good confidence it's not full of vulnerabilities, then perhaps it might not make as much sense to install a piece of insecure AV software running with the highest privileges possible on the system. >>> >>> Taviso has shown that most common AV software have very serious vulnerabilities. So for that reason one should consider if running that software is needed, when there's things like EMET and other measures you can apply. >>> >>> I'm not saying you never should, I'm just saying that it depends on what you are protecting from and what you need to protect. For example, a targeted attack might very well try to make use of the recent research on AV software security. >>> >>> Regards, Leo >>> >>> 1 jun 2016 kl. 07:11 skrev Malcolm Fitzgerald : >>> >>>> Why would you not? You'll lose a few clock cycles to forensic processes. In return you obtain a higher level of security and decrease the risk of malfeasance. >>>> >>>> The flip side is that you ignore the risk. When an unwanted event occurs you'll have to show that real benefits were obtained during the period before the machine was compromised. That shouldn't be hard, they'll be obvious to everyone and would have been used to rationalise the decision to go without antivirus software in the first place. The appropriate questions at that point will be, was enough benefit obtained to justify the repair costs and the downtime incurred, and will you continue to support the policy of running the server in the same fashion? >>>> >>>> good luck, >>>> >>>> malcolm >>>> >>>> >>>> >>>> On 1/06/2016 2:49 AM, Joel Shapiro wrote: >>>>> Hi all >>>>> >>>>> I?ve got a client that?s just created a brand new Windows Server 2012 VM to act exclusively as a ?vanilla' web server (no FileMaker components installed). >>>>> >>>>> They?ve asked me if they should install antivirus software on it. Googling returns a mixed response. What do y?all think? >>>>> >>>>> Thanks very much, >>>>> -Joel >>>>> >>>>> >>>>> _______________________________________________ >>>>> FX.php_List mailing list >>>>> FX.php_List@mail.iviking.org >>>>> http://www.iviking.org/mailman/listinfo/fx.php_list >>>> >>>> >>>> _______________________________________________ >>>> FX.php_List mailing list >>>> FX.php_List@mail.iviking.org >>>> http://www.iviking.org/mailman/listinfo/fx.php_list >>> >>> _______________________________________________ >>> FX.php_List mailing list >>> FX.php_List@mail.iviking.org >>> http://www.iviking.org/mailman/listinfo/fx.php_list >> >> >> _______________________________________________ >> FX.php_List mailing list >> FX.php_List@mail.iviking.org >> http://www.iviking.org/mailman/listinfo/fx.php_list > > _______________________________________________ > FX.php_List mailing list > FX.php_List@mail.iviking.org > http://www.iviking.org/mailman/listinfo/fx.php_list From jonathan at exit445.com Thu Jun 2 13:58:25 2016 From: jonathan at exit445.com (Jonathan Schwartz) Date: Thu Jun 2 13:57:26 2016 Subject: [FX.php List] Current status of using CWP with API on FMS15 with OS X Server? Message-ID: <4CE88913-6498-4789-9CE8-F1485FCEAFBD@exit445.com> Hi Folks, Most of my development has been in FMS12 so far., avoiding the FMS13+ port conflict issues. I?m about to launch a client?s server under OS X Yosemite with FMS 15 and want to use OS X Server to manage multiple websites. I would use the API. What is the current status of being able to get this to work? I?m aware of the easy solution to simply run OS X Server on a separate box. Is there a single-machine way at this point? Thanks, Jonathan Jonathan Schwartz jonathan@exit445.com From bob at patin.com Thu Jun 2 15:12:00 2016 From: bob at patin.com (Bob Patin) Date: Thu Jun 2 15:11:06 2016 Subject: [FX.php List] Current status of using CWP with API on FMS15 with OS X Server? In-Reply-To: <4CE88913-6498-4789-9CE8-F1485FCEAFBD@exit445.com> References: <4CE88913-6498-4789-9CE8-F1485FCEAFBD@exit445.com> Message-ID: <19E1728E-E08D-4D8B-9A03-FB9AA231C0A3@patin.com> I think there is, but I don't use it that way; I have web servers and simply set up WPE on the FMS machine, and then host the web app on a web server and point the web app to the FMS machine. John May said he had a way to do it, but I forget what he did to get it to work. Bob Patin Longterm Solutions bob@longtermsolutions.com 615-333-6858 FileMaker 9, 10, 11, 12 & 13 Certified Developer http://www.longtermsolutions.com - iChat: bobpatin@me.com Twitter: bobpatin ? FileMaker Consulting FileMaker Hosting for all versions of FileMaker PHP ? Full email services ? Free DNS hosting ? Colocation ? Consulting > On Jun 2, 2016, at 2:58 PM, Jonathan Schwartz wrote: > > Hi Folks, > > Most of my development has been in FMS12 so far., avoiding the FMS13+ port conflict issues. > > I?m about to launch a client?s server under OS X Yosemite with FMS 15 and want to use OS X Server to manage multiple websites. I would use the API. > > What is the current status of being able to get this to work? I?m aware of the easy solution to simply run OS X Server on a separate box. > > Is there a single-machine way at this point? > > Thanks, > > Jonathan > > > Jonathan Schwartz > jonathan@exit445.com > > > > _______________________________________________ > FX.php_List mailing list > FX.php_List@mail.iviking.org > http://www.iviking.org/mailman/listinfo/fx.php_list