Re: Run a Virus Scan on DCs?
- From: Florian Frommherz <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 26 Jun 2007 07:43:33 +0200
Howdie Flash!
Flash3200 wrote:
Should I run a dedicated Virus Scan on my Domain Controllers? We have
McAfee Enterprise ViruScan loaded on them and they are enabled to pick
up something as it runs live on the server, but I run a dedicated scan
once a week on all my other servers and I've heard both ways when it
comes to DCs... "no you shouldn't run a scan cause it slows them down
too much (regardless of memory???)" and also "Sure why not.. whats it
going to hurt". So I'd like to get everyone else's opinions!!!!
I'll tell you my opinion on this - maybe you're interested in that as well ;-)
I'm no big fan of antivir applications Domain Controllers. The reason is: why should I scan? See, the Domain Controller is THE part of your domain. I really mean THE part. What will happen if those controllers break? Your business is pretty much like to go down - all the way with your productivity and the big bucks. Not more, not less. I have the philosophy that I lock them down as much as possible - physically as well as technically.
I also think that there shouldn't run any services other than Active Directory and the DNS service. The question then is: how can you nest there any virses or malware, if there are no users logging in to that machine (other than you and your admin-buddies), no services/shares with write-access for people.
From the "what's it going to hurt"-perspective, I've seen environments where the antivoir did block access to the SYSVOL share and broke Group Policy application down. People needed to exclude the SYSVOL folder from scanning in order to have those services run again. This can actually be a time-consuming search if you're not immediately thinking of your antivir while troubleshooting.
If you really consider using an antivir on your domain controllers, be careful when installing and ask the vendor if there are any issues with Active Directory. A loss of a domain controller (a loss may also mean a downtime of a few minutes/hours) can cause your whole network to be unstable (it shouldn't if you have multiple domain controllers - but how frequent do you try that out?).
- Be careful, that's what I'm sayin' ;-)
cheers,
Florian
--
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
.
- Follow-Ups:
- Re: Run a Virus Scan on DCs?
- From: Brad Rutkowski
- Re: Run a Virus Scan on DCs?
- From: Flash3200
- Re: Run a Virus Scan on DCs?
- References:
- Run a Virus Scan on DCs?
- From: Flash3200
- Run a Virus Scan on DCs?
- Prev by Date: Re: Installing activeX automatically?
- Next by Date: Re: Active Directory Replication
- Previous by thread: Run a Virus Scan on DCs?
- Next by thread: Re: Run a Virus Scan on DCs?
- Index(es):
Relevant Pages
|
