Here is the scenario. We have two servers behind a Juniper Networks firewall at a colocation site. That's it. No users at all behind the firewall (except for me at times running remote desktop). We are running Windows Server 2003, IIS 6.0 and all of the latest MS security patches are always installed right away.
Server one is mainly a web server and server two is mainly a database server running SQL Server 2005.
I use remote desktop to manage the servers. My partner and I use the VPN to work with the servers on a daily basis. We have a drop box style FTP server. Our data entry people use ASP.NET pages that interact with our database. Our customers use our website and business intelligence software to access the data in our database indirectly. The only web surfing that ever occurs is when I need to get updates for software on our servers. We are not running a mail server.
So, I have two questions.
1) Should I be running anti-virus software?
2) Should I be running anti-spam software?
I'm not looking for a debate on which pieces of software are best here. I am looking for real reasons as to why I should run either of the two items above since my preference is to not run them (my minimalist approach to keeping it simple).