Re: Ftp server a bit more secure ?

From: Focus-MS Recipient (focusms@brianrea.org)
Date: 10/05/01


Message-ID: <013801c14d9d$ad1c45c0$26c8c8c8@123>
From: "Focus-MS Recipient" <focusms@brianrea.org>
To: Frédéric Médery <fmedery@sympatico.ca>, <focus-ms@securityfocus.com>
Subject: Re: Ftp server a bit more secure ?
Date: Fri, 5 Oct 2001 09:00:14 -0400

it sounds like you're not utilizing IIS in any manner that makes IIS
convenient... you're not integrating with username/passwords of the NT SAM
(you even created your own new users and gave them local logon privileges)

my only question is: if you don't need to use IIS as an FTP server, why not
go with a simpler and less resource-intensive solution? Products like G6FTP
(now BulletProof FTP) and WarFTP are good solutions that are remarkably
simple to set up and use, with a user list independent of the NT user
database. I think that Gene6 FTP had webhancer spyware added once they
became BulletProofFTP (just a mild irritation, you can uninstall the
WebHancer nonsense). While there have been occasional small incidents with
older versions, I've rarely seen either listed on the BugTraq for security
exploits. (G6 had a DoS vulnerability in v 2.0 Beta 5 back in Nov of 1999,
and WarFTP had a problem with a version from way back circa 1998.)

If you don't need IIS, I wouldn't run it.

- Dixieland

----- Original Message -----
From: Frédéric Médery <fmedery@sympatico.ca>
To: <focus-ms@securityfocus.com>
Sent: Thursday, October 04, 2001 7:25 PM
Subject: Ftp server a bit more secure ?

> Hello everybody,
>
> I have to set up an FTP server on a DC ! I know it's stupid but I'm not the
> one who decided :-) And I have to disable anonymous access !
>
> What I did :
> Fully patched the Server
> Installed IIS on a different partition.
> Created a group called Web Designer
> Created a user who's not a member of the domain user group (just of web designer
> group). To remove the domain user group, I set the Web designer group as
> the primary group.
> The IIS partition is only available for web designer and the iis admin
> group.
> Of course the users have log on locally.
> I created one ftp root folder and some virtual directories that are not
> children of the ftp root. So users are unable to see other folders even if
> they try to go to the root of the ftp site.
>
> Can this be a more "secure" or less dangerous ftp server ? Is it good to
> remove the ftp users from the domain user group ?
> If you have some advice :-)
>
> Thank you,
> This ML is one of the best
>
> Have a nice day
>
> Fred
>
>


