RE: FTP tagging

From: Tommaso Di Donato (t.didonato@sicurweb.it)
Date: 05/09/02


Date: Thu, 09 May 2002 17:17:09 +0200
To: focus-ms@securityfocus.com
From: Tommaso Di Donato <t.didonato@sicurweb.it>

Hi! First of all, I think it would be better to replace "user" with
"authenticated users", because I read somewhere (I can't remember where,
but I'm quite sure) that anonymous access (to file system and object
enumeration...I don't know if it applies also to FTP) can be disabled by
changing "Users" to "authenticated users". So, I would try this....
Second... I know the ftp server that comes with IIS is free (well, not
free, but you already paid for it...), but I think you should consider
trying Bulletproof Ftp (for example...). It is much more secure and
configurable than the one provided by MS...
Hope it helps.
Tom

At 23.20 08/05/2002, you wrote:
>Thank you all for the responses.
>
>Here is some more info:
>IUSR_name is only a member of the Guests group, not the Users.
>
>But "Authenticated Users" is a member of Users group. Maybe IUSR_name is
>"indirectly" a member of the Users Group because of this. I'll try to
>confirm this.
>
>Probably a better way to go is remove "Users" from the ACLs and create a
>new "FTP Users" group with proper access.
>
>Someone warned me about FTP using Basic Authentication. I'm taking this into
>account: none of the users logging to the FTP are admins. But I think this
>is always a thing to remember.
>
>Thanks again to everybody.
>
>Victor.
>
>-----Original Message-----
>From: Garcia Turegano, Victor
>Sent: Tuesday, May 07, 2002 17:39
>To: focus-ms@securityfocus.com
>Subject: FTP tagging
>
>
>Recently I've encountered this problem. I thought that I had covered all
>the weak spots. Obviously not! Can someone give me pointers or tell me why
>this is happening?
>
>I have a Windows 2000 Pro Box with FTP Service installed and all patches
>listed by HFNetChk. I use ADSL to connect it to the Internet.
>
>This FTP has Anonymous access enabled as well as authenticated. It has
>Read and Write permissions enabled in the IIS Console Properties page.
>
>I decided to control Read & Write access via NTFS and these are the
>permissions I have in the FTPROOT folder.
>Administrators = Full Control
>System = Full Control
>Users = Modify
>IUSR_name = Read
>
>The thing is that people logging in anonymously are able to create
>directories and files and to delete them.
>Here's a part of the FTP log that shows it:
>
>#Software: Microsoft Internet Information Services 5.0
>#Version: 1.0
>#Date: 2002-05-03 14:13:03
>#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port
>cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes
>cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
>2002-05-03 14:13:03 80.14.189.197 anonymous MSFTPSVC1 CLAIRE
>200.67.149.201 21 [15]USER anonymous - 331 0 0 0 0 FTP - - - -
>2002-05-03 14:13:03 80.14.189.197 Ugpuser@home.com MSFTPSVC1 CL
>200.67.149.201 21 [15]PASS Ugpuser@home.com - 230 0 0 0 180 FTP - - - -
>2002-05-03 14:13:05 80.14.189.197 Ugpuser@home.com MSFTPSVC1 CL
>200.67.149.201 21 [15]MKD 020503161000p - 257 0 0 0 0 FTP - - - -
>2002-05-03 14:13:05 80.14.189.197 Ugpuser@home.com MSFTPSVC1 CL
>200.67.149.201 21 [15]RMD 020503161000p - 250 0 0 0 0 FTP - - - -
>2002-05-03 14:13:07 80.14.189.197 Ugpuser@home.com MSFTPSVC1 CL
>200.67.149.201 21 [15]closed - - 426 170 0 0 420 FTP - - - -
>
>WHAT AM I MISSING?
>Does someone have a nice FTP response translator?
>
>V i c t o r S G a r c i a T u r e g a n o
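
The pattern in the quoted log (an anonymous login followed by a successful MKD and RMD) can be pulled out of an IIS FTP log automatically. The Python below is an added example, not part of the original thread; it assumes the bracketed number in cs-method identifies the connection and that each record sits on one line (the e-mail wrapped them), and its sample log is constructed.

```python
import re

# Constructed sample in the IIS 5.0 FTP log layout quoted in the post, trimmed to
# twelve fields; addresses and names are documentation values, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2002-05-03 14:13:03 192.0.2.10 anonymous MSFTPSVC1 HOST1 198.51.100.5 21 [15]USER anonymous - 331
2002-05-03 14:13:03 192.0.2.10 probe@example.com MSFTPSVC1 HOST1 198.51.100.5 21 [15]PASS probe@example.com - 230
2002-05-03 14:13:05 192.0.2.10 probe@example.com MSFTPSVC1 HOST1 198.51.100.5 21 [15]MKD 020503161000p - 257
2002-05-03 14:13:05 192.0.2.10 probe@example.com MSFTPSVC1 HOST1 198.51.100.5 21 [15]RMD 020503161000p - 250
2002-05-03 14:20:00 192.0.2.77 alice MSFTPSVC1 HOST1 198.51.100.5 21 [16]USER alice - 331
2002-05-03 14:20:01 192.0.2.77 alice MSFTPSVC1 HOST1 198.51.100.5 21 [16]PASS - - 230
2002-05-03 14:20:09 192.0.2.77 alice MSFTPSVC1 HOST1 198.51.100.5 21 [16]MKD reports - 257
2002-05-03 14:31:40 192.0.2.10 anonymous MSFTPSVC1 HOST1 198.51.100.5 21 [17]USER anonymous - 331
2002-05-03 14:31:42 192.0.2.10 x@example.com MSFTPSVC1 HOST1 198.51.100.5 21 [17]MKD tmp1 - 550
"""

WRITE_VERBS = {"MKD", "RMD", "DELE"}   # FTP commands that change the file system
SUCCESS = {"250", "257"}               # RFC 959: action completed / pathname created

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            m = re.match(r"\[(\d+)\](\w+)$", rec.get("cs-method", ""))
            if m:  # split "[15]MKD" into connection id and command
                rec["session"], rec["verb"] = m.group(1), m.group(2)
                yield rec

def anonymous_writes(log_text):
    """Return successful write commands from sessions that sent USER anonymous."""
    anon, hits = set(), []   # anon holds (client ip, connection id) pairs
    for r in parse(log_text):
        key = (r["c-ip"], r["session"])
        if r["verb"] == "USER" and r.get("cs-uri-stem", "").lower() == "anonymous":
            anon.add(key)
        elif key in anon and r["verb"] in WRITE_VERBS and r.get("sc-status") in SUCCESS:
            hits.append((r["date"], r["time"], r["c-ip"], r["verb"], r["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for hit in anonymous_writes(SAMPLE_LOG):
        print(*hit)
```

The session is tracked from the USER command because, as the quoted log shows, the cs-username column switches to the supplied password string after an anonymous login.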