FTP server security.
From: Michael Bellears (michael.bellears_at_staff.datafx.com.au)
Date: 11/11/03
Date: Tue, 11 Nov 2003 12:04:32 +1000 To: <focus-ms@securityfocus.com>
We are running 2000 advanced server, hosting multiple virtual domains
for clients, with FTP access via Virtual Directories.
I have noticed that any user connecting via FTP is dumped into
"/username" - e.g.
# ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx.
220 iis02 Microsoft FTP Service (Version 5.0).
Name (xxx.xxx.xxx.xxx:mb): craig
331 Password required for craig.
Password:
230 User craig logged in.
Remote system type is Windows_NT.
ftp> pwd
257 "/craig" is current directory.
If I perform a cd ../different_username, I am successfully dropped into
that client's dir:
ftp> cd ../1800contacts
250 CWD command successful.
ftp> pwd
257 "/1800contacts" is current directory.
Once in there, I am able to list, create, and delete - Obviously
something I need to restrict!
Is there any way to 'jail' each user to their own directory tree? - i.e.
once authenticated, they cannot perform a "cd ../whatever" - If not, is
there a 'recommended' ownership/perms that will restrict access, but
still allow browsing via the web?
Regards,
MB
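
Added example, not part of the original post: a small Python check that reads a captured FTP client session like the one above and reports every pwd reply that lands outside the directory the user was given at login, so the same test can be repeated after permissions are changed. The function names and the 550 reply text in the second sample are assumptions made for illustration.

```python
import posixpath
import re

PWD_REPLY = re.compile(r'^257 "([^"]*)"')            # server reply to pwd
CD_CMD = re.compile(r'^ftp>\s*cd\s+(\S+)', re.I)     # client command as typed

def inside(home, path):
    """True if path is home or below it (compared case-insensitively)."""
    home, path = home.lower(), path.lower()
    return path == home or path.startswith(home.rstrip("/") + "/")

def find_escapes(transcript):
    """Return (cd_argument, resulting_dir) for each pwd reply outside the login directory."""
    home = last_cd = None
    findings = []
    for line in map(str.strip, transcript.splitlines()):
        if line.startswith("230 "):                  # login succeeded: new session
            home = last_cd = None
        elif CD_CMD.match(line):
            last_cd = CD_CMD.match(line).group(1)
        elif PWD_REPLY.match(line):
            cur = posixpath.normpath(PWD_REPLY.match(line).group(1))
            if home is None:
                home = cur                           # first pwd after login
            elif not inside(home, cur):
                findings.append((last_cd, cur))
    return findings

# Lines taken from the session in the post above.
POSTED = '''230 User craig logged in.
ftp> pwd
257 "/craig" is current directory.
ftp> cd ../1800contacts
250 CWD command successful.
ftp> pwd
257 "/1800contacts" is current directory.'''

# Constructed sample: the same test when the sibling directory is refused.
ISOLATED = '''230 User craig logged in.
ftp> pwd
257 "/craig" is current directory.
ftp> cd ../1800contacts
550 ../1800contacts: Access is denied.
ftp> pwd
257 "/craig" is current directory.'''

if __name__ == "__main__":
    print(find_escapes(POSTED))
    print(find_escapes(ISOLATED))
```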