RE: Co-Hosting SQL with IIS FTP service
- From: <mcclenbw@xxxxxxxxxxx>
- Date: Wed, 26 Jul 2006 14:13:45 -0400
#2 should read: there may be security issues, since FTP does not provide
a secure authentication mechanism NOR a secure transmission mechanism.
Note I removed IIS out of there. It's the FTP protocol that's insecure,
don't go blaming Microsoft.
If this is a new deployment, I would suggest looking into deploying SFTP
instead of FTP. A bank using FTP kinda scares me. :)
Brady McClenon
Administrative Computer Services
State University College at Oneonta
-----Original Message-----
From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
Sent: Tuesday, July 25, 2006 10:20 PM
To: Steve Armstrong; chris.dalton@xxxxxxxxxxxxxxxxxx
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Co-Hosting SQL with IIS FTP service
Nope.
His question suggests nothing more than that they're
considering this deployment and that he's asking for advice
before it's built. This "unpatched vulnerabilities" FUD is
applicable to any operating system / application combination.
Such statements are self-defeating as the only logical
conclusion to be drawn from them is "don't use computers".
Not much help, wouldn't you say?
Now to actually answer the question posed:
1. there are no functional conflicts between SQL and IIS;
their network resource demands are unique.
2. there may be security issues, since IIS FTP does not
provide a secure authentication mechanism
3. FTP (IIS or otherwise) is *always* a target for the script
kiddies and WAREZ folks; deploy this with great care
Your application security is dependent on how you choose to
configure the app; there are many references on
http://microsoft.com/technet and
http://microsoft.com/security for securing IIS and SQL services
If the machine resources are enough, you can also use your
favorite virtualization technology to separate the FTP and
SQL servers and thus avoid the combinational security issues
that public FTP services may impose on the SQL server.
Jim Harrison <jmharr@xxxxxxxxxxxxx>
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!
________________________________
From: Steve Armstrong [mailto:stevearmstrong@xxxxxxxxxxxxxxxxxxx]
Sent: Tue 7/25/2006 09:25
To: chris.dalton@xxxxxxxxxxxxxxxxxx
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Co-Hosting SQL with IIS FTP service
Chris
Possibly not the best email to send from your employer's email server.
It suggests you are using MS servers with IIS and FTP enabled
backending, I would guess "on the same box" to MS SQL.
While you will get some information about the
vulnerabilities, most here would expect you to keep your
bank's systems patched. What you will get from this kind of
forum is advice on patches to vulnerabilities that have been
disclosed; however, you will not get info on new exploits
(the zero-day type hackers use against the likes of banks) on
non-publicly disclosed vulnerabilities.
Therefore, you will not be able to prevent exploits that MS
is still working to patch. With a disclosure regarding your
infrastructure on such a public forum, you should watch your
front facing Sy barriers for increased attacks aimed
specifically at MS architecture. Best give the IDS/IPS and
incident staff a nod too. I recognise you may be double
bluffing, but I will bet you will still get a 100% increase
in the MS exploits thrown at your FW and internet gateways.
As to your question, try secunia.com, www.osvdb.org and good
old www.packetstormsecurity.nl
Steve A
-----Original Message-----
From: chris.dalton@xxxxxxxxxxxxxxxxxx
[mailto:chris.dalton@xxxxxxxxxxxxxxxxxx]
Sent: 25 July 2006 15:42
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Co-Hosting SQL with IIS FTP service
Can anyone guide me as to what type of issues with
inter-system dependencies might arise by co hosting IIS FTP
service with SQL?
Anyone know of any articles on the exploits?