Re: Secure FTP server for Windows

From: Mike Sweeney (mikesweeney_at_packetattack.com)
Date: 12/08/04

    To: "Dana Epp" <dana@vulscan.com>, security-basics@lists.securityfocus.com
    Date: Tue, 7 Dec 2004 16:36:49 -0800
    
    

    Clap..clap..clap..

    Windows 2000 has been certified by the Common Criteria Certification (E4), which is a provable and repeatable worldwide test of security. 2003 is not yet (??) certified. These things change all the time, so do a google (is google a verb?) to get current information.

    As Smokey Yunick once commented, The engine doesn't know what brand it is (he won with a variety of brands). As long as you stick with proven principles, they all work well.

    Mike Sweeney

    ___________________________________________________________________________
     
    Packetattack.com
    Network Design and Security
    www.packetattack.com
     
    Office (714).637.4235

    "QUIS CUSTODIET IPSOS CUSTODES"
        WHO SHALL GUARD THE GUARDS

    > ------------Original Message------------
    > From: "Dana Epp" <dana@vulscan.com>
    > To: "Volker Kindermann" <ml@ps102.de>, security-basics@lists.securityfocus.com
    > Date: Tue, Dec-7-2004 4:11 PM
    > Subject: Re: Secure FTP server for Windows
    >
    > Oh come on now.
    >
    > Comments like this are so unproductive to the conversation. Any operating
    > system, including Windows, can be made secure. WHAT level of security is
    > dependent on the risks you are trying to mitigate. You CAN make Windows
    > secure, just as easily as how you can easily make Unix INSECURE. It's all in
    > how you approach it.
    >
    > It comes down that you need to quit thinking of the technical safeguards as
    > THE solution and instead apply real world infosec policies to reduce the
    > risks and protect the assets you need to by applying the safeguards as part
    > of a bigger process. I blogged about this a year ago when I talked about the
    > "8 rules of Information Security"
    > (http://silverstr.ufies.org/blog/archives/000468.html)
    >
    > In this case, you can definitely set up a secure SSH server on Windows, jail
    > the environment and tighten the file ACLs to allow for SCP access for files
    > you wish to exchange. This would be NO different than applying the same
    > thing on a Unix environment. So instead of slagging the operating system
    > think about what assets need to be protected, and what infosec policies need
    > to be applied to effectively give access to those who need access to the
    > asset. Then apply the technical safeguards in the OS as required.
    >
    > I mean no disrespect Volker, but this kind of position doesn't help the
    > situation. It only hinders any progress we can make by applying a higher
    > level of thinking through sound infosec policies. And that's platform
    > neutral.
    >
    >
    > ----- Original Message -----
    > From: "Volker Kindermann" <ml@ps102.de>
    > To: <security-basics@lists.securityfocus.com>
    > Sent: Sunday, December 05, 2004 7:55 AM
    > Subject: Re: Secure FTP server for Windows
    >
    >
    > > Hi Derek,
    > >
    > >
    > >> Can anyone recommend an FTP server for Windows which has been written
    > >> with security in mind? I only really know such things about Linux (where
    > >> vsftpd is the obvious choice) but I've been asked to recommend a
    > >> Windows2000 or WindowsXP product.
    > >
    > > please consider that you can't operate a secure ftp server on top of an
    > > insecure operating system. With this in mind there is no secure ftp server
    > > for windows.
    > >
    > >
    > > -volker
    > >
    >
    >
    >
    >
    >

