Re: Locked out users still can ftp

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/06/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Fri, 6 Dec 2002 12:30:18 -0500


"Chris" <cbeazley@cdnpay.ca> wrote in message
news:051d01c29d40$ae3b60f0$cef82ecf@TK2MSFTNGXA08...
> I have an IIS 5 on win2k server. Anonymous users
> disabled and set up local user accounts. I set local
> policy to lock out after 3 failed attempts. If I log in 6
> times with bad passwords and check the account it shows me
> the account is locked out. The problem is I can still
> log in via ftp. If I restart the IIS services then the
> account is locked out.
>
> Nice security Microsoft....not !!!
>
> Any ideas would be appreciated.

I know, I don't like this either. AFAIK this is just the way IIS works. I
think you would need to use a third party FTP server to try to do otherwise.
There are some free ones out there.

Note, however, that:

FTP by itself is not very secure, e.g. passwords are passed in sniffable
plain-text, so arguably the issue you brought up is not the largest
security issue with IIS and other FTP servers.

Also, even if you switch from IIS to another FTP server, most of the servers
out there have the same security problems, e.g. you need to install the
latest patches and you need to be careful to remove anonymous user access
from being able to both read and write to any folder.


