Re: Locked out users still can ftp

From: Mark Ingalls [MS] (marking@online.microsoft.com)
Date: 12/06/02


From: "Mark Ingalls [MS]" <marking@online.microsoft.com>
Date: Fri, 6 Dec 2002 13:09:59 -0800


for performance reasons, IIS caches user tokens after login. the amount of
time that IIS will cache these values is configurable. see

http://support.microsoft.com/default.aspx?scid=kb;en-us;152526

for more information.

thanks,
mark

--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:OAplr1UnCHA.2428@TK2MSFTNGP08...
>
> "Chris" <cbeazley@cdnpay.ca> wrote in message
> news:051d01c29d40$ae3b60f0$cef82ecf@TK2MSFTNGXA08...
> > I have an IIS 5  on win2k server.  Anonymous users
> > disabled and setup local user accounts.  I set local
> > policy to lockout after 3 failed attempts.  If I login 6
> > times with bad passwords and check the account it shows me
> > the account is locked out.  The problem is I can still
> > login via ftp.  If I restart the IIS services then the
> > account is locked out.
> >
> > Nice security microsoft....not !!!
> >
> > Any ideas would be appreciated.
>
> I know, I don't like this either.  AFAIK this is just the way IIS works.  I
> think you would need to use a third party FTP server to try to do otherwise.
> There are some free ones out there.
>
> Note, however that:
>
> FTP by itself is not very secure, e.g. passwords are passed in sniffable
> plain-text, so arguably the issue you brought up is arguably not the largest
> security issue with IIS and other FTP servers.
>
> Also, even if you switch from IIS to another FTP server, most of the servers
> out there have the same security problems, e.g. you need to install the
> latest patches and you need to be careful to remove anonymous user access
> from being able to both read and write to any folder.
>
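
A simplified model of the token caching described in the reply above, added here as an illustration; it is not IIS code and not part of the original thread. The class names, the sample account and the TTL values are assumptions; the point is that a cached token is honoured without re-checking lockout state until the TTL expires or the service restarts.

```python
import hashlib

class AccountDB:
    """Stand-in for the local account database with a lockout policy."""
    def __init__(self, threshold=3):
        self.threshold, self.passwords, self.failures = threshold, {}, {}
    def add(self, user, password):
        self.passwords[user], self.failures[user] = password, 0
    def locked(self, user):
        return self.failures[user] >= self.threshold
    def logon(self, user, password):
        """Full logon: enforces lockout and counts bad passwords."""
        if self.locked(user):
            return None
        if self.passwords[user] != password:
            self.failures[user] += 1
            return None
        self.failures[user] = 0
        return f"token:{user}"

class CachingFtpService:
    """Caches logon tokens for ttl seconds; a cache hit skips the account database."""
    def __init__(self, db, ttl):
        self.db, self.ttl, self.cache = db, ttl, {}

    def login(self, user, password, now):
        key = hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()
        hit = self.cache.get(key)
        if hit and now - hit[1] < self.ttl:
            return hit[0]          # lockout state is never consulted on a hit
        token = self.db.logon(user, password)
        if token:
            self.cache[key] = (token, now)
        return token

    def restart(self):
        self.cache.clear()         # a service restart empties the cache

def scenario(ttl):
    """Returns (account_locked, login_inside_window_ok, login_after_ttl_ok)."""
    db = AccountDB(threshold=3)
    db.add("chris", "correct-pw")                  # constructed sample account
    svc = CachingFtpService(db, ttl)
    svc.login("chris", "correct-pw", now=0)        # token is cached here
    for t in range(1, 7):                          # six bad passwords lock the account
        svc.login("chris", "wrong", now=t)
    return (db.locked("chris"),
            svc.login("chris", "correct-pw", now=10) is not None,
            svc.login("chris", "correct-pw", now=ttl + 11) is not None)
```

With a long TTL the locked account still logs in at `now=10`; with a TTL shorter than that gap the cached token has expired and the lockout takes effect.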

