Re: Locked out users still can ftp

From: Alun Jones (alun@texis.com)
Date: 12/06/02

• Next message: Tim Greene: "RE: Domain name prefix in Integrated Windows security"
• Previous message: Alun Jones: "Re: How do I remove files after Warez on FTP?"
• In reply to: Mark Ingalls [MS]: "Re: Locked out users still can ftp"
• Next in thread: BB: "Re: Locked out users still can ftp"
• Reply: BB: "Re: Locked out users still can ftp"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: alun@texis.com (Alun Jones)
Date: Fri, 06 Dec 2002 21:49:07 GMT

In article <OmFHTvWnCHA.2408@TK2MSFTNGP10>, "Mark Ingalls [MS]"
<marking@online.microsoft.com> wrote:
>for performance reasons, IIS caches user tokesn after login. the amount of
>time that IIS will cache these values is configurable. see

Wow. For security reasons, we don't cache user tokens in WFTPD Pro. Or file
handles, for that matter (another sore point). If it's to be cached, it
should usually be the operating system that does it, not the application. The
OS knows about all the nitty-gritty bits of security, the application
shouldn't have to (unless it knows an _awful_ lot more than the OS).

The OP may find that a change of FTP server gives the security he/she needs
(along with allowing for SSL, to correct the problem that Karl Levinson noted,
that usernames and passwords are normally transmitted in clear text).

Not, mind you, that there's anything wrong with IIS - it's good for beginning
an FTP site, and some people find it serves their needs very well.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.

---

• Next message: Tim Greene: "RE: Domain name prefix in Integrated Windows security"
• Previous message: Alun Jones: "Re: How do I remove files after Warez on FTP?"
• In reply to: Mark Ingalls [MS]: "Re: Locked out users still can ftp"
• Next in thread: BB: "Re: Locked out users still can ftp"
• Reply: BB: "Re: Locked out users still can ftp"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Mac Server Hacked In Less Than 6 Hours ... Windows has RAS, and for it is built in since NT 3.1 ... | A typical IIS box and this Mac are not the same thing so the comparison ... IIS has been subject to quite a few bugs and so have ... Security isn't a proprietary attribute. ... (sci.crypt) Re: DCOM calls fails - access denied ... That's exactly how I understood the ASP.NET security. ... But why does one configuration work but not the other? ... should get the token from IIS. ... If you set there a domain account, ... (microsoft.public.dotnet.framework.aspnet.security) Re: How to secure IIS? ... XP as well, because even if you don't install IIS, there are still a number ... If you think Windows 98 is secure, ... easy to attack, if there's no firewall... ... IIS security checklists] 3) install firewall and antivirus, ... (microsoft.public.inetserver.iis.security) RE: .pdf security using ASP.NET security... ... I am wondering if using the aspnet_isapi.dll to handle PDF files security ... IIS has a list of Application Mappings which dictate whether a particular ... entries that tell aspnet_isapi.dll what to do with various file types. ... Files that do have app mappings require all the same steps, ... (microsoft.public.dotnet.framework.aspnet.security) Re: impact of mapping .??? to ASP.NET ISAPI??? ... security issue, either from ASP.NET or IIS (this is something that my ISP ... > entries that tell aspnet_isapi.dll what to do with various file types. ... > process the request. ... (microsoft.public.dotnet.framework.aspnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)