Re: FTP Security
From: x y (levinson_k@excite.com)
Date: 01/17/03
- In reply to: BB: "Re: FTP Security"
From: "x y" <levinson_k@excite.com> Date: Fri, 17 Jan 2003 09:57:36 -0500
Also note that with the default settings, a locked out account can still be
used to log into FTP. There was a discussion of this here within the past 2
months. See here:
http://groups.google.com/groups?threadm=OmFHTvWnCHA.2408%40TK2MSFTNGP10
This is not the first thing I would worry about when making an FTP server.
User password guessing is I guess theoretically possible, but would be
extremely slow, is not very common to my knowledge and could definitely be
discovered way before the hacking was by enabling auditing and by monitoring
the security event log either using www.IPSentry.com or by using a home
written batch file with the tools DUMPEL and BLAT [DUMPEL is from the
Microsoft Windows Resource Kit, which is free if you have Technet].
http://securityadmin.info/faq.htm#auditing
However, if some of your users have weak passwords, password guessing like
this could be successful. You can fix this with your Windows account
policy.
A much much bigger problem is that if you are using IIS FTP with user
accounts, those user accounts and passwords are being passed in plain text
across the network or the internet. Given that, making the accounts lock
out seems not so serious at all. Note that network switches do NOT prevent
sniffing of passwords.
Perhaps you already have done these, but be very sure the anonymous FTP user
[usually IUSR by default, unless you also run a web server and you decide it
is a security issue to use the same account for both] does not have both
read and write permission to any folder, and also remove the POSIX
subsystem.
Other things you should consider doing:
http://securityadmin.info/faq.htm#harden
http://securityadmin.info
www.cert.org/tech_tips
"BB" <Bernard_at_3exp.com> wrote in message
news:#IG4FfhvCHA.2060@TK2MSFTNGP11...
> This is not supported. The RFC that IIS FTP is based on
> doesn't have such a standard. The logout only applies to the
> Windows environment, and FTP is not one of it.
>
> Rgds.
>
>
> "Mat G" <djmg2@lycos.co.uk> wrote in message
> news:4d46a596.0301170156.5a806f23@posting.google.com...
> > I am fairly new to web server admin (although I have been doing NT4
> > domain admin since 1997) and have two web servers to look after. One
> > of which runs IIS5 on Win2k.
> >
> > I need to make the ftp as secure as I can. I have configured account
> > lockout and expiration on the usernames that our various web
> > developers use to ftp in, and assumed if an incorrect password was
> > entered when ftping in, it would lock out after three attempts.
> >
> > It doesn't. How can I get the account to lock out after unsuccessful
> > password attempts when connecting via FTP?
> >
> > Many thanks,
> > Mat G
> > Birmingham, UK
>
>
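The reply above recommends enabling auditing and monitoring logs for password guessing rather than relying on lockout, since by default a locked-out account can still log in over IIS FTP. The following is an added example, not code from the thread: it runs that kind of detection over constructed IIS W3C-format FTP log lines (the field set is an assumption declared in the `#Fields:` header), flags any user/client pair with three or more failed `PASS` commands (status 530) inside a ten-minute window, and notes whether a later `PASS` succeeded (status 230) after the burst.

```python
"""Detect FTP password-guessing in IIS W3C-format FTP logs (added example).

SAMPLE_LOG below is constructed; the field order is taken from the '#Fields:'
header line, as in IIS W3C extended logging (assumed field set).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-01-17 09:57:01 10.0.0.5 - [1]USER mat 331
2003-01-17 09:57:02 10.0.0.5 mat [1]PASS - 530
2003-01-17 09:57:03 10.0.0.5 mat [1]PASS - 530
2003-01-17 09:57:04 10.0.0.5 mat [1]PASS - 530
2003-01-17 09:57:05 10.0.0.5 mat [1]PASS - 230
2003-01-17 10:30:00 10.0.0.9 - [2]USER alice 331
2003-01-17 10:30:01 10.0.0.9 alice [2]PASS - 230
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_guessing(text, threshold=3, window=timedelta(minutes=10)):
    """Return {(user, ip): {"failures": n, "succeeded_after": bool}} for every
    user/client pair whose failed PASS count reached the threshold inside the
    window; succeeded_after is set if a PASS returned 230 after the alert."""
    failures = defaultdict(list)
    alerts = {}
    for r in parse_w3c(text):
        if not r["cs-method"].endswith("PASS"):
            continue
        key = (r["cs-username"], r["c-ip"])
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        if r["sc-status"] == "530":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alerts[key] = {"failures": len(recent), "succeeded_after": False}
        elif r["sc-status"] == "230" and key in alerts:
            alerts[key]["succeeded_after"] = True
    return alerts
```

A `succeeded_after` of `True` is the case the reply warns about: the guessing continued past the lockout threshold and ended in a successful login, which the account policy alone would not have stopped.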