Re: Question about FTP and privacy
From: Karl Levinson [x y] mvp (levinson_k@despammed.com)
Date: 03/02/03
From: "Karl Levinson [x y] mvp" <levinson_k@despammed.com> Date: Sun, 2 Mar 2003 10:11:02 -0500
Good...

Do note that MBSA is not a full security check. I doubt they check to make sure that the anonymous IUSR account does not have both read and write access to any given folder. If you leave a folder with both read and write access for the anonymous FTP user, you will be hacked. To see other people who were hacked in this way, you can go to www.google.com/advanced_group_search and search this newsgroup for "ftp" or "ftp AND delete". IMHO it is a big mistake to fail to close this security hole.

http://securityadmin.info/faq.htm#ftpfolder

Information on how to set up a user and password in FTP:
http://securityadmin.info/faq.htm#11.20
"Gross" <martygross@msn.com> wrote in message
news:06e501c2e05f$d4fc1380$a001280a@phx.gbl...
> Now, here's the answer I was looking for:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;142853
>
> >-----Original Message-----
> >I would assume they could just log in anonymously to your FTP server and use
> >the command to list the directories on your FTP server using an FTP client
> >instead of a web browser. This would be trivial.
> >
> >The fixes are to disable the anonymous user account [by default, the IUSR
> >account] and set up or use your own account, and/or remove read and write
> >NTFS permissions to the folder from the IUSR account by right-clicking on
> >the folder and selecting properties either within the IIS MMC or in Windows
> >Explorer. www.iisfaq.com has more information on how to set up a user.
> >
> >Do note that passwords with IIS FTP by default are passed across the network
> >in clear text, so that someone who compromised a computer or device between
> >you and the server [or the server itself] could install a free sniffer and
> >get your password. The fix is to use a third party FTP server AND client
> >that uses encryption, or use the anonymous FTP and just don't store anything
> >sensitive there.
> >
> >PS with any FTP server, never never let the anonymous user have both read
> >and write permissions to any folder, or you'll be hacked.
> >
> >Other things you should do to secure the IIS www service and Windows:
> >
> >http://securityadmin.info/faq.htm#harden
> >
> >"Gross" <martygross@msn.com> wrote in message
> >news:c21c5c9c.0303010813.17efec1@posting.google.com...
> >> I've set up the FTP service in XP PRO. My question is, since the
> >> files are viewed using the ftp://servername/virtual dir name, will
> >> anyone be able to access my files if they did NOT know the virtual
> >> directory name?
> >>
> >> I'm sure if they guessed the name, they could, but how else could they
> >> access my files if they did not know the name of the virtual
> >> directory?
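The check both posts in this thread keep coming back to (an anonymous FTP account holding read and write on the same folder) can be audited rather than eyeballed folder by folder. The script below is an added example, not from the post or from any Microsoft tooling; it assumes the FTP root path shown and that the anonymous identity is MACHINE\IUSR_MACHINENAME (IIS 5/6) or NT AUTHORITY\IUSR (IIS 7 and later).

```powershell
# Added example, not from the post or from any vendor tooling: audit the IIS FTP
# root for the condition the post warns about, an anonymous-account ACE that grants
# both read and write on the same folder. Assumed: the root path below and that the
# anonymous FTP identity is MACHINE\IUSR_MACHINENAME (IIS 5/6) or NT AUTHORITY\IUSR.
param([string]$FtpRoot = 'C:\Inetpub\ftproot')

$AnonPattern = '\\IUSR(_|$)'
$FSR = [System.Security.AccessControl.FileSystemRights]
$ReadBits  = [int64]($FSR::ReadData)                          # ListDirectory shares this bit
$WriteBits = [int64]($FSR::WriteData -bor $FSR::AppendData)   # CreateFiles/CreateDirectories too

function Test-AnonymousReadWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($Ace.IdentityReference.Value -notmatch $AnonPattern) { return $false }
    # Work on the raw 32-bit mask: inherited ACEs can carry GENERIC_READ/WRITE/ALL
    # bits that the FileSystemRights enum does not name, and Modify/FullControl
    # are supersets of the specific bits, so comparing enum names misses cases.
    $mask = [int64]([int]$Ace.FileSystemRights) -band 0xFFFFFFFF
    $genericAll = ($mask -band 0x10000000) -ne 0
    $canRead  = $genericAll -or (($mask -band 0x80000000) -ne 0) -or (($mask -band $ReadBits) -ne 0)
    $canWrite = $genericAll -or (($mask -band 0x40000000) -ne 0) -or (($mask -band $WriteBits) -ne 0)
    return ($canRead -and $canWrite)
}

# The root itself plus every subfolder; a virtual directory whose physical path
# lies elsewhere must be audited separately by passing that path as -FtpRoot.
$folders = @(Get-Item -Path $FtpRoot) +
           @(Get-ChildItem -Path $FtpRoot -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if (Test-AnonymousReadWrite -Ace $ace) {
            [pscustomobject]@{
                Folder   = $dir.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No folder under $FtpRoot grants the anonymous account both read and write." }
```

Run it from an elevated prompt on the FTP server; each folder it lists is one to fix by removing the IUSR write rights in the folder's Security properties, as the post describes.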