Re: Turning off the FTP Banner

From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 06/11/03


Date: Wed, 11 Jun 2003 12:43:30 GMT


In article <O8IjBl5KDHA.2312@TK2MSFTNGP09.phx.gbl>, "Neil Owens"
<neil_o@ntlworld.com> wrote:
>I've looked high and low to try and turn off the IIS5 FTP banner announcing
>my machine name and which version of IIS I'm running.
>
>So, please, how do I turn it off?

Think about what that will gain you. I presume you are trying to protect
against hackers.

Okay, so let's start with a blinding observation or two:

1. Most hackers aiming their tools at FTP sites don't bother to check the
banner, and just fire off the hack-du-jour.
2. Some of them don't even care whether it's FTP or not - they fire off
their favourite exploit of the moment at all open ports on any IP address
they find. Set up a sacrificial FTP server, and you'll find it's hit by
several requests for HTTP proxies.
3. Many graphical FTP clients key off the greeting banner to determine how
they present certain features. Changing the banner would reduce the
usefulness of such a client, and make the user experience less comfortable.

The only answer I've heard to those two points is to suggest that maybe
there's a hacker who is specifically targeting your organisation. Okay,
let's assume that, and we'll come to blinding observation number four:

4. A targeted hacker, who cares what system you're running, can determine
it from any number of sources - the responses given to certain commands, IP
fingerprinting, or even social engineering. He may even be well aware of
what version you're running before the banner even displays. Even so, most
targeted hackers will simply run every known exploit at you, because it's
quicker.

Changing the greeting message is not a significant security protection, in
my view. I hope I've adequately explained above why I believe this.

Alun.
~~~~
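
An added example, not part of the original post: a small triage script for the sacrificial FTP server mentioned in point 2, which sorts the first line each client sends on port 21 into FTP traffic, HTTP proxy probes, other HTTP requests, and everything else. The function names, the verb list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Verbs a genuine FTP client is likely to send first (RFC 959 and extensions).
FTP_VERBS = {"USER", "PASS", "AUTH", "FEAT", "SYST", "QUIT", "HELP", "NOOP", "HOST", "OPTS"}

# An HTTP/1.x request line: METHOD SP target SP HTTP/x.y
HTTP_LINE = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT)\s+(\S+)\s+HTTP/\d\.\d$"
)
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify_first_line(line: str) -> str:
    """Classify the first line a client sent to the FTP control port."""
    line = line.rstrip("\r\n")
    m = HTTP_LINE.match(line)
    if m:
        method, target = m.groups()
        # Proxy-style requests use CONNECT host:port or an absolute-URI target.
        if method == "CONNECT" or ABSOLUTE_URI.match(target):
            return "http-proxy-probe"
        return "http-request"
    verb = line.split(" ", 1)[0].upper()
    return "ftp" if verb in FTP_VERBS else "other"


def summarise(lines):
    """Count how many first lines fall into each category."""
    return Counter(classify_first_line(l) for l in lines)


# Constructed sample input: first lines as a listener on port 21 might log them.
SAMPLE_FIRST_LINES = [
    "USER anonymous\r\n",
    "user ftp\r\n",
    "GET http://example.com/ HTTP/1.0\r\n",
    "CONNECT example.com:443 HTTP/1.1\r\n",
    "GET / HTTP/1.1\r\n",
    "\x16\x03\x01\x00\xa5",  # binary handshake bytes, not a text protocol
]

if __name__ == "__main__":
    for category, count in summarise(SAMPLE_FIRST_LINES).most_common():
        print(f"{category:18} {count}")
```
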


