Focus on Microsoft
FTP server security. Nov 11 2003 02:04AM
Michael Bellears (michael bellears staff datafx com au) (3 replies)
RE: FTP server security. Nov 13 2003 04:52AM
Laura A. Robinson (larobins bellatlantic net)
Yes. Use Windows Server 2003.

There are kludgy methods to make it work in Win2K, but this is an inherent
part of FTP in Win2K3.

Laura

> -----Original Message-----
> From: Michael Bellears [mailto:michael.bellears (at) staff.datafx.com (dot) au]
> Sent: Monday, November 10, 2003 9:05 PM
> To: focus-ms (at) securityfocus (dot) com
> Subject: FTP server security.
>
>
> We are running 2000 advanced server, hosting multiple virtual
> domains for clients, with FTP access via Virtual Directories.
>
> I have noticed that any user connecting via FTP is dumped
> into "/username" - e.g.
>
> # ftp xxx.xxx.xxx.xxx
> Connected to xxx.xxx.xxx.xxx.
> 220 iis02 Microsoft FTP Service (Version 5.0).
> Name (xxx.xxx.xxx.xxx:mb): craig
> 331 Password required for craig.
> Password:
> 230 User craig logged in.
> Remote system type is Windows_NT.
> ftp> pwd
> 257 "/craig" is current directory.
>
> If I perform a cd ../different_username, I am successfully
> dropped into that client's dir:
>
> ftp> cd ../1800contacts
> 250 CWD command successful.
> ftp> pwd
> 257 "/1800contacts" is current directory.
>
> Once in there, I am able to list, create, and delete -
> Obviously something I need to restrict!
>
> Is there any way to 'jail' each user to their own directory
> tree? - i.e. once authenticated, they cannot perform a "cd
> ../whatever" - If not, is there a 'recommended'
> ownership/perms that will restrict access, but still allow
> browsing via the web?
>
> Regards,
> MB

Re: FTP server security. Nov 12 2003 05:09AM
Jorge Alejandro Olivo Ramirez (jorge alestraidc net mx)
Re: FTP server security. Nov 11 2003 03:54PM
Ivan Hernandez (ivan hernandez globalsis com ar)
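
An added example, not part of the original thread: a small check an administrator could run over a saved command-line `ftp` session from their own test account to confirm whether users are actually confined to the directory they log into. The sample session is constructed from the one quoted in the original post, and the function names are hypothetical.

```python
import posixpath
import re

# Constructed sample: the client session from the original post, condensed.
SESSION = '''\
230 User craig logged in.
ftp> pwd
257 "/craig" is current directory.
ftp> cd ../1800contacts
250 CWD command successful.
ftp> pwd
257 "/1800contacts" is current directory.
'''

def inside(home, path):
    """True if path is home itself or below it (both absolute virtual paths)."""
    home = posixpath.normpath(home)
    path = posixpath.normpath(path)
    # Compare on a path-component boundary so "/craigslist" is not "/craig".
    return path == home or path.startswith(home.rstrip("/") + "/")

def find_escapes(transcript):
    """Replay an ftp client transcript and return (command, resulting_dir)
    for every successful cd that leaves the directory the user logged into."""
    home = cwd = pending = None
    escapes = []
    for line in transcript.splitlines():
        line = line.strip()
        m = re.match(r'257 "([^"]*)"', line)
        if m:                                   # PWD reply: server's view wins
            cwd = m.group(1)
            home = home or cwd                  # first PWD after login = home
        elif line.startswith("ftp> cd "):
            pending = line[len("ftp> cd "):].strip()
        elif line.startswith("250") and pending is not None and cwd:
            # Resolve the argument relative to the current virtual directory.
            cwd = posixpath.normpath(posixpath.join(cwd, pending))
            if not inside(home, cwd):
                escapes.append(("cd " + pending, cwd))
            pending = None
        elif line[:1] in ("4", "5"):            # refused command: cwd unchanged
            pending = None
    return escapes
```

On a server that isolates users, the same test session should produce an empty list because the `cd ../other_user` step is refused.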
Copyright 2008, SecurityFocus