|
|
Focus on Microsoft
FTP on IIS Jan 18 2008 06:57PM lauren malhoit tylertech com (6 replies) RE: FTP on IIS Jan 18 2008 10:20PM Lucas, Mark J. (mjlucas caltech edu) (3 replies) RE: FTP on IIS Jan 21 2008 06:15AM Ken Schaefer (Ken adOpenStatic com) (2 replies) Re: FTP on IIS Jan 18 2008 08:02PM Andrea Gatta (andrea gatta gmail com) (1 replies) |
|
Privacy Statement |
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, 22 January 2008 5:25 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: FTP on IIS
> Indeed - I've been running 2008 for a while now. There are some very
> cool security mechanisms built in - but, they will no doubt trip some
> people up... (like how you can't copy content to web source directories
> over the network, or how you can't directly edit web content in those
> directories).
Can you elaborate on this please? There's nothing special about "web source directories" (I assume you mean folders that store files that are published via IIS 7.0 over HTTP)?
> Native FTPS in 2008 IIS is quite nice, actually.
Yes - it supports FTPS so you can encrypt your username/password (or optionally, everything) - this is assuming you download/install the FTP 7.0 module from www.iis.net.
> But, IIS6 is still a fine option - it is and has been secure OOB for a while
But you have to send your username/password in clear text across the network.
Cheers
Ken
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Ken Schaefer
> Sent: Sunday, January 20, 2008 10:15 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: FTP on IIS
>
> Alternatively, if you can wait a few weeks, then Windows Server
> 2008/IIS 7.0 supports FTPS
>
> Cheers
> Ken
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Lucas, Mark J.
> Sent: Saturday, 19 January 2008 9:21 AM
> To: lauren.malhoit (at) tylertech (dot) com [email concealed]; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: FTP on IIS
>
> IIS 6, which comes with Windows Server 2003, is quite secure out of
the
> box. Most of the evil holes that were present in IIS 5 and earlier
> have
> been patched. If you're forced to use IIS 5 or lower, I agree with
all
> the other comments. Use something else.
>
> When you select to install IIS, the minimum components needed for
> static
> HTML pages are already selected. For FTP, just deselect the web
> components and install the minimal FTP components.
>
> I would suggest using local GUEST accounts for authentication. I
would
> also suggest placing the FTP root on a separate partition with no
other
> files. Do not place the FTP root on the system partition.
>
> Do a Google search on "windows ftp security" for articles on setting
up
> Windows 2003 FTP.
>
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
> > lauren.malhoit (at) tylertech (dot) com [email concealed]
> > Sent: Friday, January 18, 2008 10:58 AM
> > To: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: FTP on IIS
> >
> > I'm preparing to build a new FTP server using IIS (or an IIS server
> using FTP??? I'm not
> > sure). Anyway, I was wondering if anyone could recommend some good
> sources on how to lock
> > it down. I need to configure it for an FTP site that anyone can get
> to and one that is
> > password protected. Thanks in advance!
[ reply ]