Focus on Microsoft
FTP on IIS Jan 18 2008 06:57PM
lauren malhoit tylertech com (6 replies)
RE: FTP on IIS Jan 18 2008 10:20PM
Lucas, Mark J. (mjlucas caltech edu) (3 replies)
RE: FTP on IIS Jan 21 2008 08:48AM
Antti Laatikainen santen fi
RE: FTP on IIS Jan 21 2008 06:15AM
Ken Schaefer (Ken adOpenStatic com) (2 replies)
RE: FTP on IIS Jan 21 2008 06:39PM
Nick Wells (nick clandestineresearch com)
RE: FTP on IIS Jan 21 2008 06:25PM
Thor (Hammer of God) (thor hammerofgod com) (2 replies)
RE: FTP on IIS Jan 22 2008 09:13PM
Geekwench (geekwench hotmail com)
RE: FTP on IIS Jan 22 2008 08:01AM
Ken Schaefer (Ken adOpenStatic com) (1 replies)
RE: FTP on IIS Jan 22 2008 05:11PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
Hey Ken --

inline:

> > Indeed - I've been running 2008 for a while now. There are some very
> > cool security mechanisms built in - but, they will no doubt trip some
> > people up... (like how you can't copy content to web source directories
> > over the network, or how you can't directly edit web content in those
> > directories).
>
> Can you elaborate on this please? There's nothing special about "web
> source directories" (I assume you mean folders that store files that
> are published via IIS 7.0 over HTTP)?

You know, when I wrote that, I knew it wasn't as clear as it could have
been. I will certainly elaborate:

Indeed, I mean the directories where web content is stored on the file
system, such as "c:\inetpub\wwwroot\YourStuffHere".
By default, you can't copy files to these directories from any network
source, such as "copy networksource c:\inetpub\wwwroot\YourStuffHere"
via cmd or UI. Nor can you edit content directly in these directories
(like using notepad to edit and save a file) even if logged in as Admin -- the
operation fails... You have to edit content in a directory you have access
to (a local file) and then copy from local to the web directories.

Note that this has been in the last couple of betas I've been running
-- if MSFT have changed this in the release, then obviously you'll see
different behavior. The reason for this makes total sense: to stop an
exploit from copying content from a network source to your web directory
-- you'd have to work a good bit harder to do so now. I've not really
documented too much of this as we're still in beta...

Is this not the behavior you've seen? If not, what build are you on?
And if I've made some stupid mistake and am relating different behavior,
please let me know...

>
> > Native FTPS in 2008 IIS is quite nice, actually.
>
> Yes - it supports FTPS so you can encrypt your username/password (or
> optionally, everything) - this is assuming you download/install the FTP
> 7.0 module from www.iis.net.
>
> > But, IIS6 is still a fine option - it is and has been secure OOB for
> a while
>
> But you have to send your username/password in clear text across the
> network.

Sure - just like with any FTP solution, or any HTTP solution (as you
well know). And while default support for FTPS is a great thing, it will
be some time before "global" client support is there, and before people
can deploy it without fear of "breaking" many things. When people ask
about FTP, I tend to stick with the OP and not immediately suggest FTPS
as the solution, no more than I would suggest using IPSec to secure FTP.
Both are great solutions, as is VPN, etc, but in many cases
(particularly for "global" support) one can't deploy it.

t

> Cheers
> Ken
>
>
>
>
>
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com
> > [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Ken Schaefer
> > Sent: Sunday, January 20, 2008 10:15 PM
> > To: focus-ms (at) securityfocus (dot) com
> > Subject: RE: FTP on IIS
> >
> > Alternatively, if you can wait a few weeks, then Windows Server
> > 2008/IIS 7.0 supports FTPS
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com
> > [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Lucas, Mark J.
> > Sent: Saturday, 19 January 2008 9:21 AM
> > To: lauren.malhoit (at) tylertech (dot) com; focus-ms (at) securityfocus (dot) com
> > Subject: RE: FTP on IIS
> >
> > IIS 6, which comes with Windows Server 2003, is quite secure out of the
> > box. Most of the evil holes that were present in IIS 5 and earlier have
> > been patched. If you're forced to use IIS 5 or lower, I agree with all
> > the other comments. Use something else.
> >
> > When you select to install IIS, the minimum components needed for static
> > HTML pages are already selected. For FTP, just deselect the web
> > components and install the minimal FTP components.
> >
> > I would suggest using local GUEST accounts for authentication. I would
> > also suggest placing the FTP root on a separate partition with no other
> > files. Do not place the FTP root on the system partition.
> >
> > Do a Google search on "windows ftp security" for articles on setting up
> > Windows 2003 FTP.
> >
> > > -----Original Message-----
> > > From: listbounce (at) securityfocus (dot) com
> > > [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of
> > > lauren.malhoit (at) tylertech (dot) com
> > > Sent: Friday, January 18, 2008 10:58 AM
> > > To: focus-ms (at) securityfocus (dot) com
> > > Subject: FTP on IIS
> > >
> > > I'm preparing to build a new FTP server using IIS (or an IIS server
> > > using FTP??? I'm not sure). Anyway, I was wondering if anyone could
> > > recommend some good sources on how to lock it down. I need to configure
> > > it for an FTP site that anyone can get to and one that is password
> > > protected. Thanks in advance!
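
Added illustration, not part of the original thread: the cleartext-credentials point debated above, shown against a constructed loopback server that has no FTPS support. Python's ftplib.FTP puts USER and PASS on the wire as-is, while ftplib.FTP_TLS asks for TLS first and sends no credentials when the server refuses; the server, user name and password are all made up for the demo.

```python
import ftplib
import socket
import threading

def fake_plain_ftp_server(captured):
    """Constructed loopback server without FTPS; records what crosses the wire."""
    srv = socket.create_server(("127.0.0.1", 0))
    replies = {"USER": b"331 need password\r\n", "PASS": b"230 logged in\r\n"}

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 constructed test server\r\n")
            for raw in lines:
                line = raw.decode().strip()
                captured.append(line)          # exactly what a sniffer would read
                verb = line.split(" ")[0].upper()
                # Anything but USER/PASS (including AUTH TLS) is rejected.
                conn.sendall(replies.get(verb, b"502 not implemented\r\n"))
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread

def login(client, port, user, password):
    """Try to log in; return True on success, False if the login was refused."""
    client.connect("127.0.0.1", port, timeout=5)
    try:
        client.login(user, password)
        return True
    except ftplib.error_perm:
        return False
    finally:
        client.close()

def demo():
    plain_wire, tls_wire = [], []
    port, thread = fake_plain_ftp_server(plain_wire)
    plain_ok = login(ftplib.FTP(), port, "alice", "constructed-secret")
    thread.join(5)
    port, thread = fake_plain_ftp_server(tls_wire)
    # FTP_TLS issues AUTH before USER/PASS and stops when the server rejects it.
    tls_ok = login(ftplib.FTP_TLS(), port, "alice", "constructed-secret")
    thread.join(5)
    return plain_ok, plain_wire, tls_ok, tls_wire

if __name__ == "__main__":
    print(demo())
```

The second run is the "breaking things" case from the thread: a client that insists on FTPS fails closed against a server that only speaks plain FTP.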
