Re: Security reduction FTP service on NT4

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Security reduction FTP service on NT4
  • From: David LeBlanc <dleblancMINDSPRING.COM>
  • Date: Sat, 5 Sep 1998 12:26:24 -0400
  • Comments: To: Tim Chilton <Tim_ChiltonSFI.CO.UK>
  • In-Reply-To: <199809042201.SAA24901camel26.mindspring.com>
  • Reply-To: David LeBlanc <dleblancMINDSPRING.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

At 04:03 PM 9/4/98 +0100, Tim Chilton wrote:
>I've just found what I consider a major reduction in overall security
>resulting from the implementation differences of FTP under 3.51 vs 4.0

I'm not sure I agree that what you point out is a big deal (after all,
physical security is really important), but something else that changed
between 3x and 4 was that under earlier versions, only anonymous FTP logins
were allowed by default.  Under the current version, non-anonymous logins
are allowed by default, and anyone using it would be passing user-password
pairs in clear text.  IMHO, this shouldn't be the default.  The change may
also catch people by surprise (did me), as they may assume it works the
same way it used to.

Oh - one other impact - the rcmd service depends on the right to log on
locally as well, so if it is present on an FTP server, you may be opening
it up a lot more than you intended.


David LeBlanc
dleblancmindspring.com