OSEC

Subject: Re: FTP on IIS servers
From: sozni (sozniXATO.NET)
Date: Fri Sep 22 2000 - 23:42:44 CDT


> I am looking for any reason not to have FTP on an IIS
> server other than the clear text. Are there any other
> holes created because of FTP being installed? What
> about also having FP Extensions?

I assume on the second question you are asking about having FTP and the FP
extensions installed at the same time.

One risk of having them both installed is that if you can access the web
root via FTP, one could bypass the restrictions of not being able to upload
executables via the FrontPage extensions.

In some versions of the FrontPage extensions on Windows platforms one could
possibly replace the server extensions with malicious executables. Also,
in some Unix versions of the FP extensions, you could create your own trojan
copies of the FrontPage binaries in other directories and the FrontPage
extensions would allow you to execute them instead of the built-in extensions
(and still treat them as if they were the legitimate extensions).

Now addressing both questions, a general risk of opening any service is that
you greatly increase your security risk. Opening two more services
certainly isn't good. I would choose one and go with it. Further security
would be to highly restrict access to such services through built-in or
third-party methods.

.sozni
Xato Network Security, Inc.
IIS, NT, and FrontPage Security Consulting
www.xato.net