From: Michael Mann (michael.mannbbs.no)
Date: Fri Oct 05 2001 - 06:42:29 CDT


    Why the reliance on MS IIS for FTP services?
    If you need integrated Web services then I'd recommend IPlanet or even
    ApacheWin32 before IIS.

    Also: Why not use a small dedicated FTP service?
    WFTPD is quite nice to work with, and has SSL also http://www.wftpd.com/

    I have a suspicion of IIS these days... I'm waiting for the next big
    hole...

    M.

    -----Original Message-----
    From: Frédéric Médery [mailto:fmederysympatico.ca]
    Sent: 5 October 2001 01:26
    To: focus-mssecurityfocus.com
    Subject: Ftp server a bit more secure ?

    Hello everybody,

    I have to set up an FTP server on a DC! I know it's stupid, but I'm not the
    one who decided :-) And I have to disable anonymous access!

    What I did:
    Fully patched the server.
    Installed IIS on a different partition.
    Created a group called Web Designer.
    Created a user who's not a member of the domain user group (just of the web
    designer group). To remove the domain user group, I set the Web designer
    group as the primary group.
    The IIS partition is only available for web designer and the iis admin
    group.
    Of course the users have log on locally.
    I created one ftp root folder and some virtual directories that are not
    children of the ftp root. So users are unable to see other folders even if
    they try to go to the root of the ftp site.

    Can this be a more "secure" or less dangerous ftp server? Is it good to
    remove the ftp users from the domain user group?
    If you have some advice :-)

    Thank you,
    This ML is one of the best

    Have a nice day

    Fred
