OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Focus-MS Recipient (focusmsbrianrea.org)
Date: Fri Oct 05 2001 - 08:00:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    it sounds like you're not utilizing IIS in any manner that makes IIS
    convenient... you're not integrating with username/passwords of the NT SAM
    (you even created your own new users and gave them local logon privileges)

    my only question is: if you don't need to use IIS as an FTP server, why not
    go with a simpler and less resource-intensive solution? Products like G6FTP
    (now BulletProof FTP) and WarFTP are good solutions that are remarkably
    simple to setup and use, with a user list independent of the NT user
    database. I think that Gene6 FTP had webhancer spyware added once they
    became BulletProofFTP (just a mild irritation, you can uninstall the
    WebHancer nonsense). While there have been occasional small incidents with
    older versions, i've rarely seen either listed on the BugTraq for security
    exploits. (G6 had a DoS vulnerability in v 2.0 Beta 5 back in Nov of 1999,
    and WarFTP had a problem with a version from way back circa 1998.)

    If you don't need IIS, i wouldn't run it.

    - Dixieland

    ----- Original Message -----
    From: Frédéric Médery <fmederysympatico.ca>
    To: <focus-mssecurityfocus.com>
    Sent: Thursday, October 04, 2001 7:25 PM
    Subject: Ftp server a bit more secure ?

    > Hello everybody,
    >
    > I have to set a FTP server on a DC ! I know it's stupid but I'm not the
    > one who decided :-) And I have to disable anonymous access !
    >
    > What I did :
    > Fully patched the Server
    > Installed IIS on a different partition.
    > Created a group called Web Designer
    > Created user who's not member of domain user group (just of web designer
    > group). To remove the domain user group, I set the Web designer group as
    > the primary group.
    > The IIS partition is only available for web designer and the iis admin
    > group.
    > Of course the users have log on locally.
    > I create one ftp root folder and some virtual directory that are not
    > childs of the ftp root. So users are unable to see other folder even if
    > they try to go to the root of the ftp site.
    >
    > Can this be a more "secure" or less dangerous ftp server ? Is it good to
    > remove the ftp users from the domain user group ?
    > If you have some advice :-)
    >
    > Thank you,
    > This ML is one of the best
    >
    > Have a nice day
    >
    > Fred
    >
    >