List:       best-of-security
Subject:    BoS: Re: [ntsec] NT-ftp server
From:       David LeBlanc <dleblanc () iss ! net>
Date:       1996-05-31 15:51:42

At 09:11 5/29/96 +100, you wrote:
>
>I'm setting up an NT-ftp server (anonymous ftp) using the ftp-server shipped 
>together with NT.

The default FTP server that ships with NT is a major security headache.  The
problem is that you can set up your FTP site in c:\ftp, but when a user
connects, they can then execute a cd c:\winnt35\system32, and be in your
system directory (assuming they have permissions).  There are a few ways you
can get around this difficulty - if you can repartition, the safest thing to
do is put the FTP directory at the root of a partition, and give the FTP
service no access to any other drive.  Failing that, you can go through
(command line is best) and remove all permissions from "everyone", and then
make sure the FTP anon user has no access to anywhere outside the ftp tree.

The good news is that there are a couple of 3rd party shareware FTP servers
for NT that do a better job, and that the FTP server which will be in NT 4.0
doesn't have these problems.  Also, since you are running the server, you
can download IIS, which also has a much better FTP server.

IMHO, I wouldn't use the NT 3.5x FTP server for serious use.


David LeBlanc                   | Voice: (404)252-7270
dleblanc@iss.net                | Fax:   (404)252-2427
Internet Security Systems, Inc. | E-Mail:  dleblanc@iss.net  
Ste. 115, 5871 Glenridge Dr,    | www: http://www.iss.net/
Atlanta, GA 30328               |
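
An added example, not part of the original message and not code from any NT FTP server: a check that keeps a `cd` request inside the FTP root, applied to the `cd c:\winnt35\system32` case the message describes. The function names and sample requests are assumptions constructed for illustration; only `c:\ftp` and the `cd` target come from the message.

```python
import ntpath  # Windows path rules, usable on any OS

FTP_ROOT = r"c:\ftp"  # site root named in the message


def naive_inside(root, path):
    """Weak check: a string-prefix test also accepts siblings like c:\\ftpsecret."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root))


def resolve_cwd(root, cwd, requested):
    """Return the new working directory, or None if it would leave root.

    cwd: the session's current directory (absolute, inside root).
    requested: the argument of the client's cd command.
    """
    # ntpath.join drops cwd when `requested` is rooted or names another drive,
    # which is the message's case: cd c:\winnt35\system32
    candidate = ntpath.normpath(ntpath.join(cwd, requested))
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    try:
        # Compare whole path components, case-insensitively.
        inside = ntpath.commonpath([root_n, cand_n]) == root_n
    except ValueError:  # different drive, or drive-relative path such as d:foo
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed requests, each issued from the root of the site.
    for req in ("pub", r"c:\winnt35\system32", r"..\winnt35", r"d:\data",
                r"c:\ftpsecret", "C:/FTP/incoming"):
        print(f"cd {req!r:28} -> {resolve_cwd(FTP_ROOT, FTP_ROOT, req)}")
```

The check is lexical only, so the permission and partition measures in the message remain the backstop.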
