
List:       focus-ms
Subject:    RE: Co-Hosting SQL with IIS FTP service
From:       "Jim Harrison (ISA)" <Jim.Harrison () microsoft ! com>
Date:       2006-07-26 21:51:08
Message-ID: B8689BD03E887E4C914B4B873259BE5F0336D282 () RED-MSG-11 ! redmond ! corp ! microsoft ! com

I'd hardly be the one to "go blaming Microsoft"... :-p
There are FTP server applications that provide relatively secure authentication
mechanisms. IIS isn't one of them; that's a fact.
It's also a fact that the FTP protocol doesn't specify any authentication at all;
much less a method that anyone would consider "secure".  The fact that some FTP
servers do provide this is more of an anomaly than anything else.
I do agree that there are far better alternatives to FTP (WebDav, etc.) for data
transfers, but many financial applications would have you running for the hills with
your money.
Jim Harrison <mailto:jmharr@microsoft.com>
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!

________________________________

From: mcclenbw@oneonta.edu [mailto:mcclenbw@oneonta.edu]
Sent: Wed 7/26/2006 11:13
To: Jim Harrison (ISA); Steve Armstrong; chris.dalton@capitalonebank.com
Cc: focus-ms@securityfocus.com
Subject: RE: Co-Hosting SQL with IIS FTP service



#2 should read: there may be security issues, since FTP does not provide
a secure authentication mechanism NOR a secure transmission mechanism.

Note I removed IIS out of there.  It's the FTP protocol that's insecure,
don't go blaming Microsoft.

If this is a new deployment, I would suggest looking into deploying SFTP
instead of FTP.  A bank using FTP kinda scares me. :)

Brady McClenon
Administrative Computer Services
State University College at Oneonta


> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:Jim.Harrison@microsoft.com]
> Sent: Tuesday, July 25, 2006 10:20 PM
> To: Steve Armstrong; chris.dalton@capitalonebank.com
> Cc: focus-ms@securityfocus.com
> Subject: RE: Co-Hosting SQL with IIS FTP service
> 
> Nope.
> His question suggests nothing more than that they're
> considering this deployment and that he's asking for advice
> before it's built.  This "unpatched vulnerabilities" FUD is
> applicable to any operating system / application combination.
> Such statements are self-defeating as the only logical
> conclusion to be drawn from them is "don't use computers". 
> Not much help, wouldn't you say?
> 
> Now to actually answer the question posed:
> 1. there are no functional conflicts between SQL and IIS;
> their network resource demands are unique.
> 2. there may be security issues, since IIS FTP does not
> provide a secure authentication mechanism
> 3. FTP (IIS or otherwise) is *always* a target for the script kiddies and
> WAREZ folks; deploy this with great care
> 
> Your application security is dependent on how you choose to
> configure the app; there are many references on
> http://microsoft.com/technet and
> http://microsoft.com/security for securing IIS and SQL services
> 
> If the machine resources are enough, you can also use your
> favorite virtualization technology to separate the FTP and
> SQL servers and thus avoid the combinational security issues
> that public FTP services may impose on the SQL server.
> 
> Jim Harrison <mailto:jmharr@microsoft.com>
> Security Platform Group (ISA SE)
> If We Can't Fix It - It Ain't Broke!
> 
> ________________________________
> 
> From: Steve Armstrong [mailto:stevearmstrong@logicallysecure.com]
> Sent: Tue 7/25/2006 09:25
> To: chris.dalton@capitalonebank.com
> Cc: focus-ms@securityfocus.com
> Subject: RE: Co-Hosting SQL with IIS FTP service
> 
> 
> 
> Chris
> 
> Possibly not the best email to send from your employers email server.
> It suggests you are using MS servers with IIS and FTP enabled
> backending, I would guess "on the same box" to MS SQL.
> 
> While you will get some information about the
> vulnerabilities, most here would expect you to keep your
> bank's systems patched.  What you will get from this kind of
> forum is advice on patches to vulnerabilities that have been
> disclosed;  However, you will not get info on new exploits
> (the zero-day type hackers use against the likes of banks) on
> non-publicly disclosed vulnerabilities.
> 
> Therefore, you will not be able to prevent exploits that MS
> is still working to patch.  With a disclosure regarding your
> infrastructure on such a public forum, you should watch your
> front facing Sy barriers for increased attacks aimed
> specifically at MS architecture.  Best give the IDS/IPS and
> incident staff a nod too.  I recognise you may be double
> bluffing, but I will bet you will still get a 100% increase
> in the MS exploits thrown at your FW and internet gateways.
> 
> As to your question, try secunia.com, www.osvdb.org and good
> old www.packetstormsecurity.nl
> 
> Steve A
> 
> 
> -----Original Message-----
> From: chris.dalton@capitalonebank.com
> [mailto:chris.dalton@capitalonebank.com]
> Sent: 25 July 2006 15:42
> To: focus-ms@securityfocus.com
> Subject: Co-Hosting SQL with IIS FTP service
> 
> Can anyone guide me as to what type of issues with
> inter-system dependencies might arise by co hosting IIS FTP
> service with SQL?
> 
> 
> Anyone know of any articles on the exploits?
> 
> 



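To make concrete the point argued through this thread (base FTP carries USER/PASS in the clear, and the only standard way to protect them is the AUTH TLS extension of RFC 4217 that some servers happen to implement), here is an added example in Python. It is not code from any of the posters. It audits three constructed FTP control-channel transcripts (the hostname, account name and password are made up) and reports whether the credentials crossed the wire unprotected, whether TLS was negotiated, and whether the client fell back to a cleartext login after the server refused AUTH TLS, which is the case a defender most wants flagged.

```python
"""Audit FTP control-channel transcripts for credentials sent in the clear.

Added example, not from the thread's posters.  Base FTP (RFC 959) carries
USER/PASS as plaintext; RFC 4217's AUTH TLS is the standard way to protect
them, and only some servers implement it.  Transcripts are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Transcript convention used here: "C>" = client to server,
# "S<" = server to client, one command or reply per line.
PLAINTEXT_SESSION = """\
S< 220 ftp.example.test FTP server ready
C> USER bankbatch
S< 331 Password required for bankbatch
C> PASS Summ3r!2006
S< 230 User logged in
"""

# Client upgrades the control channel before authenticating (RFC 4217).
TLS_SESSION = """\
S< 220 ftp.example.test FTP server ready
C> AUTH TLS
S< 234 AUTH command ok; starting TLS negotiation
C> USER bankbatch
S< 331 Password required for bankbatch
C> PASS Summ3r!2006
S< 230 User logged in
C> PBSZ 0
S< 200 PBSZ=0
C> PROT P
S< 200 Protection level set to P
"""

# Server refuses AUTH TLS and the client logs in anyway: the worst case.
AUTH_REFUSED_SESSION = """\
S< 220 ftp.example.test FTP server ready
C> AUTH TLS
S< 502 Command not implemented
C> USER bankbatch
S< 331 Password required for bankbatch
C> PASS Summ3r!2006
S< 230 User logged in
"""

LINE_RE = re.compile(r"^(C>|S<)\s+(.*)$")


@dataclass
class Finding:
    user: Optional[str] = None
    exposed: bool = False          # USER or PASS sent before TLS was up
    tls_negotiated: bool = False   # server answered AUTH with 234
    tls_refused: bool = False      # client asked for TLS, server said no
    data_protected: bool = False   # PROT P accepted (data channel encrypted)
    login_ok: bool = False         # server sent 230


def audit(transcript: str) -> Finding:
    """Walk the dialogue as a small state machine and return what it reveals."""
    f = Finding()
    pending_auth = pending_prot = False
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        direction, text = m.groups()
        if direction == "C>":
            cmd, _, arg = text.partition(" ")
            cmd, arg = cmd.upper(), arg.strip()
            if cmd == "AUTH" and arg.upper() in ("TLS", "TLS-C", "TLS-P", "SSL"):
                pending_auth = True
            elif cmd in ("USER", "PASS"):
                if cmd == "USER":
                    f.user = arg
                if not f.tls_negotiated:
                    f.exposed = True   # credential crossed the wire in clear
            elif cmd == "PROT" and arg.upper() == "P":
                pending_prot = True
        else:
            code = text[:3]
            if pending_auth:           # reply to AUTH: 234 means TLS is up
                f.tls_negotiated = code == "234"
                f.tls_refused = not f.tls_negotiated
                pending_auth = False
            elif pending_prot:         # reply to PROT P: any 2xx accepts it
                f.data_protected = code.startswith("2")
                pending_prot = False
            elif code == "230":
                f.login_ok = True
    return f


def verdict(f: Finding) -> str:
    """One-line summary suitable for a report or an alert."""
    if f.exposed:
        how = "after server refused TLS" if f.tls_refused else "without attempting TLS"
        return f"EXPOSED: user {f.user!r} authenticated in cleartext {how}"
    extra = " (data channel protected)" if f.data_protected else ""
    return "OK: credentials sent over TLS" + extra
```

Run `verdict(audit(t))` over each transcript: the first and third sessions are flagged EXPOSED, the third with the note that the server refused TLS, while the second passes. Feeding real captures requires only a front end that turns a pcap's FTP control stream into the same "C>"/"S<" lines; the state machine itself does not change. Note that an FTPS session protects the password, but it says nothing about whether the server is a sensible thing to co-host with a database.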


