List: focus-ms
Subject: RE: Co-Hosting SQL with IIS FTP service
From: "Jim Harrison (ISA)" <Jim.Harrison () microsoft ! com>
Date: 2006-07-26 21:51:08
Message-ID: B8689BD03E887E4C914B4B873259BE5F0336D282 () RED-MSG-11 ! redmond ! corp ! microsoft ! com
I'd hardly be the one to "go blaming Microsoft"... :-p
There are FTP server applications that provide relatively secure authentication mechanisms. IIS isn't one of them; that's a fact.
It's also a fact that the FTP protocol doesn't specify any authentication at all; much less a method that anyone would consider "secure". The fact that some FTP servers do provide this is more of an anomaly than anything else.
I do agree that there are far better alternatives to FTP (WebDav, etc.) for data transfers, but many financial applications would have you running for the hills with your money.
Jim Harrison <mailto:jmharr@microsoft.com>
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!
________________________________
From: mcclenbw@oneonta.edu [mailto:mcclenbw@oneonta.edu]
Sent: Wed 7/26/2006 11:13
To: Jim Harrison (ISA); Steve Armstrong; chris.dalton@capitalonebank.com
Cc: focus-ms@securityfocus.com
Subject: RE: Co-Hosting SQL with IIS FTP service
#2 should read: there may be security issues, since FTP does not provide
a secure authentication mechanism NOR a secure transmission mechanism.
Note I removed IIS out of there. It's the FTP protocol that's insecure,
don't go blaming Microsoft.
If this is a new deployment, I would suggest looking into deploying SFTP
instead of FTP. A bank using FTP kinda scares me. :)
Brady McClenon
Administrative Computer Services
State University College at Oneonta
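The point Brady and Jim are making, that an FTP login crosses the wire as plain USER/PASS commands unless the client first negotiates TLS (AUTH TLS answered by a 234 reply), can be checked from the defender's side on a control-channel capture. The script below is an added example, not code from either poster; it audits two constructed sessions (made-up hosts and credentials) and reports which ones exposed a credential, recording only the password's length, never the secret itself.

```python
from dataclasses import dataclass
# Constructed sample control-channel traffic (direction, line), the way a
# network tap or IDS would see it. Hosts and credentials are made up.
SESSIONS = {
    "10.0.0.5:51234 -> 10.0.0.10:21": [
        ("S", "220 Microsoft FTP Service"),
        ("C", "USER ftpuser"),
        ("S", "331 Password required for ftpuser."),
        ("C", "PASS S3cret!"),
        ("S", "230 User logged in."),
    ],
    "10.0.0.6:51300 -> 10.0.0.10:21": [
        ("S", "220 Microsoft FTP Service"),
        ("C", "AUTH TLS"),
        ("S", "234 AUTH command ok. Expecting TLS Negotiation."),
        # after 234 the channel is encrypted; the tap sees no more plaintext
    ],
}

@dataclass
class Finding:
    session: str
    user: str        # the username crossed the wire in clear
    secret_len: int  # length only: never copy the secret into a report
    login_ok: bool   # server replied 230, so the exposed secret is valid

def audit_session(session_id, lines):
    """Return a Finding if USER/PASS crossed the wire in cleartext, else None."""
    tls_requested = encrypted = False
    user = secret_len = None
    login_ok = False
    for direction, line in lines:
        if encrypted:
            break  # everything after a successful AUTH TLS is unreadable
        verb, _, arg = line.partition(" ")
        if direction == "C":
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS" and user is not None:
                secret_len = len(arg)
        elif verb == "234" and tls_requested:
            encrypted = True
        elif verb == "230" and secret_len is not None:
            login_ok = True
    return None if secret_len is None else Finding(session_id, user, secret_len, login_ok)

def audit_all(sessions=SESSIONS):  # a non-empty result means cleartext FTP logins are in use
    return [f for f in (audit_session(s, l) for s, l in sessions.items()) if f]
```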
> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:Jim.Harrison@microsoft.com]
> Sent: Tuesday, July 25, 2006 10:20 PM
> To: Steve Armstrong; chris.dalton@capitalonebank.com
> Cc: focus-ms@securityfocus.com
> Subject: RE: Co-Hosting SQL with IIS FTP service
>
> Nope.
> His question suggests nothing more than that they're
> considering this deployment and that he's asking for advice
> before it's built. This "unpatched vulnerabilities" FUD is
> applicable to any operating system / application combination.
> Such statements are self-defeating as the only logical
> conclusion to be drawn from them is "don't use computers".
> Not much help, wouldn't you say?
>
> Now to actually answer the question posed:
> 1. there are no functional conflicts between SQL and IIS;
> their network resource demands are unique.
> 2. there may be security issues, since IIS FTP does not
> provide a secure authentication mechanism
> 3. FTP (IIS or otherwise) is *always* a target for the script kiddies and
> WAREZ folks; deploy this with great care
>
> Your application security is dependent on how you choose to
> configure the app; there are many references on
> http://microsoft.com/technet and
> http://microsoft.com/security for securing IIS and SQL services
>
> If the machine resources are enough, you can also use your
> favorite virtualization technology to separate the FTP and
> SQL servers and thus avoid the combinational security issues
> that public FTP services may impose on the SQL server.
>
> Jim Harrison <mailto:jmharr@microsoft.com>
> Security Platform Group (ISA SE)
> If We Can't Fix It - It Ain't Broke!
>
> ________________________________
>
> From: Steve Armstrong [mailto:stevearmstrong@logicallysecure.com]
> Sent: Tue 7/25/2006 09:25
> To: chris.dalton@capitalonebank.com
> Cc: focus-ms@securityfocus.com
> Subject: RE: Co-Hosting SQL with IIS FTP service
>
>
>
> Chris
>
> Possibly not the best email to send from your employer's email server.
> It suggests you are using MS servers with IIS and FTP enabled
> backending, I would guess "on the same box" to MS SQL.
>
> While you will get some information about the
> vulnerabilities, most here would expect you to keep your
> bank's systems patched. What you will get from this kind of
> forum is advice on patches to vulnerabilities that have been
> disclosed; however, you will not get info on new exploits
> (the zero-day type hackers use against the likes of banks) on
> non-publicly disclosed vulnerabilities.
>
> Therefore, you will not be able to prevent exploits that MS
> is still working to patch. With a disclosure regarding your
> infrastructure on such a public forum, you should watch your
> front facing Sy barriers for increased attacks aimed
> specifically at MS architecture. Best give the IDS/IPS and
> incident staff a nod too. I recognise you may be double
> bluffing, but I will bet you will still get a 100% increase
> in the MS exploits thrown at your FW and internet gateways.
>
> As to your question, try secunia.com, www.osvdb.org and good
> old www.packetstormsecurity.nl
>
> Steve A
>
>
> -----Original Message-----
> From: chris.dalton@capitalonebank.com
> [mailto:chris.dalton@capitalonebank.com]
> Sent: 25 July 2006 15:42
> To: focus-ms@securityfocus.com
> Subject: Co-Hosting SQL with IIS FTP service
>
> Can anyone guide me as to what type of issues with
> inter-system dependencies might arise by co-hosting the IIS FTP
> service with SQL?
>
>
> Anyone know of any articles on the exploits?
>
>