Docstoc

msg00059

Document Sample
msg00059 Powered By Docstoc
					                             Re: FTP users and their Websites, security ?

Re: FTP users and their Websites, security ?

Source:
http://www.tech−archive.net/Archive/Internet−Server/microsoft.public.inetserver.iis.ftp/2005−06/msg00059.html



      • From: "Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx>
      • Date: Wed, 8 Jun 2005 18:20:29 +0800

Your analysis and assumption is correct. You don't have much control if both
ftp and web is sharing the same anonymous account. Hence, they only way to
block this is either
a) disable ftp anonymous access
b) change the anonymous access account for either ftp or web.



−−
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:72A1EF31−F5E6−434C−A3B5−EE52A56B05BE@xxxxxxxxxxxxxxxx
> My new FTP user is sucessfully updating their own website on our IIS 6
> box.
> I followed what I think are the well published procedures to make it
> happen.
>
> − New Windows Level User: JoeFTPUser (no group memberships, just FTP)
> − New Folder: C:\Inetpub\ftproot\LocalUser\JoeFTPUser
> − New Folder: C:\Inetpub\ftproot\LocalUser\JoeFTPUser\JoeWebsite
> − New Virtual Folder "JoeWebSite" which points to
> C:\Inetpub\wwwroot\JoeWebsite
> − Full Control permissions for JoeFTPUser to the Virtual Folder.
>
> So far so good. Joe is able to upload changes to his website without any
> assistance, and website visitors see his changes immediately.
>
> Only Problem: How to restrict Anonymous ftp access to
> ftp://ftp.WebBox.com/JoeWebSite ?? Anonymous users, if they know this
> path
> name, can view all of his files, including default.asp. We need to
> continue


Re: FTP users and their Websites, security ?                                                            1
                             Re: FTP users and their Websites, security ?
> to allow general usage Anonymous FTP access.
>
> I tried to change/restrict the permission for IUSER_WEBBOX of the ftp
> Virtual Folder and quickly learned the hard way about how this really is
> the
> permissions for the target folder , thus rendering the website 550 access
> denied for web surfing visitors.
>
> THE QUESTION: Is there a way to Restrict anonymous FTP folder viewing
> when
> that folder is a virtual folder pointing to a website which needs public
> access??
>
> I must be missing something simple! Please tell me ! I got to believe
> that many small shops like ours have user modify their websites via ftp,
> hopefully everyone is not exposing their users source code web pages.
>
>
> One thought I had was to change the FTP Anonymous account from
> IUSER_WEBBOX
> to something else like IUSERFTP_WEBBOX, and restrict that UserID
> permissions,
> hopefully not messing with IUSER_WEBBOX and his normal http visitors.
> I'm
> assuming that ftp:// visitors are gaining read access via the same built
> in
> IUSER_WEBBOX user account as http:// visitors. Please correct me if I'm
> wrong.
>
> Any comments are appreciated.
>
>


.



      • References:
             ♦ FTP users and their Websites, security ?
                    ◊ From: John

      • Prev by Date: Re: Can TFTP transfer file within one computer.
      • Next by Date: Re: Can TFTP transfer file within one computer.
      • Previous by thread: FTP users and their Websites, security ?
      • Next by thread: Re: FTP users and their Websites, security ?
      • Index(es):
             ♦ Date
             ♦ Thread



Re: FTP users and their Websites, security ?                                  2

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:10/27/2011
language:English
pages:2