Locked out users still can ftp

Karl Levinson [x y] mvp

Dec 6, 2002, 12:30:18 PM

"Chris" <cbea...@cdnpay.ca> wrote in message
news:051d01c29d40$ae3b60f0$cef82ecf@TK2MSFTNGXA08...
> I have an IIS 5 on win2k server. Anonymous users
> disabled and setup local user accounts. I set local
> policy to lockout after 3 failed attempts. If I login 6
> times with bad passwords and check the account it shows me
> the account is locked out. The problem is I can still
> login via ftp. If I restart the IIS services then the
> account is locked out.
>
> Nice security microsoft....not !!!
>
> Any ideas would be appreciated.

I know, I don't like this either. AFAIK this is just the way IIS works. I
think you would need to use a third party FTP server to try to do otherwise.
There are some free ones out there.

Note, however that:

FTP by itself is not very secure, e.g. passwords are passed in sniffable
plain-text, so the issue you brought up is arguably not the largest
security issue with IIS and other FTP servers.

Also, even if you switch from IIS to another FTP server, most of the servers
out there have the same security problems, e.g. you need to install the
latest patches and you need to be careful to remove anonymous user access
from being able to both read and write to any folder.

Mark Ingalls [MS]

Dec 6, 2002, 4:09:59 PM

for performance reasons, IIS caches user tokens after login. the amount of
time that IIS will cache these values is configurable. see

http://support.microsoft.com/default.aspx?scid=kb;en-us;152526

for more information.

thanks,
mark


--

This posting is provided "AS IS" with no warranties, and confers no rights.

"Karl Levinson [x y] mvp" <levin...@excite.com> wrote in message
news:OAplr1UnCHA.2428@TK2MSFTNGP08...

Alun Jones

Dec 6, 2002, 4:49:07 PM

In article <OmFHTvWnCHA.2408@TK2MSFTNGP10>, "Mark Ingalls [MS]"
<mar...@online.microsoft.com> wrote:
>for performance reasons, IIS caches user tokens after login. the amount of
>time that IIS will cache these values is configurable. see

Wow. For security reasons, we don't cache user tokens in WFTPD Pro. Or file
handles, for that matter (another sore point). If it's to be cached, it
should usually be the operating system that does it, not the application. The
OS knows about all the nitty-gritty bits of security, the application
shouldn't have to (unless it knows an _awful_ lot more than the OS).

The OP may find that a change of FTP server gives the security he/she needs
(along with allowing for SSL, to correct the problem that Karl Levinson noted,
that usernames and passwords are normally transmitted in clear text).

Not, mind you, that there's anything wrong with IIS - it's good for beginning
an FTP site, and some people find it serves their needs very well.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place | http://www.wftpd.com or email al...@texis.com
Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.

BB

Dec 7, 2002, 9:57:59 AM

Hi everyone,
Just a question, If I may have say that this is what suppose the
RFC that IIS FTP support, right ?

just like the plain text password, not able to change password,
not support 'user must change password in next logon' and etc

so, I would configure the user token to fix this.

Rgds.


"Alun Jones" <al...@texis.com> wrote in message
news:nX8I9.1992$0n1.113...@newssvr12.news.prodigy.com...

chris

Dec 9, 2002, 12:34:41 PM

You are the best. Works great. I just hope that the
performance impact isn't a problem. The funny thing is
that the 15 min default cache value never worked.

Oh well all is good now.
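
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from IIS or from any poster: a service that caches successful logons for a TTL keeps accepting a locked-out account until the cached entry expires. The class names, the cache keyed on user and password, and the sample account are assumptions; 900 s corresponds to the 15 minute default mentioned above.

```python
import time
class Directory:
    """Stand-in for the OS account database and its lockout policy."""
    def __init__(self, passwords, threshold=3):
        self.passwords, self.threshold, self.failures = passwords, threshold, {}

    def locked(self, user):
        return self.failures.get(user, 0) >= self.threshold

    def logon(self, user, password):
        if user not in self.passwords or self.locked(user):
            return False
        if self.passwords[user] != password:
            self.failures[user] = self.failures.get(user, 0) + 1
            return False
        self.failures[user] = 0
        return True

class FtpService:
    """Caches successful logons for ttl seconds; ttl=0 disables the cache."""
    def __init__(self, directory, ttl, clock=time.monotonic):
        self.directory, self.ttl, self.clock = directory, ttl, clock
        self.cache = {}  # (user, password) -> expiry; a model, not a storage design

    def login(self, user, password):
        key = (user, password)
        if self.ttl and self.cache.get(key, 0) > self.clock():
            return True  # cache hit: the directory's lockout state is never checked
        ok = self.directory.logon(user, password)
        if ok and self.ttl:
            self.cache[key] = self.clock() + self.ttl
        return ok

def scenario(ttl):
    """Good login, six bad ones, then good logins at once and 901 s later."""
    now = [0.0]  # fake clock so the example runs instantly
    directory = Directory({"chris": "correct-horse"})  # constructed account
    svc = FtpService(directory, ttl, clock=lambda: now[0])
    first = svc.login("chris", "correct-horse")
    for _ in range(6):
        svc.login("chris", "wrong")
    locked = directory.locked("chris")
    during = svc.login("chris", "correct-horse")
    now[0] += 901
    after = svc.login("chris", "correct-horse")
    return first, locked, during, after

if __name__ == "__main__":
    print({ttl: scenario(ttl) for ttl in (900, 0)})
```

Each tuple is (first login, account locked, login while locked, login after the TTL): with the cache enabled the locked account still gets in until the entry expires, and with the cache disabled the lockout applies on the next attempt.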
