Re: Blocking FTP by username
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Tue, 2 Dec 2008 17:48:03 -0600
No. It cannot.
The Publishing is based on Reverse NAT and NAT is not capable of handling
the authentication.
It works with web sites because publishing Web Sites is based on Reverse Web
Proxying instead of NAT and that is capable of handling the authentication.
FTP's authentication is based on the NTFS Permissions of the File System in
the FTP Service Path and you can't really prevent the Administrator from
accessing the file system.
I don't remember if there is any kind of System Policy on the FTP Server to
deny FTP to the Administrator,...but I kinda doubt there is.
This is why (or one of the "whys") FTP is not considered a very secure way
of file transfer over the internet. It was originally designed to be
operated within a closed system before the internet was "invented".
What you might do is combine FTP with VPN where the user has to VPN in first
then transfer the files. Of course you could do it without FTP at that
point, but you could still use the FTP. You would have to run dual FTP
Sites over the same file system location. One is read only and is published
by ISA. The second one allows uploads but is restricted to accepting only
LAN IP#s and would not be published by ISA which forces the user to use the
VPN if they want to upload. The VPN with ISA can be very very granular in
who can do what when and where.
That's a lot more work to set up but is all I can think of at the moment.
You can do it with a web site but it requires commercial components
embedded within the site to handle the transfer. What few free methods
there are do not work very well, so you have to spend $$$.
Before you ask,....ISA cannot publish SFTP and the IIS's FTP Service cannot
do SFTP. There is no Application Filter for SFTP due to the encryption and
trying to do it without an Application Filter is very very messy if not
impossible.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
"Justin James" <JustinJames@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F59C42E9-9B6C-401E-98D3-70D2F98B2504@xxxxxxxxxxxxxxxx
Is there any way in ISA 2006 to disconnect an FTP session when they
*attempt* to authenticate as a particular user? What we want to do, is to
detect that someone is trying to connect as "Administrator" and cut them
off immediately.
It looks like doing a user-based Deny in the rule will wait until they are
authenticated, we do not want the attempt to even get to our FTP server.
Thanks!
J.Ja