Re: ftp hidden folders not hidden via smart ftp

From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 03/01/05


Date: Tue, 1 Mar 2005 15:46:19 -0800


"D@dli" <Ddli@discussions.microsoft.com> wrote in message
news:10881ACF-D1F3-455B-A0C8-61F617A1A4AC@microsoft.com...
> On our public ftp site, we have used the "hidden" attribute to provide a
> very basic form of security. It seemed to have worked for some time. We ran
> into an ftp application that shows all the hidden folders. Other applications
> like I.E. and Cute FTP, etc. the user would have to be told what hidden
> folder to navigate to in order for them to get into the intended folder.
>
> There are other 3rd party applications that will hide "hidden" folders but
> I would like a MS solution - is there one?
>
> I want to use a common logon but provide some sort of basic level of
> security without having to use virtual directories and/or individual
> logons with NT security to restrict access.

Just as "dir /a" at the command line will list directories and files,
including hidden files, so too will some options provided to the FTP LIST
command.

Hiding files is not a security measure. It is, at best, an obscurity
measure, and should really be viewed as a means to reduce the amount of
unnecessary clutter in directory listings.

If you want to make sure that users cannot see certain files or directories,
you will need to use user isolation. If you want to prevent them from
reading from or writing to certain files or directories, you will need to
use NTFS permissions.

Hidden files are not what you are looking for.

Alun.
~~~~

-- 
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights. 
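
One way to audit for the situation described in the reply above, as an added example that is not part of the original post or any Microsoft code: it lists directories under an FTP root that carry the Hidden attribute and reports whether their NTFS ACL still grants list/read access to the identities a shared logon would match. The root path `C:\inetpub\ftproot`, the account name `EXAMPLE\ftp-common` and the group list are assumptions; substitute your site's values.

```powershell
# Added example: find directories that are "protected" only by the Hidden attribute.
# $FtpRoot and $Principals are assumptions, not values from the original post.
param(
    [string]   $FtpRoot    = 'C:\inetpub\ftproot',
    [string[]] $Principals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'EXAMPLE\ftp-common'      # placeholder for the shared FTP logon
    )
)

# ReadData and ListDirectory are the same access bit for files and directories.
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# -Force makes Get-ChildItem return hidden items, like "dir /a" at the command line.
Get-ChildItem -LiteralPath $FtpRoot -Recurse -Force -Directory |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden } |
    ForEach-Object {
        $dir = $_

        # ACEs that name one of the listed identities and include the read/list bit.
        $aces = @((Get-Acl -LiteralPath $dir.FullName).Access | Where-Object {
            ($Principals -contains $_.IdentityReference.Value) -and
            (([int]$_.FileSystemRights -band $readBit) -ne 0)
        })
        $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

        # This compares ACEs by name only; it is not a full effective-access
        # calculation (nested group membership is not resolved).
        $finding = if ($allow.Count -gt 0 -and $deny.Count -eq 0) {
            'Hidden attribute only: ACL still allows list/read'
        } else {
            'No plain allow for listed identities: review ACL manually'
        }

        [pscustomobject]@{
            Path       = $dir.FullName
            AllowedFor = ($allow.IdentityReference.Value | Sort-Object -Unique) -join ', '
            DeniedFor  = ($deny.IdentityReference.Value  | Sort-Object -Unique) -join ', '
            Finding    = $finding
        }
    }
```

Any row reporting "Hidden attribute only" is a directory whose contents the shared logon can still list and read once the path is known or shown by the client, which is the case the reply says NTFS permissions or user isolation must handle.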

