Re: FTP External Intranet Access
- From: "Michael Jenkin (mickyj.com)" <mickyj@xxxxxxxxxx>
- Date: Tue, 06 Jan 2009 12:52:02 +1000
Hello,
Having seen this myself, and back in the days when you could walk the IIS
tree, gain CMD access to the server and change things around on the OS
partition, I have always steered clear of these things. Now that IIS6/7
are much more secure and partitioned, things are more secure but users
aren't.
I like Susan's idea of a third party, non AD integrated FTP service.
Users do not pick the best passwords. Brute force attacks against FTPs
are common. I once had a network with 70 users. I ran pwdump5 and
L0phtCrack (no longer available) to brute force the passwords. I did it
in front of the business owner (not my original plan). 90% of the
passwords appeared in front of us in the first 3 seconds. The poor guy
almost fainted.
The policy was, change every 20 days, history kept for 24 passwords and
must be over 8 characters with a capital / number etc.
Still, most of them selected nice simple passwords. We even tried to
tell the users to use pass phrases.
This is not a policy easy to monitor and it turned out to be useless at
this site. Unfortunately the client needed ftp for each AD member. They
were wide open to attack :(
It makes you think.
(Humans are still the weak link, always factor that into what you are
going to implement).
Thanks
SBS Golfer wrote:
OK I'll throw my 2 cents in on this only because I am experiencing the
reasons not to. We're a small company so our resources are limited. We
pretty much do everything on the SBS 2003 server which it was specifically
designed to be. Hosting "intranet" sites on your SBS box is not as much of a
risk as hosting your FTP site on the SBS box. Reason being is that the
intranet sites (at least mine do) are configured to use SSL and you can also
apply a public SSL certificate to it. FTP is another story. We need FTP
occasionally so I do have it set up on my SBS 2003 server. Bad thing about
this is we get attacked by hackers who know what the FTP port is and are
trying to hack through using common login names such as "administrator" or
"guest" or "support" and so on all of which are valid. I did rename the
administrator account years ago though. So if they have a login name then
that's half the equation. Now all they need is a password and they use
random passwords dictionary type scripts that constantly run using
different variations. Chances are it will take them time to correctly come
up with the proper password but all they need is the username and the port and
the logins are all self automated using a password dictionary script. My
security logs are constantly filled with these failed attempts. So now I
only turn on FTP when needed.
"Liam" <Liam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D04CC669-0B49-4AF7-B6E8-3F2CB50D8A42@xxxxxxxxxxxxxxxx
I am hoping that someone can clearly explain why I should not host an FTP
on my SBS 2003 box.
As well I need an explanation why I should not allow my intranet to be
accessible over the internet.
I understand that FTP passwords go in clear text but if I lock down the
FTP to one directory and its sub folders why not do it.
For years I have just taken this as a given: DO NOT HOST FTP on SBS 2003.
It sounds like a no brainer to not host FTP on a domain controller, but
the other day a senior (read smarter than I) technical lead said "How does
it pose a risk?"
I was at a loss for a good detailed explanation.
Can you help me?
liam
--
Michael J. Jenkin, Senior Systems Engineer
Director - Business Technology Partners Pty Ltd (Australia) - Microsoft
Small Business Specialists
Webmaster - http://www.mickyj.com, Community website with SBS answers,
blog and AntiMalware Tools.
Follow me on Twitter - http://twitter.com/mickyj
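The failed logins SBS Golfer describes filling the logs are easy to pick out of an IIS FTP log once you look per source address. This is an added example, not code from the thread or from Microsoft: it assumes the IIS 6 FTP W3C log layout given in the constructed `#Fields:` header below and flags a client that fails repeatedly across several usernames (a dictionary run) rather than one user mistyping a password.

```python
from collections import defaultdict

# Constructed sample of IIS 6 FTP W3C log lines (not from the original post).
# Field layout is an assumption taken from the "#Fields:" header.
# 530 = login failed; win32 status 1326 = logon failure; 230 = logged in.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-01-06 02:50:01 203.0.113.7 administrator [1]USER administrator 331 0
2009-01-06 02:50:01 203.0.113.7 administrator [1]PASS - 530 1326
2009-01-06 02:50:02 203.0.113.7 guest [2]USER guest 331 0
2009-01-06 02:50:02 203.0.113.7 guest [2]PASS - 530 1326
2009-01-06 02:50:03 203.0.113.7 support [3]USER support 331 0
2009-01-06 02:50:03 203.0.113.7 support [3]PASS - 530 1326
2009-01-06 02:50:04 203.0.113.7 administrator [4]USER administrator 331 0
2009-01-06 02:50:04 203.0.113.7 administrator [4]PASS - 530 1326
2009-01-06 02:55:10 192.0.2.20 jsmith [5]USER jsmith 331 0
2009-01-06 02:55:10 192.0.2.20 jsmith [5]PASS - 530 1326
2009-01-06 02:55:20 192.0.2.20 jsmith [6]USER jsmith 331 0
2009-01-06 02:55:20 192.0.2.20 jsmith [6]PASS - 230 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def failed_logins(text):
    """Map c-ip -> (number of failed PASS commands, set of usernames tried)."""
    stats = defaultdict(lambda: [0, set()])
    for rec in parse_w3c(text):
        # The method field carries a session prefix such as "[1]PASS".
        if rec["cs-method"].endswith("PASS") and rec["sc-status"] == "530":
            stats[rec["c-ip"]][0] += 1
            stats[rec["c-ip"]][1].add(rec["cs-username"])
    return {ip: (count, names) for ip, (count, names) in stats.items()}


def suspected_brute_force(text, min_failures=3, min_usernames=2):
    """Clients with many failures spread over several account names."""
    return sorted(ip for ip, (count, names) in failed_logins(text).items()
                  if count >= min_failures and len(names) >= min_usernames)
```

Thresholds are constructed defaults; tune them against a real log before alerting or feeding an address block list.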