Bugtraq mailing list archives
Re: Security hole in Win2K's FTP server
From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Fri, 14 Jul 2000 16:03:13 -0700
There are 3 MS KB articles that refer to restrictions in IIS 5.0 on W2K Pro, they are at:

http://support.microsoft.com/support/kb/articles/Q263/8/57.ASP
http://support.microsoft.com/support/kb/articles/Q262/6/32.ASP
http://support.microsoft.com/support/kb/articles/Q263/1/21.ASP

The 'downgrade' for W2K Pro is obviously not an optimal setup, and the reasons for these intentional limitations are not made clear in the articles although certain theories do spring to mind quickly. However, it is documented and works as intended, so I don't think it can be considered a bug. At most, an inconvenient frustration.

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com

------Original Message-----
To: BugTraq
Subject: Security hole in Win2K's FTP server
Date: Tue Jul 11 2000 05:59:41
Author: Bob Kline
Message-ID: <Pine.LNX.4.10.10007111743450.19134-100000 () rksystems com>

Microsoft has introduced a security hole in the FTP server on Windows 2000 Professional. The properties panel for the service has controls for specifying "accept" or "deny" lists, and the online help explains how to use these controls to explicitly prohibit specific hosts from connecting to the service, or restrict access to an enumerated set of hosts. What the online help does not explain is that this security functionality has been turned off for the Professional version of Windows 2000. The intentional disabling of this feature (which was supported in NT Workstation 4.0, the predecessor of Windows 2000) is confirmed by an internal KnowledgeBase article within Microsoft.

Most vendors improve functionality with later releases of their software, but I suppose there's an exception to every rule.

--
Bob Kline