Re: Security hole in Win2K's FTP server

[bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)]

There are 3 MS KB articles that refer to restrictions in IIS 5.0 on W2K
Pro, they are at:

http://support.microsoft.com/support/kb/articles/Q263/8/57.ASP
http://support.microsoft.com/support/kb/articles/Q262/6/32.ASP
http://support.microsoft.com/support/kb/articles/Q263/1/21.ASP

The 'downgrade' for W2K Pro is obviously not an optimal setup, and the
reasons for these intentional limitations are not made clear in the
articles although certain theories do spring to mind quickly. However, it
is documented and works as intended, so I don't think it can be considered
a bug. At most, an inconvenient frustration.

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com

------Original Message-----
To: BugTraq
Subject: Security hole in Win2K's FTP server
Date: Tue Jul 11 2000 05:59:41
Author: Bob Kline
Message-ID: <Pine.LNX.4.10.10007111743450.19134-100000 () rksystems com>

Microsoft has introduced a security hole in the FTP server on Windows
2000 Professional.  The properties panel for the service has controls
for specifying "accept" or "deny" lists, and the online help explains
how to use these controls to explicitly prohibit specific hosts from
connecting to the service, or restrict access to an enumerated set of
hosts.  What the online help does not explain is that this security
functionality has been turned off for the Professional version of
Windows 2000.  The intentional disabling of this feature (which was
supported in NT Workstation 4.0, the predecessor of Windows 2000) is
confirmed by an internal KnowledgeBase article within Microsoft.

Most vendors improve functionality with later releases of their
software, but I suppose there's an exception to every rule.

--
Bob Kline