Re: Secure FTP server for Windows

["Mike Sweeney" <mikesweeney () packetattack com>]

Clap..clap..clap..

Windows 2000 has been certified by the Common Criteria Certification (E4) which is a provable and repeatable world wide 
test of security. 2003 is not yet (??) certified. These things change all the time so do a google (is google a verb?) 
to get current information.

As Smoky Yunick once commented, The engine doesnt know what brand it is (he won with a varity of brands) As long as you 
stick with proven principles, they all work well.

Mike Sweeney

___________________________________________________________________________
 
Packetattack.com
Network Design and Security
www.packetattack.com
 
Office (714).637.4235

"QUIS CUSTODIET IPOS CUSTODES"
    WHO SHALL GUARD THE GUARDS 


> ------------Original Message------------
> From: "Dana Epp" <dana () vulscan com>
> To: "Volker Kindermann" <ml () ps102 de>, security-basics () lists securityfocus com
> Date: Tue, Dec-7-2004 4:11 PM
> Subject: Re: Secure FTP server for Windows
>
> Oh come on now.
>
> Comments like this are so unproductive to the conversation. Any 
> operating 
> system, including Windows, can be made secure. WHAT level of security 
> is 
> dependant on the risks you are trying to mitigate. You CAN make Windows 
>
> secure, just as easily as how you can easily make Unix INSECURE. Its 
> all in 
> how you approach it.
>
> It comes down that you need to quit thinking of the technical 
> safeguards as 
> THE solution and instead apply real world infosec policies to reduce 
> the 
> risks and protect the assets you need to by applying the safeguards as 
> part 
> of a bigger process. I blogged about this a year ago when I talked 
> about the 
> "8 rules of Information Security" 
> (http://silverstr.ufies.org/blog/archives/000468.html)
>
> In this case, you can definitely set up a secure SSH server on Windows, 
> jail 
> the enviroment and tighten the file ACLs to allow for SCP access for 
> files 
> you wish to exchange. This would be NO different than applying the same 
>
> thing on a Unix environment. So instead of slagging the operating 
> system 
> think about what assets need to be protected, and what infosec policies 
> need 
> to be applied to effectively give access to those who need access to 
> the 
> asset. Then apply the technical safeguards in the OS as required.
>
> I mean no disrespect Volker, but this kind of position doesn't help the 
>
> situation. It only hinders any progress we can make by applying a 
> higher 
> level of thinking through sound infosec policies. And thats platform 
> neutral.
>
>
> ----- Original Message ----- 
> From: "Volker Kindermann" <ml () ps102 de>
> To: <security-basics () lists securityfocus com>
> Sent: Sunday, December 05, 2004 7:55 AM
> Subject: Re: Secure FTP server for Windows
>
>
> > Hi Derek,
> >
> >
> > > Can anyone recommend an FTP server for Windows which has been 
> written 
> > > with security in mind? I only really know such things about Linux 
> (where 
> > > vsftpd is the obvious choice) but I've been asked to recommend a 
> > > Windows2000 or WindowsXP product.
> >
> > please consider that you can't operate a secure ftp server on top of 
> an 
> > insecure operating system. With this in mind there is no secure ftp 
> server 
> > for windows.
> >
> >
> >  -volker