Bugtraq mailing list archives
Re: Security hole in Win2K's FTP server
From: Russ.Cooper () RC ON CA (Russ)
Date: Tue, 18 Jul 2000 11:07:05 -0400
When NT 4.0 was in beta Microsoft implemented a licensing model on TCPIP connections, such that NT 4.0 Workstation would not be viable as a platform for anything other than a small personal web server. Tim O'Reilly, of O'Reilly and Associates and WebSite, spoke widely about the problems such a mechanism would impose on his company (as did others.) Since they did not rely on IIS, and their code worked efficiently even on NT WS, they felt the licensing was going to drive up the cost of using their web server software by forcing the use of NT Server.

It would appear that MS have found another way to "encourage" the use of Server for anything of note in the web space. Far from a Security hole, the disabling of security features on W2K Professional would appear to be a marketing vehicle to sell W2K Server.

I think it's reasonable to say that basic security features should not be used in this fashion, but it's equally unlikely that an average W2K Professional user is going to implement IP Filtering on an FTP server. It could be argued that a corporate LAN might implement personal FTP servers on all of its desktops, but I'd suggest it's highly uncommon to do so.

So MS' expectation is that they are probably discouraging the use of W2K Pro on public facing, larger volume, sites in favor of W2K Server. They likely suspected that if they introduced licensing again in W2K like they tried in NT 4.0, the hue and cry would come again. By disabling features more commonly looked for in more professional environments (or at least more savvy environments), they've provided a more acceptable (to them) way of differentiating their products.

The alternatives might be to performance hobble W2K Pro (been done before by them.) Chances are their marketing determined that their target customer base for W2K Pro wanted performance over security (if anyone's surprised, I have land in Florida to talk about.)

Call it a hole if you like, I doubt it will make a difference.
Cheers, Russ - NTBugtraq Editor