Browse by Tags
All Tags »
FTP (
RSS)
We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update will be that recursive list commands to IIS FTP 5.x, 6.0 will return the non-recursive listing. To make it clear, this feature does not exist on IIS FTP 7.x either, and that is why I did not include those versions in the previous statement. For those that will miss this feature, there is a workaround on Robert McMurray’s blog . Read More...
Microsoft has released security bulletin MS09-053 that will address the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supercedes the previous advisory. Read More...
One of my coworkers, Vijay Sen, just forwarded the following eWeek review of IIS 7.5 to me: http://www.eweek.com/c/a/Windows/REVIEW-Microsoft-IIS-75-Improves-Management-Deployment-Options-822018/ The review was written by Jim Rapoza , and he said some great things about IIS 7.5, which ships with both Windows Server 2008 R2 and Windows 7 client. But what really made my day was the following things that he said about FTP 7.5: Another welcome change in IIS 7.5 is the elevation of FTP as a full-fledged...( read more ) Read More...
In earlier blog posts I have mentioned that I written the several walkthroughs to help developers get started writing providers for the FTP 7.5 service, all of which available on Microsoft's learn.iis.net Web site under the " Developing for FTP 7.5 " section. In each of these walkthroughs I wrote the steps as if you were using Visual Studio 2008. Following up on that, I received a great question yesterday from a customer, Paul Dowdle, who wondered if it was possible to write an extensibility provider...( read more ) Read More...
As evidenced by my How to Use Managed Code (C#) to Create an FTP Authentication Provider with Dynamic IP Restrictions walkthrough and my other FTP authentication extensibility walkthroughs, I spend a lot of time trying to find ways to prevent unauthorized access to my FTP server while still allowing valid users to have easy access to their site content. Today's blog discusses several of the ideas that I like to use on my FTP servers. Preventing Unauthorized Access To start things off, I globally...( read more ) Read More...
One of the changes that we made in FTP 7.0 and FTP 7.5 was to remove recursive directory listings, which are commonly retrieved by typing " ls -lR " from a command-line FTP client, which should send a command like " NLST -lR " over FTP to the server. There were several reasons why we decided to remove recursive directory listings, but the main reason was simply to reduce CPU usage on the server; recursive directory listing requests take a lot of resources to fulfill. With that in mind, both FTP 7...( read more ) Read More...
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post . Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerability. The Microsoft Security Research and Defense team has a blog about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities: Affected platforms: Windows Server 2000, Windows XP and Windows Server 2003, Windows Vista (FTP 6 only), Windows Server 2008 (FTP 6 only). Non-affected platforms: Windows 7, Windows Server 2008 R2. Windows Server 2008 and Windows Vista ships with FTP 6 by default and is affected by only one of the two disclosed vulnerabilites. The vulnerabilities does not affect FTP 7 or FTP 7.5 that ships out-of-band fro Windows Vista or Windows Server 2008. Windows 7 and Windows Server 2008 R2 are entirely...
The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer the advisory @ http://www.microsoft.com/technet/security/advisory/975191.mspx to get updated information on exposure and impact of vulnerabilities. I have previously discussed this information in an earlier blog post and have updated this post as well. Microsoft Security Response Center (MSRC) has a revised blog as well. The one thing I want to clarify before hand is that in the Mitigations section it mentions that FTP is not installed by default on Windows 2000, Windows XP and Windows Server 2003. Please add Windows Vista and above to this list as well. This is probably obvious to most, but I wanted to call it out anyway. Also there has been a lot of confusion about FTP versions and what is affected. Refer to Wade's blog post on the topic to help clarify things. Read More...
I had not intended to do a series on this subject when I wrote my original Merging FTP Extensibility Walkthroughs blog post, but I came up with a scenario that I felt was worth sharing. I recently posted the following walkthrough on the learn.iis.net web site: How to Use Managed Code (C#) to Create an FTP Authentication Provider with Dynamic IP Restrictions We have had many customer requests for a dynamic IP restrictions provider for the FTP server, and I wanted to get that out to customers as soon...( read more ) Read More...
Years ago I wrote an article on setting up a blind drop FTP server I was searching for some information and ran across an updated article using FTP 7.5. Funny thing I recently setup a blind drop using FTP 7.5 and referred to my article on permissions. http://blogs.msdn.com/vivekkum/archive/2009/05/10/blind-drop-ftp-in-iis-7-7-5.aspx btw - here is a Blind Get , I've not tried on FTP 7.5, the permissions should be similar. http://www.iislogs.com/articles/blindget/ Hope this helps Steve Schofield Microsoft...( read more ) Read More...
More Posts
Next page »