MS FTP and WWW

Thread: MS FTP and WWW

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    157

    MS FTP and WWW

    We are just gonna have a network security scan made by an outside company. They are gonna scan our servers in the DMZ, which are mostly IIS servers (Win2k servers), with web and FTP services running.

    I have used IIS Lockdown tool to try to tighten it as much as possible. The one thing I'm having a hard time finding out on how to tighten is the FTP service...?
    Seems to be hard to do anything at all with MS FTP, other than lockout after so many password tries and stuff...
    You can change the Administrator user, but if somebody figures out what the name of it is, you can brute force attack that account since it never gets locked out... ?!

    Any good ideas?!

    Thanks!

    oh.. anyone knows anything about this security company: Quaddisin ??

  2. #2
    Banned
    Join Date
    Nov 2003
    Posts
    182
    Quaddisin - Sounds shady to me.

  3. #3
    Banned
    Join Date
    Sep 2001
    Posts
    522
    sounds like a subset of Al Quada

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SawPer:

    The Quaddisin: Twin angels who, together with the twin Irin, constitute the supreme
    judgment council of the heavenly court.
    Four hits total on Google.... None contain a computer security company..... In fact, none have a link to computers anywhere. So, let's see.... Two people, who think they are angels on the supreme court are going to run pen tests or just scans?

    I can scan your network for free. I have done it for others here... no big thing.... or are they running an actual pen test? How much are they charging? What are their deliverables? What are their restrictions? What tools are they using and how?

    Have you interviewed them, investigated them, requested and checked references if you don't know them, ('cos no-one else seems to).......

    Is your name Bill and do you live in Denver? I know, a lot of questions..... but they are quite important.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    I'll bite...

    I don't suggest you use IIS FTP but to go commercial or *NIX instead.

    If you must..

    One of many things you can do is create a VERY SMALL NTFS partition with a directory called nowhere. Put nothing else in it and make it read only. Make this your default FTP dir so if/when users attempt to move higher up the file tree they are placed in your worthless directory called nowhere.

    Disable anonymous FTP under all circumstances.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Disabling anonymous is not an option for some people..... If you disable anonymous and then publish the login and password you might as well allow anonymous..... If you need anonymous you need it locked down.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    I never allow anonymous FTP.

    For systems that require it, I install a script to monitor the directory and alert on new files or folders. Especially on older IIS based FTP installs. Many times have I gotten the call about a mysterious folder showing zero bytes yet actual HDD space is shrinking. Dang WAREZ!!
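    One way to build the kind of directory monitor described in this post, as an added example rather than the poster's own script: it snapshots an FTP root, compares two snapshots, and alerts on every new file or folder, reporting the folder's real on-disk size so a "zero byte" folder that is eating disk still stands out. The FTP root path, the sample files and the alert format are all assumptions; the demo uses a constructed temporary directory so it runs offline.

```python
import os
import tempfile
from typing import Dict, List, Tuple


def snapshot(root: str) -> Dict[str, int]:
    """Map every file and folder under root (path relative to root, '/'-separated)
    to its size on disk in bytes. Folders get the summed size of everything inside
    them, so a folder that Explorer lists as 0 bytes still shows what it consumes."""
    sizes: Dict[str, int] = {}
    # topdown=False visits children before parents, so folder totals are ready.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        total = 0
        for name in filenames:
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            sizes[os.path.relpath(full, root).replace(os.sep, "/")] = size
            total += size
        for name in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            total += sizes.get(rel, 0)
        if dirpath != root:
            sizes[os.path.relpath(dirpath, root).replace(os.sep, "/")] = total
    return sizes


def new_entries(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int]]:
    """Entries present in `after` but missing from `before`, sorted by path."""
    return sorted((p, s) for p, s in after.items() if p not in before)


def alert_lines(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """One human-readable alert per new file or folder (mail or event-log fodder)."""
    return [f"ALERT: new entry {p!r} ({s} bytes on disk)" for p, s in new_entries(before, after)]


def demo() -> List[Tuple[str, int]]:
    """Constructed scenario: baseline a small FTP root, then drop a folder into it."""
    with tempfile.TemporaryDirectory() as root:  # stands in for the real FTP root
        os.makedirs(os.path.join(root, "pub"))
        with open(os.path.join(root, "pub", "readme.txt"), "wb") as f:
            f.write(b"welcome\n")
        before = snapshot(root)
        # Simulated unexpected upload: a new folder holding a 4 KiB file.
        os.makedirs(os.path.join(root, "pub", "dropped"))
        with open(os.path.join(root, "pub", "dropped", "blob.bin"), "wb") as f:
            f.write(b"\0" * 4096)
        after = snapshot(root)
        for line in alert_lines(before, after):
            print(line)
        return new_entries(before, after)


if __name__ == "__main__":
    demo()
```

    In production the "before" snapshot would be saved to disk between scheduled runs and the alert lines sent by mail or written to the event log instead of printed.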

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    157

    Qaddisin

    Very sorry.. heh!!

    The security company that is likely to get the job to scan our college is called: Qaddisin

    http://www.qaddisin.com

    The CIO has informed us we have to get an outside company to scan our network. And it obviously has to be a real thorough scan by a fairly big security company... because of all the rules and politics the college is under...

    I would gladly suggest you Tigershark, if you think you would meet the college's "requirements" heh.. ?!

    Oh yeah.. Qaddisin wants money... $9500 to scan 23 servers... ! (wish I could do it myself!)
    If you check their website out, I think you can find some more info on how they go about it. In their proposal they mention using several different applications including their own created applications. Somehow they are obviously even supposed to be able to discover problems in configurations of the network as far as firewalls, routers etc. go...

    Since the scan is to be made before the end of next month, it's not likely we would change FTP servers.
    Still wondering if there is any way you can keep the administrator account from being brute forced.. ?
    Actually there is no anonymous access to any of the FTP servers, everybody has their own username/password.

    Guess that gives you a little more detailed info.

    Thanks!!

  9. #9
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    > Oh yeah.. Qaddisin wants money... $9500 to scan 23 servers... ! (wish I could do it myself!)
    I need to get into this business!
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421

    Re: Qaddisin

    > Still wondering if there is any way you can keep the administrator account from being brute forced.. ?
    > Actually there is no anonymous access to any of the FTP servers, everybody has their own username/password.
    >
    > Guess that gives you a little more detailed info.
    >
    > Thanks!!

    Rename the administrator account(s) to something very obscure.
    Create an account called administrator with zero privs to keep brute forcers from trying to guess actual admin account name.
