Question : FTP server on Windows Server 2003 and IIS6: how to restrict user from accessing ftproot?
Dear Experts:
Currently my FTP server is set up in this way.
1. All the FTP files are in D:\Inetput\ftproot, which has the following security permissions:
   Localhost\Administrators Group -- full control (inherited to all the subfolders and files)
   System -- full control (inherited to all the subfolders and files)
   User Group -- read (inherited to all the subfolders and files)
2. Then I added some local accounts to the system for each FTP user. For example: Localhost\adem
3. Then I created one folder under ftproot for each FTP user, and allowed the account to access its folder. For example, I created D:\Inetput\ftproot\adem for the account Localhost\adem, and let this account have full control (inherited to subfolders and files) of this folder.
Then I found there is a security leak. A user (say, adem) can see other users' file names in this way:
1. run the "cmd.exe" command
2. in the command line window, run "ftp.address.com" and log in with his user name and password
3. execute "cd ..", then he can use "dir" to display all the folder names for all the users.
4. if there is another user with folder "bob", adem can use "cd bob" to get inside and run "dir".
I tried Windows Explorer and Internet Explorer, and adem cannot access anything outside his own folder, but with the above command line ftp client a leak is found.
Can you tell me how to prevent this leak?
Thank you!
Answer : FTP server on Windows Server 2003 and IIS6: how to restrict user from accessing ftproot?
You have to create a virtual directory with the user's name on the FTP site. This way the user will be limited to that directory only as the root, so that cd .. will not be valid. Note that the directory for the individual users does not have to reside within the d:\inetpub\ftproot directory structure, i.e. the user's directory can be on e:\ftpusers\username, which is what the virtual FTP directory will reference.
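A check related to the permissions described in the question, as an added example that is not part of the original question or answer: it parses `cacls` output for per-user FTP folders and reports any entry that grants access to an account other than the folder's own user, Administrators or SYSTEM, such as the inherited Users read permission. The sample output, the machine name FTPSRV and the rule that the folder name equals the account name are assumptions.

```python
import re

# Constructed sample of `cacls <folder>` output; FTPSRV is a made-up machine name
# and paths are assumed to contain no spaces.
SAMPLE = r"""
D:\Inetpub\ftproot\bob BUILTIN\Administrators:(OI)(CI)F
                       NT AUTHORITY\SYSTEM:(OI)(CI)F
                       BUILTIN\Users:(OI)(CI)R
                       FTPSRV\bob:(OI)(CI)F

E:\ftpusers\adem BUILTIN\Administrators:(OI)(CI)F
                 NT AUTHORITY\SYSTEM:(OI)(CI)F
                 FTPSRV\adem:(OI)(CI)F
"""

# Principals expected on every per-user folder besides the folder's own account.
TRUSTED = {"builtin\\administrators", "nt authority\\system"}

def parse_cacls(text):
    """Return {folder: [(principal, rights), ...]} from cacls output."""
    acls, folder = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # a new folder starts in column 0
            folder, line = line.split(None, 1)
            acls[folder] = []
        principal, _, rights = line.strip().partition(":")
        acls[folder].append((principal, rights))
    return acls

def exposed(acls):
    """List ACEs that let anyone but the owner, admins or SYSTEM into a user folder."""
    findings = []
    for folder, aces in acls.items():
        owner = folder.rstrip("\\").rsplit("\\", 1)[-1].lower()
        for principal, rights in aces:
            if "(IO)" in rights:               # inherit-only: not applied to this folder
                continue
            level = re.sub(r"\([A-Z]+\)", "", rights)   # drop (OI)(CI) flags
            account = principal.lower().rsplit("\\", 1)[-1]
            if principal.lower() in TRUSTED or account == owner or level == "N":
                continue
            findings.append((folder, principal, level))
    return findings

if __name__ == "__main__":
    for folder, principal, level in exposed(parse_cacls(SAMPLE)):
        print(f"{folder}: {principal} has {level}")
```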