Hey Ken -- inline:
> > Indeed - I've been running 2008 for a while now. There are some very > > cool security mechanisms built in - but, they will no doubt trip some > > people up... (like how you can't copy content to web source > directories > > over the network, or how you can't directly edit web content in those > > directories). > > Can you elaborate on this please? There's nothing special about "web > source directories" (I assume you mean folders that store files that > are published via IIS 7.0 over HTTP)? You know, when I wrote that, I knew it wasn't as clear as it could have been. I will certainly elaborate: Indeed, I mean the directories where web content is stored on the file system, such as "c:\inetpub\wwwroot\YourStuffHere". By default, you can't copy files to these directories from any network source, "such as "copy networksource c:\inetpub\wwwroot\YourStuffHere" via cmd or UI. Nor can you edit content directly in these directories (like using notepad to edit and save a file) even if in as Admin -- the operation fails... You have to edit content a directory you have access to (a local file) and then copy from local to the web directories. Note that this has been in the last couple of beta's I've been running -- if MSFT have changed this in the release, then obviously you'll see different behavior. The reason for this makes total sense: to stop an exploit from copying content from a network source to your web directory -- you'd have to work a good bit harder to do so now. I've not really documented too much of this as we're still in beta... Is this not the behavior you've seen? If not, what build are you on? And if I've made some stupid mistake and am relating different behavior, please let me know... > > > Native FTPS in 2008 IIS is quite nice, actually. > > Yes - it supports FTPS so you can encrypt your username/password (or > optionally, everything) - this is assuming you download/install the FTP > 7.0 module from www.iis.net. > > > But, IIS6 is still a fine option - it is and has been secure OOB for > a while > > But you have to send your username/password in clear text across the > network. Sure - just like with any FTP solution, or any HTTP solution (as you well know). And while default support for FTPS is great thing, it will be some time before "global" client support is there, and before people can deploy it without fear of "breaking" many things. When people ask about FTP, I tend to stick with the OP and not immediately suggest FTPS as the solution, no more than I would suggest using IPSec to secure FTP. Both are great solutions, as is VPN, etc, but in many cases (particularly for "global" support) one can't deploy it. t > Cheers > Ken > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer > > Sent: Sunday, January 20, 2008 10:15 PM > > To: [email protected] > > Subject: RE: FTP on IIS > > > > Alternatively, if you can wait a few weeks, then Windows Server > > 2008/IIS 7.0 supports FTPS > > > > Cheers > > Ken > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Mark J. > > Sent: Saturday, 19 January 2008 9:21 AM > > To: [EMAIL PROTECTED]; [email protected] > > Subject: RE: FTP on IIS > > > > IIS 6, which comes with Windows Server 2003, is quite secure out of > the > > box. Most of the evil holes that were present in IIS 5 and earlier > > have > > been patched. If you're forced to use IIS 5 or lower, I agree with > all > > the other comments. Use something else. > > > > When you select to install IIS, the minimum components needed for > > static > > HTML pages are already selected. For FTP, just deselect the web > > components and install the minimal FTP components. > > > > I would suggest using local GUEST accounts for authentication. I > would > > also suggest placing the FTP root on a separate partition with no > other > > files. Do not place the FTP root on the system partition. > > > > Do a Google search on "windows ftp security" for articles on setting > up > > Windows 2003 FTP. > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > > [EMAIL PROTECTED] > > > Sent: Friday, January 18, 2008 10:58 AM > > > To: [email protected] > > > Subject: FTP on IIS > > > > > > I'm preparing to build a new FTP server using IIS (or an IIS server > > using FTP??? I'm not > > > sure). Anyway, I was wondering if anyone could recommend some good > > sources on how to lock > > > it down. I need to configure it for an FTP site that anyone can > get > > to and one that is > > > password protected. Thanks in advance!
