Anonymous FTP

  • Question

  • What risk does anonymous FTP pose on a file server in a domain? Does it mean any user in the same domain can technically create an FTP connection onto the Server and access any file on the server, and potentially copy it away? Or is it not that simple?

    PS, for Telnet, FTP, SNMP etc - are there a specific set of passwords you enter to access the server using these services, or do you just still use the local administrator password that's stored in the local SAM database to access the server using FTP, Telnet etc. I've never understood whether every service running on a Server requires the same passwords you would just use to log onto a remote server through RDP, or whether each service has its own set of password credentials stored somewhere on the server's hard disc. I.e. an FTP admin password required to FTP onto the Server, an SNMP admin password required to SNMP onto the Server etc.

    Thursday, September 2, 2010 4:58 PM

All replies

  • What risk does anonymous FTP pose on a file server in a domain? Does it mean any user in the same domain can technically create an FTP connection onto the Server and access any file on the server, and potentially copy it away? Or is it not that simple?

    By anonymous FTP, do you mean the use of anonymous authentication in FTP?

    With the use of anonymous authentication, users are authenticated with an anonymous account. That means that users can establish an FTP connection without authentication.

    With anonymous authentication, all users can access only the FTP site's folders and files without authentication. So, they do not have access to any file on the server other than the files of the FTP site (the one that is configured for anonymous authentication).

    Make sure that you have no important files accessible by FTP for anonymous users.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by ia4560 Thursday, September 2, 2010 6:40 PM
    Thursday, September 2, 2010 5:07 PM
  • How can you determine what FTP site folders the remote Server is publishing? Where on the remote Server shows what FTP files are being shared?

     

     

    Thursday, September 2, 2010 5:11 PM
  • "The default folder is drive:\Inetpub\Ftproot, where drive is the drive on which IIS is installed."

    http://support.microsoft.com/kb/323384


    Roy Mayo | MCSE
    • Marked as answer by ia4560 Thursday, September 2, 2010 6:41 PM
    Thursday, September 2, 2010 5:15 PM
  • PS, for Telnet, FTP, SNMP etc - are there a specific set of passwords you enter to access the server using these services, or do you just still use the local administrator password that's stored in the local SAM database to access the server using FTP, Telnet etc. I've never understood whether every service running on a Server requires the same passwords you would just use to log onto a remote server through RDP, or whether each service has its own set of password credentials stored somewhere on the server's hard disc. I.e. an FTP admin password required to FTP onto the Server, an SNMP admin password required to SNMP onto the Server etc.


    You cannot use local accounts to access servers from a client computer. Local accounts are only used on the local computer.

    You can use domain accounts to use these services.

    You can configure a domain account so that it can have access to certain services, and in this case the same password will be used because you cannot give the same user more than one password. If you want a password for each service, you should create a domain account for each service (one user will have several accounts, each one to access a specified service).

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Marked as answer by ia4560 Thursday, September 2, 2010 6:41 PM
    Thursday, September 2, 2010 5:17 PM
  • How can you determine what FTP site folders the remote Server is publishing? Where on the remote Server shows what FTP files are being shared?


    You should go to IIS, then see which FTP sites have been created.

    Once you have found your FTP sites, you can check which authentication methods are used and which folders are accessible via your FTP sites.

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Thursday, September 2, 2010 5:21 PM
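The check described in the reply above (which FTP sites exist, which authentication methods they allow, which folders they publish) can also be read out of the server configuration. This is an added example, not part of the thread: it assumes the IIS 7+ `applicationHost.config` XML layout (the thread's server may be an older IIS with a different store), and the sample config, site names and helper function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the IIS 7+ applicationHost.config layout (assumption);
# site names and the D:/E: paths are made up for this example.
SAMPLE_CONFIG = r"""<configuration><system.applicationHost><sites>
  <site name="Default FTP Site" id="2">
    <application path="/">
      <virtualDirectory path="/" physicalPath="C:\Inetpub\Ftproot" />
      <virtualDirectory path="/drop" physicalPath="D:\Shares\Finance" />
    </application>
    <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
    <ftpServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication></security></ftpServer>
  </site>
  <site name="Partner FTP" id="3">
    <application path="/"><virtualDirectory path="/" physicalPath="E:\Partner" /></application>
    <bindings><binding protocol="ftp" bindingInformation="*:2121:" /></bindings>
    <ftpServer><security><authentication>
      <anonymousAuthentication enabled="false" /><basicAuthentication enabled="true" />
    </authentication></security></ftpServer>
  </site>
  <site name="Intranet" id="1">
    <application path="/"><virtualDirectory path="/" physicalPath="C:\Inetpub\wwwroot" /></application>
    <bindings><binding protocol="http" bindingInformation="*:80:" /></bindings>
  </site>
</sites></system.applicationHost></configuration>"""

def _enabled(site, tag):
    # A missing element is treated as disabled (assumed schema default).
    node = site.find(f".//authentication/{tag}")
    return node is not None and node.get("enabled", "false").lower() == "true"

def audit_ftp_sites(config_xml):
    """List each FTP-bound site with its auth methods and published folders."""
    report = []
    for site in ET.fromstring(config_xml).iter("site"):
        if not any(b.get("protocol") == "ftp" for b in site.iter("binding")):
            continue  # HTTP-only site: not reachable over FTP
        report.append({
            "site": site.get("name"),
            "anonymous": _enabled(site, "anonymousAuthentication"),
            "basic": _enabled(site, "basicAuthentication"),
            # Mapped folders only; NTFS ACLs and FTP authorization rules are not checked.
            "folders": sorted(vd.get("physicalPath") for vd in site.iter("virtualDirectory")),
        })
    return report

def anonymous_exposure(config_xml):
    """Folders published by sites that accept anonymous logins, by site name."""
    return {r["site"]: r["folders"] for r in audit_ftp_sites(config_xml) if r["anonymous"]}
```

In the constructed sample, the `/drop` virtual directory shows why the site root alone is not the whole answer: a virtual directory can map a folder outside `Ftproot` into an anonymous site.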
  • What I meant was using the administrator password for the remote server from a client computer to FTP onto the server.

    Not using the local administrator password on the client machine to access the remote server.

    What I am saying is, for FTP, Telnet, SNMP etc - are there specific passwords associated with these services that differ from the server's local Windows password? Or don't you need to enter a password to FTP onto the Server, to Telnet onto the Server, to SNMP onto the Server, as these services only give a client a minimal access onto the Server.

     

    Thursday, September 2, 2010 5:25 PM
  • What I am saying is, for FTP, Telnet, SNMP etc - are there specific passwords associated with these services that differ from the server's local Windows password? Or don't you need to enter a password to FTP onto the Server, to Telnet onto the Server, to SNMP onto the Server, as these services only give a client a minimal access onto the Server.

     


    For FTP, you can configure anonymous authentication or force the user to be authenticated (you should use domain accounts). So, both authentication methods are possible.

    For Telnet, as I remember, you should specify a login and a password to access the server (anonymous authentication is not allowed). Also, as I remember, you can use non-Windows accounts to get authenticated when you use the Telnet service.

    So, the accounts and passwords used depend on the service and its configuration.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by ia4560 Thursday, September 2, 2010 6:41 PM
    Thursday, September 2, 2010 5:40 PM
  • Thanks Mr X. Where is the password for Telnet actually stored, though, on the Windows Server PC?

    For anonymous FTP I think it's username: anonymous password: password ??

    Thursday, September 2, 2010 5:52 PM
  • For the FTP anonymous authentication, the user name used in this kind of authentication is the name of the anonymous user account, which is typically designated as IUSR_computername.

    For Telnet, I recommend that you have a look at this Microsoft article, "How Telnet Works":

    http://technet.microsoft.com/en-us/library/cc778139(WS.10).aspx

    Also have a look at this article:

    http://www.windowsnetworking.com/articles_tutorials/configure-telnet-Server-Windows-Server-2008.html

    I think that all should be clear now.

    Please mark as an answer and helpful the replies that helped you.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Marked as answer by ia4560 Thursday, September 2, 2010 6:41 PM
    Thursday, September 2, 2010 6:20 PM