Thread: FTP security issues
-
12-17-2000, 02:02 PM #1 Newbie
- Join Date: Dec 2000
- Posts: 5
Hi All!
I am dabbling in some multiple domain hosting on my NT server. I have set up individual FTP accounts for each domain, and I noticed something unusual.
For example, if I FTP using domain1's FTP account, I will of course be directed to domain1's web directory. But by using the Change Directory command, I can actually change the directory to any of the other domains'!
How can I restrict access such that each domain can only access its own directory when using FTP?
Thanks
Mintz
-
12-17-2000, 04:34 PM #2 Web Hosting Guru
- Join Date: Oct 2000
- Posts: 258
Using the NT Explorer to assign correct directory security is a start.
-
12-18-2000, 08:47 AM #3 Junior Guru
- Join Date: Sep 2000
- Location: London, UK
- Posts: 214
Or, if you have dedicated IPs, create a new FTP service for each IP and assign appropriate permissions.
Extending this, each web site you host should have its own anonymous account and only that account should have access to the relevant directory. You should also stop Script.FileSystemObject access (see MS KB) to stop people accessing the server's file system using ASP scripting. Also disable parent includes (include file="../myinclude.inc") so they have to use virtuals, which means they can only access includes from their own site.
If this is double Dutch, pay someone who knows what they are doing to lock down your machine properly.
"Woof" said Daisy,
Poor Daisy is not so sure of
her animalility anymore.....
-
02-03-2001, 06:17 AM #4 Newbie
- Join Date: Dec 2000
- Posts: 5
Well, I am sharing IPs for my multiple domains. Any possible solutions? On most NT hosts I see that they have the same problem, i.e. when I FTP using my set of userid and passwords I can easily change to the directory of other hosted domains, and am able to delete and upload files.
-
02-03-2001, 04:37 PM #5 Junior Guru
- Join Date: Sep 2000
- Location: London, UK
- Posts: 214
OK, let's assume that each site is hosted under d:\users on the machine, with the domain name (without the dot) as the user's directory and their username. The FTPRoot is d:\users, the wwwroot for each site is d:\users\[domain]
E.g.
http://www.domaina.com = d:\users\domaina
Set it so the "Users" group has LIST access to the d:\users level only (not subdirectories). Then each user would have CHANGE to their directory. Furthermore, create an IUSR_[domainname] (e.g. IUSR_domaina) and assign it READ/EXECUTE rights for that part of the tree and assign it as the anonymous user for that virtual webserver. This stops people accessing parts of other users' sites in ASP.
When domaina logs in, they will default to d:\users\defaulta (a feature of the MS FTP Service). They will be able to list all other domains on the server (you need LIST access, or they cannot log in) by going up one level, but if they try to access any other part of the tree, they will get ACCESS DENIED.
I highly recommend that you either buy a book on administrating an NT/2000 server, or pay someone to lock down your box for you. The quickest way to lose business in the Internet world is to have very little knowledge about basic security requirements.
"Woof" said Daisy,
Poor Daisy is not so sure of
her animalility anymore.....
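
The permission layout described in post #5, as an added example that is not part of the original thread: one function applies it with `icacls` and a second audits the tree for any grant that crosses site boundaries. Assumptions: the root is `D:\users`, and each site directory `<name>` has two local accounts, `<name>` for FTP and `IUSR_<name>` for anonymous web access.

```powershell
# Added example, not from the thread. Assumed: root D:\users, and for each
# directory <name> two local accounts, <name> (FTP) and IUSR_<name> (anonymous web).
$Root   = 'D:\users'
$Shared = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Set-HostingAcl {
    # Root: no inherited ACEs; Users get RX with no (OI)/(CI), i.e. this folder only,
    # so they can log in and list d:\users but nothing is passed down to the sites.
    icacls $Root /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Users:(RX)'
    foreach ($d in Get-ChildItem -LiteralPath $Root -Directory) {
        # Site: owner gets Modify (NT4 "Change"), its anonymous web account gets RX.
        icacls $d.FullName /inheritance:r /grant:r "$($d.Name):(OI)(CI)M" `
            "IUSR_$($d.Name):(OI)(CI)RX" 'BUILTIN\Administrators:(OI)(CI)F' `
            'NT AUTHORITY\SYSTEM:(OI)(CI)F'
    }
}

function Test-HostingAcl {
    # Emits one object per ACE that breaks the layout; no output means clean.
    (Get-Acl -LiteralPath $Root).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $Shared -and
        $_.InheritanceFlags -ne 'None'      # e.g. Users LIST leaking into subdirectories
    } | ForEach-Object {
        [pscustomobject]@{ Path = $Root; Identity = $_.IdentityReference.Value
                           Problem = 'inheritable grant on the FTP root' }
    }
    foreach ($d in Get-ChildItem -LiteralPath $Root -Directory) {
        # Only the site's own two accounts plus Administrators/SYSTEM may appear.
        $allowed = $Shared + "$env:COMPUTERNAME\$($d.Name)" +
                   "$env:COMPUTERNAME\IUSR_$($d.Name)"
        (Get-Acl -LiteralPath $d.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $allowed
        } | ForEach-Object {
            [pscustomobject]@{ Path = $d.FullName; Identity = $_.IdentityReference.Value
                               Problem = "grants $($_.FileSystemRights) to a non-owner" }
        }
    }
}

# Audit only; call Set-HostingAcl from an elevated prompt to apply the layout.
Test-HostingAcl | Format-Table -AutoSize
```

Run the audit before and after applying the layout: a `BUILTIN\Users` or `Everyone` row against a site directory is the cross-domain access described in posts #1 and #4.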