  1. #1
    Hi All!

    I am dabbling in some multiple domain hosting on my NT server. I have set up individual FTP accounts for each domain, and I noticed something unusual.

    E.g., if I FTP using domain1's FTP account, I will of course be directed to domain1's web directory. But by using the Change Directory command, I can actually change the directory to any of the other domains'!

    How can I restrict access such that each domain can only access its own directory during FTPing?

    Thanks
    Mintz

  2. #2
    Using the NT Explorer to assign correct directory security is a start.

  3. #3
    Join Date
    Sep 2000
    Location
    London, UK
    Posts
    214
    Or if you have dedicated IPs, create a new FTP service for each IP and assign appropriate permissions.

    Extending this, each web site you host should have its own anonymous account and only that account should have access to the relevant directory. You should also stop Script.FileSystemObject access (see MS KB) to stop people accessing the server's file system using ASP scripting. Also disable parent includes (include file="../myinclude.inc") so they have to use virtuals, which means they can only access includes from their own site.

    If this is double dutch, pay someone who knows what they are doing to lock down your machine properly.
    "Woof" said Daisy,
    Poor Daisy is not so sure of
    her animalility anymore.....

  4. #4
    Well, I am sharing IPs for my multiple domains. Any possible solutions? On most NT hosts I see that they have the same problem, i.e. when I FTP using my set of userid and passwords I can easily change to the directory of other hosted domains, and am able to delete and upload files.

  5. #5
    OK, let's assume that each site is hosted under d:\users on the machine, with the domain name (without the dot) as the user's directory and their username. The FTPRoot is d:\users, the wwwroot for each site is d:\users\[domain]

    E.g.

    http://www.domaina.com = d:\users\domaina

    Set it so the "Users" group has LIST access to the d:\users level only (not subdirectories). Then each user would have CHANGE to their directory. Furthermore, create an IUSR_[domainname] (e.g. IUSR_domaina) and assign it READ/EXECUTE rights for that part of the tree and assign it as the anonymous user for that virtual webserver. This stops people accessing parts of other users' sites in ASP.

    When domaina logs in, they will default to d:\users\defaulta (a feature of the MS FTP Service). They will be able to list all other domains on the server (you need LIST access, or they cannot log in) by going up one level, but if they try to access any other part of the tree, they will get ACCESS DENIED.

    I highly recommend that you either buy a book on administrating an NT/2000 server, or pay someone to lock down your box for you. The quickest way to lose business in the Internet world is to have very little knowledge about basic security requirements.
    "Woof" said Daisy,
    Poor Daisy is not so sure of
    her animalility anymore.....
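
The permission layout described in post #5, as an added example that is not part of the original thread: it assumes a Windows Server version that ships `icacls` and PowerShell, and that local accounts named after each domain (plus `IUSR_<domain>`) already exist. The domain names and the NT "LIST"/"CHANGE" to `(RX)`/`M` mapping are assumptions made for the example.

```powershell
# Added example: per-domain NTFS ACLs under a shared FTP root.
# Assumed: accounts <domain> and IUSR_<domain> exist; domain list is constructed.
$ftpRoot = 'D:\users'
$domains = 'domaina', 'domainb'

# Grant admin ACEs explicitly BEFORE cutting inheritance, so nobody is locked out.
icacls $ftpRoot /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# "LIST at the d:\users level only": no (OI)/(CI) flags, so this ACE
# applies to the root folder itself and is not inherited by subfolders.
icacls $ftpRoot /grant 'Users:(RX)'

# Drop everything inherited from D:\ (often a broad Users/Everyone ACE).
icacls $ftpRoot /inheritance:r

foreach ($d in $domains) {
    $dir = Join-Path $ftpRoot $d
    if (-not (Test-Path $dir)) {
        Write-Warning "$dir does not exist, skipped"
        continue
    }

    # Site owner gets Modify ("CHANGE"); the site's anonymous web account
    # gets read/execute only. /grant:r replaces earlier explicit ACEs.
    icacls $dir /grant:r "${d}:(OI)(CI)M" "IUSR_${d}:(OI)(CI)RX"

    # Remove explicit grants to broad groups left over from earlier setups.
    icacls $dir /remove:g 'Users' 'Everyone'

    # Print the resulting ACL for review: only Administrators, SYSTEM,
    # the owner account and its IUSR account should be listed.
    icacls $dir
}
```

To check the result, log in over FTP as one domain's account and confirm that changing into another domain's directory returns access denied while the listing at the root still works.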
