I'd hardly be the one to "go blaming Microsoft"... :-p

There are FTP server applications that provide relatively secure authentication mechanisms. IIS isn't one of them; that's a fact. It's also a fact that the FTP protocol doesn't specify any authentication at all, much less a method that anyone would consider "secure". The fact that some FTP servers do provide this is more of an anomaly than anything else.

I do agree that there are far better alternatives to FTP (WebDAV, etc.) for data transfers, but many financial applications would have you running for the hills with your money.

Jim Harrison <mailto:[EMAIL PROTECTED]>
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wed 7/26/2006 11:13
To: Jim Harrison (ISA); Steve Armstrong; [EMAIL PROTECTED]
Cc: [email protected]
Subject: RE: Co-Hosting SQL with IIS FTP service

#2 should read: there may be security issues, since FTP does not provide a secure authentication mechanism NOR a secure transmission mechanism.

Note I removed IIS out of there. It's the FTP protocol that's insecure; don't go blaming Microsoft.

If this is a new deployment, I would suggest looking into deploying SFTP instead of FTP. A bank using FTP kinda scares me. :)

Brady McClenon
Administrative Computer Services
State University College at Oneonta

> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 25, 2006 10:20 PM
> To: Steve Armstrong; [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: RE: Co-Hosting SQL with IIS FTP service
>
> Nope.
> His question suggests nothing more than that they're considering this deployment and that he's asking for advice before it's built. This "unpatched vulnerabilities" FUD is applicable to any operating system / application combination. Such statements are self-defeating, as the only logical conclusion to be drawn from them is "don't use computers". Not much help, wouldn't you say?
>
> Now to actually answer the question posed:
> 1. There are no functional conflicts between SQL and IIS; their network resource demands are unique.
> 2. There may be security issues, since IIS FTP does not provide a secure authentication mechanism.
> 3. FTP (IIS or otherwise) is *always* a target for the script kiddies and WAREZ folks; deploy this with great care.
>
> Your application security is dependent on how you choose to configure the app; there are many references on http://microsoft.com/technet and http://microsoft.com/security for securing IIS and SQL services.
>
> If the machine resources are enough, you can also use your favorite virtualization technology to separate the FTP and SQL servers and thus avoid the combinational security issues that public FTP services may impose on the SQL server.
>
> Jim Harrison <mailto:[EMAIL PROTECTED]>
> Security Platform Group (ISA SE)
> If We Can't Fix It - It Ain't Broke!
>
> ________________________________
>
> From: Steve Armstrong [mailto:[EMAIL PROTECTED]]
> Sent: Tue 7/25/2006 09:25
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: RE: Co-Hosting SQL with IIS FTP service
>
> Chris
>
> Possibly not the best email to send from your employer's email server. It suggests you are using MS servers with IIS and FTP enabled, backending, I would guess "on the same box", to MS SQL.
>
> While you will get some information about the vulnerabilities, most here would expect you to keep your bank's systems patched. What you will get from this kind of forum is advice on patches to vulnerabilities that have been disclosed; however, you will not get info on new exploits (the zero-day type hackers use against the likes of banks) on non-publicly disclosed vulnerabilities.
>
> Therefore, you will not be able to prevent exploits that MS is still working to patch. With a disclosure regarding your infrastructure on such a public forum, you should watch your front-facing Sy barriers for increased attacks aimed specifically at MS architecture. Best give the IDS/IPS and incident staff a nod too. I recognise you may be double bluffing, but I will bet you will still get a 100% increase in the MS exploits thrown at your FW and internet gateways.
>
> As to your question, try secunia.com, www.osvdb.org and good old www.packetstormsecurity.nl
>
> Steve A
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 25 July 2006 15:42
> To: [email protected]
> Subject: Co-Hosting SQL with IIS FTP service
>
> Can anyone guide me as to what type of issues with inter-system dependencies might arise by co-hosting IIS FTP service with SQL?
>
> Anyone know of any articles on the exploits?
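Brady's corrected point 2 (FTP offers neither a secure authentication nor a secure transmission mechanism) and Jim's point 3 (FTP is a standing target) can both be seen on the wire. The script below is an added example, not code from anyone in this thread: it walks a constructed FTP control-channel transcript (the addresses are documentation ranges and the server banners merely imitate the IIS FTP service's style) and shows that credentials and file names are readable by anyone on the path with no decryption at all, and that a password-guessing client stands out by its run of 530 replies.

```python
"""Why the thread's point 2 holds: FTP (RFC 959) sends USER/PASS and
every command in the clear, so anyone who can see the control channel
reads the credentials; and because the service is a standing target,
failed logins (530) from one client are worth counting.

Added example; SESSION is a constructed transcript, not a real capture,
and the addresses come from documentation ranges."""
from collections import defaultdict

# Constructed control-channel transcript as (client_ip, direction, line).
# 'C' = client -> server, 'S' = server -> client.  Response text is in
# the style of the IIS FTP service but was written for this example.
SESSION = [
    ("203.0.113.7",  "S", "220 Microsoft FTP Service"),
    ("203.0.113.7",  "C", "USER ftpuser"),
    ("203.0.113.7",  "S", "331 Password required for ftpuser."),
    ("203.0.113.7",  "C", "PASS Summer2006!"),
    ("203.0.113.7",  "S", "230 User ftpuser logged in."),
    ("203.0.113.7",  "C", "RETR statements.csv"),
    ("203.0.113.7",  "S", "150 Opening ASCII mode data connection."),
    ("203.0.113.7",  "S", "226 Transfer complete."),
    # A second client working through a password list against 'administrator'.
    ("198.51.100.9", "C", "USER administrator"),
    ("198.51.100.9", "S", "331 Password required for administrator."),
    ("198.51.100.9", "C", "PASS password"),
    ("198.51.100.9", "S", "530 User administrator cannot log in."),
    ("198.51.100.9", "C", "USER administrator"),
    ("198.51.100.9", "S", "331 Password required for administrator."),
    ("198.51.100.9", "C", "PASS admin"),
    ("198.51.100.9", "S", "530 User administrator cannot log in."),
    ("198.51.100.9", "C", "USER administrator"),
    ("198.51.100.9", "S", "331 Password required for administrator."),
    ("198.51.100.9", "C", "PASS letmein"),
    ("198.51.100.9", "S", "530 User administrator cannot log in."),
    ("198.51.100.9", "C", "USER administrator"),
    ("198.51.100.9", "S", "331 Password required for administrator."),
    ("198.51.100.9", "C", "PASS Summer2006!"),
    ("198.51.100.9", "S", "530 User administrator cannot log in."),
]


def extract_credentials(session):
    """Pair each USER/PASS with the server's verdict (230 = accepted,
    530 = rejected).  No decryption is involved: the protocol offers
    none, which is the whole point."""
    pending = {}   # client_ip -> [user, password]
    found = []
    for client, direction, line in session:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending[client] = [arg, None]
            elif verb == "PASS" and client in pending:
                pending[client][1] = arg
        else:
            code = line[:3]
            entry = pending.get(client)
            if entry and entry[1] is not None and code in ("230", "530"):
                user, password = pending.pop(client)
                found.append({"client": client, "user": user,
                              "password": password, "success": code == "230"})
    return found


def files_sent_in_clear(session):
    """File names requested over the unprotected control channel; the
    data channel that carries the contents is equally unprotected."""
    return [line.split(" ", 1)[1]
            for _, direction, line in session
            if direction == "C" and line.upper().startswith(("RETR ", "STOR "))]


def flag_bruteforce(session, threshold=3):
    """Count 530 replies per client; anything at or over the threshold
    is a candidate for a firewall block or an IDS alert."""
    failures = defaultdict(int)
    for client, direction, line in session:
        if direction == "S" and line.startswith("530"):
            failures[client] += 1
    return {c: n for c, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for cred in extract_credentials(SESSION):
        print(cred)
    print("files:", files_sent_in_clear(SESSION))
    print("brute force:", flag_bruteforce(SESSION))
```

The same walk over a real capture (a `tcpdump -A port 21` stream, for instance) yields the same result, which is why SFTP or FTP over TLS is the usual answer: the threshold in `flag_bruteforce` is a made-up starting point and should be tuned to the service's normal failure rate before it drives blocking.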
