>-----Original Message-----
>From: Stefan Osterlitz [mailto:[EMAIL PROTECTED]]
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>
>>Platform is not important, can be a UNIX or NT based FTP server. This
>>request has obvious security issues but if you knew the client you'd
>>agree this is the least of their worries.
>
>it is. this would be a screaming horror under NT with IIS.. IMHO
>
>Stefan Osterlitz
>

Okay, what exactly is the basis for this fear mongering?
For starters, you're talking about only facing the FTP to the public and not even a Web interface, so you don't have to worry about extra ISAPI filters being installed. Secondly, the only ISAPI filter you would need for the internal website is ASP to create the dynamic page and interpret the code, so you can remove all the rest. Also, the authentication, storage, and management of the IDs are built into the OS and are easily scriptable with built-in functionality easing the implementation. It'd be extremely easy to script, especially once the base FTP site is set up and properly configured; I've done dozens of similar such tasks before.

To simply say it's a "screaming horror" is outrageous and borders on slander. Any poorly set up system would be vulnerable regardless of underlying OS/Application; they all require knowledge and planning.

That all being said, it is dependent on what services and products you're most comfortable with. If you're more familiar with installing, securing, and managing a Unix solution, there are probably hundreds out there (such as pure-ftpd). If you're more familiar with installing, securing, and managing Win32 solutions, there are dozens out there (including NT/IIS and WS_FTP). In the end, go with the one you are more able to aptly set up securely for your customer.

-K
