[4818] in WWW Security List Archive
Re: FW: tcp/ip ports to enable on NT, to allow ftp access from browser
daemon@ATHENA.MIT.EDU (Jim Harmon)
Fri Mar 14 16:06:53 1997
Date: Fri, 14 Mar 1997 10:47:57 -0500
From: Jim Harmon <jharmon@telecnnct.com>
To: Fred Patton <fpatton@elecede.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I may be wrong, and if so, I'm sure I'll hear about it! :)
In order for the Browser to use FTP on your server, you must explicitly
tell the browser what account and password to use in the ftp:// url (as
shown in the message below, or you absolutely must have an "anonymous
FTP" account set up on the server.
I'm not certain how to setup anonymous ftp on an NT server, and I've
only built anon on one unix server 5 years ago.
The browser will default to using the "anonymous ftp" login for every
ftp session you initiate, unless you explicitly give the url information
to override it.
Hope this helps....
Fred Patton wrote:
>
> -----Original Message-----
> From: Fred Patton
> Sent: Saturday, March 08, 1997 12:54 PM
> To: 'Laurent O. F. Fough, Mgr. Web Development'
> Subject: RE: tcp/ip ports to enable on NT, to allow ftp access from
> browser
>
> I've just encountered that difficulty as well. When connecting
> through the browser, data port 20 hands to request to another port,
> typically over 1024. There are some registry settings for IIS, and
> FTP in particular. I have not found different configuration options
> to avail in this matter. From what I have gleaned, the browser
> implementation of the FTP protocol is rather shallow, and definitely
> incomplete, particularly when it comes to security. In my case, I
> re-thought my particular needs. I have two types of FTP clients: 1)
> pure consumers of information (simple downloading), and 2) those which
> have upload requirements, and thus, access to space on my server. For
> group 1, there is no necessity to go through FTP with a browser, such
> as ftp://username:password@myplace.com when password-protected
> sections of the site can provide the exact same service. On the other
> hand, I leave true FTP clients (non-browsers) the option of going
> through FTP for the same information. With group 2, for uploading,
> they are not using a browser to begin with, and since browser FTP is a
> security issue, I wouldn't want to let them anyway. As you noted,
> there is no difficulty for them, as they use a true FTP client. They
> solved it for me. I am interested to know anything else others have
> to say on the subject. I don't doubt the possibilities of alternative
> solutions or workarounds, but the way I see it, I don't seem to
> absolutely require them in my case. Best of luck.
>
> Cheers.
>
> F. Patton
>
> -----Original Message-----
> From: Laurent O. F. Fough, Mgr. Web Development
> [SMTP:lfough@caribfx.com]
> Sent: Friday, March 07, 1997 10:43 AM
> To: WWW-Security
> Subject: tcp/ip ports to enable on NT, to allow ftp access from
> browser
>
> I am currently enable tcp/ip port filtering on an NT box, running
> 4.0.
>
> The problem when I enable only ports 20,21,80 & 81(the standard ftp
> and
> http ports), I can connect using HTTP(WWW), and FTP(using DOS & UNIX
> clients).
>
> Problem: I cannot connect to the machine's ftp port using a browser.
>
> Can someone enlighten me as all the ports needed for correct &
> efficient
> access to a site that only provides mail, ftp and http service.
>
> P.S.: I am using the Windows NT Security Handbook and it is not
> proving
> to be very useful, there is a listing of available ports, but no
> specific info. on the needed or integral ones.
>
> Thanks in advance.
>
> Regards,
>
> Laurent
--
Jim Harmon The Telephone Connection
jim@telecnnct.com Rockville, Maryland
