[15762] in bugtraq

Security hole in Win2K's FTP server

daemon@ATHENA.MIT.EDU (Bob Kline)
Wed Jul 12 16:43:08 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10007111743450.19134-100000@rksystems.com>
Date:         Tue, 11 Jul 2000 17:59:41 -0400
Reply-To: Bob Kline <bkline@RKSYSTEMS.COM>
From: Bob Kline <bkline@RKSYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Microsoft has introduced a security hole in the FTP server on Windows
2000 Professional.  The properties panel for the service has controls
for specifying "accept" or "deny" lists, and the online help explains
how to use these controls to explicitly prohibit specific hosts from
connecting to the service, or restrict access to an enumerated set of
hosts.  What the online help does not explain is that this security
functionality has been turned off for the Professional version of
Windows 2000.  The intentional disabling of this feature (which was
supported in NT Workstation 4.0, the predecessor of Windows 2000) is
confirmed by an internal KnowledgeBase article within Microsoft.

Most vendors improve functionality with later releases of their
software, but I suppose there's an exception to every rule.

--
Bob Kline
