Bugtraq mailing list archives

Security hole in Win2K's FTP server

From: bkline () RKSYSTEMS COM (Bob Kline)
Date: Tue, 11 Jul 2000 17:59:41 -0400


Microsoft has introduced a security hole in the FTP server on Windows
2000 Professional.  The properties panel for the service has controls
for specifying "accept" or "deny" lists, and the online help explains
how to use these controls to explicitly prohibit specific hosts from
connecting to the service, or restrict access to an enumerated set of
hosts.  What the online help does not explain is that this security
functionality has been turned off for the Professional version of
Windows 2000.  The intentional disabling of this feature (which was
supported in NT Workstation 4.0, the predecessor of Windows 2000) is
confirmed by an internal KnowledgeBase article within Microsoft.

Most vendors improve functionality with later releases of their
software, but I suppose there's an exception to every rule.

--
Bob Kline

Current thread:

SuSE Security Announcement: tnef Thomas Biege (Jul 11)
- Re: SuSE Security Announcement: tnef Rainer Link (Jul 11)
- Security hole in Win2K's FTP server Bob Kline (Jul 11)
  - CONECTIVA LINUX SECURITY ANNOUNCEMENT - nfs-utils Conectiva Security (Jul 17)
  - Re: Security hole in Win2K's FTP server Dan Kaminsky (Jul 17)
    - Re: Security hole in Win2K's FTP server Adam Muntner (Jul 18)
    - Re: Security hole in Win2K's FTP server David LeBlanc (Jul 18)
    - Re: Security hole in Win2K's FTP server Darren Reed (Jul 18)
- MDKSA-2000:018 dump update Vincent Danen (Jul 11)
- Sun's Java Web Server remote command execution vulnerability stuart.mcclure () FOUNDSTONE COM (Jul 11)
- Attacking Windows 9x with Loadable Kernel Modules Solar Eclipse (Jul 12)