Disabled Account Successfully logs onto MSFTP server
| I have the following setup:
- Win2003/IIS6 FTP server set to not allow any anonymous connections;
- There is a local FTPUsers group with some local users as members of this
group [and not of any other group].
- Each local user [of FTPUsers] has their own virtual directory off the
default FTP site.
Now, I assumed that if I disabled the local user account, the account would
not be "authenticable"; however, I am still able to log on to the FTP server
successfully using the disabled account credentials?
Is this by design? And if so, is there a way to disable a specific user's
access to the FTP server?
| |
| Chris Crowe [MVP] 2005-08-04, 2:48 am |
| I think that you have found a big bug here - I tested this on SBS 2003 using
DOMAIN accounts which are disabled and it worked as you said.
The account is disabled but the user can still log onto the FTP site - which
is a security breach.
Using the account via the DOS command "RunAs" tells me:
1327: Logon failure: user account restriction. Possible reasons are blank
passwords not allowed, logon hour restrictions, or a policy restriction has
been enforced.
I will forward this up the tree to Microsoft.
Chris
Chris Crowe [IIS MVP]
"bryan" <bryan@discussions.microsoft.com> wrote in message
news:98B2CC2A-26F8-46AD-A329-6D1285754FFD@microsoft.com...
> I have the following setup:
>
> - Win2003/IIS6 FTP server set to not allow any anonymous connections;
> - There is a local FTPUsers group with some local users as members of this
> group [and not of any other group].
> - Each local user [of FTPUsers] has their own virtual directory off the
> default FTP site.
>
> Now, I assumed that if I disabled the local user account, the account would
> not be "authenticable"; however, I am still able to log on to the FTP server
> successfully using the disabled account credentials?
>
> Is this by design? And if so, is there a way to disable a specific user's
> access to the FTP server?
>
| |
| Bernard Cheah [MVP] 2005-08-04, 2:48 am |
| This should be the user token cache in IIS memory. If you disable the account and
then restart the IIS services, the user will not be able to log on to FTP.
--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
p/s: Chris, long time no see, welcome back.
"Chris Crowe [MVP]" <IISMVP2005@iisfaq.homeip.net> wrote in message
news:esbgt5KmFHA.2860@TK2MSFTNGP15.phx.gbl...
> I think that you have found a big bug here - I tested this on SBS 2003
> using DOMAIN accounts which are disabled and it worked as you said.
>
> The account is disabled but the user can still log onto the FTP site -
> which is a security breach.
>
> Using the account via the DOS command "RunAs" tells me:
>
> 1327: Logon failure: user account restriction. Possible reasons are blank
> passwords not allowed, logon hour restrictions, or a policy restriction
> has been enforced.
>
> I will forward this up the tree to Microsoft.
>
> Chris
>
> Chris Crowe [IIS MVP]
>
> "bryan" <bryan@discussions.microsoft.com> wrote in message
> news:98B2CC2A-26F8-46AD-A329-6D1285754FFD@microsoft.com...
>
>
| |
| Chris Crowe [MVP] 2005-08-04, 2:48 am |
| I did some testing and noticed that it did indeed appear to be a cache -
approx 10-15 minutes.
--
Cheers
Chris
Chris Crowe [IIS MVP]
ps : cheers Bernard - talk soon if you are going to the summit!
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:eKXj5HLmFHA.1416@TK2MSFTNGP09.phx.gbl...
> This should be the user token cache in IIS memory. If you disable the account
> and then restart the IIS services, the user will not be able to log on to FTP.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/
>
> p/s: Chris, long time no see, welcome back.
>
> "Chris Crowe [MVP]" <IISMVP2005@iisfaq.homeip.net> wrote in message
> news:esbgt5KmFHA.2860@TK2MSFTNGP15.phx.gbl...
>
>
| |
|
| Thanks for that! For a moment I thought "No way!"
Found the registry setting: UserTokenTTL. Perfect!
http://www.microsoft.com/technet/pr...31d0ea0cb4.mspx
cheers!
"Chris Crowe [MVP]" wrote:
> I did some testing and noticed that it did indeed appear to be a cache -
> approx 10-15 minutes.
>
> --
> Cheers
>
> Chris
>
> Chris Crowe [IIS MVP]
>
> ps : cheers Bernard - talk soon if you are going to the summit!
>
>
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
> news:eKXj5HLmFHA.1416@TK2MSFTNGP09.phx.gbl...
>
>
>
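The behaviour the thread settles on, modelled as an added example that is not part of the original posts and is not IIS code: a logon token cache with a TTL keeps honouring a disabled account until the entry expires or the cache is lost in a restart, while re-checking the account on every cache hit closes the window. All class and function names, the account name `ftpuser1` and the timings are constructed assumptions.

```python
import time

class Directory:
    """Constructed stand-in for the account database (not a Windows API)."""
    def __init__(self):
        self.accounts = {}                      # user -> [password, enabled]

    def add(self, user, password):
        self.accounts[user] = [password, True]

    def disable(self, user):
        self.accounts[user][1] = False

    def logon(self, user, password):
        entry = self.accounts.get(user)
        return bool(entry and entry[0] == password and entry[1])

class TokenCache:
    """Model of a logon cache: a successful logon is remembered for ttl seconds."""
    def __init__(self, directory, ttl, recheck_on_hit=False, clock=time.monotonic):
        self.directory, self.ttl = directory, ttl
        self.recheck_on_hit, self.clock = recheck_on_hit, clock
        self.tokens = {}                        # (user, password) -> expiry time

    def authenticate(self, user, password):
        key, now = (user, password), self.clock()
        expiry = self.tokens.get(key)
        if expiry is not None and now < expiry:
            # Weak path: a cache hit is trusted without asking the directory.
            if not self.recheck_on_hit or self.directory.logon(user, password):
                return True
        self.tokens.pop(key, None)              # expired, or rejected on recheck
        if self.directory.logon(user, password):
            self.tokens[key] = now + self.ttl
            return True
        return False

def scenario(ttl, recheck_on_hit=False, restart=False):
    """Logon results before disabling, 30 s after disabling, and after the TTL."""
    now = [0.0]                                 # fake clock, in seconds
    d = Directory()
    d.add("ftpuser1", "pw")
    cache = TokenCache(d, ttl, recheck_on_hit, clock=lambda: now[0])
    results = [cache.authenticate("ftpuser1", "pw")]
    now[0] = 30
    d.disable("ftpuser1")
    if restart:
        cache.tokens.clear()                    # in-memory cache is lost on restart
    now[0] = 60
    results.append(cache.authenticate("ftpuser1", "pw"))
    now[0] = max(ttl, 60) + 1
    results.append(cache.authenticate("ftpuser1", "pw"))
    return results
```

With a 900-second TTL (15 minutes, the upper end of what was observed in the thread), `scenario(900)` shows the disabled account still logging on 30 seconds after being disabled; a TTL of 0, a restart, or `recheck_on_hit=True` each make that second logon fail.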