|
Home > Archive > IIS FTP Server > September 2005 > Deny Account FTP Access
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Deny Account FTP Access
|
|
| Peter Shaw 2005-08-24, 7:52 am |
| W2003 Web Edition / IIS6 / Default FTP site / Guest account disabled
I have had to add another user account to the server to secure access for
certain web pages. The new user is not a member of any group and only has
read pemissions on a single directory well under the ftproot.
Suprisingly, although the new user has no effective permissions at the
ftproot level, they are still able to login and browse the full FTP
directory stucture using their username and password. Anonyomous access is
turned off. I can explicitly deny the new user access to the FTP root which
then prevents FTP logon, but surely this isn't the correct way to do this?
With no permissions at the ftproot level users shouldn't be able to logon.
Which account privileges are they assuming when they logon?
Peter
| |
| Bernard Cheah [MVP] 2005-08-30, 8:13 am |
| What's the effective ACLs on the ftproot folder......
does the user belong to any group that has permissions over the folder ?
--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"Peter Shaw" <peter-at-websitedevelopment.ltd.uk> wrote in message
news:e5dDHCJqFHA.2776@TK2MSFTNGP10.phx.gbl...
> W2003 Web Edition / IIS6 / Default FTP site / Guest account disabled
>
> I have had to add another user account to the server to secure access for
> certain web pages. The new user is not a member of any group and only has
> read pemissions on a single directory well under the ftproot.
>
> Suprisingly, although the new user has no effective permissions at the
> ftproot level, they are still able to login and browse the full FTP
> directory stucture using their username and password. Anonyomous access is
> turned off. I can explicitly deny the new user access to the FTP root
> which
> then prevents FTP logon, but surely this isn't the correct way to do this?
> With no permissions at the ftproot level users shouldn't be able to logon.
>
> Which account privileges are they assuming when they logon?
>
> Peter
>
>
| |
| Peter Shaw 2005-08-30, 6:00 pm |
| ACL for the FTP root has the following entries (it is the Web Root folder)
Administrators
ASP.NET machine account
IIS_WPG
INTERACTIVE
Internet Guest Account
NETWORK
NETWORK SERVICE
OWS_xxxxxxxxxx_admin
SYSTEM
u3822xxxx
The user who I wish to prevent from FTPing is not in the above list and is
not a member of any groups. Allow Anonymous FTP is not checked.
Peter
"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:OnRG7jTrFHA.3080@TK2MSFTNGP15.phx.gbl...
> What's the effective ACLs on the ftproot folder......
> does the user belong to any group that has permissions over the folder ?
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/
>
>
> "Peter Shaw" <peter-at-websitedevelopment.ltd.uk> wrote in message
> news:e5dDHCJqFHA.2776@TK2MSFTNGP10.phx.gbl...
for[vbcol=seagreen]
has[vbcol=seagreen]
is[vbcol=seagreen]
this?[vbcol=seagreen]
logon.[vbcol=seagreen]
>
>
| |
| Bernard Cheah [MVP] 2005-09-06, 2:52 am |
| sorry, been very busy...
Mm... interesting.
Restart FTP service and try again. same?
if yes, then somehow and somewhere the user has access permissions. I can't
reproduce your claim. Can you pls verify again...... try a new user that
don't have permission on the path, can the new user able to login as well?
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"Peter Shaw" <peter-at-websitedevelopment.ltd.uk> wrote in message
news:u06oAGXrFHA.1128@TK2MSFTNGP11.phx.gbl...
> ACL for the FTP root has the following entries (it is the Web Root folder)
>
> Administrators
> ASP.NET machine account
> IIS_WPG
> INTERACTIVE
> Internet Guest Account
> NETWORK
> NETWORK SERVICE
> OWS_xxxxxxxxxx_admin
> SYSTEM
> u3822xxxx
>
> The user who I wish to prevent from FTPing is not in the above list and is
> not a member of any groups. Allow Anonymous FTP is not checked.
>
> Peter
>
>
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
> news:OnRG7jTrFHA.3080@TK2MSFTNGP15.phx.gbl...
> for
> has
> is
> this?
> logon.
>
>
|
|
|
|
|