i have the following setup:

-Win2003/IIS6 FTP server set to not allow any anonymous connections;
-There is a local FTPUsers group with some local users as members of this
group[and not of any other group].
- Each local user [of FTPUsers] has their own virtual directory off the
default Ftp site.

Now, i assumed that if i disabled the local user account, the account would
not be "authenticable"; however i am still able to logon to the ftp server
successfuly using the disabled account credentials?

Is this by design? And if so, is there a way to disable a specific user's
access to the Ftp server?

[ Post a follow-up to this message ]

I think that you have found a big bug here - I tested this on SBS 2003 using
DOMAIN accounts which are disabled and it worked as you said.

The account is disabled but the user can still log onto the FTP site - which
is a security breech

Using the account via the dos command "RunAs" tells me:

1327: Logon failure: user account restriction.  Possible reasons are blank
passwords not allowed, logon hour restrictions, or a policy restriction has
been enforced.

I will forward this up the tree to Microsoft.

Chris

Chris Crowe [IIS MVP]

"bryan" <bryan@discussions.microsoft.com> wrote in message
news:98B2CC2A-26F8-46AD-A329-6D1285754FFD@microsoft.com...
>i have the following setup:
>
> -Win2003/IIS6 FTP server set to not allow any anonymous connections;
> -There is a local FTPUsers group with some local users as members of this
> group[and not of any other group].
> - Each local user [of FTPUsers] has their own virtual directory off th
e
> default Ftp site.
>
> Now, i assumed that if i disabled the local user account, the account
> would
> not be "authenticable"; however i am still able to logon to the ftp server
> successfuly using the disabled account credentials?
>
> Is this by design? And if so, is there a way to disable a specific user's
> access to the Ftp server?
>

[ Post a follow-up to this message ]

This should the user token cache in IIS memory. If you disabled account then
restart IIS services, the user will not be able to logon to ftp.

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/

p/s: Chris, long time now see  welcome back.

"Chris Crowe [MVP]" <IISMVP2005@iisfaq.homeip.net> wrote in message
news:esbgt5KmFHA.2860@TK2MSFTNGP15.phx.gbl...
>I think that you have found a big bug here - I tested this on SBS 2003
>using DOMAIN accounts which are disabled and it worked as you said.
>
> The account is disabled but the user can still log onto the FTP site -
> which is a security breech
>
> Using the account via the dos command "RunAs" tells me:
>
> 1327: Logon failure: user account restriction.  Possible reasons are blank
> passwords not allowed, logon hour restrictions, or a policy restriction
> has been enforced.
>
> I will forward this up the tree to Microsoft.
>
> Chris
>
> Chris Crowe [IIS MVP]
>
> "bryan" <bryan@discussions.microsoft.com> wrote in message
> news:98B2CC2A-26F8-46AD-A329-6D1285754FFD@microsoft.com... 
>
>

[ Post a follow-up to this message ]

I did some testing and noticed that it did indeed appear to be a cache -
approx 10-15 minutes.

--
Cheers

Chris

Chris Crowe [IIS MVP]

ps : cheers Bernard - talk soon if you are going to the summit!


"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:eKXj5HLmFHA.1416@TK2MSFTNGP09.phx.gbl...
> This should the user token cache in IIS memory. If you disabled account
> then restart IIS services, the user will not be able to logon to ftp.
>
> --
> Regards,
> Bernard Cheah
> http://www.microsoft.com/iis/
> http://www.iiswebcastseries.com/
> http://www.msmvps.com/bernard/
>
> p/s: Chris, long time now see  welcome back.
>
> "Chris Crowe [MVP]" <IISMVP2005@iisfaq.homeip.net> wrote in message
> news:esbgt5KmFHA.2860@TK2MSFTNGP15.phx.gbl... 
>
>

[ Post a follow-up to this message ]

thanks for that! for a moment i thought "No way!" 

found the registry setting: UserTokenTTL. Pefect!

http://www.microsoft.com/technet/pr...31d0ea0cb4.mspx

cheers!

"Chris Crowe [MVP]" wrote:

> I did some testing and noticed that it did indeed appear to be a cache -
> approx 10-15 minutes.
>
> --
> Cheers
>
> Chris
>
> Chris Crowe [IIS MVP]
>
> ps : cheers Bernard - talk soon if you are going to the summit!
>
>
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
> news:eKXj5HLmFHA.1416@TK2MSFTNGP09.phx.gbl... 
>
>
>

[ Post a follow-up to this message ]