Can I stop executables on my FTP server?

Status
Not open for further replies.

JBruyet

IS-IT--Management
Apr 6, 2001
US
Hey all,

I'm getting ready to deploy my FTP server and I've run into what I think is a problem. I have local accounts set up on the server itself for access control, but I just found out that I can FTP an executable file up to the server then run the executable file. I looked at the security tab for that folder on the server and all I had checked for my test account were the "List Folder Contents" and "Read" permissions. Is there a way to stop executable files from being run on my FTP server? This server will only be used by people with legitimate reasons for sending us files (large files) but I'm a little paranoid with stuff like this. I did have a 2k FTP server get hijacked once and I don't want it to happen with this server.

Thanks,

Joe B
 
You could possibly play with NTFS permissions and set one for everyone in the advanced properties/edit/choose files only and DENY execute file. This would make your users copy all files to their computer before they could open any of them though...

But are you saying they are installing FROM your FTP site to their computer or are they somehow actually installing the app/exe located within FTP on to the server itself?
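
The "files only, DENY execute file" setting suggested in this reply can also be applied and checked from PowerShell. This is an added example, not code posted by anyone in the thread; the folder path `C:\FTPRoot` is a hypothetical placeholder, and the script assumes an elevated prompt on the FTP server.

```powershell
# Added example. Assumption: $FtpRoot is a hypothetical upload folder.
$FtpRoot = 'C:\FTPRoot'

# "Everyone" by well-known SID, so the script does not depend on the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Deny "Traverse folder / execute file". ObjectInherit + InheritOnly is what the
# Explorer dialog calls "Files only": files inherit the ACE, but the folder
# itself is not affected, so listing and entering the directory still work.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $FtpRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $FtpRoot -AclObject $acl

# Check: report every file under the root and whether the deny ACE reached it.
# Files with inheritance disabled will show ExecuteDenied = False.
Get-ChildItem -Path $FtpRoot -Recurse -File | ForEach-Object {
    $file  = $_
    $rules = (Get-Acl -Path $file.FullName).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $deny  = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference -eq $everyone -and
        ($_.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    }
    [pscustomobject]@{ File = $file.FullName; ExecuteDenied = [bool]$deny }
}
```

A deny entry for Everyone also applies to administrators logged on to the server, so the rule belongs on the upload folder only, not on a system or program directory.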
 
TechyMcSe2k, actually it was a test I was performing on the ftp server. I ftp'ed a .exe file to the server, tried to execute the file from my ftp client (wsftp), and the file ran. I was told that my previous server was hijacked due to my allowing executable files to be run remotely. While this server will be locked down to local accounts with passwords, I still want to make sure no one can mess with the server because this server will be facing the internet. <humor> I double-checked and while being paranoid isn't an official title in my job description, it is recommended down in the second paragraph.</humor>

Thanks,

Joe B
 
Quote: "actually it was a test I was performing on the ftp server. I ftp'ed a .exe file to the server, tried to execute the file from my ftp client (wsftp), and the file ran". This means it is only running on your machine that you connected from. As far as remote execution, the hacker would need to have gained backdoor access and exploited some vulnerability in your OS. As long as you have a firewall in front of the FTP and the OS is up to date with all patches and such, you should be fine. I would look into putting an ISA server in front of your FTP if you are that worried. Then only allow FTP traffic.
 
TechMcSe2k,

To clarify, are you saying that someone can upload an executable but when they actually execute it the file will only run on their local computer? As to the other stuff, I keep all my servers updated (VMware is amazing for testing updates) and I have a Cisco firewall (ASA5510) in front of everything. My plan is to just forward ports 21 & 22 to my ftp server.

Thanks,

Joe B
 
Yes, it is on the FTP server only in file format. But when a user accesses it from their machine, it is ONLY installing it on their machine and not your FTP server.
 
FTP has always been a touchy subject. Just use firewalls, a DMZ, and a well-patched server with a bare minimum footprint. I have yet to test, but I hear Windows 2008 has a "lite" version with no GUI for a small footprint. Makes you learn PowerShell quickly to configure the server and should host IIS... but this is going down another path.

You could find someone else to host the FTP server to make you sleep at night. But I figure we have all been in IT long enough to know that there is no system 100% unhackable, given enough time and resources.
 