Yesterday, one of my clients came across an interesting scenario. They use FTP to poll sales data from their retail outlets back to a central location. As part of this process, the polling file is renamed to filename.bak; but what if filename.bak already exists from an earlier poll? The existing NT 3.51 FTP Server network component allows the rename with no problem, but XP’s FTP Server (part of IIS 5.1) does not, producing an error:
550 filename.bak: Cannot create a file when that file already exists
A quick search on the ‘net unearthed Microsoft knowledge base article 309634. Once I had extracted the mdutil.exe utility from a Windows 2000 CD (see Microsoft knowledge base article 240225) I was able to run the following command:
mdutil set msftpsvc/1/AllowReplaceOnRename 1
A restart of the IIS Admin service was then all that was needed to allow the rename to take place within the polling process.
Last week I got hacked.
I’d opened up my previously stealthed firewall to:
- Access my home network when I’m at work;
- Allow one of my friends to post some large files to my FTP server.
The trouble is that I hadn’t been carrying out the best practices that I would advocate for my enterprise clients. Despite last month’s post on securing IIS, I had just opened up the standard ports to a standard IIS server which wasn’t even in a demilitarized zone (DMZ).
I didn’t think I’d be a target for a hacker but within a few days some guys in Italy and Belgium had started abusing my FTP server to dump their files (this article from ZD Net leads me to believe that it’s a common practice). I don’t know what the contents were. I deleted them quickly to be safe and shut down the firewall until I could implement something more secure.
Thankfully, I got off lightly (this time). I checked the logs last night and my new security measures are keeping the intruders out. If you do need to provide an FTP service, you might like to read the windowsecurity.com article with 10 steps to secure an FTP server.
Microsoft have released the Internet Information Services (IIS) 6.0 Migration Tool – a command line tool that automates several of the steps involved in migrating a web application (configuration data, site content, and application settings) from IIS 4.0, IIS 5.0 or IIS 6.0 to a clean installation of IIS 6.0.
One of my clients needed to provide an FTP server service on some of its XP PCs, but as an addition to the existing standard operating environment (i.e. without altering the core build). Of course, Internet Information Services (including the FTP Publishing service) may be installed as part of an unattended Windows installation, but the problem here was installing IIS after the operating system had been installed and configured. I did some research, and discovered the system standalone optional component manager (sysocmgr.exe). This is effectively what sits behind the Add or Remove Programs Control Panel applet (appwiz.cpl), to provide the Add/Remove Windows Components functionality. Microsoft’s IIS 6.0 technical reference provided the appropriate information to write an answer file and this command file demonstrates the process, taking input from a text file.
Once IIS was installed, the next stage was to configure the FTP Publishing service (create virtual directories, set permissions, etc.). Scripting support varies across the different IIS versions with, not surprisingly, IIS 6.0 providing the most complete support for what I wanted to do (there are a number of IIS-related scripts in the %systemroot%\system32 directory). Unfortunately the IIS 6.0 scripts do not work with previous versions of IIS, the IIS 5.x administration scripts (installed by default in c:\inetpub\adminscripts) did not seem to offer what I needed, and the IIS 4.0 Resource Kit scripts do not work with IIS 5.0 or 5.1.
I was stumped until a contact at Microsoft pointed me in the direction of adsutil.vbs. This is one of the IIS 5.x administration scripts that I had overlooked because of the filename (which does not imply that it will allow you to create virtual directories etc.). In fact, adsutil.vbs is pretty comprehensive in its capabilities and allowed me to configure all the FTP site settings I wanted, as demonstrated in this command file.
The main issue (not immediately apparent from the adsutil.vbs help text) was to create the virtual directory object and then to set the path for the virtual directory as two separate commands. This wasn’t easy to track down (but can be found in a Google Groups thread) and was the final step needed to get everything working.
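The two-step sequence described above, as an added example (not the command file linked from this post). The virtual directory name and physical path are hypothetical, and the read-only permissions are an assumption chosen as a least-privilege default; enable write access only where uploads are needed.

```batch
@echo off
rem Added example: create an FTP virtual directory on IIS 5.x with adsutil.vbs.
rem VDIR_NAME and VDIR_PATH are hypothetical values; change them to suit.
setlocal
set ADSUTIL=c:\inetpub\adminscripts\adsutil.vbs
set SITE=msftpsvc/1
set VDIR_NAME=polling
set VDIR_PATH=D:\ftp\polling

if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at %ADSUTIL%
    exit /b 1
)
if not exist "%VDIR_PATH%" mkdir "%VDIR_PATH%"

rem Step 1: create the virtual directory object in the metabase.
cscript //nologo "%ADSUTIL%" create %SITE%/Root/%VDIR_NAME% "IIsFtpVirtualDir"

rem Step 2: set the physical path on that object as a separate command.
cscript //nologo "%ADSUTIL%" set %SITE%/Root/%VDIR_NAME%/Path "%VDIR_PATH%"

rem Permissions (assumed default): allow reads, deny writes.
cscript //nologo "%ADSUTIL%" set %SITE%/Root/%VDIR_NAME%/AccessRead TRUE
cscript //nologo "%ADSUTIL%" set %SITE%/Root/%VDIR_NAME%/AccessWrite FALSE

rem List the resulting properties so the settings can be checked.
cscript //nologo "%ADSUTIL%" enum %SITE%/Root/%VDIR_NAME%
endlocal
```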
Whilst researching some IIS issues, I came across a useful checklist for securing IIS courtesy of the University of Washington.