COMMAND

    ftpd

SYSTEMS AFFECTED

    Win2K's FTP server

PROBLEM

    Bob Kline found the following.  Microsoft has introduced a security
    hole  in  the  FTP  server  on  Windows  2000  Professional.   The
    properties  panel  for  the  service  has  controls for specifying
    "accept" or "deny" lists, and the online help explains how to  use
    these  controls  to  explicitly   prohibit  specific  hosts   from
    connecting to  the service,  or restrict  access to  an enumerated
    set of hosts.

    What  the  online  help  does  not  explain  is that this security
    functionality has been turned off for the Professional version  of
    Windows 2000.   The intentional disabling  of this feature  (which
    was supported in  NT Workstation 4.0,  the predecessor of  Windows
    2000) is  confirmed by  an internal  KnowledgeBase article  within
    Microsoft.

SOLUTION

    Microsoft outlines the features that are not available in IIS  5.0
    on the Windows 2000 Professional platform in the following  public
    knowledge base  article: Q263857.   This is  less a  security hole
    and  more  a  feature  limitation  of  IIS  5.0  on  Windows  2000
    Professional.

    There are 3 MS KB articles that refer to restrictions in IIS 5.0
    on W2K Pro; they are at:

        http://support.microsoft.com/support/kb/articles/Q263/8/57.ASP
        http://support.microsoft.com/support/kb/articles/Q262/6/32.ASP
        http://support.microsoft.com/support/kb/articles/Q263/1/21.ASP

    The 'downgrade' for W2K Pro is obviously not an optimal setup, and
    the reasons for these  intentional limitations are not  made clear
    in  the  articles  although  certain  theories  do  spring to mind
    quickly.

    There is, incidentally, a workaround.  FTP operates on TCP port
    21 (for control, anyway),  and W2K Professional does  support some
    degree of internal firewalling through the Local Security Settings
    admin  control  panel.   There  are  some  strange  constraints to
    it--there's  some  perverse  humor  in  a security policy selector
    that, by default, has no concept of blocking access--but it should
    suffice.
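    Whichever mechanism is relied on, the service's own accept/deny list
    or the Local Security Settings filter, the lesson of this report is
    that the control must be tested rather than trusted.  The following
    is an added example (not part of the original report) of a small
    check run from a host that should be denied or allowed: it connects
    to the FTP control port and reports whether a 220 greeting came back.
    The stub listener and its banner are constructed here purely so the
    check can be exercised offline against 127.0.0.1.

```python
import socket
import threading


def fake_ftp_server(banner=b"220 Microsoft FTP Service (Version 5.0).\r\n"):
    """Constructed stand-in for an FTP control listener on 127.0.0.1.
    Accepts exactly one connection, sends the banner, then goes away.
    Returns the ephemeral port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Constructed helper: reserve an ephemeral port, then release it so
    a connect() to it is refused (models a host that is filtered out)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_ftp_control(host, port=21, timeout=3.0):
    """Run this from the client host whose access you want to verify.
    Returns 'accepted' when a 220 greeting arrives (the filter did not
    stop us), 'refused' on refused/reset, 'timeout' when silently
    dropped, 'unreachable' on other socket errors, 'other' otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(256).decode("ascii", "replace")
    except socket.timeout:
        return "timeout"
    except (ConnectionRefusedError, ConnectionResetError):
        return "refused"
    except OSError:
        return "unreachable"
    return "accepted" if data.startswith("220") else "other"


def audit(expected, port=21):
    """expected maps server host -> 'accepted' or 'refused', i.e. what the
    admin's accept/deny list intends from this client.  Returns the
    hosts whose observed behaviour contradicts that intent."""
    mismatches = {}
    for host, want in expected.items():
        got = probe_ftp_control(host, port)
        if got != want:
            mismatches[host] = got
    return mismatches
```

    A result of "accepted" from a host on the deny list means the list is
    being ignored, exactly the W2K Professional behaviour described above.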

    When NT 4.0  was in beta  Microsoft implemented a  licensing model
    on TCPIP connections,  such that NT  4.0 Workstation would  not be
    viable as a platform for anything other than a small personal  web
    server.   Tim O'Reilly,  of O'Reilly  and Associates  and WebSite,
    spoke widely about the problems  such a mechanism would impose  on
    his company (as did others).  Since they did not rely on IIS, and
    their  code  worked  efficiently  even  on  NT  WS,  they felt the
    licensing was going to drive up the cost of using their web server
    software by forcing the use of NT Server.

    It would appear that MS have found another way to "encourage"  the
    use of Server for anything of note  in the web space.  Far from  a
    Security hole, the disabling of security features on W2K Pro would
    appear to be a marketing vehicle to sell W2K Server.