COMMAND

    ftp (IIS)

SYSTEMS AFFECTED

    Win NT with IIS 4.0 ftp service

PROBLEM

    Steven Kastl found following.   The ftp service in  IIS 4.0 has  a
    bug that  requires all  ftp accounts  (locally defined  on the ftp
    server) to be also locally defined on all servers hosting  virtual
    directories.

    When creating a virtual  directory mapping you specify  an account
    context  with  which  the  ftp  server  will  access  the   remote
    directory.   MS goes  to great  lengths in  their documentation to
    warn you that whatever access  is granted to this account  will be
    the effective access for all accounts in this directory logged  in
    via  ftp  -->  this  creates  a  nice  little security hole.  ACLs
    created on these directories will not work properly.  Well,  there
    is a bug in IIS  4.0 (re-creatable, but not consistent  across all
    installations)  that  uses  the  credentials  of the logged in FTP
    account and not the account used to define access for the  virtual
    directory.   Since  FTP  accounts  must  be  defined  locally, the
    account is unknown to the  remote server and access is  denied (or
    granted).

    Essentially, this bug runs completely counter to all documentation
    from  MS  regarding  IIS  4.0  FTP  service  and virtual directory
    mappings.   Not to  mention that  IIS 4.0  requirements completely
    deconstruct the purpose of domains (and domain security) entirely.
    The goofiest  nature of  this bug  is that  it only  effects 'GET'
    requests; 'PUT' requests  go through just  fine (if you  have your
    VDirs configured for 'write' access).

SOLUTION

    This bug is covered in one of a KB articles.  Microsoft  currently
    has  no  fix  other  than  to  define additional accounts on those
    machines hosting virtual directories.