Anonymous FTP

(imported topic written by jeko1791)

Can anyone help me develop a Fixlet or Property that will detect Anonymous FTP on Windows systems? The new MS vulnerability in IIS 5.0 FTPd is being actively exploited in the wild and we would like to use BigFix to easily tell us where our customer may be vulnerable.

Thanks,

(imported comment written by NoahSalzman)

Hopefully someone in this Forum will point out a command line tool (such as iisftp) that will cough up this info. Unfortunately it looks like WMI is not a possibility with IIS 5.0:

“IIS 5.1 and earlier: The IIS WMI provider is not available.”

http://msdn.microsoft.com/en-us/library/ms524913.aspx

The setting might be in HKLM\SYSTEM\CurrentControlSet\Services\MSFtpsvc but I did not see anything change when toggling the Anonymous login GUI checkbox.

(imported comment written by BenKus)

You can potentially use the metabase inspectors… If anyone knows where to look in metaedit, I can help with the relevance…

Ben

(imported comment written by jeko1791)

Ben, IIS6 doesn't require a binary editor to look at the metabase, but here's what I found for IIS6:

In \inetsrv\metabase.xml

<IIsFtpService Location="/LM/MSFTPSVC"
    AdminACL="4963...blah, blah, blah"
    AllowAnonymous="TRUE"
    AnonymousOnly="FALSE"

I believe the AllowAnonymous="TRUE" here indicates whether any FTP Site on the IIS server has Anonymous enabled, and then a little further down each virtual directory shows the permissions on that directory:

<IIsFtpVirtualDir Location="/LM/MSFTPSVC/1/ROOT"
    AccessFlags="AccessRead | AccessWrite"
    Path="c:\inetpub\ftproot"

So, based on my testing, if in metabase.xml we find both of these things:

  1. AllowAnonymous="TRUE" under <IIsFtpService Location="/LM/MSFTPSVC"

and

  2. The word "AccessWrite" following any section starting with <IIsFtpVirtualDir Location (there could be multiple FTP Sites; each would have a unique "IIsFtpVirtualDir Location")

then I think we have a potentially vulnerable system. Again, this is for IIS6. Not sure metabase inspectors would work for IIS5, let me know.

(imported comment written by NoahSalzman)

This might work:

(values of key "MSFTPSVC" of keys of metabase) whose (identifier of it as string = "5005")

The result for me is 0 when the "Allow Anonymous Connections" property (for the "FTP Sites" folder in MMC) is unselected and 1 when it is selected.

That is IIS 6… I don’t have v5 handy.

(imported comment written by jeko1791)

noah,

what is "identifier of it as string = "5005"" looking for specifically in the metabase? I'm testing this on a Win2003 server with 2 FTP sites and I cannot get the "0" result, even with Anonymous disabled on both.

Excerpt from metabase:

(imported comment written by nberger91)

Is there a fixlet/task, or does anyone have a script to disable anonymous FTP? Thanks...

(imported comment written by BenKus)

Hey Nick,

I don’t have one pre-built, but if you know the identifier and key of the metabase, we can write some relevance for a Fixlet/property and then maybe find a script to change the setting.

Ben

(imported comment written by SystemAdmin)

It seems the metabase inspector doesn't return the status of 'AllowAnonymous' for FTP sites that are using the "default value" of the MSFTPSVC service. To get the 'effective' status, we'd have to do some nested If-Thens.

One thing worth noting is that even if ‘AllowAnonymous’ is set to ‘false’ for MSFTPSVC, it can still be set to ‘true’ for individual FTP sites. In other words, the ‘site settings’ override the ‘service settings.’

I have only verified this for IIS v6, not sure if previous versions treat this the same way.
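The two-condition test jeko1791 proposed (service-level AllowAnonymous="TRUE" plus an AccessWrite virtual directory) and the later observation that a site-level AllowAnonymous overrides the service-level value can be combined into one offline check over metabase.xml. The following is an added example, not code from the thread or from BigFix: it resolves the effective AllowAnonymous for each FTP site by walking up the Location path to the nearest key that sets it (so a site-level value wins over the service value, and a site with no value inherits the service value), then flags only sites where anonymous logon is effective and some virtual directory under the site carries AccessWrite. The sample metabase is constructed for the example; the IIsFtpServer element name for an FTP site, the metabase XML namespace, and parent-path inheritance of the AllowAnonymous and AccessFlags properties are assumptions about the metabase layout, not something the thread confirms.

```python
"""Find IIS 6 FTP sites where anonymous users could effectively write.

Added example (not the thread's or BigFix's code). The sample metabase
below is constructed; the IIsFtpServer element name, the namespace and
the parent-path inheritance rule are assumptions about metabase.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample. The service disables anonymous logon, site 1 inherits
# that, site 2 overrides it to TRUE and has a writable "incoming" vdir,
# site 3 allows anonymous but is read-only. Only site 2 should be flagged.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsFtpService Location="/LM/MSFTPSVC" AllowAnonymous="FALSE" AnonymousOnly="FALSE" />
<IIsFtpServer Location="/LM/MSFTPSVC/1" ServerComment="Internal FTP" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/1/ROOT" AccessFlags="AccessRead | AccessWrite" Path="c:\inetpub\ftproot" />
<IIsFtpServer Location="/LM/MSFTPSVC/2" ServerComment="Public drop" AllowAnonymous="TRUE" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/2/ROOT" AccessFlags="AccessRead" Path="d:\ftp\public" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/2/ROOT/incoming" AccessFlags="AccessRead | AccessWrite" Path="d:\ftp\incoming" />
<IIsFtpServer Location="/LM/MSFTPSVC/3" ServerComment="Partner" AllowAnonymous="TRUE" />
<IIsFtpVirtualDir Location="/LM/MSFTPSVC/3/ROOT" AccessFlags="AccessRead" Path="d:\ftp\partner" />
</MBProperty>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def load_metabase(xml_text):
    """Return {Location: (class name, attribute dict)} for every metabase key."""
    keys = {}
    for elem in ET.fromstring(xml_text).iter():
        loc = elem.get("Location")
        if loc is not None:
            keys[loc] = (_local(elem.tag), dict(elem.attrib))
    return keys


def effective_property(keys, location, name, default=None):
    """Nearest explicit value wins: the key itself, then its parent keys.

    This is the inheritance rule assumed here, and it is why a site-level
    AllowAnonymous overrides the service-level one while an unset site
    inherits the service value.
    """
    path = location
    while path:
        attrs = keys.get(path, (None, {}))[1]
        if name in attrs:
            return attrs[name]
        path = path.rsplit("/", 1)[0]   # "/LM/MSFTPSVC/2/ROOT" -> "/LM/MSFTPSVC/2"
    return default


def ftp_sites(keys):
    """Locations of all FTP site keys (assumed class name IIsFtpServer)."""
    return sorted(loc for loc, (cls, _) in keys.items() if cls == "IIsFtpServer")


def anonymous_allowed(keys, site):
    """Effective AllowAnonymous for a site, treating an unset chain as FALSE."""
    return effective_property(keys, site, "AllowAnonymous", "FALSE").upper() == "TRUE"


def writable_vdirs(keys, site):
    """Virtual directories under `site` whose effective AccessFlags include AccessWrite."""
    out = []
    for loc, (cls, _) in keys.items():
        if cls == "IIsFtpVirtualDir" and loc.startswith(site + "/"):
            flags = effective_property(keys, loc, "AccessFlags", "")
            if "AccessWrite" in [f.strip() for f in flags.split("|")]:
                out.append(loc)
    return sorted(out)


def anonymous_writable_sites(keys):
    """Sites where anonymous logon is effective AND a vdir is writable."""
    result = {}
    for site in ftp_sites(keys):
        if anonymous_allowed(keys, site):
            vdirs = writable_vdirs(keys, site)
            if vdirs:
                result[site] = vdirs
    return result


if __name__ == "__main__":
    # Real use: load_metabase(open(r"C:\WINDOWS\system32\inetsrv\metabase.xml").read())
    mb = load_metabase(SAMPLE_METABASE)
    for site, vdirs in anonymous_writable_sites(mb).items():
        print("anonymous + writable:", site, vdirs)
```

Run against the sample, the service-level-only test from the thread would report nothing (the service says FALSE), while the effective-value check flags /LM/MSFTPSVC/2 because its own AllowAnonymous="TRUE" overrides the service setting and its incoming directory carries AccessWrite. Site 1 is not flagged despite its writable root, and site 3 is not flagged because it is read-only.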