When is Microsoft going to make available a secure
replacement ( e.g. ssh/scp ) for telnet and ftp
on their Windows server versions?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Re: Replacement for unsecure telnet/ftp on Windows servers by Malke

Malke
Mon Aug 28 09:23:47 CDT 2006

Gary Flynn wrote:

> When is Microsoft going to make available a secure
> replacement ( e.g. ssh/scp ) for telnet and ftp
> on their Windows server versions?
>

That would be a good question to ask Microsoft. Since this is a
peer-to-peer newsgroup rarely frequented by MS employees, this wouldn't
be the best place to get a definitive MS answer. However, until one of
the extremely knowledgeable regulars (who don't work for the company)
comes along, see:

http://www.openssh.com/windows.html

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Re: Replacement for unsecure telnet/ftp on Windows servers by Steven

Steven
Mon Aug 28 12:25:19 CDT 2006

I don't know but you can use ipsec to encrypt and ensure integrity for
traffic between Windows computers that are ipsec aware - Windows
2000/2003/XP Pro. You can encrypt all traffic or for specific
ports/protocols/IP. Special considerations need to be taken for domain
controllers before implementing ipsec policies in a domain however. RDP is
also encrypted including logon.

Steve

http://support.microsoft.com/kb/254949/


"Gary Flynn" <flynngn@jmu.edu> wrote in message
news:44F2F7B7.1030706@jmu.edu...
> When is Microsoft going to make available a secure
> replacement ( e.g. ssh/scp ) for telnet and ftp
> on their Windows server versions?
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security



Re: Replacement for unsecure telnet/ftp on Windows servers by Roger

Roger
Mon Aug 28 13:31:22 CDT 2006

Who knows ???

But, my guess is, for the access technologies you
have specifically called out, never.

"They" view Windows as providing inherently
securable alternatives to each of those.

Roger

"Gary Flynn" <flynngn@jmu.edu> wrote in message
news:44F2F7B7.1030706@jmu.edu...
> When is Microsoft going to make available a secure
> replacement ( e.g. ssh/scp ) for telnet and ftp
> on their Windows server versions?
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security



Re: Replacement for unsecure telnet/ftp on Windows servers by karl

karl
Mon Aug 28 19:50:10 CDT 2006


"Gary Flynn" <flynngn@jmu.edu> wrote in message
news:44F2F7B7.1030706@jmu.edu...
> When is Microsoft going to make available a secure
> replacement ( e.g. ssh/scp ) for telnet and ftp
> on their Windows server versions?

Terminal Services will do both, with encryption and authentication.



Re: Replacement for unsecure telnet/ftp on Windows servers by Ian

Ian
Tue Aug 29 01:52:02 CDT 2006

IMHO you're better using third-party software for any kind of Internet
service. MS products have always had security issues with buffer-overrun
flaws, and there are so many of those yet-to-be-discovered that I don't see
that situation ever changing.

Web: Apache
FTP: Filezilla Server.
SSH: OpenSSH or Zebedee

Total cost : $0.00

Telnet: Even Linux sysadmins are cagey on that one. Reason is you can't
'sandbox' the user like you can with ftp, if they have access they can access
the whole filesystem, so any wrong fs permissions, anywhere, and you've got
trouble.



Re: Replacement for unsecure telnet/ftp on Windows servers by karl

karl
Tue Aug 29 08:31:12 CDT 2006


"Ian" <Ian@discussions.microsoft.com> wrote in message
news:A925EAED-622E-43CA-8041-DF460E9466D2@microsoft.com...
> IMHO you're better using third-party software for any kind of Internet
> service. MS products have always had security issues with buffer-overrun
> flaws, and there are so many of those yet-to-be-discovered that I don't see
> that situation ever changing.
>
> Web: Apache
> FTP: Filezilla Server.
> SSH: OpenSSH or Zebedee

You mean you're not aware of the security problems OpenSSH and OpenSSL have
had with buffer overflows and the like? They receive security updates
fairly regularly. They just aren't targeted as frequently by worms and make
the news. But if you look at the list of hacked web servers at
www.zone-h.org, and compare it to the number of web sites running IIS versus
Apache at www.netcraft.com, you'll see that Apache is hacked as often if not
more often than Windows, even when you adjust for market share. If you
search www.microsoft.com/technet/security/current.mspx for security patches
for IIS 6.0 on Windows 2003, there isn't a single one, three years after
release.

All OSes require you to install third party security software such as SSH
and antivirus. Red Hat doesn't make an SSH client. They just put somebody
else's SSH client on their install CD, and Microsoft does not. I personally
don't have that much interest in Microsoft making or releasing an SSH
client, because the one used on Red Hat and Windows today works fine for me.
It would be nice if they did, but it's not at the top of my wish list for
Microsoft.



Re: Replacement for unsecure telnet/ftp on Windows servers by Robert

Robert
Tue Aug 29 16:24:13 CDT 2006

Ian wrote:
> IMHO you're better using third-party software for any kind of Internet
> service. MS products have always had security issues with
> buffer-overrun flaws, and there are so many of those
> yet-to-be-discovered that I don't see that situation ever changing.

You do realise that if your criteria for product selection is a total lack
of security flaws then you've just locked yourself out of anything other
than an abacus?

Incidentally, you may want to take a long hard look at IIS 6. Microsoft
took a long hard look at the criticism of their previous web server
efforts prior to IIS 6, and made what appears to be a magnificent
response.

The legend of Microsoft's web servers always being swiss cheese may in
fact be no more.

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".



Re: Replacement for unsecure telnet/ftp on Windows servers by Roger

Roger
Tue Aug 29 16:34:02 CDT 2006

"Robert Moir" <robspamtrap+msnews@gmail.com> wrote in message
news:eeE96F7yGHA.4968@TK2MSFTNGP05.phx.gbl...
> Ian wrote:
>> IMHO you're better using third-party software for any kind of Internet
>> service. MS products have always had security issues with
>> buffer-overrun flaws, and there are so many of those
>> yet-to-be-discovered that I don't see that situation ever changing.
>
> You do realise that if your criteria for product selection is a total lack
> of security flaws then you've just locked yourself out of anything other
> than an abacus?
>
> Incidentally, you may want to take a long hard look at IIS 6. Microsoft
> took a long hard look at the criticism of their previous web server
> efforts prior to IIS 6, and made what appears to be a magnificent
> response.
>
> The legend of Microsoft's web servers always being swiss cheese may in
> fact be no more.
>

To my understanding that "legend" is due nearly entirely to IIS 4 (and
the FrontPage server extensions). If memory serves correctly, after the
IIS 5 rollup was released (? mid 2002) IIS 5, and IIS 6 have had very
little patchwork logged against them, and what has been is not really for
the webserver but for layered options (asp, webdav).

The poster's comments, when I first read them, made me think of an
ostrich, with head hidden in a hole, oblivious to what was going on
around it.

--
Roger



Re: Replacement for unsecure telnet/ftp on Windows servers by karl

karl
Tue Aug 29 21:20:40 CDT 2006


"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OPKIaL7yGHA.4844@TK2MSFTNGP04.phx.gbl...

> To my understanding that "legend" is due nearly entirely to IIS 4 (and
> the FrontPage server extensions). If memory serves correctly, after the
> IIS 5 rollup was released (? mid 2002) IIS 5, and IIS 6 have had very
> little patchwork logged against them, and what has been is not really for
> the webserver but for layered options (asp, webdav).
>
> The poster's comments, when I first read them, made me think of an
> ostrich, with head hidden in a hole, oblivious to what was going on
> around it.

... and then most of the vulnerabilities through which IIS 4 and 5 were
hacked could easily have been prevented had the owner of the web server
simply installed patches. If your server admin has trouble installing
Windows patches in a timely manner, then I just don't see that admin having
any better luck at patching Apache on Linux to keep it secure.



Re: Replacement for unsecure telnet/ftp on Windows servers by Gary

Gary
Tue Sep 12 10:31:15 CDT 2006

Getting back to the original topic, one possible solution would
be to use the Unix Services for Windows product.

http://www.microsoft.com/technet/interopmigration/unix/sfu/default.mspx

However, like the Cygwin solution, it involves installing a lot
of functionality and code above that required for an SSH server.
That additional code must be patched and maintained and it
presents unnecessary risk.

While Red Hat does not supply the SSH server it ships with its
product, most if not all Linux distributions are shipped with
OpenSSH.

Microsoft ships its own telnet and ftp server. If it ships
them, it should at least ship a secure alternative.

The easiest thing for them to do would probably be to offer a
Microsoft supported Windows port of OpenSSH. Even if it's a
separate download or on a resource kit. They'd be doing their
enterprise customers a service and make their platform both
more usable and more secure.

My $0.02 worth.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security