Automatically Reset the FTP Service in Windows Server 2008

One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat - It will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service, included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Manager:

• Right-click Task Manager (under Configuration in Server Manager) and select Create a Basic Task


• Name the task, "Reset FTP Service" and click Next


• Choose When a specific event is logged as the Task Trigger, click Next


• Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next


• Select Start a program and click Next


• Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next


• Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish


• In the Properties window select Run whether user is logged on or not and Run with highest privileges


• Click OK


• Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.

---

Subscribe to my feed  

Subscribe to The EXPTA {blog} by Email

Automatically Reset the FTP Service

[Click here for a Windows Server 2008 version of this article]

A client of mine utilizes the Microsoft FTP service in Windows Server 2003 IIS 6.0 on a public web server.

Unfortunately, the FTP service is notoriously insecure since it transmits passwords in plain text. It also does not offer any way to block brute force or dictionary attacks. Because of this, the client was seeing multiple failed logins from the Administrator account, several times per second. These show up as warnings in the System event log from the MSFTPSVC source with event ID 100. Since I always rename the Administrator account as a standard best practice, it was obvious these attempted logins were coming from an attacker.

Windows Server 2008 will offer Secure FTP (or FTP over SSL) as a separate download for IIS7, which will be the first major improvement to the protocol since it was developed. But being that my client is running Windows 2003, this isn't an option.

The solution I used involves the Windows EventTriggers utility. I created a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, I use EventTriggers as follows:

eventtriggers /CREATE /TR "Reset FTP Service" /TK C:\Scripts\ResetFTPSVC.bat /L System /EID 100 /SO MSFTPSVC /RU ""

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source MSFTPSVC is logged in the System event log. The /RU switch causes the task to run under the Local System account, which has the rights necessary to run unattended.

---

Subscribe to my feed  

Subscribe to The EXPTA {blog} by Email

Good Day Today

Today was a good session day. I got to start and end it with Marcus Murray, who finished the day to a PACKED session in the TLC Library showing how easy it is to perform a buffer overrun exploit. Scary, scary stuff. The guy is a rockstar.

Other sessions included Paul Robichaux, talking about Forefront Security for Exchange, and a good session on architecting and upgrading WSUS 3.0.

I got to see our friends at Sam's Publishing in the vendor booth. Sams publishes the Microsoft "Unleashed" series, including Microsoft Exchange Server 2007 Unleashed and Microsoft Exchange Server 2003 Unleashed, both of which I am a cowriter of. Fellow CCO consultant, Michael Noel was there at the Sams booth on Tuesday. Be sure to check out his sessions on SharePoint 2007 here at TechEd!

I'll post a summary of the items discussed at the WSUS session in a future blog. For now, I'm going to get ready for the Microsoft Influencer's Party at Margaritaville and the Double-Take party at the Hard Rock. Woo-hoo!

---

Subscribe to my feed  

Subscribe to The EXPTA {blog} by Email

Knocked my Socks Off

My first session this morning was "Why I can Hack Your Network in a Day!", by Marcus Murray. The information and demos he gave were absolutely frightening. He showed how to gain full access to almost any domain with ease. Amazing stuff. It's his first US TechEd and I'm sure it won't be his last. Now if he'd only do a session on securing networks, I'll sleep better.

---

Subscribe to my feed  

Subscribe to The EXPTA {blog} by Email