Change Password on FTP Server?

Is it possible programmatically change a User's FTP password on the server?

Scenario:  We had a SAS 70 audit recently, and they mentioned one of the features they would like to see is for our customers to be required to change their FTP password every 30 days, and have the ability to change it themselves.  Currently, we set the passwords internally, and then let our customers know what they are.  

Is there a way to do that?  Is it possible?

Thanks.
LVL 27
VBRocksAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

abelCommented:
I'm a bit surprised that SAS let's you keep your FTP server.... Unless you use SFTP, FTPS or SCP, the FTP protocol is very insecure. Passwords are send as plaintext and it only takes a little sniffing around to gain access to an FTP site.

On your request: the FTP protocol itself does not have a way of changing the password. The reason is simple, it would allow an attacker to possibly change the password of a user or the administrator, banning access for that user. In most cases, the FTP users are maintained by the FTP server. In Windows, if you use the FTP server for IIS, it is connected with windows usernames (AD), which is just the more a reason not to use it, as it opens a large hole in your windows security. But, AD can be programmed and users can be changed (but I'm no AD expert).

In other cases, like with WS_FTP server or FileZilla Server the server has a different approach and stores the passwords encrypted in its own user db. Whether these are accessible I don't know, though I remember from FileZilla that it has a programmable interface.

As an alternative approach, you can allow users to place a file with a new password in a special directory (encrypted, I hope), which can be read by the server (monitoring that directory is all it takes). You can automate this with some simple tool on server and client side, but it is not an ideal solution.

-- Abel --
0
abelCommented:
PS: a list of available FTP commands is here: http://www.nsftools.com/tips/RawFTP.htm, so you can check for yourself that something like ChancePassword command does not exist.

If you implement your own FTP server or if you have access to the sources of an FTP server, nothing stops you from adding such commands. But look above on security why that's probably not what you want in the long run....
0
VBRocksAuthor Commented:
Ok, thanks abel.  Let me research it a little more.

We are using FTPS/HTTPS, by the way.
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

abelCommented:
Ah, that's hugely different (FTPS instead of FTP, I mean). If you need help with a chosen path, let me know :)
0
VBRocksAuthor Commented:
Well, I've actually already written a windows application that is comparable to File Zilla / WS_FTP, although it's not completely finished.  It is working very nice though.  It uses both FTPS and HTTPS to access my company's (WebDAV) server.

The SAS audit we just had last week, and their recommendation for user password changing got me researching it...

Thanks for your help.
0
abelCommented:
Btw, here's an FTP server that supports changing the password of a user. It recognizes it as an extension and not a standard to the protocol. You may consult the documentation of your ftp server in case it supports something similar: http://wiki.builtbp.com/index.php/Change_Password_Remotely
0
VBRocksAuthor Commented:
abel - How could we go about adding a custom command to our FTP server?

0
abelCommented:
Well, that highly depends on what FTP server you are using and not all of them allow it (which is why I mentioned the workaround with the file). You said you were building one yourself, in which case you have full control, but you aren't using your own implementation yet, correct? (and you should be aware that building a fully fledged FTP server is quite some years work, though the basics are easy).

Can you update with what FTP server you are using?
0
VBRocksAuthor Commented:
Windows Server 2008 / IIS 7.
0
abelCommented:
I'm afraid that IIS does not support creating custom commands in version 7. However, if you can upgrade to the new version 7.5 (only for Windows 2008) you may have some possibilities. I haven't tried this myself, but here are a few guidelines on how to extend FTP 7.5: http://learn.iis.net/page.aspx/590/developing-for-ftp-75/

Alternatively, if you care going to another FTP server, you can consider GlobalScape, which supports hand-written commands natively and easily: http://help.globalscape.com/help/secureserver2/Custom_command_example.htm

I'm sorry that a seemingly simple request is not that simple to solve ... ;-)

-- Abel --
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.