Solved

Change Password on FTP Server?

Posted on 2009-06-29
10
472 Views
Last Modified: 2013-12-17
Is it possible programmatically change a User's FTP password on the server?

Scenario:  We had a SAS 70 audit recently, and they mentioned one of the features they would like to see is for our customers to be required to change their FTP password every 30 days, and have the ability to change it themselves.  Currently, we set the passwords internally, and then let our customers know what they are.  

Is there a way to do that?  Is it possible?

Thanks.
0
Comment
Question by:VBRocks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
10 Comments
 
LVL 39

Expert Comment

by:abel
ID: 24738289
I'm a bit surprised that SAS let's you keep your FTP server.... Unless you use SFTP, FTPS or SCP, the FTP protocol is very insecure. Passwords are send as plaintext and it only takes a little sniffing around to gain access to an FTP site.

On your request: the FTP protocol itself does not have a way of changing the password. The reason is simple, it would allow an attacker to possibly change the password of a user or the administrator, banning access for that user. In most cases, the FTP users are maintained by the FTP server. In Windows, if you use the FTP server for IIS, it is connected with windows usernames (AD), which is just the more a reason not to use it, as it opens a large hole in your windows security. But, AD can be programmed and users can be changed (but I'm no AD expert).

In other cases, like with WS_FTP server or FileZilla Server the server has a different approach and stores the passwords encrypted in its own user db. Whether these are accessible I don't know, though I remember from FileZilla that it has a programmable interface.

As an alternative approach, you can allow users to place a file with a new password in a special directory (encrypted, I hope), which can be read by the server (monitoring that directory is all it takes). You can automate this with some simple tool on server and client side, but it is not an ideal solution.

-- Abel --
0
 
LVL 39

Expert Comment

by:abel
ID: 24738408
PS: a list of available FTP commands is here: http://www.nsftools.com/tips/RawFTP.htm, so you can check for yourself that something like ChancePassword command does not exist.

If you implement your own FTP server or if you have access to the sources of an FTP server, nothing stops you from adding such commands. But look above on security why that's probably not what you want in the long run....
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738436
Ok, thanks abel.  Let me research it a little more.

We are using FTPS/HTTPS, by the way.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 39

Expert Comment

by:abel
ID: 24738672
Ah, that's hugely different (FTPS instead of FTP, I mean). If you need help with a chosen path, let me know :)
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738719
Well, I've actually already written a windows application that is comparable to File Zilla / WS_FTP, although it's not completely finished.  It is working very nice though.  It uses both FTPS and HTTPS to access my company's (WebDAV) server.

The SAS audit we just had last week, and their recommendation for user password changing got me researching it...

Thanks for your help.
0
 
LVL 39

Expert Comment

by:abel
ID: 24738720
Btw, here's an FTP server that supports changing the password of a user. It recognizes it as an extension and not a standard to the protocol. You may consult the documentation of your ftp server in case it supports something similar: http://wiki.builtbp.com/index.php/Change_Password_Remotely
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739486
abel - How could we go about adding a custom command to our FTP server?

0
 
LVL 39

Expert Comment

by:abel
ID: 24739503
Well, that highly depends on what FTP server you are using and not all of them allow it (which is why I mentioned the workaround with the file). You said you were building one yourself, in which case you have full control, but you aren't using your own implementation yet, correct? (and you should be aware that building a fully fledged FTP server is quite some years work, though the basics are easy).

Can you update with what FTP server you are using?
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739540
Windows Server 2008 / IIS 7.
0
 
LVL 39

Accepted Solution

by:
abel earned 500 total points
ID: 24739658
I'm afraid that IIS does not support creating custom commands in version 7. However, if you can upgrade to the new version 7.5 (only for Windows 2008) you may have some possibilities. I haven't tried this myself, but here are a few guidelines on how to extend FTP 7.5: http://learn.iis.net/page.aspx/590/developing-for-ftp-75/

Alternatively, if you care going to another FTP server, you can consider GlobalScape, which supports hand-written commands natively and easily: http://help.globalscape.com/help/secureserver2/Custom_command_example.htm

I'm sorry that a seemingly simple request is not that simple to solve ... ;-)

-- Abel --
0

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question