Solved

Change Password on FTP Server?

Posted on 2009-06-29
10
467 Views
Last Modified: 2013-12-17
Is it possible programmatically change a User's FTP password on the server?

Scenario:  We had a SAS 70 audit recently, and they mentioned one of the features they would like to see is for our customers to be required to change their FTP password every 30 days, and have the ability to change it themselves.  Currently, we set the passwords internally, and then let our customers know what they are.  

Is there a way to do that?  Is it possible?

Thanks.
0
Comment
Question by:VBRocks
  • 6
  • 4
10 Comments
 
LVL 39

Expert Comment

by:abel
ID: 24738289
I'm a bit surprised that SAS let's you keep your FTP server.... Unless you use SFTP, FTPS or SCP, the FTP protocol is very insecure. Passwords are send as plaintext and it only takes a little sniffing around to gain access to an FTP site.

On your request: the FTP protocol itself does not have a way of changing the password. The reason is simple, it would allow an attacker to possibly change the password of a user or the administrator, banning access for that user. In most cases, the FTP users are maintained by the FTP server. In Windows, if you use the FTP server for IIS, it is connected with windows usernames (AD), which is just the more a reason not to use it, as it opens a large hole in your windows security. But, AD can be programmed and users can be changed (but I'm no AD expert).

In other cases, like with WS_FTP server or FileZilla Server the server has a different approach and stores the passwords encrypted in its own user db. Whether these are accessible I don't know, though I remember from FileZilla that it has a programmable interface.

As an alternative approach, you can allow users to place a file with a new password in a special directory (encrypted, I hope), which can be read by the server (monitoring that directory is all it takes). You can automate this with some simple tool on server and client side, but it is not an ideal solution.

-- Abel --
0
 
LVL 39

Expert Comment

by:abel
ID: 24738408
PS: a list of available FTP commands is here: http://www.nsftools.com/tips/RawFTP.htm, so you can check for yourself that something like ChancePassword command does not exist.

If you implement your own FTP server or if you have access to the sources of an FTP server, nothing stops you from adding such commands. But look above on security why that's probably not what you want in the long run....
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738436
Ok, thanks abel.  Let me research it a little more.

We are using FTPS/HTTPS, by the way.
0
 
LVL 39

Expert Comment

by:abel
ID: 24738672
Ah, that's hugely different (FTPS instead of FTP, I mean). If you need help with a chosen path, let me know :)
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24738719
Well, I've actually already written a windows application that is comparable to File Zilla / WS_FTP, although it's not completely finished.  It is working very nice though.  It uses both FTPS and HTTPS to access my company's (WebDAV) server.

The SAS audit we just had last week, and their recommendation for user password changing got me researching it...

Thanks for your help.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 39

Expert Comment

by:abel
ID: 24738720
Btw, here's an FTP server that supports changing the password of a user. It recognizes it as an extension and not a standard to the protocol. You may consult the documentation of your ftp server in case it supports something similar: http://wiki.builtbp.com/index.php/Change_Password_Remotely
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739486
abel - How could we go about adding a custom command to our FTP server?

0
 
LVL 39

Expert Comment

by:abel
ID: 24739503
Well, that highly depends on what FTP server you are using and not all of them allow it (which is why I mentioned the workaround with the file). You said you were building one yourself, in which case you have full control, but you aren't using your own implementation yet, correct? (and you should be aware that building a fully fledged FTP server is quite some years work, though the basics are easy).

Can you update with what FTP server you are using?
0
 
LVL 27

Author Comment

by:VBRocks
ID: 24739540
Windows Server 2008 / IIS 7.
0
 
LVL 39

Accepted Solution

by:
abel earned 500 total points
ID: 24739658
I'm afraid that IIS does not support creating custom commands in version 7. However, if you can upgrade to the new version 7.5 (only for Windows 2008) you may have some possibilities. I haven't tried this myself, but here are a few guidelines on how to extend FTP 7.5: http://learn.iis.net/page.aspx/590/developing-for-ftp-75/

Alternatively, if you care going to another FTP server, you can consider GlobalScape, which supports hand-written commands natively and easily: http://help.globalscape.com/help/secureserver2/Custom_command_example.htm

I'm sorry that a seemingly simple request is not that simple to solve ... ;-)

-- Abel --
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Get id from json Data with NewtonSoft 3 34
Not showing page correctly 3 30
Allow User To Arrange Columns At Datagridview 3 19
logs for inetpub time stamps are off 1 14
More often than not, we developers are confronted with a need: a need to make some kind of magic happen via code. Whether it is for a client, for the boss, or for our own personal projects, the need must be satisfied. Most of the time, the Framework…
Parsing a CSV file is a task that we are confronted with regularly, and although there are a vast number of means to do this, as a newbie, the field can be confusing and the tools can seem complex. A simple solution to parsing a customized CSV fi…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now