i do it at home so why can’t i do it at work?

…because your personal acceptance level (or ignorance) of risk differs from that of the company you work for.

There are always posts about how draconian IT policies are for users, and responses on why it is that way. This well-written article is another example of the justification for IT restrictions.

It is often the job of IT security folks to do and enforce these things, usually with a blessing from upper management. Getting mad at them is rarely going to get you anywhere, just like getting mad at a TSA agent. Sorry, they’re just doing their job; take it up with their superiors or the policy-makers. We’re not (always) trying to be sadists.

The end of this article is a key point: “As a user, are you ready to accept personal responsibility if something you want affects the security of the network?”

In the end, it is all just a balancing act between corporate culture (which includes productivity and happiness) and managing your risk. If we could forget all the endpoints and properly secure the important data while letting people all run as local admins, we’d probably do it. Logical decisions are usually easy for us…

video of win2k iis ftp attack opening a bindshell

The good folks at Offensive Security have posted a video (Camtasia) of the Win2k IIS 5.0/6.0 FTPD exploit in action (found via Andrew Hay). The difference between this version and the kingcope exploit is that this one sets up a bindshell, where the original set up a new Windows user account.

What isn’t mentioned is that the exploit does require a valid connection to the FTP server, either through valid credentials, stolen credentials, or anonymous write access. So the old “best practices” of removing anonymous access, being careful who you let into your server, and enforcing strong passwords help mitigate this risk. Though that’s really not enough assurance and I expect an MS patch for this soon, this at least should let you sleep at night if you have vulnerable servers. And don’t just think about remote attacks from China but also internally-accessible FTP servers.
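Since the precondition above is an authenticated (or anonymous) session with write access, one thing a defender can do today is audit the FTP logs for anonymous sessions that actually wrote to the server. Here is an added example of that check (my code, not from the video or the post) run over constructed IIS-style W3C log lines; the field layout and the `[n]COMMAND` method prefix are assumptions modelled on IIS FTP logging, so adjust them to your own `#Fields:` header.

```python
# Added example: flag anonymous FTP sessions that performed write operations.
# Assumed field layout (check your own #Fields line):
#   date time c-ip cs-username cs-method cs-uri-stem sc-status
# Assumed: IIS prefixes the FTP command with a session id, e.g. "[1]USER".
from collections import defaultdict

# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-09-01 10:00:01 10.1.2.3 - [1]USER anonymous 331
2009-09-01 10:00:01 10.1.2.3 anonymous [1]PASS IEUser@ 230
2009-09-01 10:00:05 10.1.2.3 anonymous [1]MKD incoming 257
2009-09-01 10:00:09 10.1.2.3 anonymous [1]created incoming/file.bin 226
2009-09-01 10:02:00 10.1.2.9 - [2]USER alice 331
2009-09-01 10:02:00 10.1.2.9 alice [2]PASS - 230
2009-09-01 10:02:10 10.1.2.9 alice [2]sent report.txt 226
2009-09-01 10:03:00 10.1.2.7 - [3]USER anonymous 331
2009-09-01 10:03:00 10.1.2.7 anonymous [3]PASS guest@ 230
2009-09-01 10:03:04 10.1.2.7 anonymous [3]sent readme.txt 226
"""

# Commands that change the server's file system ("created" is the IIS name for an upload).
WRITE_METHODS = {"MKD", "created", "STOR", "RMD", "DELE", "RNTO", "APPE"}

def parse_line(line):
    """Return a dict for one W3C record, or None for comment/blank/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    # Split "[1]MKD" into session "1" and method "MKD"; works without a prefix too.
    session, _, method = parts[4].rpartition("]")
    return {"ip": parts[2], "user": parts[3], "session": session.lstrip("["),
            "method": method, "target": parts[5], "status": int(parts[6])}

def anonymous_writes(log_text):
    """Map (client_ip, session) -> successful write records made by the anonymous user."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only successful (status < 400) writes by the anonymous account are of interest.
        if rec["user"].lower() == "anonymous" and rec["method"] in WRITE_METHODS and rec["status"] < 400:
            hits[(rec["ip"], rec["session"])].append(rec)
    return dict(hits)

if __name__ == "__main__":
    for (ip, sess), recs in anonymous_writes(SAMPLE_LOG).items():
        ops = ", ".join(f"{r['method']} {r['target']}" for r in recs)
        print(f"anonymous write from {ip} (session {sess}): {ops}")
```

A read-only anonymous session (like the third one in the sample) is not flagged; only sessions that created or modified something are, which is the access the post says the exploit needs.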

Another “best practice” is to flatly not use the IIS FTP server. I think that suggestion has been around for 10 years now…