info: name: FTP Access Control Check author: nukunga[SungHyunJeon] severity: medium description: | Ensure FTP access is restricted by configuring IP address filters. Without these restrictions, unauthorized networks could potentially access FTP services. impact: | Lack of proper IP-based access control allows FTP services to be accessed by unauthorized networks, heightening the risk of data breaches and other security threats. remediation: | Set up IP address restrictions using IIS Manager: - Open IIS Manager. - Go to the FTP site → FTP IP Address and Domain Restrictions. - Add the allowed IP addresses and configure suitable deny rules. reference: - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85 tags: ftp,iis,security,windows,code,windows-audit,kisa
self-contained: true
code: - pre-condition: | IsWindows(); engine: - powershell - powershell.exe args: - -ExecutionPolicy - Bypass pattern: "*.ps1" source: | Import-Module WebAdministration -ErrorAction SilentlyContinue $ftpSites = Get-ChildItem IIS:\Sites | Where-Object { $_.Bindings.Collection.Protocol -eq"ftp" } $vulnerable = $false foreach ($sitein$ftpSites) { $ipSecurity = Get-WebConfigurationProperty-pspath"MACHINE/WEBROOT/APPHOST/$($site.Name)"-filter"system.ftpServer/security/ipSecurity"-name"allowUnlisted"-ErrorAction SilentlyContinue # If allowUnlisted is true, FTP access is open to unlisted IPs (i.e., no proper IP restriction is applied) if ($ipSecurity-eq$true) { $vulnerable = $true break } } if ($vulnerable) { "FTP_IP_ACCESS_CONTROL_NOT_CONFIGURED" } else { "FTP_IP_ACCESS_CONTROL_CONFIGURED" }
matchers: - type: word words: - "FTP_IP_ACCESS_CONTROL_NOT_CONFIGURED"