Can a Windows server be hacked by someone with FTP access?
I don't run a hosting service, just a server for my own business. But I was thinking of sharing the server with a few friends, and wondered about some security issues that hosting services probably worry about all the time. Specifically, if FTP login info for someone on my server falls into the wrong hands, what is the worst that a hacker could do?
This much I have reasoned or assumed:
-- Even if a hacker uploaded malicious code via FTP, the code can't actually be run on the server from an FTP client. It just sits there.
-- All user directories have either no execute permissions or scripts only in IIS, so an evil executable file could not be run from a web browser.
-- On my server, the only interpreter installed (I think) is ASP, which only handles VBScript and JScript. PHP, Perl, and other exotic scripts couldn't be run because IIS doesn't know what to do with them.
-- ASP scripts can run COM objects on the system through the server.createobject method, but only objects that are registered on the system, and nothing uploaded via FTP could get registered (I hope). I wonder, however, what else an ASP script can invoke besides the obvious, benign stuff like ADO.
-- Anything run from a web browser will run with the permissions of the web anonymous user, which should limit the damage possible.
I would be grateful for any advice -- if any of the above assumptions are wrong, and on what damage might be done starting just with malicious ASP scripts, or how to protect a server from this threat.
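An added example, not part of the original post: one way a server owner could audit the FTP-writable user directories for ASP files that call `CreateObject` on anything outside an approved list. The extension set, the allowlist, the directory layout and the `Example.*` ProgIDs are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to the ASP engine on this server.
ASP_EXTENSIONS = {".asp", ".asa"}
# Assumption: ProgIDs the server owner has approved (ADO, as named in the post).
ALLOWED_PROGIDS = {"adodb.connection", "adodb.recordset", "adodb.command"}

# Matches Server.CreateObject("ProgID") and bare CreateObject("ProgID"),
# case-insensitively, because VBScript does not care about casing.
CREATEOBJECT_RE = re.compile(
    r"""createobject\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)


def audit_upload_root(root, allowed=ALLOWED_PROGIDS):
    """Return sorted (relative_path, progid) pairs for every CreateObject call
    in an ASP file under root whose ProgID is not on the allowlist."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in ASP_EXTENSIONS:
            continue
        text = path.read_text(encoding="latin-1")  # decodes any byte sequence
        for progid in CREATEOBJECT_RE.findall(text):
            if progid.strip().lower() not in allowed:
                findings.append((path.relative_to(root).as_posix(), progid.strip()))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample files standing in for FTP-uploaded user directories."""
    root = Path(root)
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    (root / "alice" / "report.asp").write_text(
        '<% Set cn = Server.CreateObject("ADODB.Connection") %>\n')
    (root / "bob" / "tool.ASP").write_text(
        '<% Set a = server.createobject("Example.Component") %>\n'
        '<% Set b = CreateObject("Example.Helper") %>\n')
    (root / "bob" / "notes.txt").write_text('CreateObject("Example.Component")\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, progid in audit_upload_root(tmp):
            print(f"{rel}: unapproved COM object {progid}")
```

A static scan like this only sees ProgIDs written as string literals, so it complements the directory permissions and anonymous-user restrictions described in the post rather than replacing them.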