Wing FTP Anonymous access
Description
Wing FTP Server is configured to allow anonymous FTP access, enabling users to connect and authenticate using the username 'anonymous' without requiring a valid password. While this feature may be intentional for public file sharing, it creates a security risk when combined with misconfigured directory permissions, potentially exposing confidential files, internal documents, or sensitive system information to unauthenticated users.
Remediation
Disable anonymous FTP access unless there is a specific business requirement for public file sharing. To remediate this issue:
1. Log in to the Wing FTP Server administration console
2. Navigate to the domain settings where anonymous access is enabled
3. Select the 'Users' section and locate the 'anonymous' user account
4. Either delete the anonymous user account entirely or disable it by unchecking the 'Enable this user' option
5. Review all directory permissions to ensure that sensitive folders are not accessible to guest or low-privilege accounts
6. If anonymous access is required for legitimate purposes, restrict it to a dedicated directory containing only public files, and ensure read-only permissions are enforced
7. Implement IP-based access controls to limit anonymous connections to trusted networks only
8. Enable logging and monitoring for all anonymous access attempts to detect potential abuse
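To confirm the remediation took effect, the following added example (not part of the original advisory or of Wing FTP Server) uses Python's standard ftplib to check, against a server you administer, whether anonymous login is still accepted and, if it is, whether the session can list or upload files. The probe file name, the placeholder password, and the ftp_factory parameter (used to substitute a stub for offline testing) are assumptions of this example.

```python
import ftplib
import io
import sys

PROBE_NAME = "anon_write_probe.tmp"  # hypothetical name for the upload probe


def audit_anonymous_ftp(host, port=21, timeout=10, ftp_factory=ftplib.FTP):
    """Report what an anonymous session may do on a server you administer."""
    result = {"anonymous_login": False, "listable": [], "writable": False}
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            ftp.login("anonymous", "audit@example.invalid")
        except ftplib.error_perm:
            return result  # login refused: the account is deleted or disabled
        result["anonymous_login"] = True
        try:
            result["listable"] = ftp.nlst()  # what the anonymous root exposes
        except ftplib.error_perm:
            pass  # listing denied, or the directory is empty on some servers
        try:
            # Read-only check (step 6): an empty upload must be refused.
            ftp.storbinary("STOR " + PROBE_NAME, io.BytesIO(b""))
            result["writable"] = True
            ftp.delete(PROBE_NAME)  # clean up; the delete may itself be refused
        except ftplib.error_perm:
            pass
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    report = audit_anonymous_ftp(sys.argv[1])
    print(report)
    # Exit non-zero while anonymous login is still accepted.
    sys.exit(1 if report["anonymous_login"] else 0)
```

If anonymous access is kept for public files, review every entry in "listable" and treat "writable": True as a failed read-only check.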