We use the Windows API "LogonUser" for Windows Authentication (AD Authentication), but there is a known security issue in Windows: if the built-in 'Guest' account is enabled and Windows Authentication is also enabled, the logon API "LogonUser" returns true for everyone, which means anyone can log in even with a wrong password.
So the most important step is to disable the built-in 'Guest' account if you want to use Windows Authentication. Also, starting with version 3.6.9, we added a feature that stops Windows Authentication automatically if the Guest account is enabled, so you can upgrade to the latest version.
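
One way to check for and disable the built-in Guest account on the machine that performs the logon check, as an added PowerShell example (not part of the product; the function names are hypothetical). It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, covers only the local account database of the machine it runs on, and looks the account up by its well-known RID 501 so that a renamed Guest account is still found.

```powershell
# Added example; Get-BuiltinGuest and Disable-BuiltinGuest are hypothetical names.
# Reading the account state works for any user; disabling needs an elevated session.

function Get-BuiltinGuest {
    # The built-in Guest account has a SID of the form S-1-5-21-<machine id>-501,
    # regardless of what the account has been renamed to.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}501$' }
}

function Disable-BuiltinGuest {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $guest = Get-BuiltinGuest
    if (-not $guest) {
        Write-Warning 'No local account with RID 501 was found on this machine.'
        return
    }

    if (-not $guest.Enabled) {
        Write-Output "Built-in Guest account '$($guest.Name)' is already disabled."
        return
    }

    # -WhatIf / -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess($guest.Name, 'Disable built-in Guest account')) {
        Disable-LocalUser -SID $guest.SID

        # Re-read the account to confirm the change took effect.
        $after = Get-LocalUser -SID $guest.SID
        if ($after.Enabled) {
            Write-Error "Built-in Guest account '$($after.Name)' is still enabled."
        } else {
            Write-Output "Built-in Guest account '$($after.Name)' has been disabled."
        }
    }
}

# Report the current state, then preview the change without applying it.
Get-BuiltinGuest | Select-Object Name, Enabled, SID
Disable-BuiltinGuest -WhatIf
```

Run `Disable-BuiltinGuest` without `-WhatIf` from an elevated session to apply the change.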
