Windows FTP Security Tips and Tricks
March 19th, 2010 by Nick CruiseThe file transfer protocol (FTP) is one of the most popular and oldest services used with the Internet to date. In particular, the Windows format itself enjoys this simple and reliable method of transferring files over a network as part of IIS (Internet Information Service) 5.0 and beyond (the latest of which is IIS 7.5 for Windows 7 and Windows Server 2008).
Whether you want to use Windows FTP as a standalone service or combine it with a number of other Windows resources, this classic network tool empowers administrators with a multitude of options that’ll help make file transfer a lot more secure and dependable. Here are several basic yet sound recommendations using options native to Windows operating systems that can be employed to secure FTP operations.
Disable Anonymous Access
Anonymous access is typically enabled by default whenever you first install FTP services to your Windows OS. To put it simply, this option allows most anyone to access your FTP site without needing a user account. Although there are some customer-based businesses that can benefit from this default configuration, most other organizations view this setting as a way for hijackers to easily gain unauthorized access of their FTP site to the point that it’ll be used to house copyrighted material and illegal files for their own personal gain.
Removing the default anonymous access configuration is the very first thing you must do to ensure your FTP security. By doing so, you’ll be able to restrict and control access to your FTP site by only admitting the successful authentications of an approved user account. Meanwhile, your access control list (ACL) handles the configurations of your access controls as described on the FTP home directory using NTFS permissions. To restrict anonymous access, just go the security accounts tab of your FTP site’s properties page and clear the Allow Anonymous Connections box.
Enable Logging
By opting to enable the logging option on your FTP server, you can guarantee that you’ll have precise and accurate logs of which users and IP address have attempted and successfully accessed your site. Regularly maintaining the sound practice of routinely reviewing your records can allow you to identify any security threats or breaches and examine your traffic patterns for posterity’s sake.
To configure your FTP site so that it can enable logging, you should go to the properties page of your site, find the FTP Site tab, and then select the Enable Logging box. Once you do this, the logs will be made in a format of your choice and can be accessed later on for analysis and examination of access controls and/or traffic patterns.
Harden Your ACLS
By using strict ACL restrictions across NTFS permissions, you’ll be able to regulate, control, and safeguard access to your FTP directory. This cannot be emphasized enough; making sure that your FTP directory doesn’t allow most anyone who bothers to access your FTP to have full rights is of the utmost importance to you as an FTP site administrator. Allowing such a circumstance to happen is just asking for trouble, especially since it will be extremely hard for you to control your workgroups this way.
Restricting your workgroups to Read, Write, and List only (i.e., the option where the Execute action is forbidden) is par for the course, but in case of a blind put setting, you should also disallow Read and List and only enable Write access on your directory for optimum security and maximum control over the users accessing your FTP site.