
5 Steps to a Secure FTP

FTP [File Transfer Protocol] is one of the oldest and most popular services found on the internet today. Serving as an easy and effective method by which to transfer files over a network, Secure FTP has become a standard that is both accepted and widely accessible to users across almost every network and operating system in use today.

Windows 2000 comes with an FTP server as a part of IIS 5.0. Installed as a standalone service, it is very rich in features. When combined with the other resources available inside Windows 2000 Server, it gives administrators several options that can help make an FTP site more secure.

Having said that, we will examine 10 options available natively in Windows 2000 that can be used to secure an FTP site. Some are pretty obvious, but some are creative approaches that aren’t readily thought of by administrators. In addition to the tips below, add-on services such as VPNs or SSH are things to consider, since there is the pesky issue of sending passwords in clear text over the wire.

TIP # 1: Disable Anonymous Access. Anonymous access is enabled by default when you first install FTP services in Windows 2000. Anonymous access is a method by which any user can gain access to your FTP site without the need for a user account. There are some customer-facing services that can be served effectively by anonymous FTP sites, but the majority of the time allowing anonymous access will result in the eventual hijacking of your site by individuals wanting to host illegal files and copyrighted material. By removing the capability for anonymous access, you are essentially limiting access to your FTP site to successful authentication by a predefined user account. Access controls are then configured by the use of ACLs [access control lists] defined on the FTP home directory using NTFS permissions.

TIP # 2: Enable Logging. By enabling logging on your FTP site, you can ensure that you will have an accurate record of which IP addresses and users accessed your site. Maintaining a practice of routine log review can enable you to assess your traffic patterns and identify any security threats and/or breaches.

TIP # 3: Harden your ACLs. Access to your FTP directory should be regulated using ACL restrictions in the form of NTFS permissions. This cannot be stressed enough. Your FTP directory should not have the Everyone group with full rights, as this will limit your ability to control the user groups that have access to your FTP site.

TIP # 4: Set up your FTP site as Blind Put. If you only need your users to transfer files to your server and not transfer files from your server, consider configuring your FTP site as a “blind put”. What this means is that users are allowed to write files without having the ability to read from your FTP directory. This will protect the contents of your FTP site in case an unauthorized user gets access to your FTP directory. Configuring Blind Puts should be done both at the FTP site and on the directory’s NTFS permissions.

TIP # 5: Enable Disk Quotas. Windows 2000 comes with a handy utility that allows for the enforcement of Disk Quotas. Disk Quotas can effectively limit the amount of disk space a user can have ownership of. By default, ownership is granted to whichever user wrote the file. By enabling disk quotas and checking the “deny disk space to users exceeding disk quota” option, you can effectively limit the possible damage caused in case your FTP site gets hijacked. One worst-case scenario is the abuse of an FTP site to the point that the disk fills up. This of course can have disastrous consequences for other services that might share the partition with the FTP site. Also, by limiting the amount of disk space each FTP user can have, your site becomes an unattractive target for hackers looking for someplace to share their media files.
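The routine log review from Tip 2, as an added example that is not part of the original article: it flags repeated failed logins, successful anonymous logins (Tip 1) and anonymous uploads. It assumes the FTP log is written in W3C Extended format with the fields named in the `#Fields` line; the log lines, addresses, function names and the failure threshold are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample, not from a real server; the field layout is an assumption.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:10:02 203.0.113.7 [1]USER administrator 331
02:10:03 203.0.113.7 [1]PASS - 530
02:10:04 203.0.113.7 [2]USER admin 331
02:10:05 203.0.113.7 [2]PASS - 530
02:10:06 203.0.113.7 [3]USER backup 331
02:10:07 203.0.113.7 [3]PASS - 530
03:15:00 198.51.100.9 [4]USER anonymous 331
03:15:01 198.51.100.9 [4]PASS guest@example.com 230
03:15:09 198.51.100.9 [4]created /incoming/movie.avi 226
09:00:00 192.0.2.20 [5]USER jsmith 331
09:00:01 192.0.2.20 [5]PASS - 230
"""
ANON = {"anonymous", "ftp"}  # account names treated as anonymous logins

def parse(log_text):
    """Yield one dict per entry; column names come from the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            # cs-method is logged as "[session-id]VERB", e.g. "[4]PASS"
            m = re.match(r"\[(\d+)\](\S+)", row.get("cs-method", ""))
            if m:
                row["session"], row["verb"] = m.group(1), m.group(2).upper()
                yield row

def review(log_text, max_failures=3):
    """Return IPs with repeated failed logins, anonymous logins and uploads."""
    failed, user_of = Counter(), {}
    report = {"brute_force": [], "anonymous_login": [], "anonymous_upload": []}
    for e in parse(log_text):
        key, status = (e["c-ip"], e["session"]), e["sc-status"]
        if e["verb"] == "USER":
            user_of[key] = e["cs-uri-stem"].lower()  # remember who this session is
        elif e["verb"] == "PASS" and status == "530":
            failed[e["c-ip"]] += 1                   # 530 = login rejected
        elif e["verb"] == "PASS" and status == "230" and user_of.get(key) in ANON:
            report["anonymous_login"].append(e["c-ip"])
        elif e["verb"] == "CREATED" and user_of.get(key) in ANON:
            report["anonymous_upload"].append((e["c-ip"], e["cs-uri-stem"]))
    report["brute_force"] = [ip for ip, n in failed.items() if n >= max_failures]
    return report
```

Calling `review()` on the text of a day's log file returns the three lists; any entry under `anonymous_login` on a site where Tip 1 has been applied means the setting is not in effect.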

 
