Best Practices for Securing FTP Services


File Transfer Protocol (FTP) has been used effectively for many years on the Internet. The protocol is very efficient at serving up static documents for download or for anonymously posting material to a folder. With that ease of use comes widespread abuse: many FTP sites are set up carelessly and left wide open for illegal trading of copyrighted files, or become hijacked storage space for hackers.

You should know what your FTP sites are going to be used for before implementing them. Simple downloads can be accomplished safely by imposing a few basic rules. Creating a useful posting space for company employees, clients, or partners can be done quite easily with some planning and the appropriate settings.

Enabling FTP Services

On Windows Server 2003 and IIS 6.0 the FTP server service is not installed by default, because IIS is now locked down by default. Too many IIS servers were installed with the FTP service left at its default, which allowed Anonymous users read and write access. Leaving the service off unless it is going to be used is part of the overall plan.

To install FTP services you must perform the following steps:

  1. Go to the Control Panel and choose Add/Remove Programs. Then choose Add/Remove Windows Components.

  2. Next open the Application Server and then Internet Information Services (IIS).

  3. Finally, choose File Transfer Protocol (FTP) Service, as shown in Figure 19.4, and then select OK.

    Figure 19.4. Installing FTP Services.

Configuring Secure Anonymous FTP Access

In many scenarios, documents and drivers are shared with the public from files stored on an FTP server. This can be done safely by locking down the published folder with NTFS permissions. For public access like this there should be a minimal number of entries in the permissions on those folders: the Anonymous alias should have read-only access, and the group responsible for posting content should have read/write access.

Configuring FTP Logging

FTP logging can be used to track access to the FTP site, to troubleshoot logon issues, and to gather other valuable statistics.

Choose W3C Extended Log File Format. This format has the most comprehensive list of available logging options.

As a best practice, move the log file directory to the root of your IIS FTP server folder. This makes the log file easier to find if multiple sites are configured.

Hardening Folder Permissions

When Anonymous access is disabled, the permissions on the root folder that the FTP user is accessing determine what that user can do. Take special care to remove unnecessary users from that folder and to propagate the permissions to its subfolders.

Configuring FTP Blind-Put Access

Blind-put access describes a method of hosting an FTP site where the user has write access only. Read access is left off at both the Home Directory and the folder being accessed, so users can upload files but cannot list or download what is already there.

Enforcing Disk Quotas

Administrators of IIS FTP servers should take advantage of the operating system storage features. Disk quotas have been available for some time now. One of the best applications of this functionality is to prevent users from filling up hard disk space. In the case of FTP, creating quotas on users of this service minimizes the danger of someone hijacking an account and using the FTP server as a storage point for illegally copied movies, MP3 files, and so on.

Windows Server 2003 Enforces Disk Quotas

Windows Server 2003 enforces disk quotas by user only. To enforce quotas on a larger scale, commercially available products such as NTP Software's Quota & File Sentinel allow disk quotas to be managed by group and by other criteria.


Using Logon Time Restrictions

When used in conjunction with FTP services, logon time restrictions can help reduce the exposure of the server during nonworking hours, when no one is around to monitor it.

Restricting Access by IP Address or Range

One of the first items IIS checks is whether the IP address of the client requesting data falls in the permitted or excluded range. Limiting the range of allowed IP addresses narrows the exposure of FTP to unwanted attack that much more.
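The IIS IP restriction dialog works from a default (all computers granted, or all computers denied) plus an exception list that flips that default for matching clients. The following added example, which is not code from the book or from Microsoft, models that decision with the standard library so the weak setting (grant by default, deny a few known hosts) can be compared with the corrected one (deny by default, grant only a named partner network and an admin workstation). Exception entries are either a single address or a (network ID, subnet mask) pair as typed into the dialog; domain-name exceptions, which require reverse DNS, are not modelled, and all addresses below are constructed.

```python
"""Model IIS 6.0 IP address restrictions: a default of Granted or Denied
access plus an exception list that reverses the default for listed clients.

Added example, not the book's or Microsoft's code. Domain-name exceptions
are not modelled; all addresses are constructed sample values.
"""
import ipaddress


def build_exceptions(entries):
    """Turn dialog entries into networks.

    A bare string is a single computer; a (network ID, subnet mask) tuple
    is a group of computers, exactly as the IIS dialog asks for them.
    """
    nets = []
    for entry in entries:
        if isinstance(entry, tuple):
            network_id, mask = entry
            nets.append(ipaddress.ip_network(f"{network_id}/{mask}", strict=False))
        else:
            nets.append(ipaddress.ip_network(f"{entry}/32"))
    return nets


def is_permitted(client_ip, default_granted, exceptions):
    """True if IIS would let this client past the IP address check."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in exceptions)
    # A listed client receives the opposite of the default.
    return default_granted != listed


# Weak setting: everyone granted except one known bad host. Any new source
# address the attacker switches to is let straight through.
WEAK_DEFAULT_GRANTED = True
WEAK_EXCEPTIONS = build_exceptions(["203.0.113.9"])

# Corrected setting: everyone denied except the partner network
# 198.51.100.0/255.255.255.0 and the administrator's workstation.
STRICT_DEFAULT_GRANTED = False
STRICT_EXCEPTIONS = build_exceptions([("198.51.100.0", "255.255.255.0"),
                                      "192.168.5.10"])


def compare(client_ip):
    """Return (weak decision, strict decision) for one client address."""
    return (is_permitted(client_ip, WEAK_DEFAULT_GRANTED, WEAK_EXCEPTIONS),
            is_permitted(client_ip, STRICT_DEFAULT_GRANTED, STRICT_EXCEPTIONS))


if __name__ == "__main__":
    for ip in ("198.51.100.77", "192.168.5.10", "203.0.113.9", "203.0.113.10"):
        weak, strict = compare(ip)
        print(f"{ip:15} weak={'allow' if weak else 'deny':5} strict={'allow' if strict else 'deny'}")
```

The case worth noticing is 203.0.113.10: the deny list in the weak configuration stops only the one address it names, while the default-deny configuration stops it without any change.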

Auditing FTP Events

By monitoring the FTP logs constantly, you can spot failed logon attempts and other malicious behavior. By using tools such as Web Trends to analyze user traffic and folder usage, you can block IP addresses or domains that constantly attempt to log on. You can also use the logs to see when valid users are having trouble opening their home directories or are being locked out because of authentication problems.
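The review described above can be scripted against the W3C Extended log the earlier section recommends. The following added example is not code from the book: it reads the field layout from the log's own #Fields directive, counts rejected PASS commands (status 530) per client address and per user, lists the addresses that have exceeded a threshold and so are candidates for an IP restriction, and separates plain bad-password failures from accounts that are already locked out by looking at the Win32 status IIS records (1326 is ERROR_LOGON_FAILURE, 1909 is ERROR_ACCOUNT_LOCKED_OUT). The log excerpt embedded in it is constructed; the `[n]COMMAND` form of cs-method is how IIS FTP logs a session's commands.

```python
"""Flag failed FTP logons in an IIS 6.0 W3C Extended log.

Added example, not code from the book. Field names are taken from the
#Fields directive in the log itself; the sample log below is constructed.
"""
from collections import Counter

# Win32 status codes IIS writes to sc-win32-status when a PASS is refused.
WIN32_LOGON_FAILURE = 1326   # ERROR_LOGON_FAILURE: unknown user or bad password
WIN32_ACCOUNT_LOCKED = 1909  # ERROR_ACCOUNT_LOCKED_OUT

# Constructed sample: an anonymous download, a user (mlopez) who mistypes her
# password once, and a password-guessing run against jsmith from 203.0.113.9
# that ends when the account locks out.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-11-03 08:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2003-11-03 08:00:01 192.168.5.20 anonymous 10.0.0.5 21 [1]USER anonymous 331 0
2003-11-03 08:00:01 192.168.5.20 anonymous 10.0.0.5 21 [1]PASS IEUser@ 230 0
2003-11-03 08:00:04 192.168.5.20 anonymous 10.0.0.5 21 [1]sent /drivers/readme.txt 226 0
2003-11-03 08:01:10 192.168.5.33 mlopez 10.0.0.5 21 [2]USER mlopez 331 0
2003-11-03 08:01:12 192.168.5.33 mlopez 10.0.0.5 21 [2]PASS - 530 1326
2003-11-03 08:01:20 192.168.5.33 mlopez 10.0.0.5 21 [2]PASS - 230 0
2003-11-03 08:02:00 203.0.113.9 jsmith 10.0.0.5 21 [3]USER jsmith 331 0
2003-11-03 08:02:00 203.0.113.9 jsmith 10.0.0.5 21 [3]PASS - 530 1326
2003-11-03 08:02:01 203.0.113.9 jsmith 10.0.0.5 21 [3]PASS - 530 1326
2003-11-03 08:02:01 203.0.113.9 jsmith 10.0.0.5 21 [3]PASS - 530 1326
2003-11-03 08:02:02 203.0.113.9 jsmith 10.0.0.5 21 [3]PASS - 530 1326
2003-11-03 08:02:02 203.0.113.9 jsmith 10.0.0.5 21 [3]PASS - 530 1326
2003-11-03 08:02:03 203.0.113.9 jsmith 10.0.0.5 21 [3]PASS - 530 1909
"""


def parse_w3c(text):
    """Return log records as dicts keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def failed_pass_attempts(records):
    """Records for PASS commands that the server refused with 530."""
    return [r for r in records
            if r["cs-method"].endswith("PASS") and r["sc-status"] == "530"]


def failures_by_ip(records):
    return Counter(r["c-ip"] for r in failed_pass_attempts(records))


def failures_by_user(records):
    return Counter(r["cs-username"] for r in failed_pass_attempts(records))


def ips_to_block(records, threshold=5):
    """Client addresses with at least `threshold` rejected passwords."""
    return sorted(ip for ip, n in failures_by_ip(records).items() if n >= threshold)


def locked_out_users(records):
    """Users whose logon was refused because the account is locked out."""
    return sorted({r["cs-username"] for r in failed_pass_attempts(records)
                   if r["sc-win32-status"] == str(WIN32_ACCOUNT_LOCKED)})


def successful_logons(records):
    return Counter(r["cs-username"] for r in records
                   if r["cs-method"].endswith("PASS") and r["sc-status"] == "230")


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("failed PASS by client:", dict(failures_by_ip(recs)))
    print("failed PASS by user:  ", dict(failures_by_user(recs)))
    print("candidates to block:  ", ips_to_block(recs))
    print("locked-out users:     ", locked_out_users(recs))
    print("successful logons:    ", dict(successful_logons(recs)))
```

On a real server the same functions run over the contents of the ex*.log files in the site's log directory; a single mistyped password from an internal address (mlopez above) stays below the threshold, while a run of refusals from one address followed by a 1909 status shows both the source to restrict and the account that the help desk will hear from.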

Enforcing Strong Passwords

Enforcing the use of strong passwords is one of the keys to securing FTP services. Windows Server 2003 lets you enforce users' compliance with strong password requirements by enabling the Passwords Must Meet Complexity Requirements policy. This option is located in the Local Security Policy (standalone server) or in Group Policy (domain member).
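The policy rejects a password at the moment it is set, which is inconvenient when an administrator is creating FTP accounts in bulk. The following added example, which is not code from the book or from Microsoft, models the documented rules of the policy so a candidate password can be pre-checked: at least six characters, no occurrence of the account name (when it is three or more characters) or of any part of the user's full name longer than two characters, and characters from at least three of the categories uppercase, lowercase, base-10 digits, non-alphanumeric, and other Unicode letters. The account names and passwords used to exercise it are constructed.

```python
"""Pre-check a password against the rules behind the Windows
"Passwords must meet complexity requirements" policy.

Added example, not Microsoft's code: it models the documented rules so a
candidate can be checked before the account is created. The real check
is performed by the operating system when the password is set.
"""
import re

MIN_LENGTH = 6
# Delimiters Windows uses to split the full name into parts to test.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def character_categories(password):
    """The set of character categories the password draws from."""
    cats = set()
    for ch in password:
        if "A" <= ch <= "Z":
            cats.add("upper")
        elif "a" <= ch <= "z":
            cats.add("lower")
        elif "0" <= ch <= "9":
            cats.add("digit")
        elif ch.isalpha():
            cats.add("unicode-alpha")   # letters outside A-Z and a-z
        else:
            cats.add("special")         # punctuation, symbols, space
    return cats


def name_parts(full_name):
    """Parts of the full name the policy tests (three or more characters)."""
    return [p for p in NAME_DELIMITERS.split(full_name) if len(p) >= 3]


def meets_complexity(password, account_name, full_name=""):
    """Return (ok, reasons); reasons lists every rule the password failed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than six characters")
    lowered = password.lower()
    # The account name is only tested when it is at least three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for part in name_parts(full_name):
        if part.lower() in lowered:
            reasons.append(f"contains part of the full name ({part})")
    if len(character_categories(password)) < 3:
        reasons.append("fewer than three character categories")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed account and candidate passwords.
    for candidate in ("Passw0rd!", "John2003!", "abc123", "Ab1!"):
        ok, why = meets_complexity(candidate, "jsmith", "John Smith")
        print(f"{candidate!r:12} {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The full-name rule is the one most people forget: "John2003!" satisfies the length and category rules and still fails because "John" appears in it.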

Enabling Account Lockout and Account Lockout Threshold

FTP server accounts are very popular targets for password-cracking programs, which often work through an exhaustive list of passwords in an attempt to guess the correct one. You can greatly reduce the success of such an attack by enabling the Password Policy settings in either the Local Security Policy or Group Policy. When an attacker repeatedly tries to log in with a valid username and a bad password, the account should be set to lock.

FTP User Isolation

By limiting the FTP user to her home folder, you create yet another barrier protecting the underlying system. When the user logs on with her FTP username and password, she is placed in her home directory and cannot traverse up the directory tree.

Only Newly Created Sites Have the Option of User Isolation Authentication

The Default FTP server cannot be placed in User Isolation mode. Only newly created sites have the option of User Isolation authentication.




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325