
Wednesday, December 03, 2003

How to Secure an FTP Server on Windows XP Professional

Last week we went over how to install the Windows XP FTP Server. It will work fine after going through the steps outlined last week, but several of you asked for more information on how to secure the FTP Server because you wanted to connect it to the Internet. It's a very good idea to understand how FTP security works before putting the server on the Internet. Here are some suggestions:

Open the Internet Information Services console from the Administrative Tools menu. In the left pane of the console, expand your server name and then expand the FTP Sites node.
Right click on the Default FTP Site and click the Properties command.
Click on the FTP Site tab. Notice that the default TCP Port is set to 21. This is the well-known port for FTP. You can increase security a bit by changing this port to another value that's in the 1026-65534 range. This secures it from poorly motivated click-kiddies and also allows you to get around your ISP blocking incoming connections to TCP port 21. Friends who connect to your FTP server will need to change the port number on their FTP client software as well.
The Windows XP FTP server has a hard coded limit of 10 simultaneous connections. You might want to change this to a lower number to reduce the chance of a LAN party on the external interface of the FTP server.
Put a checkmark in the Enable Logging checkbox. Click the Properties button to the right of the log format drop-down list box. Click the Daily option button on the General Properties tab. On the Extended Properties tab, select all of the Extended Properties. Click OK.
Click on the Security Accounts tab. Place a checkmark in the Allow only anonymous connections checkbox. This prevents users from sending username and password credentials to the FTP server. You don't want users to send credentials because those credentials are sent in "clear text", which can be read by anyone who's listening on the wire.
Click the Messages tab. Enter a Welcome message, an Exit message, and a message users will see if there are no available connections.
Click on the Home Directory tab. Make sure there is a checkmark in the Read and Log Visits checkboxes. REMOVE the checkmark in the Write checkbox. Note the location in the Local Path text box. Navigate to that path in the Windows Explorer.
Right click on the FTPROOT folder and click Properties.
Click on the Security tab. Make sure that SYSTEM has Full Control. Assign the IUSR_ account READ access only. Remove all other permissions for the IUSR account. Make sure you give Administrators Full Control too. This allows you, the administrator on the FTP Server computer, to add, remove and change files in the FTPROOT folder.
Stop and restart the FTP Server. Now your FTP server is secure and Internet bad guys won't be able to use it to distribute porno and bootlegged software.
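
One way to review the daily logs enabled in the logging step above, as an added example that is not part of the original post: it reads a W3C Extended format log and flags named-account logins (which anonymous-only mode is meant to prevent) and write attempts (which should be denied with Write unchecked). The log layout, the sample lines and the function name `review_ftp_log` are assumptions.

```python
import re
from collections import Counter

# Constructed sample (W3C Extended format); addresses are documentation ranges.
# Assumed IIS layout: method carries a "[session]" prefix, uploads log as "created".
SAMPLE_LOG = """\
#Version: 1.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:00:00 192.0.2.10 [1]USER anonymous 331
10:00:02 192.0.2.10 [1]PASS guest@example.com 230
10:00:09 192.0.2.10 [1]sent /readme.txt 226
10:04:11 198.51.100.7 [2]USER administrator 331
10:04:12 198.51.100.7 [2]PASS - 530
10:09:30 203.0.113.4 [3]USER anonymous 331
10:09:31 203.0.113.4 [3]PASS x@example.com 230
10:09:40 203.0.113.4 [3]MKD /incoming 550
10:09:44 203.0.113.4 [3]STOR /upload.bin 550
"""

WRITE_VERBS = {"STOR", "STOU", "APPE", "DELE", "MKD", "RMD", "RNFR", "RNTO", "CREATED"}
ANON_NAMES = {"anonymous", "ftp"}

def review_ftp_log(text):
    """Return (findings, per-client finding counts) for one FTP log."""
    fields, findings, per_ip = [], [], Counter()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                       # skip directives and rows with no schema
        row = dict(zip(fields, line.split()))
        verb = re.sub(r"^\[\d+\]", "", row.get("cs-method", "")).upper()
        ip, target, status = (row.get(k, "-") for k in ("c-ip", "cs-uri-stem", "sc-status"))
        kind = None
        if verb == "USER" and target.lower() not in ANON_NAMES:
            kind = "named-login"           # a real account name crossed the wire
        elif verb == "PASS" and status == "530":
            kind = "login-failed"
        elif verb in WRITE_VERBS:          # 2xx reply means the write succeeded
            kind = "write-allowed" if status.startswith("2") else "write-denied"
        if kind:
            findings.append((row.get("time", "-"), ip, kind, target))
            per_ip[ip] += 1
    return findings, per_ip

if __name__ == "__main__":
    for finding in review_ftp_log(SAMPLE_LOG)[0]:
        print(*finding)
```

A `write-allowed` finding means either the Write checkbox or the NTFS permissions on the FTPROOT folder are not set as described in the steps above.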
