Tech

Guides

Business Applications ▪ Database Management ▪ Disaster Recovery ▪ Enterprise Servers & Storage ▪ IT Security ▪ Java ▪ Microsoft Office Suite ▪ Network Admin ▪ Open Source ▪ SMB ▪ SOA ▪ Tech Management ▪ Software/Web Development ▪ Windows Server ▪ Wireless Tech

IT Security TechGuides

Lock down FTP servers

By Michael Mullins, TechRepublic
Tuesday, May 30, 2006 09:46 AM

Most public FTP servers lack the appropriate security despite having been around since the beginning of the Internet. Learn how to set up a secure FTP server.
FTP servers have been around since the beginning of the Internet, but most public FTP servers lack the appropriate security to avoid becoming warez servers. However, you can secure your FTP servers in a few simple steps.

If you haven't already done so, you can install the FTP Service via Control Panel's Add/Remove Programs applet. Open this applet, and click Add/Remove Windows Components. Select Internet Information Services (IIS), and click Details. Select File Transfer Protocol (FTP) Service, and click OK.

After you've installed the FTP Service, run Windows Update. Then, get ready to secure the FTP directory.

Create a new directory
After installing the FTP Service and running Windows Update, your next step is to create a new FTPROOT directory on the root of a separate hard drive. If someone compromises your directory structure through a directory traversal hack, this placement ensures that the attacker won't have access to any system files.

After creating the FTPROOT directory, you need to point your default site to the new directory. Follow these steps:

Go to Start | Control Panel | Internet Information Service.
Right-click Default FTP Site, and select Properties.
On the Home Directory tab, click Browse to select the new FTP root.
Select the Read, Write, and Log Visits options.

Secure the new directory
Next, select the Security Accounts tab to begin securing your directory structure. Deselect the Allow Anonymous Connections check box.

This allows you to enforce security on the directory using NTFS permissions. There's no need to change the default username or password. Follow these steps:

Open Explorer, right-click the new FTP directory, and select Properties.
On the Security tab, click the Advanced button.
Deselect this check box: Inherit From Parent The Permission Entries That Apply To Child Objects. Include These With Entries Explicitly Defined Here.
Click OK.
When the security warning displays, select Yes. (If you need to take ownership of the directory, select the Owner tab.)
Click the Add button to add users.
Assign new users these permissions: List Folder Contents, Read (to open the folder over FTP), and Write (if you want users to be able to put files into this directory).
After managing the permissions on this folder, select the Replace Permission Entries On All Child Objects With Entries Shown Here That Apply To Child Objects check box, and select Apply. This ensures all objects in a folder have the same permissions as the folder.

Final thoughts
I recommend that you peruse your FTP logs daily for problems. One of the easiest ways to spot a hijacked FTP server is to enable disk quotas on the FTP directory and pay attention to the quota warning messages.

Setting up a secure FTP server is a pretty easy process. Keep the FTP server patched and up to date on security fixes to increase the likelihood that it remains as secure as the day you installed it.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.