Securing your FTP Server 101

I have to admit that FTP has always been a second-class citizen for the IIS security team, and we usually put all our efforts into the HTTP platform. There has always been a notion that our old FTP server (FTP 6.0-) was never really popular due to lack of features. With the recent FTP vulnerabilities it became evident that we were wrong on multiple counts, and so it seems like this is a good time to do a securing your FTP server 101 blog.

I will attempt to author a guide to securing your FTP server in this blog and even though it is most likely not complete, it should be a good start. Also, a lot of the points below relate to one another and are not stand-alone suggestions.

All the features mentioned below should be available on FTP 6.0 on Windows Server 2003 and Windows Server 2008, except the ones I specifically call out. For more information on how FTP versions tie in to platforms check out Wade’s blog.

1. Authentication

By requiring users to be authenticated, you will substantially narrow the set of people that can maliciously tamper with or attack your server. And in the case they do, you have an audit trail that can lead you to the perpetrator. There are varying levels of authentication that can be applied depending on the use scenario of your FTP server.

1.1 Disable anonymous authentication

FTP 6.0 server has anonymous read access enabled by default. If you don’t need unauthenticated access, you should disable it entirely. If you actually need anonymous authentication, you must verify that write access is not given to anonymous users. If anonymous users can write, you are allowing untrusted users to host possibly malicious data and code on your server.

1.2 Create user groups for authenticated users

Even if your server only allows authenticated users, they likely have different roles that they fulfill. For example, some of these users are FTP administrators, while others may be publishers (upload) or consumers (download). To make this relationship explicit, you should create user groups for each role and then use these groups to apply access control to your site (see section 3).

 

2. FTP over SSL (FTP 7.0+)

When SSL is not used, credentials used to authenticate against your FTP server are sent in plain text and can be sniffed on the wire. This poses a risk for systems that are on an unsecured network or the internet. FTP password sniffers have become an integral part of malware, viruses and trojans, and have a surprisingly decent success rate at sniffing out root/administrator passwords. The lack of SSL for FTP 6.0 is a drawback and a good case for upgrading to FTP 7.0+. To learn how to set up SSL on FTP 7.0+ please refer to the IIS.net article, Using FTP over SSL.

 

3. NTFS Permissions (ACLs)

Check NTFS permissions on ftproot and restrict them. Don't allow everyone write permissions; operate on the principle of least privilege. Use groups as mentioned in 1.2 to help you maintain groups of users.

 

4. Configuring your firewall

You want to set up your firewall correctly to make sure that you aren't disallowing valid requests or allowing invalid ones. The main considerations to keep in mind here are control vs. data channel and active vs. passive data connections. We have an entire article on learn.iis.net on this: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/.

 

5. Uploads versus Downloads

Figure out what your requirements are for your FTP server. Do they require just uploading, just downloading, or both? If it is both, can they be partitioned into 2 separate FTP sites, one allowing just downloads and one allowing just uploads? Modify access to the FTP site depending on Read vs. Write requirements and set the NTFS permissions accordingly. Narrow both upload and download to the particular kind of users, create groups to address them and then use the groups to set up appropriate NTFS permissions.

 

6. IP Restriction

If you have a set of machines that you want to give access, use the IP restriction list to restrict your clients. If you want to dynamically restrict clients you can use extensibility on FTP 7+ to implement this and you can refer to the following article for it http://learn.iis.net/page.aspx/673/how-to-use-managed-code-c-to-create-an-ftp-authentication-provider-with-dynamic-ip-restrictions/.

 

7. Restricting and auditing FTP users

You can take more defensive steps in restricting unauthorized use of your FTP server. Here are some defensive mechanisms that will help manage your FTP users.

7.1 Enable logon time restrictions for users

You can restrict FTP users to logging in only at specific times, say during business hours. You can use the "net user ftpuser /times" command from your command prompt to set this up for any user.

7.2 Enable auditing for logon events

You can enable auditing for logon events using the reference at http://technet.microsoft.com/en-us/library/cc787567(WS.10).aspx. This will enable the server administrator to monitor failed logon attempts to see if someone is trying to brute-force a password.

7.3 Enforce strong passwords and account lockout policies

This is very generic advice, but it is tried and tested and goes a long way in ensuring your server's security. Refer to http://technet.microsoft.com/en-us/library/cc875814.aspx for password strength enforcement.

 

8. Configuring user isolation (FTP 7.0+)

If you have multiple uploaders to your FTP server, then you want to isolate them from one another, so that they cannot trample each other's data. FTP user isolation lets you achieve this and you can refer to http://learn.iis.net/page.aspx/305/configuring-ftp-75-user-isolation/ to help you configure it.

 

9. Disk quotas

Using disk quotas is a good defense-in-depth measure that may protect against certain kinds of denial-of-service attacks. Refer to http://learn.iis.net/page.aspx/307/using-fsrm-folder-quotas-with-ftp/ on how to set up quotas on your FTP server.

 

10. Logging

This is not a defense but will help you react/respond to an incident if one arises. In FTP 7+, you have the ability to extend standard logging by implementing custom logging providers. Refer to http://learn.iis.net/page.aspx/602/how-to-use-managed-code-c-to-create-a-simple-ftp-logging-provider/ and http://learn.iis.net/page.aspx/603/how-to-use-native-code-c-to-create-a-simple-ftp-logging-provider/ on how to go about creating custom logging providers.
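
The failed-logon monitoring from 7.2 and the logging described here can be combined into a simple brute-force check over the FTP log itself. This is an added example, not code from the original post or from IIS: the log lines are constructed, and the column set, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (W3C extended format); columns come from the #Fields line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-09-10 02:14:01 203.0.113.7 USER administrator 331
2009-09-10 02:14:02 203.0.113.7 PASS *** 530
2009-09-10 02:14:04 203.0.113.7 USER admin 331
2009-09-10 02:14:05 203.0.113.7 PASS *** 530
2009-09-10 02:14:07 203.0.113.7 USER root 331
2009-09-10 02:14:08 203.0.113.7 PASS *** 530
2009-09-10 09:00:11 198.51.100.20 PASS *** 530
2009-09-10 09:00:31 198.51.100.20 PASS *** 230
2009-09-10 10:00:00 192.0.2.15 PASS *** 530
2009-09-10 10:05:00 192.0.2.15 PASS *** 530
2009-09-10 10:10:00 192.0.2.15 PASS *** 530
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def failed_logon_bursts(text, threshold=3, window=timedelta(minutes=1)):
    """Map client IP -> usernames tried, where >= threshold PASS got 530 in window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    last_user = {}               # ip -> name from that client's latest USER
    tried = defaultdict(set)
    flagged = {}
    for rec in parse_w3c(text):  # records are assumed to be in time order
        ip, method = rec["c-ip"], rec["cs-method"].upper()
        if method == "USER":
            last_user[ip] = rec["cs-uri-stem"]
        elif method == "PASS" and rec["sc-status"] == "530":
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            recent[ip].append(ts)
            while ts - recent[ip][0] > window:
                recent[ip].popleft()
            tried[ip].add(last_user.get(ip, "unknown"))
            if len(recent[ip]) >= threshold:
                flagged[ip] = sorted(tried[ip])
    return flagged
```

Only the client that cycles through account names within seconds is flagged; the single mistyped password and the failures spaced five minutes apart stay below the threshold. Usernames are tracked per client IP, so interleaved sessions from one address can be attributed to the wrong name.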
