Setting up a W2k3 based FTP server

Discussion in 'Software' started by danielno8, Apr 14, 2009.

  1. danielno8

    danielno8 Gigabyte Poster

    Hey guys,

    Looking for your thoughts on creating and securing an FTP server using W2k3. It is for clients to access files which we would upload to the FTP site.

    Would you feel it necessary to put it in a DMZ, or would you put it on the inside network with the firewall configured to allow FTP to that server only?

    Had a request to look into this, but most of the info I can find only seems to concern actually setting it up rather than best practices for doing so.

    Any advice/links would be most appreciated!

    Danny
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  2. zebulebu

    zebulebu Terabyte Poster

    I always use FileZilla for FTP servers. It's secure and configurable enough for you to put inside your LAN (with the right firewall rules of course). However, for optimal security you should always put your FTP server (and any other server (web, mail etc) that offers services to the great unwashed) in the DMZ.

    The chief things you need to worry about with FTP servers are:

    Who accesses them (can you tie it down to specific usernames)
    What they access them for (do they need read/write/modify permissions etc)
    Where they access them from (can you tie it down to specific networks/addresses)

    The more of those questions you can give definitive answers to, the more secure the server will be.

    I have my FTP server at home inside the LAN, but take the following precautions:

    1 - It's shut down unless I'm actively using it or allowing someone else to use it.
    2 - I tie it down to specific external addresses
    3 - I provide all users with a one-time login and spiteful password
    4 - I log all access attempts at firewall level, through my IDS & internally using FileZilla's own access logging
    5 - I create a subdirectory for anyone who uses it with the appropriate restrictions in FileZilla

    You also need to keep a lookout for any security issues with whichever FTP server you're running and make sure you patch against any vulnerabilities.

    The more open you make your FTP server, the more chance there is that the inquisitive will come knocking. The more valuable your data, the more chance someone who actually knows what they are doing will come knocking. Make a risk assessment based on the level of data you're making available, and the potential for disaster should there be any accidental exposure to other data from a misconfiguration. Protecting against script kiddies is a piece of piss. Protecting against a determined intruder with the right tools, time on their hands and a viable reason for wanting access to your network is another thing entirely.
     
    Certifications: A few
    WIP: None - f*** 'em
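
Added example, not part of any post in this thread: a small audit that checks FTP access-log lines against the who / what / where questions and the per-user subdirectory restriction described in the post above. The policy, user names, addresses and log format are constructed for illustration and are not FileZilla's own log format.

```python
import ipaddress
import posixpath

# Hypothetical policy answering: who (user), where (networks), what (write/home).
POLICY = {
    "alice": {"networks": ["203.0.113.0/24"], "write": False, "home": "/alice/"},
    "bob": {"networks": ["198.51.100.25/32"], "write": True, "home": "/bob/"},
}
WRITE_CMDS = {"STOR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

# Constructed sample log (assumed format): timestamp, source IP, user, command, path
SAMPLE_LOG = """\
2009-04-14T10:02:11 203.0.113.7 alice RETR /alice/statement.pdf
2009-04-14T10:05:40 203.0.113.7 alice STOR /alice/notes.txt
2009-04-14T10:09:02 192.0.2.99 bob RETR /bob/q1.xls
2009-04-14T10:11:30 198.51.100.25 bob STOR /bob/q2.xls
2009-04-14T10:12:05 198.51.100.25 bob RETR /alice/statement.pdf
2009-04-14T10:15:00 192.0.2.50 admin RETR /bob/q1.xls
"""

def audit(log_text, policy=POLICY):
    """Return (line_number, reason) for every line that violates the policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            findings.append((lineno, "unparseable line"))
            continue
        _ts, src, user, cmd, path = parts
        rule = policy.get(user)
        if rule is None:  # who: only named accounts are expected
            findings.append((lineno, f"unknown user {user}"))
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            findings.append((lineno, f"bad source address {src}"))
            continue
        if not any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
            findings.append((lineno, f"{user} from unapproved address {src}"))
        if cmd.upper() in WRITE_CMDS and not rule["write"]:
            findings.append((lineno, f"{user} issued write command {cmd}"))
        # Normalise first so "/alice/../bob/x" is judged by where it resolves.
        if not (posixpath.normpath(path) + "/").startswith(rule["home"]):
            findings.append((lineno, f"{user} accessed {path} outside {rule['home']}"))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_LOG):
        print(f"line {lineno}: {msg}")
```
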
  3. Triton.Deep

    Triton.Deep Bit Poster

    I suppose I'll just go ahead and say it. The real best practice regarding FTP is to simply not use it. Go with something that can support secure authentication and an encrypted data channel. FTP undoubtedly works, but you just have to consider what you're really doing.

    1) You're giving lots of people you don't know credentials on your server or directory service environment.
    2) You're letting those people transmit those credentials in clear text.
    3) Any data they upload/download is also being transmitted in clear text.

    There is a whole category of attacks called "Escalation of Privilege" attacks. Giving them access to your file system, access to your data and a nice port by which to talk with your system on. Well...yeah..at a minimum the system needs to be in your DMZ, the system shouldn't be a member of your domain, and you should definitely apply the "least privilege" security ideal in a very ruthless fashion.

    Have you investigated Isolated User Mode in w2k3 FTP?
    Have you given sufficient thought to user account maintenance in the long term on the FTP system itself?
    The process for account procurement and all those sort of things?

    I know FTP is used widely, and maybe you don't have a choice in the matter. But better a website secured with SSL than good ole FTP, even if it is a little more inconvenient.

    Just my opinion of course, I know how it is as an admin when you have to do things you'd rather not. Best of luck on your upcoming project.

    My two cents.

    Cheers,

    J.
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    I have to echo Triton here. My workplace bans FTP (on its own) because it is hopelessly insecure. SFTP *only*. This isn't difficult as there are many SFTP clients now available, many for free.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. graycat

    graycat New Member

    I can only echo what has been said before really. Basically FTP is about as secure as a caffeine based beverage after a 16 hour coding session, i.e. not at all. That being said it is still a very common system to use for sharing files as I'm sure you already know.

    On top of the already good suggestions (i.e. keep it in a DMZ, use something other than a Windows server and lock it down) I'd also highly recommend that you do not make it part of your domain and also remove everything off it that you safely can. After all, there's no need for Adobe Reader v5 on an FTP server, is there? :)

    Good luck with it.
     
  6. danielno8

    danielno8 Gigabyte Poster

    Thank you all for taking the time and giving such thorough responses!

    At the minute I don't think we will be going ahead with it. Being a financial institution, security is obviously a massive thing for us, and FTP clearly isn't going to cut it. A lot of our clients do use them however, so it will be fun explaining to our users that we aren't going to use it for security reasons. Decision isn't mine to make however, so I may be back in here with some more questions if we get told to do it!

    Thanks again guys!
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. zebulebu

    zebulebu Terabyte Poster

    Whoa - didn't know that! In that case, ignore all the advice I gave you above. You're a legitimate target for the class of people who DO know what they're doing and, as such, the guys posting above are quite right - you should never use FTP for anything!
     
    Certifications: A few
    WIP: None - f*** 'em
