By Mike Mullins
FTP servers have been around since the beginning of the Internet, but most public FTP servers lack the appropriate security to avoid becoming warez servers. However, you can secure your FTP servers in a few simple steps.
If you haven't already done so, you can install the FTP Service via Control Panel's Add/Remove Programs applet. Open this applet, and click Add/Remove Windows Components. Select Internet Information Services (IIS), and click Details. Select File Transfer Protocol (FTP) Service, and click OK.
After you've installed the FTP Service, run Windows Update. Then, get ready to secure the FTP directory.
Create a new directory
After installing the FTP Service and running Windows Update, your next step is to create a new FTPROOT directory at the root of a separate hard drive. If someone compromises your directory structure through a directory traversal attack, this placement ensures that the attacker won't have access to any system files.
After creating the FTPROOT directory, you need to point your default site to the new directory. Follow these steps:
Secure the new directory
Next, select the Security Accounts tab to begin securing your directory structure. Deselect the Allow Anonymous Connections check box.
This allows you to enforce security on the directory using NTFS permissions. There's no need to change the default username or password. Follow these steps:
I recommend that you peruse your FTP logs daily for problems. One of the easiest ways to spot a hijacked FTP server is to enable disk quotas on the FTP directory and pay attention to the quota warning messages.
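The daily log review recommended above can be scripted. This added example (not from the original article) parses an FTP log in W3C extended format and reports clients with repeated failed logins plus every successful upload or directory creation. The sample log, its field set, the `created` verb for uploads and the function name `review_ftp_log` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (documentation IP ranges). The field set is an
# assumption; the parser reads the real one from the "#Fields:" line.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
08:01:10 192.0.2.10 [1]USER alice 331
08:01:11 192.0.2.10 [1]PASS - 230
08:01:30 192.0.2.10 [1]sent /reports/q1.pdf 226
09:14:02 198.51.100.7 [2]USER administrator 331
09:14:03 198.51.100.7 [2]PASS - 530
09:14:05 198.51.100.7 [3]USER administrator 331
09:14:06 198.51.100.7 [3]PASS - 530
09:14:08 198.51.100.7 [4]USER ftpuser 331
09:14:09 198.51.100.7 [4]PASS - 530
11:40:00 203.0.113.5 [5]USER bob 331
11:40:01 203.0.113.5 [5]PASS - 230
11:40:10 203.0.113.5 [5]MKD /incoming/new 257
11:40:20 203.0.113.5 [5]created /incoming/new/disc1.rar 226
"""

# Verbs that add content to the server (assumed: uploads appear as
# "created" or "STOR" depending on the FTP service version).
WRITE_METHODS = {"created", "STOR", "APPE", "MKD"}

def review_ftp_log(text, max_failed_logins=3):
    """Return IPs with repeated failed logins and all successful writes per IP."""
    fields, failed, writes = [], defaultdict(int), defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                           # skip malformed rows
        rec = dict(zip(fields, parts))
        method = re.sub(r"^\[\d+\]", "", rec.get("cs-method", ""))  # drop session id
        ip, status = rec.get("c-ip", "?"), rec.get("sc-status", "")
        if method == "PASS" and status == "530":
            failed[ip] += 1                    # 530 = not logged in
        elif method in WRITE_METHODS and status.startswith("2"):
            writes[ip].append((rec.get("time", ""), method, rec.get("cs-uri-stem", "")))
    flagged = {ip: n for ip, n in failed.items() if n >= max_failed_logins}
    return {"failed_logins": flagged, "writes": dict(writes)}

if __name__ == "__main__":
    print(review_ftp_log(SAMPLE_LOG))
```

Unexpected entries under `writes`, especially new directories followed by large archive uploads, are the log-side counterpart of the quota warnings mentioned above.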
Setting up a secure FTP server is a pretty easy process. Keep the FTP server patched and up to date on security fixes to increase the likelihood that it remains as secure as the day you installed it.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.