Tech Tip: Secure FTP/Add roles to a Certificate Authority server

Windows 2000 Professional: Secure FTP

The FTP protocol is useful for sharing files with remote users. When you use FTP, you don't need to create Web pages to provide links to shared files or create VPN connections to enable native Windows file-sharing access. However, if you don't secure the server, enabling FTP on a computer can expose the computer to a handful of potential problems. For example, unauthorized users could host their files on your computer or gain access to files they shouldn't have.

There are three steps you can take to prevent unauthorized access to your computer through FTP.

First, disable anonymous access on the virtual FTP server. Any user who wants to access the FTP server will have to use a valid account on the computer in order to authenticate the FTP session. Open the IIS console from the Administrative Tools folder, open the Properties for the virtual FTP server, select the Security Accounts tab, deselect the Allow Anonymous Connections option, and click OK.

Next, use the options on the Home Directory tab to point the FTP virtual server to a home directory on an NTFS volume, if possible. Use NTFS permissions in the target folders to restrict access to folders and files as needed. You should avoid creating virtual FTP folders that reside on FAT volumes because these offer little access control.

Finally, if it's critical that you know who's accessing files from the FTP server, enable object access auditing and configure the FTP folders to log successful and/or failed attempts to access the folder or files to the security log.
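To confirm the first two steps took effect, the following script reads the same settings through the IIS ADSI provider. It is an added example, not part of the original tip; the site path IIS://localhost/MSFTPSVC/1 and the file name checkftp.vbs are assumptions. It does not cover the auditing settings from the third step.

```vbscript
' Added example, not from the original tip. Audits an FTP site against
' steps 1 and 2 above. Run with: cscript //nologo checkftp.vbs
Option Explicit
Const SITE_PATH = "IIS://localhost/MSFTPSVC/1"   ' assumption: first FTP site
Dim fso, site, problems
problems = 0
Set fso = CreateObject("Scripting.FileSystemObject")
Set site = GetObject(SITE_PATH)

' Step 1: anonymous connections must be disabled.
If site.AllowAnonymous Then
    Report "FAIL", "anonymous connections are allowed"
Else
    Report "OK", "anonymous connections are disabled"
End If

' Step 2: the home directory and every virtual directory must be on NTFS.
CheckDir GetObject(SITE_PATH & "/ROOT")
WScript.Quit problems   ' exit code = number of findings

Sub CheckDir(vdir)
    Dim p, drv, child
    p = vdir.Path
    If Mid(p, 2, 1) <> ":" Then
        ' UNC share or empty path: the file system cannot be checked locally.
        Report "SKIP", vdir.Name & " -> " & p & " (not a local drive path; check manually)"
    Else
        Set drv = fso.GetDrive(fso.GetDriveName(p))
        If Not drv.IsReady Then
            Report "FAIL", vdir.Name & " -> " & p & " (drive not ready)"
        ElseIf UCase(drv.FileSystem) = "NTFS" Then
            Report "OK", vdir.Name & " -> " & p & " (NTFS)"
        Else
            Report "FAIL", vdir.Name & " -> " & p & " (" & drv.FileSystem & ", no NTFS permissions)"
        End If
    End If
    ' Recurse into nested virtual FTP folders.
    For Each child In vdir
        If child.Class = "IIsFtpVirtualDir" Then CheckDir child
    Next
End Sub

Sub Report(status, msg)
    WScript.Echo status & ": " & msg
    If status = "FAIL" Then problems = problems + 1
End Sub
```

A nonzero exit code means at least one check failed, so the script can be run from a scheduled batch job.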

Windows 2000 Server: Add roles to a Certificate Authority server

A Windows 2000 Server running Certificate Services can function as a Certification Authority (CA) server for a network, creating certificates for users and computers for a variety of uses. For example, users might retrieve a certificate from a CA to digitally sign their e-mail messages, which enables the user to authenticate his or her e-mail to recipients and to share encrypted messages as well.

When you install a Windows 2000 CA, the installation configures the CA to issue certificates for a specific set of uses. However, you can easily add further certificate types. For example, you might want the CA to issue code-signing certificates that Office users can install to sign macros, which prevents those macros from triggering security warnings.

To add a new certificate type, open and expand the Certification Authority console. Right-click the Policy Settings branch, and choose New | Certificate To Issue. In the Select Certificate Template dialog box, select one or more templates, and click OK. When you click the Policy Settings branch, the templates will appear in the right pane of the CA console. These certificate types will also be available when users request a certificate from the CA.

