Before you set up IIS's services, you should have your Firewall and Anti-Virus systems up and running.
Within moments of enabling IIS's FTP services, I was attacked by Nimda uploads.
As a NetAdmin rather new to FTP, I have a few questions. In a corporate environment where FTP is to be used by only different office locations and certain affiliates, is setting the TCP/IP restriction secure enough? When testing on my intranet, those machines that I did not add to the list received an authentication challenge that did nothing no matter what ID and password were entered. Is this a true indication of what to expect when I actually publish it on the actual web server? Secondly, if this ftp site is changed to be accessed by anyone on the web, will not selecting the option of Write (on the Home Directory tab) eliminate the chance of someone uploading a virus?
On win 2k and winnt 4 the ftp service can be set for the option of "allow anonymous logons", and if that is checked then anyone can log on to your site. If you set it up to only accept certain accounts and it is allowing anyone to get in, then I would install service pack 2. SP2 has a security patch for IIS services, though I cannot speak from experience, but I bet that FTP was one of the holes.
I am setting up a dedicated FTP server and was wondering what is a good firewall product you PROs recommend.
I am looking for a product which automatically connects to website which publishes known hacker's IP address and the product blocks it automatically.
Watchguard provides that type of service & my experience with a FireboxIII device leads me to highly recommend both the service, Watchguard's device & support team & the management GUI.
http://www.watchguard.com/
PS: Their new SOHO products have impressive capabilities.
Why risk the exploits associated with IIS when there are quality open source FTP servers (I will omit pay FTP servers for this post)? I suggest checking out these IIS alternatives for FTP, both are long running freeware projects with a history of security review.
WarFTP (server)
http://support.jgaa.com/index.php?MenuPage=&cmd=ShowCurrVer&ID=3
Filezilla (Client and/or server)
http://sourceforge.net/project/showfiles.php?group_id=21558
(scroll to the bottom for the FTP Server)
After a year or so, I find it unlikely that the poster is checking back for a reply.
I was looking for a free alternative to IIS ftp and this is what I found, thanks very much!
I hate to say this, but if you allow anonymous access to an FTP site, there is an exploit that malicious users use to place large amounts of undetectable and undeletable files in the ftproot directory. We had an IIS FTP server running that had anonymous access enabled (we thought it was off). In less than one week there was over 4.2GB of movies and junk. The exploit is well known on the internet. The following URL has information about the exploit: http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt The easiest way to rid the data is to format the drive (good reason to have the, otherwise, using the POSIX utility on the Server resource CD is the only other way to remove the data.
Steven M. Regner
Network Support Specialist
King's College Wilkes-Barre, PA
This happened to us as well, hidden dirs, computer games, music....
We could not delete the files through windows explorer or a cmd window, but if you opened a ftp session you could.
bl
I've got my FTP setup on win2k server through a DSL connection that has dynamic IP address and can not access it? I have a host name mapped to my ip through No-Ip.com but I still get access. Can anyone help?
The problem is that you have a dynamic IP. What you can do is get a static IP or use a program that tracks your IP when it changes. The program that I use is dynu. What dynu is: Your PC is connected to the internet and runs Dynu Client. Dynu Client keeps track of your computer's IP address and reports it to Dynu DNS servers.
When someone requests 'yourname.dynu.com', Dynu DNS servers redirect them to your computer just like Internic DNS servers redirect requests to 'yourname.com'.
Now any user on the internet can connect to your PC instantly by requesting 'yourname.dynu.com'.
I recommend this program, and here's the best part: it's free.
Try this link as it explains about port forwarding etc and may shed some light.
http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp
There are services available which will provide dynamic updates to DNS servers on the internet so that you can be accessed by URL. These services require you to load a utility on your server which updates the dynamic DNS server of changes to your IP address due to DHCP etc...
One Such Service that I have had great luck with is TZO.com, $25 per year for a url such as www.yourdomain.tzo.com
I have everything set up with No-Ip.com and have their client, but with the Win2k FTP properties window, under the FTP site tab in the identification part that says IP address, I think I need to put blocka.no-ip.com. I click apply and I get an error saying invalid IP address.
Hi,
First I have a question to know your configuration.
Do you have a NAT router installed behind your DSL connection?
If so, you have to configure a port forwarding rule on your router.
Map port 21 to match your FTP server's internal IP address.
I followed the instructions above but my site only works in command prompt mode, not browser mode. When I use Internet Explorer and type ftp://localhost I get a message box:
An error has occurred reading the contents of the folder etc
Details:
The computer is disconnected from the network
please help me solve this
Make sure in tool/options/advanced you have the view ftp folders thingy selected.
bl
"If you have sensitive files, as an alternative you can configure FTP to use valid Windows 2000 domain accounts."
I am not so sure about this. I read something different from Microsoft because I wanted to setup a virtual FTP directory for a Domain User so that when they login, they see only that directory. MS docs say that the user has to be local. No thanks, I'll pass on this one.
Notice this:
one of the pitfalls of FTP authentication is that usernames and passwords are transmitted as clear text.
If you have sensitive files, as an alternative you can configure FTP to use valid Windows 2000 domain accounts. However, if you do this, one of the pitfalls of FTP authentication is that usernames and passwords are transmitted as clear text. Thus, anyone with a packet sniffer can trap your user information and try to use it to compromise your network.
I checked off anonymous ftp, and then Windows tells me my passwords will be sent plain text! How do I encrypt my passwords?
Try this link to encrypt your FTP sessions:
http://safetp.cs.berkeley.edu/
It works great and it's free.
This is a fine article, but what about setting up multiple ftp sites on IIS? I have a challenge where every site needs its own port number. This causes problems for many of my users who don't even know what a port number is!
I have about 200 sites on a single IP address.
Thanks, DRM
I have found that I can easily access the FTP folders by using the required FTP://(IP Address) and then after that, make sure each User has the required permissions.
I still don't quite understand whether the rest of the access has been secured correctly or not...
But, I also need to know how and where I would be able to secure the passwords from being identified as plain text.
I DO NOT wish to have the Anonymous login to be allowed. That would be like allowing the GUEST login on the Domain to have complete and unfettered access. That's surely not going to happen. The whole setup is on 2000 Adv Svr.
Any suggestions would be greatly appreciated.
Dear Friends
I just wanted to know: is it possible with IIS to host multiple FTP servers with the same IP address? For example, I want ftp://ftp.xyz.com ftp://ftp.support.xyz.com ftp://abc.com
I am curious about the security of FTP authentication. If I do not allow anonymous access and the user must provide a username/password pair to authenticate, is this information encrypted between the FTP server and client?
FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid username and password combination prior to granting access. You should be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server.
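Added example, not part of the thread or of any poster's reply: a small Python audit of what the answer above describes, listing every login whose `PASS` command is readable on the control channel and which accounts therefore need a password change. The capture lines, their `<conn> <C|S> <line>` format and the function name are constructed for this example.

```python
import re

# Constructed sample (not from the thread): FTP control-channel lines as a
# passive capture on port 21 shows them. Assumed format: "<conn> <C|S> <line>".
SAMPLE_CAPTURE = """\
c1 S 220 FTP service ready
c1 C USER jsmith
c1 S 331 Password required
c1 C PASS Spring2003!
c1 S 230 User logged in
c2 S 220 FTP service ready
c2 C USER anonymous
c2 S 331 Send e-mail address as password
c2 C PASS guest@example.com
c2 S 230 User logged in
c3 S 220 FTP service ready
c3 C USER backup
c3 S 331 Password required
c3 C PASS wrongpw
c3 S 530 Login incorrect
"""

LINE_RE = re.compile(r"^(\S+) ([CS]) (.*)$")

def audit_cleartext_logins(capture):
    """Return one finding per connection whose PASS command was readable."""
    sessions = {}
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, side, line = m.groups()
        s = sessions.setdefault(conn, {"user": "", "pass_seen": False, "ok": False})
        verb, _, arg = line.partition(" ")
        if side == "C" and verb.upper() == "USER":
            s.update(user=arg.strip(), pass_seen=False, ok=False)
        elif side == "C" and verb.upper() == "PASS":
            s["pass_seen"] = True          # the password itself is never stored
        elif side == "S" and verb == "230" and s["pass_seen"]:
            s["ok"] = True                 # 230 = login accepted (RFC 959)
    findings = []
    for conn, s in sessions.items():
        if s["pass_seen"]:
            anon = s["user"].lower() in ("anonymous", "ftp")
            findings.append({"conn": conn, "user": s["user"], "anonymous": anon,
                             "logged_in": s["ok"],
                             "rotate_password": s["ok"] and not anon})
    return findings
```

Any finding with `rotate_password` set is a working, non-anonymous credential that crossed the network unencrypted.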
I want to know about the security of FTP authentication. If I do not allow anonymous access and the user must provide a username/password pair to authenticate, is this information encrypted between the FTP server and client?
How can I grant logon access to a user that will only use FTP to upload and download files ?
I've got my connection coming into a router and then going to each PC, including the PC I'm using for a server. I've forwarded port 21 (TCP) to the local IP of the server, and I've also put the server on the DMZ. On the server I've turned on IIS (Windows 2000 standard) and used the IP address coming into the router as the IP address for the server. I have so far not been able to access the server via FTP protocol (I can of course see it on the network). Can anyone shed some light on my subject? How should I set up the username so that only one username and password will be able to log in to it? I'm used to seeing the login box come up when I access an FTP that requires a logon. Is this a standard feature? Or does this not apply to my situation? Thanks in advance.
I've created a local intranet ftp site on our server (internet access is blocked by our firewall). Anonymous access is permitted. I can access the site by typing ftp:// , but using ftp://localhost returns "connection can't be established", while ftp://ftp..com returns "Anonymous access not allowed". Thanks in advance for any help!
I have Windows 2000 Pro, installed IIS
I am stuck here ....
- Fig A - I don't see Administration web site under my FTP site * Myco in the example
- Creating FTP site #3, Right click on Default FTP site does not give me the option to select New Site.
What am I missing?
thanks
Dav

































