What is FTP (File Transfer Protocol)?
Secure the FTP server
FTP is one of the oldest and most common services on the Internet. It is used to send and receive files over a network, it is used by ordinary Internet users, and most operating systems support it as the standard way of transferring files on an intranet or on the Internet. Keep in mind that plain FTP transmits usernames, passwords and file contents in cleartext: the measures below control who may log on and what they may do, but they do not protect the session from eavesdropping on the network.
Windows 2000 ships with an FTP server as part of IIS (Internet Information Services). By combining this service with other features provided by Windows, system administrators can create and configure an FTP site with a suitable level of security. The following measures are recommended for securing an FTP site:
- Disable access via the Anonymous account
- Enable logging
- Configure the ACL (access control list) properly
- Configure the site as a recipient, not a sender
- Enable disk quotas
- Limit logon hours
- Restrict access based on IP address
- Audit logon events
- Enforce strong passwords
- Enable account lockout and set the account lockout threshold
Disable access via the Anonymous account
Anonymous access is enabled by default when the FTP server is first installed. It allows anyone to connect to the FTP site without an account, so users can reach the resources on the FTP server anonymously and the site's traffic cannot be attributed to identifiable users. Removing Anonymous access makes the FTP site available only to users who have a valid account.
After defining the required accounts, you can use the access control list (ACL) to define the permissions for accessing the FTP directory (the physical location of the FTP site on disk); NTFS permissions are used for this. To disable the Anonymous account, open the Property page of the FTP site in the Internet Information Services program and clear the option that allows anonymous connections on the Security Accounts tab.
Enable logging
Enabling logging ensures that the necessary information (IP addresses and usernames) is recorded for users who connect to the site, so that the site's traffic can be monitored and, in case of an attack, the initial tracking of the attacker is possible. To enable the feature, select the Enable Logging check box on the FTP Site tab of the site's Property page and choose the log file format; the log files are then created in that format. Reviewing these log files to analyze the site's traffic is very useful.
Configure the ACL (access control list) properly
Access to the FTP directory must be controlled with NTFS permissions and ACL restrictions. The FTP directory should therefore not grant the Everyone group full control, because then it is impossible to control the permissions of the users who connect to the FTP site.
Remove the existing entries and use the Add button to add the Authenticated Users group. According to the existing policy, this group can be given the Read, Write and List Folder Contents permissions. If the policy requires it (for example, for a drop-off directory), you can grant the group only Write access and revoke its Read and List Folder Contents permissions.
Configure the site as a recipient, not a sender
If users only need to send files to the server and must not be able to download files from it, the FTP site can be configured as a "blind put": users can write files to the server but cannot read from (or list) the FTP directory. For this purpose, open the Home Directory tab of the FTP site's Property page, select the Write permission and clear the Read permission.
Enable Disk Quotas
Windows 2000 makes it possible to set a storage capacity (quota) on a disk for each user. By default, ownership of a file is assigned to the user who writes it, and the file is charged against the owner's quota. Enabling quotas and setting suitable limits prevents an attack on the FTP site that fills the disk by uploading files.
If that happens, the problem spreads to every other service that stores data on the same disk. To enable quota management, right-click the desired drive, select Properties and open the Quota tab. Disk quotas are available only on NTFS partitions, and they apply only to individual users; they cannot be assigned to groups. The Quota Entries button lets you define a new entry and its limits.
Limit logon hours
Windows 2000 lets you define the specific times at which a user may log on to the network. This way, users can use the server only at the specified times, which significantly tightens control of access to the FTP site.
Active Directory Users and Computers is used to configure the logon hours. After starting the program, select the desired user, open the Property page, and on the Account tab click the Logon Hours button to specify the hours during which the user may use the server.
Restriction of access based on IP address
Access to the FTP site can also be restricted to specific IP addresses. To apply this restriction, open the Property page of the FTP site in the Internet Information Services program and select the Directory Security tab. Choose Denied Access so that all computers are denied by default, then use the Add button to enter the individual IP addresses or subnets (network ID and subnet mask) that are allowed to connect. The check is made on the source address of the TCP connection, so all clients behind one NAT gateway or proxy appear as the same address.
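The following Python class, added here as an example and not taken from the page or from IIS itself, models the semantics of that dialog: a default action for all computers plus a list of exceptions entered either as a single computer or as a group of computers (network ID and subnet mask), where listed computers get the opposite of the default. The policy it builds (deny everyone except 10.0.0.0/255.255.255.0 and the host 192.0.2.10) is a constructed example.

```python
import ipaddress


class IpAccessRestriction:
    """Model of the IIS 'IP Address and Domain Name Restrictions' dialog on the
    Directory Security tab: a default action for all computers (Granted Access or
    Denied Access) plus exceptions, each a single computer or a group of computers
    given as network ID + subnet mask. Example code, not the IIS implementation."""

    def __init__(self, default_denied):
        self.default_denied = default_denied
        self.exceptions = []

    def add_single_computer(self, address):
        # A bare host address becomes a /32 network.
        self.exceptions.append(ipaddress.ip_network(address))

    def add_group_of_computers(self, network_id, subnet_mask):
        # ipaddress accepts a dotted-decimal mask after the slash; strict=False
        # tolerates a network ID with host bits set, as the dialog does.
        self.exceptions.append(
            ipaddress.ip_network("%s/%s" % (network_id, subnet_mask), strict=False))

    def is_allowed(self, client_ip):
        """Listed computers get the opposite of the default action."""
        ip = ipaddress.ip_address(client_ip)
        listed = any(ip in net for net in self.exceptions)
        return listed if self.default_denied else not listed


def build_default_deny_policy():
    """Constructed example policy: deny all computers except the internal
    10.0.0.0/24 subnet and one partner host, 192.0.2.10."""
    policy = IpAccessRestriction(default_denied=True)
    policy.add_group_of_computers("10.0.0.0", "255.255.255.0")
    policy.add_single_computer("192.0.2.10")
    return policy


if __name__ == "__main__":
    policy = build_default_deny_policy()
    for client in ("10.0.0.77", "10.0.1.1", "192.0.2.10", "203.0.113.5"):
        print("%-12s %s" % (client, "granted" if policy.is_allowed(client) else "denied"))
```

With the default set to Denied Access, anything not matched by an exception is refused, which is the safer of the two modes: an address you forget to list is blocked rather than admitted.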
Audit logon events
By enabling auditing of logon events, you can see all successful and failed attempts to connect to the FTP site in the Security log of the Event Viewer.
Periodic review of this log helps to detect and track an attack on the site (identifying intruders and the accounts they target). To enable it, open the Local Security Policy or Group Policy program (Programs | Administrative Tools), go to Local Policies / Audit Policy, and change the local setting of "Audit logon events" (and, on a domain controller, "Audit account logon events") to Success and Failure.
Enforce strong passwords
Using strong passwords is a proven way to increase the security of any service that users authenticate to. Given the exposed position of the FTP server, requiring strong passwords is an effective way to raise the security of FTP sites. Windows 2000 lets system administrators force users to use strong passwords. Open the Local Security Policy or Group Policy program (Programs | Administrative Tools), go to Account Policies / Password Policy and enable the option "Passwords must meet complexity requirements". Once it is enabled, every defined account is subject to the following conditions:
- The password cannot contain all or part of the user's account name.
- The password must be at least six characters long.
- The password must include characters from at least three of the following four groups:
  - Uppercase letters A-Z
  - Lowercase letters a-z
  - Digits 0-9
  - Special characters (for example %, #, $, !)
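The Python function below, added here as an example and not part of the page or of Windows, applies those three conditions to a candidate password and reports which ones it violates. Assumptions: "all or part of the account name" is interpreted as the whole account name plus each part of it separated by spaces, periods, hyphens, commas or underscores, ignoring parts shorter than three characters and comparing case-insensitively; the sample accounts and passwords are constructed.

```python
import re

MIN_LENGTH = 6          # minimum length under the Windows 2000 complexity rule
MIN_CATEGORIES = 3      # at least three of the four character groups
DELIMITERS = re.compile(r"[ ,.\-_#\t]+")

CATEGORY_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def name_tokens(account_name):
    """The whole account name plus each delimiter-separated part of it, lower-cased,
    ignoring parts shorter than three characters (assumption: this is how the
    'all or part of the account name' rule is interpreted here)."""
    tokens = {account_name} | set(DELIMITERS.split(account_name))
    return {t.lower() for t in tokens if len(t) >= 3}


def check_complexity(password, account_name):
    """Return the list of violated conditions; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    for token in name_tokens(account_name):
        if token in lowered:
            problems.append("contains part of the account name: %r" % token)
            break
    present = [name for name, pat in CATEGORY_PATTERNS.items() if pat.search(password)]
    if len(present) < MIN_CATEGORIES:
        problems.append("only %d of %d character groups used (%s)"
                        % (len(present), len(CATEGORY_PATTERNS), ", ".join(present) or "none"))
    return problems


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords (not from the page).
    samples = [
        ("ftpuser", "ftpuser1"),     # contains the account name
        ("j.smith", "Smith2000!"),   # contains the 'smith' part of the account name
        ("alice", "abc12"),          # too short and only two character groups
        ("alice", "password"),       # one character group only
        ("alice", "Tr4nsfer#"),      # accepted
    ]
    for account, pwd in samples:
        result = check_complexity(pwd, account)
        print("%-8s %-12s %s" % (account, pwd, "OK" if not result else "; ".join(result)))
```

A password such as "Abc123" is the shortest form that passes (six characters, three groups); the check is deliberately a minimum bar, so a longer minimum length in the same Password Policy is still worthwhile.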
Enable account lockout and set the account lockout threshold
Guessing or cracking passwords is the main activity of most attackers and of password-cracking programs. Account lockout lets you specify how many failed logon attempts are allowed for an account; when that threshold is exceeded, the account is locked out and further logon attempts fail even if the correct password is supplied.
By enabling this feature and configuring the threshold, network administrators limit the effectiveness of password-cracking programs and online guessing attacks and increase the security factor. Note that an attacker who knows a valid username can also trigger the lockout deliberately to deny that user access, so choose the lockout duration with this in mind.
Open the Local Security Policy or Group Policy program (Programs | Administrative Tools), go to Account Policies / Account Lockout Policy and set "Account lockout duration", "Account lockout threshold" and "Reset account lockout counter after".