IIS 5.0 in Windows 2000 provides an FTP service. Because it is simple to use and tightly integrated with Windows itself, it is popular with many users. But is an FTP server built on IIS 5.0 really secure? Its default settings in fact carry many security risks and make it an easy target for attackers. With a few small changes, we can make the FTP server more secure.
I. Disable anonymous access
By default, the Windows 2000 FTP server allows anonymous access. Anonymous access makes uploading and downloading files convenient for users, but it carries a significant security risk: users can reach your FTP server, and even upload and download files, without applying for a legitimate account. On an FTP server that stores important information, this can easily lead to leaks, so we recommend disabling anonymous access.
In Windows 2000, click Start → Programs → Administrative Tools → Internet Services Manager to open the management console window. Expand the local computer entry on the left side of the window and you will see the IIS 5.0 FTP server. The following uses the default FTP site as an example to show how to disable anonymous access.
Right-click the "Default FTP Site" item and select "Properties" from the context menu to open the Default FTP Site Properties dialog box. Switch to the "Security Accounts" tab, clear the check box in front of "Allow Anonymous Connections" (Figure 1), and click the "OK" button. Users can then no longer access the FTP server with the anonymous account and must have a legitimate account.
Figure 1 Prohibit anonymous access
II. Enable logging
Windows logs record information about everything the system does, but many administrators do not pay enough attention to logging and, to save server resources, disable the FTP server's logging function. This is absolutely inadvisable. The FTP server log records all user access information, such as the access time, the client IP address, and the login account used. This information is very important for keeping the FTP server running stably: once the server has a problem, you can review the FTP log, find the fault, and eliminate it promptly. Therefore, be sure to enable FTP logging.
In the Default FTP Site Properties dialog box, switch to the FTP Site tab and make sure that the Enable Logging option is selected so that you can view the FTP log records in Event Viewer.
III. Set user access rights correctly
Each FTP user account has certain access rights, and setting those rights unreasonably can also create security risks on the FTP server. Take the CCE folder on the server as an example: only the cceuser account should have read, write, modify, and list permissions on it, and other users should be denied access. However, by default the system gives other users read and list permissions on the CCE folder, so you must reset the folder's access rights.
Right-click the CCE folder, select Properties from the pop-up menu, and switch to the Security tab. First remove the Everyone account, then click the "Add" button and add the cceuser account to the Name list box. In the "Permissions" list box, select Modify, Read & Execute, List Folder Contents, Read, and Write, and then click the OK button. The CCE folder is now accessible only to the cceuser user.
IV. Enable disk quotas
Disk space on an FTP server is valuable, and letting users consume it without restriction is bound to cause huge waste, so limit the disk space each FTP user can use. The following example limits the cceuser user to 100 MB of disk space.
In Windows Explorer, right-click the drive that holds the CCE folder, select Properties from the pop-up menu, and switch to the Quota tab (Figure 2). Select the "Enable quota management" check box to activate all the quota options on the Quota tab. To keep any FTP user from consuming too much server disk space, be sure to select the "Deny disk space to users exceeding quota limit" check box.
Figure 2 Restricting FTP storage space
Then, under "Select the default quota limit for new users on this volume", select the "Limit disk space to" radio button. Enter 100 in the box that follows and select "MB" as the unit. Next, set the warning level: enter "96" in the "Set warning level to" box and again select "MB" as the unit. This completes the default quota settings. Also select the "Log event when a user exceeds their quota limit" and "Log event when a user exceeds their warning level" check boxes so that quota alert events are written to the Windows log.
Click the Quota Entries button at the bottom of the Quota tab to open the Quota Entries dialog box. Click "Quota → New Quota Entry" to open the Select Users dialog box, select the cceuser user, and click OK. Then set the quota parameters for cceuser in the Add New Quota Entry dialog box: select the "Limit disk space to" radio button, enter "100" in the box that follows, enter "96" in the "Set warning level to" box, set the unit of both to "MB", and click the "OK" button. This completes the disk quota setting: the cceuser user can use only 100 MB of disk space, and a warning is issued above 96 MB.
V. TCP/IP access restrictions
To protect the FTP server, we can also deny access from certain IP addresses. In the Default FTP Site Properties dialog box, switch to the Directory Security tab and select the "Granted Access" radio button (Figure 3). Then click the "Add" button next to the "Except those listed below" box to open the "Deny Access" dialog box, where we can deny access to a single IP address or a group of IP addresses. To deny a single IP address, select the "Single Computer" option, enter the IP address of the machine in the IP Address field, and click the "OK" button. IP addresses added to the list will not be able to access the FTP server.
Figure 3 Blocking an IP address from accessing FTP
VI. Configure Group Policy sensibly
You can also strengthen the security of your FTP server by modifying Group Policy items. In Windows 2000, go to Control Panel → Administrative Tools and run the Local Security Policy tool.
1. Audit account logon events
In the Local Security Settings window, expand Security Settings → Local Policies → Audit Policy in turn. In the right pane, locate the "Audit account logon events" item (Figure 4), double-click to open it, select both "Success" and "Failure" in the settings dialog box, and click OK. Once this policy is in effect, every logon by an FTP user is logged.
Figure 4 Logging user login information
2. Increase the complexity of account passwords
Some FTP account passwords are too simple and can be cracked by malicious users. To improve the security of the FTP server, users must be forced to set complex account passwords.
In the Local Security Settings window, expand Security Settings → Account Policies → Password Policy. In the right pane, locate the "Passwords must meet complexity requirements" item, double-click to open it, select the Enabled option, and click OK.
Then open the "Minimum password length" item and set the minimum number of characters for FTP account passwords. With this in place, passwords are much more secure.
3. Limit account login attempts
Some unauthorized users use hacking tools to log on to the FTP server repeatedly in order to guess an account's password. This is very dangerous, so we recommend limiting the number of login attempts.
Expand "Security Settings → Account Policies → Account Lockout Policy", find the "Account lockout threshold" item in the right pane, double-click to open it, and set the maximum number of login attempts; an account that exceeds this number is locked automatically. Then open the "Account lockout duration" item and set how long a locked FTP account stays locked; once this time has elapsed, the account can be used again.
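The logging enabled in section II and the login limit described here can be checked against each other. The following added example (not part of the original article) scans FTP log entries for repeated failed logins per client IP and account. It assumes the site logs in W3C Extended format with the fields `time c-ip cs-method cs-uri-stem sc-status` and a `[n]` session tag in front of each command; the function names, the `threshold` parameter and the sample log are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C Extended format (assumed field set); not from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-12 08:01:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
08:01:13 192.0.2.5 [1]USER cceuser 331
08:01:14 192.0.2.5 [1]PASS - 230
08:02:40 198.51.100.99 [2]USER cceuser 331
08:02:40 198.51.100.99 [2]PASS - 530
08:02:41 198.51.100.99 [3]USER CCEUSER 331
08:02:41 198.51.100.99 [3]PASS - 530
08:02:42 198.51.100.99 [4]USER cceuser 331
08:02:42 198.51.100.99 [4]PASS - 530
08:02:43 198.51.100.99 [5]USER anonymous 331
08:02:43 198.51.100.99 [5]PASS - 530
08:02:44 198.51.100.99 [5]PASS
"""

def parse(lines):
    """Yield one dict per entry, using the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def failed_logins(lines, threshold=3):
    """Return {(client_ip, account): count} for failed PASS (530) at or over threshold."""
    pending = {}           # (ip, session tag) -> account named by the last USER
    failures = Counter()
    for rec in parse(lines):
        session, _, command = rec["cs-method"].rpartition("]")
        key = (rec["c-ip"], session)
        if command == "USER":
            pending[key] = rec["cs-uri-stem"].lower()  # Windows account names ignore case
        elif command == "PASS" and rec["sc-status"] == "530":
            failures[(rec["c-ip"], pending.get(key, "?"))] += 1
    return {pair: n for pair, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, account), n in failed_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{n} failed logins for {account!r} from {ip}")
```

Setting `threshold` to the value chosen for "Account lockout threshold" shows which sources would have triggered a lockout; an address that appears repeatedly is a candidate for the deny list in section V.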
With the above settings in place, our FTP server is more secure, and we no longer need to fear intrusion.