Comprehensively improving the security of an FTP server

Source: Internet
Author: User
Windows 2000 provides a built-in FTP service. Because it is simple, easy to use and tightly integrated with Windows itself, it is popular with many users. But is an FTP server built on IIS 5.0 really secure? Its default settings carry many security risks and make it an easy target for attackers. With a few changes, the FTP server can be made more secure.

One. Disable anonymous access

By default, the Windows 2000 FTP server allows anonymous access. Although anonymous access makes uploading and downloading files convenient for users, it is a significant security risk: users can reach the FTP server, and even upload and download files, without applying for a legitimate account. On an FTP server that stores important information this can easily lead to leaks, so we recommend disabling anonymous access.

In Windows 2000, click "Start → Programs → Administrative Tools → Internet Services Manager" to open the management console window. Expand the local computer entry on the left side of the window to see the IIS 5.0 FTP server. The following uses the Default FTP Site as an example to describe how to disable anonymous access.

Right-click the "Default FTP Site" entry and select "Properties" from the context menu to open the Default FTP Site Properties dialog box. Switch to the "Security Accounts" tab, clear the check box in front of "Allow Anonymous Connections", and click the "OK" button. Users can then no longer reach the FTP server with the anonymous account and must have a legitimate account.

Two. Enable logging

The Windows logs record everything about the running system, but many administrators do not pay enough attention to logging and, to save server resources, disable FTP server logging. This is not advisable. The FTP server log records all user access information, such as the access time, the client IP address and the login account used. This information is very important for keeping the FTP server running stably: once the server has a problem, you can view the FTP log, find the fault and fix it promptly. Therefore, be sure to enable FTP logging.

In the Default FTP Site Properties dialog box, switch to the FTP Site tab and make sure that the Enable Logging option is selected, so that you can view the FTP log records in Event Viewer.

Three. Set user access permissions correctly

Each FTP user account has certain access permissions, but unreasonable permission settings can also create security risks on the FTP server. For example, suppose that only the Cceuser account should have read, write, modify and list permissions on the CCE folder on the server, and that all other users should be denied access. By default, however, the system gives other users read and list permissions on the CCE folder, so you must reset the folder's access permissions.

Right-click the CCE folder, select Properties in the pop-up menu, and switch to the Security tab. First delete the Everyone account, then click the "Add" button and add the Cceuser account to the Name list box. In the "Permissions" list box, select the Modify, Read & Execute, List Folder Contents, Read and Write options, and then click the OK button. The CCE folder is now accessible only to the Cceuser user.

Four. Enable disk quotas

Disk space on the FTP server is valuable, and letting users consume it without restriction is bound to cause great waste, so limit the disk space each FTP user can use. The following uses the Cceuser user as an example and limits it to 100 MB of disk space.

In the Explorer window, right-click the drive that holds the CCE folder, select Properties from the pop-up menu, and switch to the Quota tab. Select the Enable quota management check box, which activates all quota setting options on the Quota tab. To stop FTP users from consuming too much server disk space, be sure to select the Deny disk space to users exceeding quota limit check box.

Then, under Select the default quota limit for new users on this volume, select the Limit disk space to radio button. Enter 100 in the field that follows and select "MB" as the unit. Next, set the warning level: enter "96" in the "Set warning level to" field and again select "MB" as the unit. This completes the default quota settings. Also select the Log event when a user exceeds their quota limit and Log event when a user exceeds their warning level check boxes, so that quota alert events are written to the Windows log.

Click the Quota Entries button at the bottom of the Quota tab to open the Quota Entries dialog box, then click "Quota → New Quota Entry" to open the Select Users dialog box. Select the Cceuser user and click OK, then set the quota parameters for Cceuser in the Add New Quota Entry dialog box. Select the Limit disk space to radio button, enter "100" in the field that follows, and enter "96" in the "Set warning level to" field, both with "MB" as the unit. Click the "OK" button to complete the disk quota settings. The Cceuser user can now use only 100 MB of disk space, and a warning is issued above 96 MB.

Five. TCP/IP access restrictions

To secure your FTP server, you can also deny access to certain IP addresses. In the Default FTP Site Properties dialog box, switch to the Directory Security tab, select the Granted Access radio button, and then click the Add button next to the "Except those listed below" box to open the Deny Access dialog box. Here you can deny access to a single IP address or to a group of IP addresses; this example uses a single IP address. Select the Single Computer option, enter the IP address of the machine in the IP Address field, and click the "OK" button. IP addresses added to the list cannot access the FTP server.

Six. Set Group Policy sensibly

You can also enhance the security of your FTP server by modifying Group Policy items. In Windows 2000, go to Control Panel → Administrative Tools and run the Local Security Policy tool.

1. Audit account logon events

In the Local Security Settings window, expand Security Settings → Local Policies → Audit Policy in turn, and locate the Audit account logon events item in the right-hand pane. Double-click it to open it, select both Success and Failure in the settings dialog, and click OK. Once this policy is in effect, every logon by an FTP user is logged.

2. Increase the complexity of account passwords

Some FTP account passwords are too simple and may be cracked by "lawless" people. To improve the security of the FTP server, users must be forced to set complex account passwords.

In the Local Security Settings window, expand Security Settings → Account Policies → Password Policy. In the right-hand pane, locate the Passwords must meet complexity requirements item, double-click it to open it, select the Enabled option, and then click OK.

Then open the "Minimum password length" item to set the minimum number of characters for FTP account passwords. With these settings, password security is greatly enhanced.

3. Limit account logon attempts

Some illegal users use hacker tools to log on to the FTP server repeatedly in order to guess account passwords. This is very dangerous, so we recommend that you limit the number of logon attempts.

Expand "Security Settings → Account Policies → Account Lockout Policy". In the right-hand pane, find the "Account lockout threshold" item, double-click it to open it, and set the maximum number of logon attempts for an account; if this number is exceeded, the account is locked automatically. Then open the "Account lockout duration" item and set how long an FTP account stays locked. Once an account is locked, it can be used again only after this time has passed.
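The logging enabled in section Two and the password-guessing concern above can be checked together by reviewing the FTP log. The following is an added example, not part of the original article: it assumes the FTP log is available as a W3C Extended format text file with the columns named in its #Fields line, and reports client/account pairs with repeated rejected logons (reply 530) and clients that logged on anonymously. The function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log (documentation IP ranges), W3C Extended format assumed.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:00:01 192.0.2.10 [1]USER cceuser 331
09:00:02 192.0.2.10 [1]PASS - 230
09:01:10 198.51.100.7 [2]USER cceuser 331
09:01:11 198.51.100.7 [2]PASS - 530
09:01:12 198.51.100.7 [2]USER cceuser 331
09:01:13 198.51.100.7 [2]PASS - 530
09:01:14 198.51.100.7 [3]USER cceuser 331
09:01:15 198.51.100.7 [3]PASS - 530
09:02:00 203.0.113.5 [4]USER anonymous 331
09:02:01 203.0.113.5 [4]PASS guest@example.com 230
"""

METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # "[session]VERB"

def review(log_text, threshold=3):
    """Return ({(ip, account): failed logons >= threshold}, {IPs with anonymous logons})."""
    fields, pending = [], {}   # pending: (ip, session) -> account from last USER
    failures, anonymous = Counter(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]           # column names come from the log itself
            continue
        if not parts or line.startswith("#") or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        key, verb = (rec["c-ip"], m.group(1)), m.group(2).upper()
        if verb == "USER":
            pending[key] = rec["cs-uri-stem"].lower()
        elif verb == "PASS":
            user = pending.get(key, "?")
            if rec["sc-status"] == "530":        # logon rejected
                failures[(rec["c-ip"], user)] += 1
            elif rec["sc-status"] == "230" and user in ("anonymous", "ftp"):
                anonymous.add(rec["c-ip"])       # anonymous access still enabled
    suspects = {k: n for k, n in failures.items() if n >= threshold}
    return suspects, anonymous

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Any address in the second result means anonymous access from section One is still enabled; a sensible `threshold` is the value chosen for "Account lockout threshold".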

With these steps, the FTP server will be more secure and need no longer fear illegal intrusion.


