Slightly improved Windows FTP server security

Author:Ye Fei

Windows 2000 provides FTP service functions, which are easy to use and closely integrated with the Windows system. But is the FTP server set up with IIS5.0 secure? Its default settings have many security risks and are easy to become targets of hackers. How to make the FTP server more secure can be achieved with a slight transformation.

　　1. Cancel Anonymous Access

By default, FTP servers in Windows 2000 allow anonymous access. Although anonymous access is convenient for users to upload and download files, there are great security risks. You do not need to apply for a valid account to access the FTP server, or even upload or download files. Especially for FTP servers that store important data, leaks may easily occur, therefore, we recommend that you cancel anonymous access.

In Windows 2000, click Start> program> Management Tools> Internet Service Manager to bring up the Management Console window. Expand the Local Computer option on the left side of the window to view the FTP server that comes with IIS5.0. The following uses the default FTP site as an example to describe how to cancel anonymous access.

Right-click "Default FTP site" and select "properties" from the shortcut menu. Then, the default FTP site Property dialog box is displayed. Switch to the "Security Account" tab, deselect the check box before "Allow anonymous connection" (1) and click "OK". In this way, the user cannot access the FTP server using an anonymous account and must have a valid account.

Figure 1 Disable Anonymous Access2. Enable Logging

Windows logs record all information about system operation, but many administrators do not pay enough attention to the logging function. To save server resources, the FTP server logging function is disabled, which is absolutely undesirable. The FTP server log records the access information of all users, such as the access time, Client IP address, and Logon account used. This information is of great significance for the stable operation of the FTP server, once the server encounters a problem, you can view the FTP Log, locate the fault, and troubleshoot it in time. Therefore, you must enable FTP logging.

In the default FTP site Properties dialog box, switch to the "FTP site" tab and make sure that the "Enable Logging" option is selected, in this way, you can view FTP log records in the event viewer.3. Correctly Set User Access Permissions

Each FTP user account has certain access permissions, But improper settings of user permissions can also lead to security risks on the FTP server. For example, the CCE folder on the server only allows the CCEUSER account to have the read, write, modify, and list permissions on it. Other users are prohibited from accessing it, or allow other users to have the read and list permissions on the CCE folder. Therefore, you must reset the user access permissions for the folder.

Right-click the CCE folder, select "properties" from the pop-up menu, switch to the "Security" tab, delete the Everyone user account, and click "add, add the CCEUSER account to the name list box, select modify, read and run, list folder directories, read and write options in the "permission" list box, and click "OK. In this way, the CCE folder can only be accessed by the CCEUSER user.4. Enable Disk Quota

The disk space resources of the FTP server are precious, and unlimited use by users will inevitably result in a huge waste. Therefore, you must limit the disk space used by each FTP user. The following uses the CCEUSER user as an example to limit the capacity to MB.

In the resource manager window, right-click the drive letter of the CCE folder, select "properties" from the pop-up menu, and switch to the "quota" tab (2 ), select the "enable quota management" check box to activate all quota settings on the "quota" tab. To prevent some FTP users from occupying too much server disk space, be sure to select the "Deny disk space to users who exceed the quota" check box.

Figure 2 restrict FTP storage space

In the "select default quota limit for new users on the volume" box, select the "Limit disk space to" option, and then enter 100 in the following column, select "MB" as the disk capacity unit, set the warning level, enter "96" in the "set warning level" column, and select "MB" as the capacity unit ", this completes the default quota settings. In addition, You must select the "record events when the user exceeds the quota limit" and "record events when the user exceeds the warning level" check boxes to record the quota alarm events to Windows logs.

Click the "quota items" button at the bottom of the quota tab to open the disk quota project dialog box. Then, click "quota> Create quota item". The "Select User" dialog box is displayed, and the CCEUSER user is selected, click "OK", set the quota parameter for the CCEUSER in the "Add new quota" dialog box, and select the "restrict disk space to" option, enter "100" in the following column, and then enter "96" in "set warning level to". Their disk capacity is measured in "MB ", click the "OK" button to complete the disk quota settings. Therefore, the CCEUSER can only use 100 MB of disk space. If the disk space exceeds 96 MB, a warning will be issued.

 

1 V. TCP/IP access restrictions

To ensure the security of the FTP server, access from some IP addresses can also be denied. In the default FTP site Properties dialog box, switch to the "Directory Security" tab, select the "authorized access" option (3), and click "add" in the "excluded from the following" box, the "Deny Access" dialog box is displayed. You can deny access from a single IP address or a group of IP addresses. Take a single IP address as an example and select the "single host" option, enter the IP address of the machine in the "ip address" column, and click "OK. In this way, the IP addresses added to the list cannot access the FTP server.

Figure 3 block this IP address from accessing FTP

 

1 6. Reasonably set group policies

Modifying group policy items can also enhance the security of the FTP server. In Windows 2000, go to "Control Panel> Management Tools" and run the local security policy tool.

　　1. Audit Account Logon Events

In the local security settings window, expand "Security Settings> Local Policies> Audit Policies", and then find the "Audit Account Logon Events" project in the box on the right (4 ), double-click to open the project, select "successful" and "failed" in the Setting dialog box, and click "OK. After this policy takes effect, FTP users are recorded in logs every time they log on.

Figure 4 logging User Logon Information

　　2. Enhance account and password complexity

Some FTP account passwords are too easy to set and may be cracked by "bad guys. To improve the security of the FTP server, you must set a complex account and password.

In the local security settings window, expand "Security Settings> Account Policy> password policy", find the "Password Must Meet Complexity Requirements" item in the right-side frame, and double-click it, select the "enabled" option and click "OK.

Then, open the "minimum password length" item and set the minimum character limit for the FTP account password. In this way, the password security is greatly enhanced.

　3. Account Logon Restrictions

Some illegal users use hacking tools to repeatedly log on to the FTP server to guess the account and password. This is very dangerous. Therefore, we recommend that you limit the number of Logon times.

Expand "Security Settings> Account Policy> account lock policy", find the "account lock threshold" item in the right box, and double-click it to set the maximum number of Logon times for the account, if this value is exceeded, the account is automatically locked. Next, open the "account lock time" item and set the time when the FTP account is locked. Once the account is locked, it will be used again after the time value is exceeded.

After setting the above steps, the user's FTP server will be more secure and no longer need to be afraid of illegal intrusion.