Re: Secure FTP

From: ESVOIT (esvoit_at_starpower.net)
Date: 07/18/04


Date: Sun, 18 Jul 2004 14:18:18 -0400

For securing IIS and Windows, see here:

www.microsoft.com/technet/security
www.nsa.gov/snac
http://securityadmin.info/faq.asp#harden
http://securityadmin.info/faq.asp#ftpfolder
http://securityadmin.info/faq.asp#ftpencrypt

FYI, there is no way to do FTP that securely encrypts passwords without
requiring your users to use third party software. The only option I know of
for encrypted file transfer with no third party clients is to use a web
server with WebDAV such as the projects at www.webdav.org/projects along
with a web server certificate such as www.freessl.com. Other alternatives
include using anonymous FTP, although everyone would be able to see any
files on your server with no password required, or to enable passwords and
not encrypt them. [The main risk of the latter is someone sniffing your
passwords, but this may be secure enough depending on your security needs.]

Whatever you do, don't permit an anonymous user, e.g. the IUSR account, to both
read and write to any one FTP folder... instead, create a read only download
folder and a write only, no read "upload" folder.

Microsoft IIS can be plenty secure if you configure it properly and install
all the necessary patches regularly.

"Zen Andreas" <zen8069@zen.co.uk> wrote in message
news:u6CBWp$aEHA.3988@tk2msftngp13.phx.gbl...
> I want to create a secure ftp account on our server. But the
> criteria is that other colleagues should not require specialised
> software to connect. There is the option of using IIS but knowing
> that large sections of the global community are designing nifty
> tricks to hack or just breach whatever security arrangement it
> can offer, I was wondering what other practical alternative
> solutions are available.
>
> Your advice would be much appreciated.
>
> Thanks in advance,
> Zen
>
>
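
One way to audit the read-only download / write-only upload split recommended in the reply above, as an added example that is not part of the original thread. The identity names ('IUSR', 'Everyone'), the folder names and the ACLs are constructed assumptions; on a real server, pass (Get-Acl -LiteralPath <folder>).Access as -Rules.

```powershell
# Added example, not from the original thread. Identity names are assumptions.
$Fsr       = [System.Security.AccessControl.FileSystemRights]
$ReadBits  = [int]$Fsr::ReadData                           # list folder / read data
$WriteBits = [int]($Fsr::WriteData -bor $Fsr::AppendData)  # create files / append

function Get-AnonAccess {
    param($Rules, [string[]]$AnonIdentities)
    $allow = 0; $deny = 0
    foreach ($rule in @($Rules)) {
        if ($AnonIdentities -notcontains $rule.IdentityReference.Value) { continue }
        $bits = [int]$rule.FileSystemRights
        # Get-Acl can report generic rights as raw bits; expand them.
        if ($bits -band 0x10000000) { $bits = $bits -bor $ReadBits -bor $WriteBits } # GENERIC_ALL
        if ($bits -band 0x80000000) { $bits = $bits -bor $ReadBits }                 # GENERIC_READ
        if ($bits -band 0x40000000) { $bits = $bits -bor $WriteBits }                # GENERIC_WRITE
        # Only explicit denies are subtracted: they always win. Inherited denies
        # can lose to an explicit allow, so ignoring them errs toward reporting.
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits }
        elseif (-not $rule.IsInherited) { $deny = $deny -bor $bits }
    }
    $eff = $allow -band (-bnot $deny)
    [pscustomobject]@{
        CanRead  = [bool]($eff -band $ReadBits)
        CanWrite = [bool]($eff -band $WriteBits)
    }
}

function New-Rule($Id, $Rights, $Type = 'Allow') {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Id, $Rights, $Type)
}

# Constructed ACLs standing in for (Get-Acl -LiteralPath <folder>).Access
$folders = [ordered]@{
    'download' = @(New-Rule 'IUSR' 'ReadAndExecute')
    'upload'   = @((New-Rule 'IUSR' 'Write'), (New-Rule 'IUSR' 'ReadData' 'Deny'))
    'shared'   = @(New-Rule 'IUSR' 'Modify')   # read + write: what the post warns against
}
foreach ($name in $folders.Keys) {
    $a = Get-AnonAccess -Rules $folders[$name] -AnonIdentities 'IUSR', 'Everyone'
    '{0,-9} read={1,-5} write={2,-5} violation={3}' -f `
        $name, $a.CanRead, $a.CanWrite, ($a.CanRead -and $a.CanWrite)
}
```

Include in -AnonIdentities every group the anonymous account belongs to, since rights granted to those groups apply to it as well.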


