Home page logo
/

basics logo Security Basics mailing list archives

Re: Secure FTP
From: Krymson () gmail com
Date: 26 Mar 2007 16:23:48 -0000

It is awesome to hear you are wanting to further secure your FTP, and it sounds like you already have some good ideas.

If you absolutely need to use an FTP server, definitely review permissions and accounts on a regular basis, choose 
difficult-to-guess usernames and passwords, and try your best not to use domain accounts but rather local accounts. 
Review activity logs, don't let data sit there for 2 years, and rotate passwords. There should be some hits on a Google 
search for "secure IIS FTP." It could also be a step up to not use IIS FTP but rather even a free third-party FTP 
server. 

If you don't mind spending some money, and I see you don't mind having your clients download something new (free SFTP 
client), I definitely would suggest an SFTP solution so that your communication channel is encrypted. On the Windows 
commercial side, I believe F-Secure has an SFTP product, although your mileage may vary depending on how it meets your 
needs. There may be others, but F-Secure is the only one I know about offhand.

If you want to rig something less supported, you could get a Linux box with SSH/SFTP set up. This is really the best 
solution, but is oftimes out of reach of some businesses due to support requirements or *nix-knowledgable staff.

Lastly, you can get really elaborate by installing Cygwin with OpenSSH on your Windows box and turn your Windows box 
into a faux SFTP server. I'm not the biggest fan of this, but if you want to use it, it does get the job done. This is 
really less complicated than a Linux box for Windows admins, but is still pretty complex for non-nix people.

I would caution that not all of your clients may be willing or able to install or run third-party executables on their 
own systems and might be very limited to FTP both on their network and their systems. I am a big proponent of keeping 
both FTP and SFTP around for just such reasons. Pimp out SFTP as much as possible, but you can then fall back to FTP 
for those who won't "get it."

<- snip ->
We have a public facing FTP server that we would like to secure. We are =
running a MS 2003 Active Directory domain and this box is running on =
Win2k Server. What is the best way to secure this FTP server? I've =
tried SFTP, but was just curious as to what else is out there. Right =
now we are using the builtin IIS FTP server. Our goal is to provide a =
public FTP server so that clients or customers can dropoff large files =
there without the need to e-mail them. We aren't too keen on the fact =
that FTP is cleartext and these are domain user/pass going back and =
forth. Plus, we are a financial institution and any way to encrypt this =
traffic would definitely be a plus....even if we have to provide a link =
to connecting clients so that they can download a free secure FTP =
client.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]