Archive for category: Microsoft

Today, it’s all about security. If you aren’t practicing good security, you are probably going to be held accountable for the information that sneaks into your network, and especially the information that can find its way out of your network.

Script kids and hackers alike all begin their first “hacking” by targeting what’s easy – The poor, unsuspecting FTP server. All day long, doing its job of blindly sharing and accepting files. Here are the four key parts of FTP (and its cousin Telnet) that make it insecure.

• Clear-text transmission: all communications are done in clear text, including usernames and passwords
• Weak client authentication: both FTP and Telnet authenticate users through usernames and passwords, which, time and time again, have proven to be unreliable authentication methods. There is no support for more advanced authentication methods such as public/private key, Kerberos or digital certificates
• No server authentication: this means that users have no way to be sure that the host they are communicating with really is the FTP server and not an attacker impersonating the server
• No data integrity: problem here is that, assuming the same scenario as above, anyone could alter and corrupt the data being transmitted between the server and the client without being noticed

So you have your brand new shiny server with tons of disk capacity, and a clean install of Windows 2008 Server. You’re tasked with setting up the new company FTP site. If you have experience with setting up IIS and FTP services on Windows 2000/2003 server, then you know exactly how easy it is to setup FTP service. With Windows 2008 server, securing your FTP server became just as easy. And the benefits, immense!

Windows 2008 Server utilizes the method FTPES aka FTP Explicit mode. In explicit mode, an FTPS (FTP Secure) client must “explicitly request” security from an FTPS server and then step-up to a mutually agreed encryption method (usually the minimums are defined on the server). It currently isn’t packaged onto the Windows 2008 server install media, but information and the download can be found here http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619
Without this extra handshaking and communication, your server-to-FTP client communication is susceptible to snooping and hijacking. With these simple steps, your server avoids the pitfalls listed above, that plague many FTP servers out on the web.

Securing your new Windows 2008 based FTP server comes down to these steps:

• Make sure your users and clients have a current FTP client that supports the few FTPSecure methods.
• Install IIS7 on your Windows 2008 Server
• Install the required Microsoft extras (all available on the “roles” menu) for Microsoft FTP Publishing Service for IIS 7.0.
• Install the Microsoft FTP Publishing Service for IIS 7.0 update. Now you’re nearly 80% complete
• Create and apply security ACL’s to your FTP repository. The top 10 rules that very much still apply today are published at http://www.windowsecurity.com/articles/Secure_FTP_Server.html
• Create a self signed server certificate, or purchase a server Certificate and import.

Tada, you’re done! Now your Windows 2008 FTP server is protected. From beginning to end, Connection, Authentication, Authorization, Data Request, Data transfer. It’s all encrypted.