Configuring FTP Network Security
FTP 7 provides numerous methods for ensuring that only authorized users can access an
FTP site. In this section, you’ll learn about using SSL, firewall
settings, and IP address restrictions to control access to FTP sites.
Configuring FTP SSL Settings
By default, all control channel and data channel communications between an FTP server and client
are sent in clear text. This is a serious security issue, especially
when providing FTP access over the Internet. For example, if packets are
intercepted during the authentication process, username and password
information can be collected and used to access the site.
Administrators can encrypt communications between an FTP 7 server and an FTP client by using the FTP over SSL
(commonly referred to as FTP/S or FTPS) standard. To modify these
settings, select the appropriate FTP site in IIS Manager and
double-click the FTP SSL Settings feature. (See Figure 24.)
The first setting enables you to specify which SSL certificate will be used by the FTP site.
The SSL Policy section provides three options. Allow SSL Connections
specifies that users may use SSL connections, but they can also connect
to the server using an unencrypted connection. Require SSL Connections
forces all users to use SSL and prevents unencrypted connections, and
the Custom option enables you to specify different rules for the Control
Channel and Data Channel. (See Figure 25.)
You can use these options to minimize the performance overhead of
implementing encryption. For example, by requiring encryption only for
credentials, you can prevent usernames and passwords from being sent in
clear text and still allow other control commands and data transfer to
occur without encryption.
By default, the FTP SSL functionality will use a 40-bit encryption key strength. This
reduces the CPU performance overhead while still maintaining adequate
security for most scenarios. You can enable the Use 128-Bit Encryption
For SSL Connections option to increase the strength of the encryption
(at the expense of performance).
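As an added example (not part of the original text), the script below audits the SSL policy choices described above as they are stored in IIS configuration, flagging any FTP site that still permits clear-text control or data traffic or leaves 128-bit encryption off. It assumes the settings are read from the `<ssl>` element under each site's `ftpServer/security` node in applicationHost.config, using the attribute names `serverCertHash`, `controlChannelPolicy`, `dataChannelPolicy` and `ssl128`. The sample configuration, site names and certificate hash are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like applicationHost.config; names and hash are placeholders.
SAMPLE_CONFIG = """
<configuration><system.applicationHost><sites>
  <site name="web-only" id="1" />
  <site name="ftp-allow" id="2"><ftpServer><security>
    <ssl serverCertHash="PLACEHOLDER" controlChannelPolicy="SslAllow"
         dataChannelPolicy="SslAllow" ssl128="false" /></security></ftpServer></site>
  <site name="ftp-creds-only" id="3"><ftpServer><security>
    <ssl serverCertHash="PLACEHOLDER" ssl128="true" dataChannelPolicy="SslAllow"
         controlChannelPolicy="SslRequireCredentialsOnly" /></security></ftpServer></site>
  <site name="ftp-require" id="4"><ftpServer><security>
    <ssl serverCertHash="PLACEHOLDER" controlChannelPolicy="SslRequire"
         dataChannelPolicy="SslRequire" ssl128="true" /></security></ftpServer></site>
</sites></system.applicationHost></configuration>
"""

# Policy values weaker than "SslRequire", with what each leaves exposed.
WEAK = {
    "controlChannelPolicy": {
        "SslAllow": "control channel accepts unencrypted sessions, logins included",
        "SslRequireCredentialsOnly": "only credentials are encrypted; other commands are clear text",
    },
    "dataChannelPolicy": {
        "SslAllow": "data channel accepts unencrypted transfers",
        "SslDeny": "data channel is never encrypted",
    },
}

def audit_ftp_ssl(config_xml):
    """Return {site name: [findings]} for every site with an <ftpServer> node."""
    report = {}
    for site in ET.fromstring(config_xml).iter("site"):
        if site.find("ftpServer") is None:
            continue  # not an FTP site
        ssl = site.find("ftpServer/security/ssl")
        attrs = ssl.attrib if ssl is not None else {}
        findings = [] if attrs.get("serverCertHash") else ["no SSL certificate selected"]
        for attr, weak in WEAK.items():
            value = attrs.get(attr)
            if value is None:
                findings.append(f"{attr} not set explicitly; the schema default applies")
            elif value != "SslRequire":
                findings.append(weak.get(value, f"{attr} has unrecognized value {value!r}"))
        if attrs.get("ssl128", "").lower() != "true":
            findings.append("128-bit encryption is not enabled")
        report[site.get("name")] = findings
    return report
```

An empty findings list corresponds to Require SSL Connections with the 128-bit option enabled; the credentials-only result is the Custom trade-off described above, which protects passwords but leaves file contents readable on the wire.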
Note: FTP security standards
The Secure Shell (SSH) standard can also be used to secure FTP
communications. The combination of these technologies is sometimes
referred to as Secure FTP or SFTP. The use of SSH-based security is not
supported in Windows Server 2008 and FTP 7, but you might see this
option in other FTP server software or in FTP client connection options.
Users typically will configure their SSL settings in their FTP client software. When they
attempt to create a new connection, they will see a message that enables
them to view and accept the SSL certificate that is installed for the
FTP server.