
Resolved FTP Security Issue

Discussion in 'Windows Server System' started by Steve R Jones, 2014/07/30.

  1. 2014/07/30
    Steve R Jones

    Steve R Jones SuperGeek Staff Thread Starter

    My small company uses a Vista machine as a backup server. We also use SyncBack to send files to the machine... Three co-workers in other states have to use the FTP function within SyncBack to send their files.

    My main IT guy in India contacted me freaking out saying the machine was exposed to the whole outside world.

    I kind of thought a person would need one of the usernames and passwords to get into the machine. Guess I was wrong?!?!?!?

    Do I need to disable the "Allow Anonymous Connections" in IIS Manager? And are there any other settings?

    Thank you in advance.
     
  2. 2014/07/30
    TonyT

    TonyT SuperGeek Staff

    Anonymous FTP allows anyone using an email address to connect to the FTP server. It's wide open: one can enter "anonymous" or "ftp" when prompted for a username and enter anything at all for a password. In some cases there's no prompt for credentials.

    You should disable anonymous FTP and assign usernames and passwords to those remote users, or better yet, use SFTP. Find out if there's an SSH module for IIS and use that (I don't think it's supported by IIS). Users can then connect with credentials using a very good free client like WinSCP.

    For encryption during transfers you can use FTPS.

    If you don't need encryption then at least set up users and strong passwords for FTP.

    IIS: Default FTP Authentication Settings <authentication>

    Post the domain name please!
     

  4. 2014/07/31
    Steve R Jones

    Steve R Jones SuperGeek Staff Thread Starter

    THANKS Tony.

    There is no domain name involved. We're using a straight shot to the router with port forwarding to the PC in question.

    The three users are currently logging in with one of the PC user profiles and the password is fairly strong with 10 digits.

    My IT guys will be getting involved and I'll read up on the info you provided.

    One little thing I can do is set up a schedule in the router setup to only allow FTP for a few hours one day a week....which is all we need.

    Thanks again.
     
  5. 2014/08/01
    TonyT

    TonyT SuperGeek Staff

    No worries so long as Anonymous FTP is disabled and usernames/passwords are used.

    Without a domain name a criminal would need the IP address supplied by the ISP. Easy to grab, it's in email headers and elsewhere, but unlikely your biz would be targeted for anything.

    One can use Google Search to locate FTP sites with this search string:
    inurl:ftp -inurl:(http|https)

    If your WWW site is also accessible from outside the LAN:
    put a robots.txt file in WWW root with this line(s):
    Disallow: /MY-FTP-FOLDER/
    Disallow: /MY-OTHER-FTP-FOLDER/

    As a better safeguard I would configure FTP to use alternate ports: change from 20, 21 to something like 8020, 8021. That will eliminate the majority of criminals' attack attempts. (They are looking for ports 20, 21.)
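
Added example, not part of any post in this thread: a check to run against your own FTP server after changing the IIS setting, confirming that an anonymous login is refused and reporting whether the server advertises FTPS (`AUTH TLS`). The names `audit_ftp`, `StubFTP` and `start_stub` are hypothetical, and the stub is a constructed stand-in for a server so the script runs offline.

```python
import ftplib
import socketserver
import threading

def audit_ftp(host, port=21, timeout=5.0):
    """Report what an unauthenticated client sees on an FTP server you administer."""
    result = {"anonymous_login": False, "auth_tls": False}
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)  # port can be 21 or an alternate such as 8021
    try:
        try:
            result["auth_tls"] = "AUTH TLS" in ftp.sendcmd("FEAT").upper()
        except ftplib.error_perm:
            pass  # server does not implement FEAT
        try:
            ftp.login()  # with no arguments ftplib sends user "anonymous"
            result["anonymous_login"] = True
        except ftplib.error_perm:
            pass  # 530 reply: anonymous refused, the desired state
    finally:
        ftp.close()
    return result

class StubFTP(socketserver.StreamRequestHandler):
    """Constructed stand-in server (assumption: not a real FTP daemon)."""
    def handle(self):
        self.wfile.write(b"220 stub ready\r\n")
        for raw in self.rfile:
            cmd = raw.decode().strip().upper()
            if cmd == "FEAT" and self.server.tls:
                reply = "211-Features\r\n AUTH TLS\r\n211 End"
            elif cmd.startswith("USER"):
                reply = "331 Password required"
            elif cmd.startswith("PASS"):
                reply = "230 Logged in" if self.server.allow_anon else "530 Login failed"
            else:
                reply = "502 Not implemented"
            self.wfile.write((reply + "\r\n").encode())

def start_stub(allow_anon, tls=False):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubFTP)
    srv.allow_anon, srv.tls, srv.daemon_threads = allow_anon, tls, True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_stub(allow_anon=True)
    print(audit_ftp("127.0.0.1", srv.server_address[1]))
    srv.shutdown()
```

To check a real machine, call `audit_ftp` with the server's address and the forwarded port; `anonymous_login` should come back `False` once anonymous connections are disabled.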
     
