Security Basics mailing list archives
Re: Secure FTP
From: Krymson () gmail com
Date: 26 Mar 2007 16:23:48 -0000
It is awesome to hear you are wanting to further secure your FTP, and it sounds like you already have some good ideas. If you absolutely need to use an FTP server, definitely review permissions and accounts on a regular basis, choose difficult-to-guess usernames and passwords, and try your best not to use domain accounts but rather local accounts. Review activity logs, don't let data sit there for 2 years, and rotate passwords. There should be some hits on a Google search for "secure IIS FTP." It could also be a step up to not use IIS FTP but rather even a free third-party FTP server. If you don't mind spending some money, and I see you don't mind having your clients download something new (free SFTP client), I definitely would suggest an SFTP solution so that your communication channel is encrypted. On the Windows commercial side, I believe F-Secure has an SFTP product, although your mileage may vary depending on how it meets your needs. There may be others, but F-Secure is the only one I know about offhand. If you want to rig something less supported, you could get a Linux box with SSH/SFTP set up. This is really the best solution, but is oftimes out of reach of some businesses due to support requirements or *nix-knowledgable staff. Lastly, you can get really elaborate by installing Cygwin with OpenSSH on your Windows box and turn your Windows box into a faux SFTP server. I'm not the biggest fan of this, but if you want to use it, it does get the job done. This is really less complicated than a Linux box for Windows admins, but is still pretty complex for non-nix people. I would caution that not all of your clients may be willing or able to install or run third-party executables on their own systems and might be very limited to FTP both on their network and their systems. I am a big proponent of keeping both FTP and SFTP around for just such reasons. Pimp out SFTP as much as possible, but you can then fall back to FTP for those who won't "get it." <- snip -> We have a public facing FTP server that we would like to secure. We are = running a MS 2003 Active Directory domain and this box is running on = Win2k Server. What is the best way to secure this FTP server? I've = tried SFTP, but was just curious as to what else is out there. Right = now we are using the builtin IIS FTP server. Our goal is to provide a = public FTP server so that clients or customers can dropoff large files = there without the need to e-mail them. We aren't too keen on the fact = that FTP is cleartext and these are domain user/pass going back and = forth. Plus, we are a financial institution and any way to encrypt this = traffic would definitely be a plus....even if we have to provide a link = to connecting clients so that they can download a free secure FTP = client.
Current thread:
- Secure FTP aaronr (Mar 23)
- Re: Secure FTP Ali, Saqib (Mar 26)
- Re: Secure FTP Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Secure FTP Scott Ramsdell (Mar 26)
- Re: Secure FTP MaddHatter (Mar 26)
- RE: Secure FTP jbeauford (Mar 27)
- Re: Secure FTP Michael Louie Loria (Mar 28)
- RE: Secure FTP jbeauford (Mar 27)
- <Possible follow-ups>
- Re: Secure FTP Krymson (Mar 26)