Q: I've set up a Win2k Web server using IIS 5.0. I have also set up a secure site using dummy certificates from another internal server. (We're still in testing stages.) I'm having lots of problems with FTP. I have been able to connect to the default FTP server through a browser on a dial-up but not over our DSL router. And now I cannot connect at all except through a command prompt. Can you tell me the best permissions to use for FTP and is there any way to use certificates with it to make it secure?
A: There are a couple of different issues here, and I'll handle them one-by-one.
First, you're concerned about the security of FTP. FTP, the application protocol, provides minimal security in the form of clear-text authentication. So, it's possible to keep unwanted users out of your FTP server by disabling anonymous authentication and restricting file permissions within NTFS to specific accounts. This security is very weak by modern standards. The username and password are sent across the network completely unencrypted, so anyone with access to your network (or any network between the client and server) could read the username and password. This isn't a complex attack; there are hacker tools available that anyone could use that will gather a list of usernames and passwords from passing FTP traffic.
The best practice for securing FTP is not to use FTP. IIS 5.0 provides all of the capabilities of FTP within the HTTP protocol. HTTP, as you already know, can be encrypted. If you're forced to use FTP, the only way to make the protocol more secure is to tunnel it inside of a secure session. This can be done with any type of VPN, including the IPSec software built into Windows 2000.
Your second issue related to connecting to FTP through your DSL router. There's nothing specific to DSL circuits that would cause a problem with FTP, so your best bet is to troubleshoot it like any FTP connectivity problem. Most likely, there's a firewall in the way. The FTP protocol itself is far too complex to go into sufficient detail here, so I will refer you to a chapter of a book I wrote a couple of years ago. The book is called NT Network Plumbing, and it is now available online. Though it was written for NT4, none of the technical details of FTP have changed. Here's a link to the chapter on FTP.
This was first published in January 2001
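The clear-text login described in the answer can be audited from a recorded control channel. The following is an added example, not part of the original answer: it walks the USER/PASS exchange and the server's reply codes (331, 230, 530 as defined in RFC 959) and reports which accounts had a password cross the wire unencrypted and whether anonymous login was accepted, without echoing the password itself. The function name and both sample sessions are constructed for illustration.

```python
ANON_NAMES = {"anonymous", "ftp"}  # conventional anonymous login names

def audit_control_channel(events):
    """Audit one FTP control connection.

    events: iterable of (direction, raw_line); direction is "C" (client)
    or "S" (server). Returns one finding per password sent in clear text.
    """
    findings, user, pending = [], None, None
    for direction, raw in events:
        line = raw.decode("latin-1").rstrip("\r\n")
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS" and user is not None:
                pending = {
                    "user": user,
                    "anonymous": user.lower() in ANON_NAMES,
                    # Record only the length: the report must not leak the secret again.
                    "password_chars_exposed": len(arg),
                    "accepted": None,
                }
                findings.append(pending)
        elif pending is not None and line[:3].isdigit() and line[3:4] != "-":
            # Final reply line ("230 ..."); "230-..." is a multi-line continuation.
            code = int(line[:3])
            if code == 230:
                pending["accepted"], pending = True, None
            elif code >= 400:
                pending["accepted"], pending = False, None
    return findings

# Constructed sample sessions (not captured from any real server).
SESSION_NAMED = [
    ("S", b"220 Service ready\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS S3cret!pw\r\n"),
    ("S", b"230 User logged in\r\n"),
]
SESSION_ANON = [
    ("S", b"220 Service ready\r\n"),
    ("C", b"user anonymous\r\n"),
    ("S", b"331 Send e-mail address as password\r\n"),
    ("C", b"pass guest@example.com\r\n"),
    ("S", b"230-Welcome\r\n"),
    ("S", b"230 Anonymous user logged in\r\n"),
]

if __name__ == "__main__":
    for session in (SESSION_NAMED, SESSION_ANON):
        print(audit_control_channel(session))
```

Any named account the audit reports should be treated as having an exposed password, and an accepted anonymous login means anonymous authentication is still enabled on the server.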