TheTAZZone - Internet Chaos

Securing a Windows 2000 FTP server

ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post… we do not sell, publish, transmit, or have the right to give permission for such… TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network

Securing a Windows 2000 FTP Server – For foxy

Windows 2000 comes with an FTP server included with IIS 5.0. Surprisingly, and contrary to common belief, it is quite secure and includes a good variety of features!

Here I will list most of the fundamental aspects of securing a Win 2000 FTP server.

Most of the following settings require the FTP store to be on an NTFS partition, so if it is on a FAT partition it is a good idea to convert it.


Anonymous Access:

The most common and obvious thing to do is to disable Anonymous Access if it is not needed. Unfortunately Windows 2000 FTP has this enabled by default.

If you leave Anonymous Access enabled no user account is required to access the server.

Once anonymous access is disabled all users will be required to have an account to access your server; these accounts can be further locked down to your specifications with the use of Access Control Lists (ACLs), which are defined on the home directory of the FTP server.

To disable it:
Default site properties > Security Accounts > Uncheck Allow Anonymous Connections.

Enable Disk Quotas.
Once you have disabled Anonymous Access and forced users to have a user account, you can limit the amount of disk space that an individual user can have. This is handy if a certain user constantly uploads needlessly large files or when space is running low.
Before assigning a disk quota to a user you need to turn the feature on, on the drive that the FTP store is located on.

Right click the relevant drive > Properties > Quota > Check ‘Enable quota management’ > Check ‘Deny disk space to users exceeding quota limit’ > Set ‘Limit disk space to’ to the relevant size you want. The limit may depend on the size of your Hard Drive, amount of users with accounts etc.

This is a setting I usually apply only when I am running low on disk space.
Whilst here, you also need to set the warning level. I usually set this to around 5 MB below the allowed limit; the users will be issued with a warning when they are approaching their maximum limit.
This will affect all users on the server.

If you want to set it for individual users, whilst in the same window:
Quota Entries > Double click the desired user name > Set the quota you want to define for the user in the same way as above.

The settings here will override the setting in the default drive quota management window we used earlier.

Restriction of IP addresses:
The best way, I feel, to secure your FTP server is to restrict connections by IP address, although this is not always feasible, for example when external clients connect from dynamic IP addresses.

This can be looked at in two ways: you can either deny all connections except the ones you list, OR you can grant all connections except the ones you have listed.
For internal FTP servers I usually ‘deny all’ except for the listed IPs, but if your FTP server has mainly external clients connecting to it, it will be best to ‘allow all’ except for the listed IPs. Examine the logs regularly to spot any repeated unauthorised attempts and add the IP to your list.

To enable the IP restriction feature:
FTP site properties > Directory Security > Set the default action to either Grant Access or Deny Access > Add > Enter the IP address and the subnet mask accordingly.

If you grant access by default it is fairly important to keep checking your logs so you can pick out IPs to block. However, by default Win 2000 FTP does not have logging enabled!

Enable Logging:
The only way to effectively identify any attacks and to monitor usage of your FTP server is to regularly examine your connection logs in conjunction with your logon/logoff logs.

You enable logging by:
FTP site properties > FTP Site > Enable logging > Select the relevant format you want the logs to appear in. W3C extended format is the most common.

So far we have secured the server to the extent that everyone will need to have a user account, can only use a certain amount of disk space, has to have an authorised IP address (or an IP address that has not been blocked), and will leave entries in the log upon connection.
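The log review recommended above (spot repeated unauthorised attempts, then add the source IP to the Deny list) can be scripted. This is an added example, not part of the original post: it parses IIS 5.0 W3C extended FTP log lines using the #Fields header and counts PASS commands the server answered with 530 (login failed). The log content is constructed for illustration; the field layout assumed is the default one IIS writes for the FTP service.

```python
"""Flag source IPs with repeated failed FTP logons in IIS 5.0 W3C extended logs."""
from collections import Counter

# Constructed sample log, not taken from any real server. IIS prefixes the
# FTP command with the connection number, e.g. "[2]PASS".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-01 10:00:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:00:01 192.168.1.5 [1]USER nokia 331
10:00:02 192.168.1.5 [1]PASS - 230
10:00:04 10.0.0.9 [2]USER administrator 331
10:00:05 10.0.0.9 [2]PASS - 530
10:00:06 10.0.0.9 [3]USER administrator 331
10:00:07 10.0.0.9 [3]PASS - 530
10:00:09 10.0.0.9 [4]USER administrator 331
10:00:10 10.0.0.9 [4]PASS - 530
10:00:12 192.168.1.7 [5]USER foxy 331
10:00:13 192.168.1.7 [5]PASS - 530
10:00:20 192.168.1.7 [6]USER foxy 331
10:00:21 192.168.1.7 [6]PASS - 230
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def failed_logons_by_ip(text):
    """Count PASS commands that the server rejected with status 530."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"].endswith("PASS") and rec["sc-status"] == "530":
            counts[rec["c-ip"]] += 1
    return counts

def ips_to_review(text, threshold=3):
    """IPs at or above the threshold: candidates for the Directory Security Deny list."""
    return sorted(ip for ip, n in failed_logons_by_ip(text).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in failed_logons_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed logon(s)")
    print("review:", ips_to_review(SAMPLE_LOG))
```

A single 530 (as for 192.168.1.7 above) is usually a mistyped password; the threshold keeps those off the review list.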

Strengthening user ACLs:
ACLs are where we define whether a user can write to the FTP site, read from it, or do both, amongst other things.

Open up the FTProot Properties page. The first thing to check is whether the ‘Everyone’ group is there with full rights. If so, you will struggle to control any user’s rights/permissions and should remove the group.

You can use the Authenticated Users group to apply settings to all users who have successfully logged in, or you can add a user by name and apply the settings individually.

If you want to stop a user uploading any files, deny them Write permissions. In almost all cases all but the most trusted users should be denied Execute permissions.

List folder contents pretty much speaks for itself and should be granted or denied at your discretion.

If you want all users to be able to upload files to your server but not download any, rather than denying them Read access you can set your FTP server to be a ‘Blind Put’.

Blind Put:
As stated, if you have a Blind Put configured then, as the name suggests, the user can only ‘put’ files on the server ‘blindly’. This is preferable if you want to give NO user read permissions, and it also has the benefit of limiting what an unauthorised user could do should they manage to gain access to the server.

In the default FTP Site Properties > Home Directory > FTP Site Directory, make sure that ‘Read’ access is unchecked; Write and Log Visits should remain checked.

The most common form of attack on an FTP server is a password cracking attempt. The only sure way to defeat a password guessing attempt is to force your users to use strong passwords and to have an account lockout policy.

Without either of these a password could be guessed quickly and the attacker will have unlimited attempts to try and guess the password.

People tend to look at this issue in one of two ways: either the lockout policy is strong enough that the attacker won’t be able to guess the password anyway, so the strong password policy is not needed, or there is a decent enough password policy that an attacker will not be able to guess the password, so the account lockout policy is not needed.

Personally I think they go hand in hand with each other and should be used together, not one or the other.

Enable Strong Password Policy:
By enabling the ‘Passwords Must Meet Complexity Requirements’ component in the Local Security Policy or Group Policy, users will be forced to adhere to the following restrictions when setting their passwords:

Must not contain all or part of the user’s account name
Must be at least 6 characters in length
Must contain characters from 3 of the following groups:
English uppercase characters (A – Z)
English lowercase characters (a – z)
Base 10 digits (0 through 9)
Non-alphanumeric characters (e.g. @:)*^&£$”)
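The rules above are simple enough to check before a password is handed to a user. This added example (not from the original post) encodes them as listed: the only assumptions are that any character outside A-Z, a-z and 0-9 counts as non-alphanumeric, and that “all or part of the account name” is checked by looking for the account name inside the password, case-insensitively.

```python
"""Check a candidate password against the Windows 2000 complexity rules listed above."""

MIN_LENGTH = 6       # Windows 2000 requires at least six characters
REQUIRED_GROUPS = 3  # characters from three of the four groups below

def character_groups(password):
    """Return the set of character groups the password draws from."""
    groups = set()
    for ch in password:
        if "A" <= ch <= "Z":
            groups.add("upper")
        elif "a" <= ch <= "z":
            groups.add("lower")
        elif "0" <= ch <= "9":
            groups.add("digit")
        else:
            # Assumption: anything else (@:)*^&£$" and so on) is non-alphanumeric.
            groups.add("symbol")
    return groups

def complexity_failures(password, account_name):
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    # Assumption: "all or part of the account name" is treated as the account
    # name appearing anywhere in the password, ignoring case.
    if account_name and account_name.lower() in password.lower():
        failures.append("contains the account name")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_groups(password)) < REQUIRED_GROUPS:
        failures.append(f"uses fewer than {REQUIRED_GROUPS} character groups")
    return failures

def meets_complexity(password, account_name):
    """True when the password satisfies every rule."""
    return not complexity_failures(password, account_name)

if __name__ == "__main__":
    # Constructed test values, not real credentials.
    for pw, user in [("Foxy123", "foxy"), ("Tz!9qa", "nokia"), ("password", "nokia")]:
        print(pw, "->", complexity_failures(pw, user) or "OK")
```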

To open the local group policy, type ‘gpedit.msc’ in either the run prompt or the command prompt.

Computer Configuration > Security Settings > Password Policy > Enable ‘Passwords must meet complexity requirements’.

There are other settings you can enable here should you wish; they all pretty much speak for themselves. Be careful if disabling the ‘Store passwords using reversible encryption’ option, as some authentication protocols such as CHAP need this setting to be enabled.

Account lockout policy:

Whilst in this screen we can also set the account lockout policy.

Account lockout policy > Account lockout duration, Account lockout threshold, and reset account lockout after…

I usually go for the following options for my external FTP servers:

Account lockout duration – 60 Minutes
Account lockout threshold – 3 Attempts
Reset account lockout counter after – 30 minutes

This is just a policy that suits my needs and yours may differ!

These settings will lock an account out for 60 minutes after three wrong password attempts.

The final thing we need to do is to ensure that we are auditing successful and unsuccessful logon attempts, so that we notice when an unauthorised access attempt has been made on an account and where the attempt originated from.

Auditing Logon Events:
To set the account auditing level we want we use ‘gpedit.msc’ again.

Computer Configuration > Security Settings > Local Policies > Audit policy > at the very minimum we need to enable auditing for successful and failed logon events.

After enabling this, all logon attempts, whether successful or unsuccessful, will be logged in the Event Viewer. Get to the Event Viewer by typing eventvwr.msc into the run prompt. All logon attempts will be under the Security log in the Event Viewer.

Obviously not all of these settings will be relevant to you or your FTP server, but at a very minimum for an external FTP server the following should be observed:

Disable Anonymous Accounts
Ensure the Execute permission is denied to all but the most trusted users
Ensure the Password must meet complexity requirements is set
Have an Account lockout policy enabled in conjunction with the password policy, not instead of it.

Hope it helped!

Nokia
