
FTP security questions

GaryGnu

Member

I'm setting up an FTP server to share some pictures temporarily for about 20 people. I want to allow people to upload or download pictures for a period of about a month. I tried this before and used anonymous access, and eventually got hacked and was storing some pirated movies or something. I have since learned my lesson with that, and I reformatted and reinstalled the OS to take care of that issue.

I'm using Windows 2000 and have IIS configured to allow Reads and Writes. I created a restricted Windows account with password to allow access. I do have an Administrator account created with a non-obvious password.

Even with the username/password what security risks am I opening myself up for? And are there any better (simple) alternatives? I've done some web searches and I've read conflicting views.

Thanks in advance.

-- Gary
 
Plain ol' FTP, even if it's well-secured and fully patched, has a few problems.

Most notable and the one you can't really do anything about is that everything is sent "in the clear," including usernames and passwords. So, if a person has access to the data path, conceivably they have access to your data.

A fairly common attack is to establish a "man-in-the-middle" position and start capturing. The scripts and applications are commonly available. The likelihood of something like that happening to your data and resources is something you need to determine.

What can you do about it?

There are some FTP servers that permit encryption; my personal favorite in the Windows environment is Filezilla. It gives you several ways to pass your data via an encrypted link, and it's free. Of course, the clients must also support the chosen encryption suite. Fortunately, there is also a Filezilla client that supports encryption.

If you have a few bucks laying around, you could also use an SSH service. Most SSH server applications also provide SFTP through the same encrypted tunnels.


My favorite is WinSSHD from Bitvise

One of the nice things is that it will use the AD for authentication and authorization by user or group, by default. It permits all of the tunnelling provided by SSH ... and it's a solid performer. Personal use licenses are ~US$35.00 or so. Commercial and educational licenses are more but still very reasonable.

Good Luck

Scott
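Scott's point that plain FTP sends usernames and passwords "in the clear" is easy to confirm from a capture of the control channel. The following is an added example (not from this thread or from any of the products named in it): a small audit function that reads an FTP control-channel transcript and reports whether credentials were visible to an on-path observer or whether the session upgraded to TLS (the explicit FTPS `AUTH TLS` exchange) before logging in. Both transcripts are constructed; the host, account name and password in them are made-up sample values.

```python
# Added example: classify a captured FTP control-channel transcript by whether
# the login would be readable by anyone on the data path. Not code from the
# thread or from FileZilla/IIS; the two transcripts below are constructed.
import re

# Constructed sample: a plain FTP login, exactly as a passive observer sees it.
PLAIN_SESSION = """\
220 Picture share FTP ready
USER pictures
331 Password required for pictures
PASS Summer2024!
230 User logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
RETR team_photo_01.jpg
"""

# Constructed sample: explicit FTPS (RFC 4217). Once the server accepts
# AUTH TLS, the rest of the control channel is encrypted, so USER/PASS and
# file names never appear in a clear-text capture.
FTPS_SESSION = """\
220 Picture share FTP ready
AUTH TLS
234 Proceed with negotiation
"""

CRED_CMDS = ("USER", "PASS")
FILE_CMDS = ("RETR", "STOR")


def audit_ftp_session(text):
    """Summarise one control-channel transcript.

    Returns a dict with:
      tls_negotiated      True if AUTH TLS/SSL got a 2xx reply before any login
      exposed_credentials (command, argument) pairs readable by an observer
      visible_files       file names from RETR/STOR commands sent in the clear
      verdict             "tls", "cleartext" or "no-credentials-seen"
    """
    exposed, files, tls = [], [], False
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            # The upgrade only counts if the server's next reply is 2xx (234).
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if re.match(r"2\d\d\b", nxt):
                tls = True
                break  # everything after this point is encrypted
        elif cmd in CRED_CMDS:
            exposed.append((cmd, arg))
        elif cmd in FILE_CMDS:
            files.append(arg)
    if tls:
        verdict = "tls"
    elif exposed:
        verdict = "cleartext"
    else:
        verdict = "no-credentials-seen"
    return {"tls_negotiated": tls, "exposed_credentials": exposed,
            "visible_files": files, "verdict": verdict}


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("ftps", FTPS_SESSION)):
        print(name, audit_ftp_session(session))
```

Run against the plain transcript it reports the account name, the password and the file name as exposed; against the FTPS transcript it reports only that TLS was negotiated, which is the property Scott is recommending you buy with an encrypting server and a matching client.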
 
I would not use Windows built in FTP at all. I would use something like FileZilla Server. http://filezilla-project.org

You can configure it quite easily and also restrict access per IP address. I had it set to block all (*.*.*.*) but allow only local subnet on LAN and certain IP addresses from the outside. You can use wildcards like 192.168.1.* or even 192.168.*.* for a friend's ISP subnet range. Windows 2000 is hardly secure enough compared to this.
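The "block everything, then allow a few ranges" filter described above is worth understanding precisely, because a wildcard in the wrong octet quietly admits far more addresses than a friend's ISP. The following is an added example, not FileZilla Server's own code: a Python evaluator for that notation (`*` matching one whole octet) with the semantics assumed here that an allow match wins, a block match then rejects, and anything else is admitted, so `*.*.*.*` in the block list turns the default into deny. The rule lists and addresses are constructed from documentation ranges.

```python
# Added example: evaluate a FileZilla-style IP filter (block list plus allow
# exceptions, '*' = any value for that octet). The precedence rule "allow
# beats block, otherwise allow" is an assumption for this example, not a
# statement about FileZilla Server's implementation.
import ipaddress

# Constructed rule set: block the world, then admit the LAN and two outside ranges.
BLOCK = ["*.*.*.*"]
ALLOW = ["192.168.1.*", "203.0.113.7", "198.51.100.*"]


def _check_pattern(pattern):
    """Validate a dotted pattern and return its four octet strings."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad pattern {pattern!r}: expected four dotted octets")
    for o in octets:
        if o != "*" and not (o.isdigit() and 0 <= int(o) <= 255):
            raise ValueError(f"bad pattern {pattern!r}: octet {o!r}")
    return octets


def ip_matches(pattern, addr):
    """True if IPv4 addr matches pattern, '*' standing for any single octet."""
    p = _check_pattern(pattern)
    a = str(ipaddress.IPv4Address(addr)).split(".")  # also validates addr
    return all(x == "*" or x == y for x, y in zip(p, a))


def is_allowed(addr, allow=ALLOW, block=BLOCK):
    """Decide whether a client address may connect under the assumed precedence."""
    if any(ip_matches(p, addr) for p in allow):
        return True
    if any(ip_matches(p, addr) for p in block):
        return False
    return True


def pattern_size(pattern):
    """Number of addresses a pattern admits: 256 per wildcard octet."""
    return 256 ** _check_pattern(pattern).count("*")


def broad_allow_patterns(allow=ALLOW):
    """Allow entries wider than one /24, i.e. two or more wildcard octets.

    192.168.*.* is private space, but 203.*.*.* admits 16 million public
    addresses; reviewing these before deploying the filter is the check
    that keeps 'allow my friend's ISP' from becoming 'allow most of the internet'.
    """
    return [p for p in allow if _check_pattern(p).count("*") >= 2]


if __name__ == "__main__":
    for client in ("192.168.1.42", "203.0.113.7", "203.0.113.8", "8.8.8.8"):
        print(client, "allowed" if is_allowed(client) else "blocked")
    print("broad entries:", broad_allow_patterns(["192.168.1.*", "203.*.*.*"]))
```

With the constructed lists, the LAN host and the two outside ranges get in and everything else is rejected; `broad_allow_patterns` flags the kind of entry that deserves a second look before the server is exposed.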
 
OK, but someone intercepted my username/password, what exactly is that going to get them? Access to our youth football team pictures? Because that's all that will be on this computer. This particular computer will have nothing else on it. It's a spare computer I have lying around, and this is its only purpose. It is, however, connected to my LAN with about 4 other computers.
 
There are (or were, if you are fully patched & compliant) a number of vulnerabilities in IIS and / or the IIS FTP service.

Full access and control of the machine is / was possible.

Do whatever you want, now you know you have some options.


Good Luck

Scott
 
IIS 6.0 can be secured well too, http://www.microsoft.com/techn...4b783e20.mspx?mfr=true
However, authentication is done differently with Windows Native applications. It is done by users policies rather than ID and password.

The decision which way to go is a system decision. If you already use IIS then secure it and you are done.
Otherwise, I agree with Scott: for your specific purpose, FileZilla used in sFTP mode is probably the solution.
 
The underlying problem is that I will have a bunch of clueless people attempting to copy pictures. Finding the location of their pictures on their hard drive will be an adventure for them. Having them each download filezilla clients is not going to work.
 
Easy enough then.

Bring up a straight HTML page with a bunch of links that will trigger an FTP download to their machine.

It'll look something like: <a href="ftp://anonymous@your.server.address/directory/filename.jpg">Title of picture</a>

As long as the content isn't security sensitive, anonymous works OK. The Web page links are something most people can handle.

The syntax might be a little off, I'm away from my reference text, but you should get the idea.

Good Luck

Scott
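The link page Scott sketches is simple to generate, and the one detail worth getting right is encoding: picture names with spaces or parentheses break a bare `ftp://` URL unless they are percent-encoded, and the link text must be HTML-escaped. The following is an added example, not from this thread: a Python generator for that static page. The host name `your.server.address` and the directory `pictures` are placeholders; the file list is constructed. It only produces download links, so anonymous access on the server still needs to be read-only, with uploads left to the password-protected account.

```python
# Added example: build the static HTML page of ftp:// download links described
# in the thread. Host and directory are placeholders; the file names passed in
# the usage block are constructed.
import html
from urllib.parse import quote

FTP_HOST = "your.server.address"   # placeholder, replace with the real host
FTP_DIR = "pictures"               # placeholder directory on the FTP server
PICTURE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def ftp_link(filename, host=FTP_HOST, directory=FTP_DIR):
    """Return a well-formed ftp:// URL for an anonymous download of filename.

    Each path segment is percent-encoded (safe="" also encodes '/'), so a name
    like 'game 3 (final).jpg' stays inside the URL. Only the anonymous user is
    named; a real password must never be embedded in a link like this.
    """
    segments = [quote(part, safe="") for part in (directory, filename) if part]
    return f"ftp://anonymous@{host}/" + "/".join(segments)


def build_page(filenames, title="Team pictures"):
    """Render an HTML page with one list item per picture file."""
    items = []
    for name in sorted(filenames):
        if not name.lower().endswith(PICTURE_EXTENSIONS):
            continue  # publish pictures only, nothing else that lands in the folder
        href = html.escape(ftp_link(name), quote=True)
        items.append(f'  <li><a href="{href}">{html.escape(name)}</a></li>')
    body = "\n".join(items)
    safe_title = html.escape(title)
    return (
        "<!DOCTYPE html>\n"
        f'<html><head><meta charset="utf-8"><title>{safe_title}</title></head>\n'
        f"<body>\n<h1>{safe_title}</h1>\n<ul>\n{body}\n</ul>\n</body></html>\n"
    )


if __name__ == "__main__":
    # Constructed listing; in practice use os.listdir() on the shared folder.
    sample = ["game 3 (final).jpg", "team_photo_01.jpg", "notes.txt"]
    print(build_page(sample))
```

Feeding the script the directory listing of the shared folder (for example via `os.listdir`) and saving the output as `index.html` on any web server gives the "straight HTML page with a bunch of links" described above.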
 
Originally posted by: GaryGnu
The underlying problem is that I will have a bunch of clueless people attempting to copy pictures. Finding the location of their pictures on their hard drive will be an adventure for them. Having them each download filezilla clients is not going to work.

Um, who said they needed to download FileZilla clients? FileZilla Server is an FTP server application. It will work through any FTP client, even Windows Explorer FTP sessions...

I pity anyone that uses IIS. It's the biggest pile of crap I have ever seen. I'd also like to slap the crap out of Microsoft for Sharepoint. That's another story though.
 
Filezilla does work (very well!) for "regular" FTP. The point was that to use one of the encrypted modes that Filezilla Server offers, you need to run a client that also supports that encrypted mode, of which FileZilla Client is easily available and you know it's supported.

At the time of that post it hadn't been established as to whether the information was sensitive or not.

FWIW

Scott
 
Originally posted by: ScottMac
Filezilla does work (very well!) for "regular" FTP. The point was that to use one of the encrypted modes that Filezilla Server offers, you need to run a client that also supports that encrypted mode, of which FileZilla Client is easily available and you know it's supported.

At the time of that post it hadn't been established as to whether the information was sensitive or not.

FWIW

Scott

Pictures to 20 people...if he uses FileZilla Server and blocks *.*.*.* (only allowing the IP ranges he wants afterwards) then how will anyone gain access that he doesn't want?

I've never used encryption for FTP, ever. Don't see a reason to. I don't see anything from the OP stating that's what he wanted. If anything he seems like he just wants a safe and secure FTP, which IIS will not provide and FileZilla Server will.
 
Picture ScottMac as a very senior network specialist. Not too many people around here have his level of knowledge.

FileZilla and the IIS FTP part are both FTP servers but have a totally different approach to authentication and security.

To use secure FileZilla the client needs to install FileZilla and whatever is needed for the encryption.

The OP states clearly.

The underlying problem is that I will have a bunch of clueless people attempting to copy pictures. Finding the location of their pictures on their hard drive will be an adventure for them. Having them each download filezilla clients is not going to work.
 