securing IIS 5.0 FTp server

[mobogasm]

Can someone point me to some tips on securing IIS 5.0 for FTP server only use? I already have all service pack updates/hot fixes/security patches. Thanks.

 

[wetcat007]

I myself would recomend you use BulletProof FTP 2.15 (for ftp serving), but I guess it's personal preference.

 

[mobogasm]

Thanks for the recommendation but I don't really have a choice in this situation.

How come when I disable anonymouse access for the FTP server it says that it will cause all passwords to be transmitted in clear text???? What am I doing wrong? I do not want anonymous access nor do I want passwords to be transmitted in clear text.

 

[Poontos]

You cannot really secure IIS 5.0 FTP server.

For the most part, MS FTP is based on the standard FTP protocol, which, by itself does not encrypt authentication traffic, therefore, all FTP communication is transmitted in clear text. There is no way around this with MS FTP, and the majority of FTP server daemons unless of course, a third party encryption protocol like SFTP is utilized. However, this of course means that your clients need to utilize software that supports FTP encryption.

You can download Serv-U FTP server for personal use for free the last I checked. It's an extremely rock solid FTP server platform/solution.

If you have absoultely NO choice but to stick with IIS FTP (difficult for me to understand ), try here.

 

[jleon]

The files transfer protocol (ftp) is inherently insecure, just like telnet. It uses cleartext password and there is no way to change that. There are work-arounds that people have used such as ftp over an established vpn tunnel, etc.

Best bet is what Poontos mentioned. Research into setting up a ssh server/service and use sftp (secure ftp). There are windows versions of it as well.

g'luck!

 

[Fallen Kell]

ROFLMAO.... Security on IIS? Those two things are mutually exclusive (i.e. you can't have them both at the same time).

 

[Poontos]

Originally posted by: Fallen Kell
ROFLMAO.... Security on IIS? Those two things are mutually exclusive (i.e. you can't have them both at the same time).

Funny. Point me to a properly setup Windows 2000 Server with IIS locked down, that is hacked.

 

[wetcat007]

Originally posted by: Poontos

Originally posted by: Fallen Kell
ROFLMAO.... Security on IIS? Those two things are mutually exclusive (i.e. you can't have them both at the same time).

Funny. Point me to a properly setup Windows 2000 Server with IIS locked down, that is hacked.

microsoft.com had their dns servers attacked sucessfully about 6 months ago, lol just showing u something, nothing is 100% secure linux, apache and so on hjave all had their share of security breaches.

 

[mobogasm]

ok back to my original question, lets stop the flame wars microsoft vs linux etc. I just want to lock this thing down as much as possible regardless of how well it is locked down as compared to another ftp server.

 

[Poontos]

Originally posted by: mobogasm
ok back to my original question, lets stop the flame wars microsoft vs linux etc. I just want to lock this thing down as much as possible regardless of how well it is locked down as compared to another ftp server.

Click on the "here" link in my original post.