Chapter 7 - Securing FTP Sites

Abstract

The file transfer protocol (FTP) component of the Internet information services (IIS) provides the ability to upload and download file to and from the IIS server, and allows the user to manipulate files remotely. The chapter focuses on techniques that secure the FTP content, along with methods for securing the FTP connection. FTP resources refer to content files served by the FTP server. To prevent unauthorized file uploading and downloading, these content files needs to be secured. This can be done by protecting individual FTP files or controlling user access. IIS 6.0 introduces FTP user isolation, a feature that enables the administrator to contain users to their own FTP directory. This is done by defining the user's home directory as their logical FTP root path, thus preventing users from accessing other users' contents. FTP user isolation is configured when protection of data access among different users is required. If it is required to put sensitive data on the FTP server, the communication between the client application and FTP server should be secured to prevent the data from being analyzed or user credentials from being intercepted and reused by attackers to gain access to the server. Along with securing the FTP connection, limiting the access of users based on their Internet protocol (IP) address reduces the possibility of channel attacks if the server is accessible by everyone in the network. The chapter highlights different ways of securing FTP connection to protect sensitive data transferred. It ends with a discussion enabling and uses of FTP access log file.