Set Up Secure FTP on Windows 2003 Server

For large amount of data interchange, FTP is always a good solution. That one should secure such a site is obvious. Internet Information Services 6 from Microsoft, or IIS 6, lets you implement corporate intranets or use over the Internet quite easily. Using Windows Server 2003 to support IIS is a good option not only to set up FTP sites, but also to have complete security over the transactions happening on them.

There are some preliminary steps necessary first. Installing IIS over Server 2003 does not install the FTP services by default. These will have to be specifically enabled in the IIS basket of services. The server is installed as an application server and includes the IIS service. To enable FTP services you will need to go through the “add/remove programs” option on the control panel. You’ll have to select “add/remove windows components.” Then select Applications Server by clicking on the checkbox for it. Consult the set of screenshots in the next section for the sequence of doing these operations. Click on the Detail button as shown on the IIS screen to get to the next screen which provides you the options of FTP services (shot 3).

Clicking on the OK button will start the installation if you have the installation CD ready in the CD drive, else you’ll have to provide that. You may, of course, provide a file path to a network distribution point. When the installation is done click “finish” and come out. Your default FTP site is now ready. The properties of this site need to be set up as any request for FTP will end up on this spot. The simplest way to separate out this as well as other sites created on the Server set up is to associate IP addresses with each one of them.

To set up this and other properties you’ll need to get to the properties page of this default site. Activating the IIS manager in administrative tools will show you the FTP site. Right clicking will bring up the properties wizard. IP address, TCP port, FTP site connections and log enable are properties that need to be set on the Default FTP site properties, FTP site tab. We need to allocate one of the IP addresses assigned for setting up FTP sites. The default for the TCP port is 21 and can be left as such. FTP site connections can be set as unlimited or you can set a specific number. The timeout parameter in seconds will define when a connection request will be timed out. Checking the enable logging check box will ensure you have a log available for the FTP events. Select one of the log file formats that is appropriate for your organization.

Based on these default templates, you would be able to set up specific FTP sites. The FTP site creation wizard takes you through the steps of creating a specific site. For all new sites you’ll need to specify a unique name, a unique IP address, TCP (default 21) port number and if you want user isolation. User isolation is a feature by which even users on the same FTP site and same virtual directory can be isolated from each other. No user would be able to view the files in the directory of the other user.

Three options available under isolation feature are no isolation, isolate users and isolate users using Active Directory. If “no isolation” is selected users can see each other’s FTP home directory. With the standard isolation choice, this is prevented and users are required to be authenticated by user name and password. Each user will need to be assigned a home directory within the root directory of the FTP site. Under the Active Directory option users need to be assigned a home directory that is configured using the Active Directory user account.

The configuration wizard also lets you set if the site will be read only, write only or both. If it is going to be used for downloads only, it should be read only. While, in general, anonymous FTP not being allowed is more secure, there are situations where they may have to be allowed. Access for downloading datasheets is one such situation. One can specify a particular user name and password authentication for anonymous access. IP restrictions as well as file system restriction can provide additional levels of security. You should require strong passwords to be specified. Set account lockout on wrong attempts too.