Windows 2000 provides an FTP service. Because it is simple, easy to use and closely integrated with Windows itself, it is very popular among users. But is an FTP server set up with IIS 5.0 really safe? Its default settings carry many security risks, and it can easily become a target for hackers. With a few modifications, you can make the FTP server more secure.
One. Cancel the anonymous access function
By default, the Windows 2000 FTP server allows anonymous access. Although anonymous access makes it easy for users to upload and download files, it carries great security risks. Users do not need to apply for a legitimate account to access the FTP server, and can even upload and download files. For FTP servers that store important data in particular, this can easily lead to leaks. Therefore, users are advised to cancel the anonymous access function.
In Windows 2000, click "Start → Programs → Administrative Tools → Internet Service Manager" to bring up the management console window. Then expand the local computer item on the left side of the window to see the FTP server that comes with IIS 5.0. Below I use the default FTP site as an example to explain how to cancel the anonymous access function.
Right-click the "Default FTP Site" item and select "Properties" from the menu. In the Default FTP Site Properties dialog box that appears, switch to the "Security Accounts" tab, clear the "Allow Anonymous Connections" check box, and finally click the "OK" button. Users can then no longer access the FTP server with an anonymous account and must have a valid account.
Two. Enable logging
Windows logs record all the information about the running system, but many administrators do not pay enough attention to logging and, in order to save server resources, disable FTP server logging. This should never be done. The FTP server logs record the access information of all users, such as access time, client IP address and the login account used. This information is very important for the stable operation of the FTP server. Once the server has a problem, you can view the FTP log, find the fault and eliminate it in time. So be sure to enable FTP logging.
In the Default FTP Site Properties dialog box, switch to the "FTP Site" tab and make sure the "Enable Logging" option is selected, so that you can view the FTP log records in the Event Viewer.
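To show what these log records make visible, here is an added example (not part of the original article) that reads FTP service log text and reports successful anonymous logins and client/account pairs with repeated failed logins. It assumes the site writes W3C Extended format log files with the fields time, c-ip, cs-method, cs-uri-stem and sc-status; the sample lines, IP addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not a real log), in the assumed W3C Extended layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
08:00:01 192.0.2.10 [1]USER CCEUSER 331
08:00:02 192.0.2.10 [1]PASS - 230
08:03:40 198.51.100.7 [2]USER anonymous 331
08:03:41 198.51.100.7 [2]PASS guest@example.com 230
08:10:00 203.0.113.5 [3]USER CCEUSER 331
08:10:01 203.0.113.5 [3]PASS - 530
08:10:03 203.0.113.5 [4]USER CCEUSER 331
08:10:04 203.0.113.5 [4]PASS - 530
08:10:06 203.0.113.5 [5]USER CCEUSER 331
08:10:07 203.0.113.5 [5]PASS - 530
"""

METHOD = re.compile(r"\[(\d+)\](\w+)$")   # "[session-id]COMMAND"

def analyse(log_text, threshold=3):
    """Return (anonymous_logins, suspects) found in FTP log text."""
    fields, pending = [], {}        # pending: (ip, session) -> user name sent
    anonymous, failures = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order comes from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip malformed or truncated lines
        rec = dict(zip(fields, parts))
        m = METHOD.match(rec.get("cs-method", ""))
        if not m:
            continue
        key, verb = (rec["c-ip"], m.group(1)), m.group(2).upper()
        if verb == "USER":
            pending[key] = rec["cs-uri-stem"]
        elif verb == "PASS" and key in pending:
            user = pending.pop(key)
            if rec["sc-status"] == "230" and user.lower() == "anonymous":
                anonymous.append((rec["time"], rec["c-ip"]))   # login succeeded
            elif rec["sc-status"] == "530":
                failures[(rec["c-ip"], user)] += 1             # login rejected
    suspects = {k: n for k, n in failures.items() if n >= threshold}
    return anonymous, suspects

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A successful anonymous login in the output means the "Allow Anonymous Connections" setting is still enabled on the site.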
Three. Set user access permissions correctly
Each FTP user account has certain access rights, but unreasonable user permission settings can also leave the FTP server with security risks. For example, suppose the CCE folder on the server should allow only the CCEUSER account to have read, write, modify and list permissions on it, with all other users denied access, but the system default allows other users to have read and list permissions on the CCE folder. In that case you must reset the user access rights for this folder.
Right-click the CCE folder, select "Properties" in the pop-up menu, and switch to the "Security" tab. First delete the Everyone account, then click the "Add" button to add the CCEUSER account to the name list box. Next, select the "Modify", "Read & Execute", "List Folder Contents", "Read" and "Write" options in the Permissions list box, and finally click the "OK" button. In this way, the CCE folder can only be accessed by the CCEUSER user.
Four. Enable disk quotas
FTP server disk space is a valuable resource, and allowing users unlimited use is bound to cause huge waste. The disk space used by each FTP user should therefore be limited. Below, the author takes the CCEUSER user as an example and limits it to only 100 MB of disk space.
In the Explorer window, right-click the drive letter where the CCE folder is located, select "Properties" in the pop-up menu, and switch to the "Quota" tab. Select the "Enable quota management" check box to activate all the quota setting options on the Quota tab. To prevent some FTP users from taking up too much server disk space, be sure to select the "Deny disk space to users exceeding quota limit" check box.
Then select the "Limit disk space to" option in the "Select the default quota limit for new users on this volume" box, enter 100 in the field that follows, and select "MB" as the capacity unit. Next, set the warning level: enter "96" in the "Set warning level to" field and select "MB" as the capacity unit. This completes the default quota setting. In addition, select the "Log event when a user exceeds their quota limit" and "Log event when a user exceeds their warning level" check boxes to log quota alarm events to the Windows log.
Click the "Quota Entries" button at the bottom of the Quota tab to open the quota entries dialog box, then click "Quota → New Quota Entry" to bring up the Select Users dialog box. After selecting the CCEUSER user, click the "OK" button. Then set the quota parameters for the CCEUSER user in the "Add New Quota Entry" dialog box: select the "Limit disk space to" option, enter "100" in the field that follows, and enter "96" in the "Set warning level to" field, with "MB" as the capacity unit for both. Finally, click the "OK" button to complete the disk quota setting. The CCEUSER user can then use only 100 MB of disk space, and a warning is issued once usage exceeds 96 MB.
Five. TCP/IP access restrictions
To ensure the security of the FTP server, you can also deny access from certain IP addresses. In the Default FTP Site Properties dialog box, switch to the "Directory Security" tab, select the "Granted Access" option, and then click the "Add" button next to the "Except those listed below" list to bring up the "Deny Access On" dialog box. Here you can deny access from a single IP address or a group of IP addresses. Taking a single IP address as an example, select the "Single Computer" option, enter the IP address of the machine in the "IP Address" field, and finally click the "OK" button. IP addresses added to the list in this way cannot access the FTP server.
Six. Configure Group Policy sensibly
By modifying Group Policy settings, you can also enhance the security of the FTP server. In Windows 2000, go to "Control Panel → Administrative Tools" and run the Local Security Policy tool.
1. Audit account logon events
In the Local Security Settings window, expand Security Settings→Local Policies→Audit Policy, and find the "Audit account logon events" item in the right frame. Double-click to open it, select "Success" and "Failure" in the settings dialog box, and finally click the "OK" button. After the policy takes effect, each login by an FTP user is recorded in the log.
2. Strengthen password complexity
Some FTP account passwords are set too simply and may well be cracked by "criminals". To improve the security of the FTP server, users must be forced to set complex account passwords.
In the Local Security Settings window, expand Security Settings→Account Policies→Password Policy. In the right frame, find the "Password must meet complexity requirements" item. Double-click to open it, select the "Enabled" option, and finally click the "OK" button.
Then open the "Minimum password length" item and set the minimum number of characters for FTP account passwords. This greatly improves password security.
3. Account login restriction
Some illegal users use hacking tools to log in to the FTP server repeatedly in order to guess account passwords. This is very dangerous, so it is recommended that you limit the number of account login attempts.
Expand Security Settings→Account Policies→Account Lockout Policy. In the right frame, find the "Account lockout threshold" item. Double-click it and set the maximum number of account login attempts. If this value is exceeded, the account is automatically locked. Then open the "Account lockout duration" item to set how long the FTP account stays locked. Once an account is locked, it can be used again after this time has passed.
After completing the above settings, the user's FTP server will be more secure, and there is no longer any need to fear illegal intrusion.