But is an FTP server set up with IIS 5.0 really safe? Its default settings carry a number of security risks and make it an easy target for attackers. With a few adjustments, the FTP server can be made considerably more secure.
1. Disable anonymous access
By default, the FTP server in Windows 2000 allows anonymous access. Although anonymous access is convenient for users uploading and downloading files, it is a serious security risk: anyone can reach the FTP server without applying for a legitimate account, and may even be able to upload and download files. On FTP servers that store important information this easily leads to leakage, so disabling anonymous access is recommended.
In Windows 2000, click "Start → Programs → Administrative Tools → Internet Services Manager" to open the management console. Expand the local computer node on the left side of the window and you will see the FTP server that ships with IIS 5.0. Below, the author uses the Default FTP Site as an example of how to disable anonymous access.
Right-click "Default FTP Site", choose "Properties" from the context menu, and the Default FTP Site Properties dialog opens. Switch to the "Security Accounts" tab, clear the "Allow Anonymous Connections" check box, and click "OK". Users can no longer access the FTP server with the anonymous account and must have a legitimate account.
2. Enable logging
Windows logs record information about everything the system does, yet many administrators pay too little attention to logging. Disabling FTP server logging to save server resources is a mistake. The FTP server log records every user's access details, such as the access time, the client IP address and the account used to log in. This information matters for the stable operation of the FTP server: once something goes wrong, the FTP log lets you locate the fault and resolve it promptly. Be sure to enable FTP logging.
In the Default FTP Site Properties dialog, switch to the "FTP Site" tab and make sure the "Enable Logging" check box is selected, so that FTP activity is recorded and can be reviewed in the "Event Viewer".
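Logging is only useful if someone reads the log. The following is an added example, not part of the original article and not IIS code: a small Python script that reads an IIS FTP log in W3C extended format (the format IIS writes when logging is enabled, with a `#Fields:` header) and summarizes successful and failed logons per client IP and account, then lists clients whose failed logons reach a threshold. The sample log lines are constructed for this example; the `[n]USER`/`[n]PASS` method notation and the status codes 230 (logged in) and 530 (logon failed) follow the shape IIS uses, and the threshold value is an assumption.

```python
"""Summarize logons from an IIS FTP W3C extended log (added example).

The sample below is constructed; real logs live under the IIS LogFiles
directory and carry the same '#Fields:' header.
"""
from collections import Counter

# Constructed sample in IIS W3C extended style. IIS prefixes each FTP
# command with the session number, e.g. '[2]PASS', and replaces spaces
# in paths with '+', which is why whitespace splitting is safe here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-10 08:15:22
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status sc-win32-status
2003-05-10 08:15:22 192.168.1.20 cceuser 21 [1]USER cceuser 331 0
2003-05-10 08:15:23 192.168.1.20 cceuser 21 [1]PASS - 230 0
2003-05-10 08:15:40 192.168.1.20 cceuser 21 [1]sent /cce/report.doc 226 0
2003-05-10 09:02:01 10.0.0.77 administrator 21 [2]USER administrator 331 0
2003-05-10 09:02:02 10.0.0.77 administrator 21 [2]PASS - 530 1326
2003-05-10 09:02:05 10.0.0.77 administrator 21 [3]USER administrator 331 0
2003-05-10 09:02:06 10.0.0.77 administrator 21 [3]PASS - 530 1326
2003-05-10 09:02:09 10.0.0.77 ftpadmin 21 [4]USER ftpadmin 331 0
2003-05-10 09:02:10 10.0.0.77 ftpadmin 21 [4]PASS - 530 1326
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only '#Fields:' matters for parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def logon_summary(text):
    """Return (successes, failures): Counters keyed by (client IP, account).

    Only PASS commands decide a logon: 230 means logged in, 530 means the
    password (or the account) was rejected.
    """
    successes, failures = Counter(), Counter()
    for rec in parse_w3c(text):
        if not rec["cs-method"].endswith("PASS"):
            continue
        key = (rec["c-ip"], rec["cs-username"])
        if rec["sc-status"] == "230":
            successes[key] += 1
        elif rec["sc-status"] == "530":
            failures[key] += 1
    return successes, failures


def clients_over_threshold(failures, threshold=3):
    """Client IPs whose failed logons (across all accounts) reach the threshold."""
    per_ip = Counter()
    for (ip, _account), count in failures.items():
        per_ip[ip] += count
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


if __name__ == "__main__":
    ok, bad = logon_summary(SAMPLE_LOG)
    for (ip, account), n in sorted(bad.items()):
        print(f"{ip:15} {account:15} failed logons: {n}")
    print("review these clients:", clients_over_threshold(bad))
```

Run against a real log file by reading it into `logon_summary`; the per-IP failure count is the simplest signal that someone is guessing passwords, and it pairs naturally with the account lockout policy described later in the article.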
3. Set user access permissions correctly
Each FTP user account has certain access rights, but badly chosen permissions are themselves a security risk for the FTP server. Suppose, for example, that the CCE folder on the server should be readable, writable, modifiable and listable only by the CCEUSER account, with all other users denied access. By default, however, the system grants other users Read and List permissions on the CCE folder, so the folder's access permissions must be reset.
Right-click the CCE folder, choose "Properties" from the context menu, and switch to the "Security" tab. First remove the Everyone account, then click "Add" to add the CCEUSER account to the name list, select the Modify, Read & Execute, List Folder Contents, Read and Write permissions in the "Permissions" list, and click "OK". Now only CCEUSER can access the CCE folder.
4. Enable disk quotas
Disk space on an FTP server is a valuable resource, and unrestricted use inevitably wastes a great deal of it, so the disk space each FTP user may consume must be limited. The author takes the CCEUSER account as an example and limits it to 100 MB of disk space.
In Explorer, right-click the drive letter of the disk that holds the CCE folder, choose "Properties" from the context menu, switch to the "Quota" tab, and select the "Enable quota management" check box, which activates the other quota settings on the tab. To prevent FTP users from consuming too much server disk space, be sure to also select the "Deny disk space to users exceeding quota limit" check box.
Next, under "Select the default quota limit for new users on this volume", choose "Limit disk space to", enter 100 in the field beside it and set the unit to "MB"; then set the warning level by entering "96" in the "Set warning level to" field and setting its unit to "MB". The default quota is now configured. Also select the "Log event when a user exceeds their quota limit" and "Log event when a user exceeds their warning level" check boxes so that quota alarms are written to the Windows event log.
Click the "Quota Entries" button at the bottom of the Quota tab to open the Quota Entries window, then click "Quota → New Quota Entry" to bring up the user selection dialog. Select the CCEUSER account, click "OK", and set that user's quota parameters in the "Add New Quota Entry" dialog: choose "Limit disk space to", enter "100" in the field beside it, enter "96" in the "Set warning level to" field, and set both units to "MB". Click "OK" to finish. CCEUSER can now use at most 100 MB of disk space, and a warning is raised once usage passes 96 MB.
5. TCP/IP access restrictions
To further protect the FTP server, access from specific IP addresses can be denied. In the Default FTP Site Properties dialog, switch to the "Directory Security" tab, select the "Granted Access" option, and click the "Add" button in the "Except those listed below" box; the "Deny Access On" dialog appears. Here you can deny a single IP address or a group of addresses. Taking a single address as an example, select the "Single computer" option, enter the machine's IP address in the "IP Address" field, and click "OK". IP addresses added to this list can no longer access the FTP server.
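To make the decision logic of this tab explicit, here is an added example (written for this edit, not code from the article or from IIS) that models the two modes of the IIS IP restriction: "Granted Access" with a list of denied exceptions, or "Denied Access" with a list of allowed exceptions, where each exception is either a single computer or a group of computers given as a network address and subnet mask. The class name, the two builder functions and every IP address in it are constructed for the example.

```python
"""Model of the IIS FTP 'Directory Security' IP restriction (added example).

A listed client always gets the opposite of the default decision, which is
exactly what 'Granted Access, except those listed below' means.
"""
import ipaddress


class IpAccessRestriction:
    def __init__(self, granted_by_default=True):
        # True  -> "Granted Access, except those listed below"
        # False -> "Denied Access, except those listed below"
        self.granted_by_default = granted_by_default
        self.exceptions = []

    def add_single_computer(self, ip):
        """'Single computer' entry: exactly one host (a /32)."""
        self.exceptions.append(ipaddress.ip_network(ip))

    def add_group(self, network_address, subnet_mask):
        """'Group of computers' entry: network address plus dotted subnet mask."""
        self.exceptions.append(
            ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=False)
        )

    def is_listed(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.exceptions)

    def allows(self, client_ip):
        """Default decision, inverted for any client that appears in the list."""
        return self.granted_by_default != self.is_listed(client_ip)


def build_denylist_policy():
    """The article's case: grant everyone, deny one host and one subnet (constructed)."""
    policy = IpAccessRestriction(granted_by_default=True)
    policy.add_single_computer("10.0.0.77")            # constructed host
    policy.add_group("192.168.50.0", "255.255.255.0")  # constructed subnet
    return policy


def build_allowlist_policy():
    """The stricter variant: deny everyone except one internal subnet (constructed)."""
    policy = IpAccessRestriction(granted_by_default=False)
    policy.add_group("192.168.1.0", "255.255.255.0")   # constructed subnet
    return policy


if __name__ == "__main__":
    for name, policy in (("deny list", build_denylist_policy()),
                         ("allow list", build_allowlist_policy())):
        for ip in ("10.0.0.77", "10.0.0.78", "192.168.50.200", "192.168.1.20"):
            print(f"{name:10} {ip:15} {'allowed' if policy.allows(ip) else 'denied'}")
```

For a server that only internal users should reach, the allow-list form (deny by default, list the permitted subnet) is the safer choice, since a new attacker address is then blocked without anyone having to add it.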
6. Configure group policy sensibly
FTP server security can also be strengthened by adjusting Group Policy settings. In Windows 2000, open "Control Panel → Administrative Tools" and run the "Local Security Policy" tool.
1. Audit account logon events
In the Local Security Settings window, expand "Security Settings → Local Policies → Audit Policy", find the "Audit account logon events" item in the right-hand pane, double-click it, select both "Success" and "Failure" in the settings dialog, and click "OK". Once this policy takes effect, every FTP user logon is written to the log.
2. Strengthen password complexity
If some FTP accounts have passwords that are too simple, attackers may crack them. To improve the security of the FTP server, users must be forced to set complex account passwords.
In the Local Security Settings window, expand "Security Settings → Account Policies → Password Policy", find the "Passwords must meet complexity requirements" item in the right-hand pane, double-click it, select "Enabled", and click "OK".
Then open the "Minimum password length" item and set the minimum number of characters an FTP account password must have. Password security is now considerably stronger.
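What the complexity policy actually enforces is rarely spelled out. As an added example (not from the article or from Windows itself), the following Python function implements the documented Windows rule behind "Passwords must meet complexity requirements": the password must use at least three of the four character classes (uppercase, lowercase, digit, non-alphanumeric) and must not contain the account name or any part of the user's full name longer than two characters. The minimum length is supplied separately, mirroring the "Minimum password length" policy; the default of 8 and all sample names and passwords are constructed for the example.

```python
"""Check a candidate password against the Windows complexity rule plus a
minimum length (added example; not the operating system's own code)."""
import re

# Delimiters used to split the full name into parts (comma, period, dash,
# underscore, space, '#', tab), following the documented Windows rule.
_FULL_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def check_password(password, account_name, full_name="", min_length=8):
    """Return (accepted, reasons); reasons is empty when the password is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than the minimum length of {min_length}")

    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for part in _FULL_NAME_DELIMITERS.split(full_name):
        # Only parts of more than two characters count, as in Windows.
        if len(part) > 2 and part.lower() in lowered:
            reasons.append(f"contains part of the full name ({part!r})")

    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        reasons.append("uses fewer than three of: uppercase, lowercase, digit, symbol")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed account: name 'cceuser', full name 'Wang Xiaoming'.
    for pw in ("cceuser2003", "Xiaoming#1", "Rt7!kq2Pz"):
        ok, why = check_password(pw, "cceuser", "Wang Xiaoming")
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The third sample passes all checks; the first fails twice (it embeds the account name and uses only two character classes), which is the typical shape of the weak FTP passwords the article warns about.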
3. Restrict account logons
Some unauthorized users use hacking tools to attempt logon to the FTP server over and over in order to guess account passwords. This is very dangerous, so limiting the number of logon attempts allowed per account is recommended.
Expand "Security Settings → Account Policies → Account Lockout Policy", find the "Account lockout threshold" item in the right-hand pane, double-click it and set the maximum number of failed logon attempts; once this number is reached, the account is locked automatically. Then open the "Account lockout duration" item and set how long the FTP account stays locked. A locked account can only be used again after this period has elapsed.
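The threshold and duration interact with a third setting, the counter reset window, and the three together decide whether slow guessing is caught. As an added example (a model written for this edit, not the article's or Windows' own code), the following Python class replays a sequence of logon attempts against a lockout policy: a correct password is refused while the account is locked, the lock expires after the configured duration, and failures older than the reset window no longer count. The policy values, the account name and the timestamps are constructed.

```python
"""Model of the Windows account lockout policy applied to FTP logons
(added example). Policy values and the scenario below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int                # "Account lockout threshold": bad attempts before locking
    lockout_duration: timedelta   # "Account lockout duration"
    reset_after: timedelta        # "Reset account lockout counter after"


@dataclass
class AccountState:
    failures: int = 0
    first_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def attempt(self, account, when, password_ok):
        """Record one logon attempt; return 'ok', 'bad_password' or 'locked'."""
        state = self.accounts.setdefault(account, AccountState())

        if state.locked_until is not None:
            if when < state.locked_until:
                return "locked"       # refused even with the right password
            state = AccountState()    # lock expired: start with a clean counter
            self.accounts[account] = state

        # Failures only accumulate inside the reset window.
        if (state.first_failure is not None
                and when - state.first_failure >= self.policy.reset_after):
            state.failures, state.first_failure = 0, None

        if password_ok:
            state.failures, state.first_failure = 0, None
            return "ok"

        state.failures += 1
        if state.first_failure is None:
            state.first_failure = when
        if state.failures >= self.policy.threshold:
            state.locked_until = when + self.policy.lockout_duration
            return "locked"
        return "bad_password"


def replay(policy, events):
    """Run (account, timestamp, password_ok) events and return each outcome."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(account, when, ok) for account, when, ok in events]


# Constructed policy: lock after 3 failures for 30 minutes; counter resets after 30 minutes.
POLICY = LockoutPolicy(threshold=3,
                       lockout_duration=timedelta(minutes=30),
                       reset_after=timedelta(minutes=30))
T0 = datetime(2003, 5, 10, 9, 2, 0)

# Scenario 1: three bad guesses within 20 seconds, the real password a minute
# later (still locked), and again after the lock has expired.
EVENTS_BURST = [
    ("cceuser", T0, False),
    ("cceuser", T0 + timedelta(seconds=10), False),
    ("cceuser", T0 + timedelta(seconds=20), False),
    ("cceuser", T0 + timedelta(minutes=1), True),
    ("cceuser", T0 + timedelta(minutes=31), True),
]

# Scenario 2: one guess every 31 minutes never trips a 30-minute reset window.
EVENTS_SLOW = [
    ("cceuser", T0, False),
    ("cceuser", T0 + timedelta(minutes=31), False),
    ("cceuser", T0 + timedelta(minutes=62), False),
]

if __name__ == "__main__":
    for label, events in (("burst", EVENTS_BURST), ("slow", EVENTS_SLOW)):
        for (account, when, _), result in zip(events, replay(POLICY, events)):
            print(f"{label:5} {when.time()} {account} {result}")
```

The second scenario is the caveat worth remembering: a lockout threshold alone does not stop a patient attacker who spaces out attempts beyond the reset window, which is why the audit log from the previous policy is needed alongside it.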
With the steps above in place, the FTP server is considerably more secure and the risk of unauthorized intrusion is greatly reduced.