Aug 07 2014

The FTP protocol is some 43 years old now, yet it continues to be one of the most widely used file transfer technologies available. Over the years it has been shown to be vulnerable to brute force attacks, packet capture, and other attack vectors. Fortunately, with IIS 8 on Windows Server 2012 your FTP server doesn’t have to be vulnerable. It goes without saying that FTP Authentication and Authorization are the most fundamental methods to secure your server. Here are three additional things you can do to increase the security of your server’s FTP service and minimize its attack footprint.

IIS 8 FTP Logon Attempt Restrictions

One of the most common FTP attack vectors is the dictionary attack. Using automated tools, hackers will repeatedly hammer your FTP site with thousands of username and password combinations, hoping to find that one account with an easy password. In the picture below you can see just a snippet of this automated activity. Fortunately none of these attempts were successful.

image

IIS 8 now features FTP Logon Attempt Restrictions. This powerful feature is not available in IIS 7 or IIS 7.5. Once configured, automated logon attacks will be stopped in their tracks. From IIS Manager simply click on FTP Logon Attempt Restrictions.

image

Configuring the FTP Logon Attempt Restrictions module is easy. Simply choose how many logon attempts are to be allowed and the time period for them to occur. When you consider that most FTP clients will save passwords in a profile, legitimate users on your FTP site should only need 1-2 logon attempts. However, depending on how many FTP users you’re hosting and their technical savvy, you may need to tweak these settings.

image

Testing my FTP site now with the new logon attempt restrictions, it is easy to see how well it works. After the threshold is exceeded my connection to the server is forcibly closed. Automated hack attempts will no longer be a threat to this FTP server.

image
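To choose the attempt count and time period before turning the feature on, the rule can be replayed against existing FTP logs. The Python below is an added example, not code from the original post: it counts rejected PASS commands (reply 530) per client IP in constructed W3C-format log lines and reports which addresses would reach a given threshold. The sliding-window model is a simplification, not IIS's own implementation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (addresses and times are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2014-08-07 10:00:01 203.0.113.5 - 192.0.2.10 21 USER admin 331 0
2014-08-07 10:00:01 203.0.113.5 - 192.0.2.10 21 PASS *** 530 1326
2014-08-07 10:00:03 203.0.113.5 - 192.0.2.10 21 USER test 331 0
2014-08-07 10:00:03 203.0.113.5 - 192.0.2.10 21 PASS *** 530 1326
2014-08-07 10:00:05 203.0.113.5 - 192.0.2.10 21 PASS *** 530 1326
2014-08-07 10:00:07 203.0.113.5 - 192.0.2.10 21 PASS *** 530 1326
2014-08-07 10:05:00 198.51.100.7 - 192.0.2.10 21 PASS *** 530 1326
2014-08-07 10:05:20 198.51.100.7 ftpuser1 192.0.2.10 21 PASS *** 230 0
"""

def failed_logons(log_text):
    """Return (timestamp, client_ip) for every rejected PASS command (reply 530)."""
    fields, events = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order comes from the log itself
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("cs-method") == "PASS" and row.get("sc-status") == "530":
                ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                events.append((ts, row["c-ip"]))
    return events

def would_be_denied(events, max_failures, window_seconds):
    """Map client IP -> time of the failure that reaches the threshold inside the window."""
    window = timedelta(seconds=window_seconds)
    recent, denied = defaultdict(deque), {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:              # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in denied:
            denied[ip] = ts
    return denied

if __name__ == "__main__":
    for ip, ts in would_be_denied(failed_logons(SAMPLE_LOG), 4, 30).items():
        print(f"{ip} reaches the threshold at {ts}")
```

In the sample, the client that mistypes a password once and then logs in stays under a threshold of 4, while the address cycling through accounts reaches it within seconds.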

Enable FTP Over SSL with IIS 8

The FTP protocol wasn’t originally designed for encryption. Fortunately with IIS 8 (and IIS 7) your FTP sessions can now be encrypted with SSL. To configure FTPS, also known as FTP Over SSL, open IIS Manager. You can either specify SSL when adding FTP Publishing to a site or go to the FTP SSL Settings on an existing site. Connecting with SSL can either be optional or you can force all connections to use it. Using the drop down menu, choose the certificate that you want to be used to encrypt the connections. Windows Server 2012 has a default certificate available, however you are also welcome to install your own 3rd party certificate.

image

After you’ve configured the SSL settings on the server you just need to change your FTP client connection properties. In the picture below I’m using a legacy version of Cute FTP 8.0. Depending on which FTP client you’re using, your protocol menu will look different.

image

Having changed my FTP client settings I attempt to connect to the server using SSL. The first time you connect to the server you will be prompted to accept the new SSL certificate. The log snippet below shows that my FTP session is being properly established with SSL. My communication with the server is now secure and protected. Here is a more detailed walk through of configuring FTP over SSL on IIS 8.

image


Configuring IIS 8 FTP User Isolation

When IIS 7 was released the FTP service had been completely redesigned from the ground up with security in mind. This was a welcome change indeed from IIS 6. In addition to supporting FTP over SSL it introduced FTP User Isolation. Multiple users on the same FTP site could be separated, regardless of which file path they were being logged into, without risk of someone traversing up parent paths to other user folders.

The FTP Authorization rules make it easy to identify multiple users or even local groups to have access to the FTP server. The user isolation is accomplished by creating a virtual directory called LocalUser and then choosing User name directory (disable global virtual directories). The LocalUser virtual directory should point to the FTP root directory and then you create a separate virtual directory for each FTP user which points to their destination path.

image

With FTP User Isolation configured your users will never be able to move up to a parent path beyond their individual root directory. Even if a user were able to correctly guess the username and virtual path of another FTP account on the server they will not be able to reach it. Due to the confines of the isolation the FTP session cannot see anything else on the server. In the example below I log in with local account ftpuser2 and attempt to change the path to /ftpuser1, however that path does not exist and therefore is not accessible to my user. Here is a more detailed walkthrough of configuring FTP User Isolation on IIS 8.

image
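The three settings covered above end up in applicationHost.config, so they can be checked without opening IIS Manager. The following Python is an added example, not part of the original post: it audits a constructed config fragment for logon attempt restrictions (the denyByFailure element), the FTPS channel policies, anonymous authentication and the isolation mode. The site name and values are sample data, and IsolateAllDirectories is assumed to be the stored value for the "User name directory (disable global virtual directories)" option.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; the site name and values are sample data.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost><sites>
    <site name="MasterFTP" id="2">
      <ftpServer>
        <security>
          <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
          <authentication>
            <anonymousAuthentication enabled="true" />
            <basicAuthentication enabled="true" />
          </authentication>
        </security>
        <userIsolation mode="StartInUsersDirectory" />
      </ftpServer>
    </site>
  </sites></system.applicationHost>
  <system.ftpServer><security><authentication>
    <denyByFailure enabled="false" maxFailure="4" entryExpiration="00:00:30" />
  </authentication></security></system.ftpServer>
</configuration>
"""

def audit_ftp(config_xml):
    """Return findings for logon restrictions, FTPS policy and user isolation."""
    root = ET.fromstring(config_xml)
    findings = []
    deny = root.find("system.ftpServer/security/authentication/denyByFailure")
    if deny is None or deny.get("enabled", "false").lower() != "true":
        findings.append("server: FTP Logon Attempt Restrictions (denyByFailure) not enabled")
    for site in root.iterfind("system.applicationHost/sites/site"):
        ftp, name = site.find("ftpServer"), site.get("name")
        if ftp is None:
            continue  # site has no FTP publishing
        ssl = ftp.find("security/ssl")
        for attr in ("controlChannelPolicy", "dataChannelPolicy"):
            # An absent attribute is reported too, so the policy gets stated explicitly.
            value = None if ssl is None else ssl.get(attr)
            if value != "SslRequire":
                findings.append(f"{name}: {attr}={value}, expected SslRequire")
        anon = ftp.find("security/authentication/anonymousAuthentication")
        if anon is not None and anon.get("enabled", "false").lower() == "true":
            findings.append(f"{name}: anonymous authentication is enabled")
        iso = ftp.find("userIsolation")
        mode = None if iso is None else iso.get("mode")
        if mode != "IsolateAllDirectories":
            findings.append(f"{name}: userIsolation mode={mode}, expected IsolateAllDirectories")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ftp(SAMPLE_CONFIG)))
```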

In Summary

IIS 8 on Windows Server 2012 offers the most secure FTP service of any IIS version to date. You have multiple layers of FTP security available by leveraging FTP Logon Attempt Restrictions, FTP Over SSL, and FTP User Isolation. Your FTP server will be well protected using these built-in modules. With internet security there is no ‘patch’ for complacence. More security is always better so implement it when it’s readily available to you. Thanks for reading.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS


May 04 2013

FTP User Isolation is a great way to lock down your FTP site and prevent users from accessing resources they are not supposed to. Regardless if your server is providing shared hosting or dedicated hosting, FTP User Isolation can be leveraged for greater FTP security. It is particularly beneficial in hosting environments when you have a limited number of IP addresses to utilize but have several users requiring FTP access. In this case you’ll want to create 1 master FTP site and configure user virtual directories. Alternatively if your web server has several IP addresses available then one will typically deploy FTP Publishing on each site being hosted using a dedicated IP address. FTP user isolation in this case is not as critical but can still be implemented if you need multiple users accessing different folders on the same site.

In This Walk-through

In this walk-through I’ll be configuring 1 master FTP site that will be used to isolate FTP users for 3 different web sites I’ve created. To see how to set up an FTP site please check my recent blog post on setting up an FTP site with SSL. Our FTP site will use c:\inetpub\ftproot as the root directory. Double check that the FTP Authentication section has Anonymous Authentication disabled and Basic Authentication enabled.

image

 

Create User Group for FTP Users

Our server has 3 user accounts we want to use for FTP access: ftpuser1, ftpuser2, ftpuser3. In the Computer Management console under Local Users and Groups create a new group called FTPUsers.

image

 

Add the 3 FTP users to the group and then go to the root folder of the FTP site c:\inetpub\ftproot and add FTPUsers group to the folder permissions.

image

 

Check the FTP Authorization Rules

Go back to the Features View of the FTP site in the IIS Manager and click on FTP Authorization. In the FTP Authorization settings select Specified roles or user groups and enter the FTPUsers group we just created. Storing the users in 1 group will make it easier to maintain in the future if we have to add more FTP users. We want the users to have Read and Write permissions.

image

 

Configure LocalUser Virtual Directory

Now on the FTP site we need to create a virtual directory called LocalUser. This is a special directory which is required to make the user isolation work properly. Right click on the master FTP site and then click Add Virtual Directory.

image

Enter the name LocalUser and specify the root folder of the FTP site c:\inetpub\ftproot.

image

 

Create FTP User Virtual Directories

Under the LocalUser virtual directory create an additional virtual directory for each FTP user. Enter the name of the FTP user and set the physical path to the web site they will be accessing. In this example ftpuser1 will access c:\domains\domain1.com. Ftpuser2 will access c:\domains2.com and Ftpuser3 will access c:\domains3.com.

image

Since we have 3 FTP users we’ll have a virtual directory for each user under LocalUser.

image

 

Configure FTP User Isolation

On the Features View of the FTP site click on FTP User Isolation. Under the section Isolate Users select User name directory (disable global virtual directories). As a reminder, if you are deploying FTP Publishing at the site level with only 1 user accessing the site content then user isolation is not necessary and selecting the first option, FTP root directory, will be sufficient. The FTP user will be dropped into the root of the site.

image.

 

Testing FTP Client

Now our FTP site is ready for testing. With my FTP client I connect to the site using ftpuser1 and I am correctly logged into domain1.com root folder.

image

You can test if the isolation is working properly by trying to change the directory to the parent level or another FTP user’s folder. If you remember back to FTP and IIS 6, this would have been possible, or at least you would have been able to get into the root folder of the FTP site and potentially seen other FTP users’ folders. In the example below I log in as ftpuser2 and then try to change to the directory of ftpuser1, however thanks to FTP Isolation we get an error message that the path does not exist. Each user is now completely isolated from the others.

image
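Isolation confines each session to its own virtual root, so it only separates users whose physical folders do not contain one another. The Python below is an added example, not from the original post: it reads the /LocalUser/<name> virtual directories from a constructed site fragment, reports users that have no virtual directory, and flags any home folder that physically contains another user's home. The site name and the domain2 and ftpuser3 paths are sample values chosen to trigger the checks.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed <site> fragment; the site name and most paths are sample values.
SAMPLE_SITE = r"""
<site name="MasterFTP">
  <application path="/">
    <virtualDirectory path="/" physicalPath="c:\inetpub\ftproot" />
    <virtualDirectory path="/LocalUser" physicalPath="c:\inetpub\ftproot" />
    <virtualDirectory path="/LocalUser/ftpuser1" physicalPath="c:\domains\domain1.com" />
    <virtualDirectory path="/LocalUser/ftpuser2" physicalPath="c:\domains\domain2.com" />
    <virtualDirectory path="/LocalUser/ftpuser3" physicalPath="c:\domains" />
  </application>
</site>
"""

def user_homes(site_xml):
    """Map each FTP user to the physical path of its /LocalUser/<name> virtual directory."""
    homes = {}
    for vdir in ET.fromstring(site_xml).iter("virtualDirectory"):
        parts = vdir.get("path").strip("/").split("/")
        if len(parts) == 2 and parts[0].lower() == "localuser":
            path = ntpath.normcase(ntpath.normpath(vdir.get("physicalPath")))
            homes[parts[1].lower()] = path
    return homes

def layout_findings(site_xml, expected_users):
    """Report missing user directories and homes that contain another user's home."""
    homes = user_homes(site_xml)
    findings = [f"{u}: no /LocalUser/{u} virtual directory"
                for u in expected_users if u.lower() not in homes]
    for a, pa in homes.items():
        for b, pb in homes.items():
            # Windows paths are case-insensitive; both sides were normalised above.
            if a != b and (pb == pa or pb.startswith(pa.rstrip("\\") + "\\")):
                findings.append(f"{a}: home {pa} contains the home of {b}")
    return sorted(findings)

if __name__ == "__main__":
    users = ["ftpuser1", "ftpuser2", "ftpuser3", "ftpuser4"]
    print("\n".join(layout_findings(SAMPLE_SITE, users)))
```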

In Summary

Starting with IIS 7, Microsoft completely redesigned the FTP service offering the highest level of security. FTP User Isolation will completely shield web site content from other FTP users. It is particularly beneficial when you have an FTP site that needs to allow access to multiple users to different folder paths. Thanks for reading.

Peter Viola


Feb 09 2013

In 2011 the FTP protocol had its 40th birthday. Despite its age it is still a widely used file transfer technology, however it wasn’t originally designed for encryption. It has been shown to be vulnerable to brute force attacks, packet capture, and spoof attacks as well as a few other attack vectors. Now with IIS 8 on Windows Server 2012 encrypting an FTP session has never been easier. Using the IIS Manager, with just a few clicks you can enable FTPS, also known as FTP Over SSL, on your site and take advantage of encrypted communication. In this walkthrough I am going to configure FTPS on IIS 8 using my personal SSL certificate which I obtained from a 3rd party SSL vendor. I am not going to cover how to install an SSL certificate. To get started launch IIS Manager from the Start Screen.

image

 

Once IIS Manager is open we first need to add FTP Publishing to our site. This is straightforward and can be completed in mere moments. To do this right click on your site and select Add FTP Publishing. The Add FTP Site Publishing wizard will launch, taking us through the few remaining steps.

image

 

There are a few options which need to be configured. Select the IP address you want to use for the site. Under the SSL setting, select if you want to allow connections without SSL or force every connection to use it. For the highest level of security you’ll want to select Require SSL. Next pick the SSL certificate that you want to use for the encryption. Click Next to continue.

image

 

Now we’re going to configure the Authentication and Authorization settings. Check Basic Authentication and leave Anonymous Authentication unchecked. Under Authorization you can specify local users and groups that are allowed to access the site. On my test server I have a user called “ftpuser2” and we want Read and Write permissions enabled. Click Finish and then the window will close. FTP Publishing has been added to the site. Next we’ll need to configure the FTP client before we can connect.

image

 

Configuring your FTP client for FTP over SSL is just a matter of changing the protocol type in your client settings. First I’ll do a test without making any client changes. In the previous step I chose to force all connections to use FTPS so we should get an error of some kind. Sure enough, as seen in the FTP log below, the server forcibly closes the connection when it detects that we’re not using FTPS.

image

 

For my FTP client I’m using an old version of Cute FTP Pro, so depending on which FTP client you are using your menus may look different. Below I am selecting FTP with SSL Explicit.

image

 

Now when I try to reconnect to the server I’m prompted to accept the SSL certificate before I can continue. If I do not accept the certificate then the connection will be closed.

image

 

After clicking Accept we are logged into the FTP site and our files are displayed as expected. Looking at the FTP log we see the SSL session is being established and the session is encrypted.

image

In summary, FTP is a great file transfer technology but is unencrypted in native form. Configuring FTP over SSL with IIS 8 on Windows Server 2012 is an easy and straightforward way to encrypt your FTP sessions and increase your security. Thanks for reading.

Peter Viola


Jan 30 2013

Configuring and using FTP with IIS 8 on Windows Server 2012 is very easy and straight forward. If you ever used FTP 7 that was released with Windows 2008 then the GUI will be familiar to you. An FTP virtual directory is quite handy when you need to provide an FTP user access to files which are not in their FTP root folder. If you’ve ever created one, then you know the FTP user is usually not able to physically “see” the virtual directory when they login. To get to the new folder they have to manually change the path using their FTP client. I will show you a simple trick so the virtual directory will be visible to the FTP user.

image

 

Open the IIS 8 Manager. Depending on your needs one can have FTP configured in a few different ways. Your server may have FTP publishing configured on each site for example. My test server only has 1 IP address available so I’ve configured a “master” FTP site and have FTP user access configured accordingly for each site that is being hosted. In this example I have “ftpuser2” logging into a folder called c:\domains\domain2.com. As one would expect this is the folder where the user can maintain all their web site files.

image

 

Probably one of the most common requests with web hosting is having access to the web site traffic logs. These logs are typically stored outside of the FTP path somewhere else on the web server.  On my test server they’re stored in the folder C:\wwwlogs and the logs for domain2.com are located in the folder W3SVC3. Ordinarily on a locked down web server no FTP user would ever be able to access this location.

image

 

So let’s walk through how to provide “ftpuser2” FTP access to his site’s traffic logs. In the IIS Manager right-click on the FTP user in question and then right-click again on Add Virtual Directory.

image

 

This will open the Add Virtual Directory window. Enter the Alias you want to use and browse the physical path to which you want to provide FTP access.

image

 

One additional step is to add the FTP user to the folder permissions. That is straight forward so I’m not going to walk through that. So now ftpuser2 has the necessary permissions to read the log files in the W3SVC3 folder and access them using their FTP client. So what happens when we log in via FTP? Well nothing.

image

 

Why don’t we see our new virtual directory with the traffic logs? We can see them if we manually change the path in the FTP client to /wwwlogs. But having to manually change paths is a bit of a pain. And trying to explain that to someone who may not be technical is even more complicated. So what’s the solution?

image

The solution is to create an empty folder in the root of the FTP user’s FTP path that matches the alias of our FTP virtual directory. With this dummy folder in place, when the FTP user logs in and clicks it they will automatically be redirected into the path of the virtual directory and see all the files. What’s really cool about this technique is that it works with legacy versions of IIS as well as IIS 7 and IIS 8.

image

So now we’ve created a far more intuitive experience for the FTP user to access files and folders outside of their FTP root anywhere on the server, provided they have permissions to access the folder of course. I hope you’ve enjoyed this walkthrough. Thanks for reading.

Peter Viola
