Slightly remodeled Windows FTP server is more secure

Windows 2000 system provides FTP service function, because it is easy to use, and the Windows system itself is closely combined, and is deeply loved by users. But is the FTP server set up with IIS5.0 really safe? Its default setting actually has many security risks, and it is easy to become a target of hackers. How to make the FTP server more secure, you can do it with a little modification.

The Windows 2000 system provides the FTP service function. Because it is simple and easy to use, it is closely integrated with the Windows system itself and is very popular among users. But is the FTP server set up with IIS5.0 really safe? Its default setting actually has many security risks, and it is easy to become a target of hackers. How to make the FTP server more secure, you can do it with a little modification.

One Cancel Anonymous Access Function

By default, the FTP server of Windows 2000 system allows anonymous access. Although anonymous access provides convenience for users to upload and download files, it is extremely Security risks. Users do not need to apply for a legitimate account, they can access the FTP server, and even upload and download files. Especially for some FTP servers that store important data, it is easy to leak. Therefore, users are advised to cancel the anonymous access function.

In the Windows2000 system, click “Start → Programs & Rarr; Management Tools & Rarr; Internet Service Manager & rdquo;, pop-up management console window. Then expand the local computer option on the left side of the window, you can see the FTP server that comes with IIS5.0. Below I use the default FTP site as an example to explain how to cancel the anonymous access function.
Right click on the "Default FTP Site" item, select "ldquo" in the right-click menu, then pop up the default FTP site properties dialog box, switch to the "Security Account" tab, cancel "Allow Anonymous" Check the connection before (see Figure 1), and finally click the "OK" button, so users can not use an anonymous account to access the FTP server, you must have a legitimate account.
Figure 1 Disabling anonymous access and enabling logging

Windows logging records all the information about the system running, but many administrators do not pay enough attention to the logging function. In order to save server resources, FTP server logging is disabled. Function, this is absolutely impossible. The FTP server logs record the access information of all users, such as access time, client IP address, login account used, etc. This information is very important for the stable operation of the FTP server. Once the server has a problem, you can view the FTP log. Find the fault and eliminate it in time. So be sure to enable FTP logging.

In the Default FTP Site Properties dialog box, switch to the "FTP Site" tab page and make sure the "Enable Logging" option is selected so that it can be in the “Event Viewer&rdquo ; View FTP log records.

3 Correctly set user access rights

Each FTP user account has certain access rights, but the unreasonable setting of user rights can also cause security risks on the FTP server. For example, the CCE folder in the server only allows the CCEUSER account to have read, write, modify, and list permissions on it, prohibiting other users from accessing it, but the system defaults to allow other users to have read and list permissions on the CCE folder. Therefore you must reset the user access rights for this folder.

Right-click on the CCE folder, select “Properties> in the pop-up menu, then switch to the "Security" tab page, first delete the Everyone user account, then click the “Add” button. Add the CCEUSER account to the Name list box, and then select Modify, Read and Run, List Folder Directory, Read and Write Options in the “Permissions" list box, and finally click the “OK” button. In this way, the CCE folder can only be accessed by the CCEUSER user.

Five-Enable Disk Quotas

The FTP server disk space resources are valuable and unlimited for users to use, which is bound to cause huge waste. Therefore, the disk space used by each FTP user is required. limit. The author below takes the CCEUSER user as an example and limits it to only 100M disk space.

In the Explorer window, right-click the hard drive letter where the CCE folder is located, select “Properties> in the pop-up menu, and then switch to the "quota" tab page (Figure 2) ), check the "Enable Quota Management" checkbox to activate all quota setting options in the "Quotas" tab. In order to prevent some FTP users from taking up too much server disk space, be sure to check "Reject" Leave disk space to the user who exceeds the quota limit check box.

Figure 2 Limit FTP storage space and then select the default quota limit for new users on the volume. In the box, select “ Limit disk space to " single option, then enter 100 in the following column, select the disk capacity unit as “MB”, then set the warning level, and set the warning level to ” Enter “96” in the column, and the capacity unit is also selected as “MB”, thus completing the default quota setting. In addition, check the "Events" event when the user exceeds the quota limit and the "Events" check box to record the quota alarm events to the Windows log.

Click the "Quotas" button at the bottom of the Quotas tab to open the Disk Quotas dialog box, then click "Quota & Rarr; New Quota Item", the Select User dialog box will pop up, select CCEUSER users, click &ldquo ; determine the & rdquo; button, then set the quota parameter for the CCEUSER user in the "Add new quota item" dialog box, select "ld disk space limit to " rdquo; single option, enter "ldquo; 100" in the following column, Then set the warning level to “ in the column, enter “96”, their disk capacity unit is “MB”, and finally click the "OK" button to complete the disk quota setting, so that CCEUSER users can only With 100MB of disk space, a warning will be issued if it exceeds 96MB.

five TCP /IP access restrictions

In order to ensure the security of FTP server, you can also deny access to certain IP addresses. In the Default FTP Site Properties dialog box, switch to the “Directory Security” tab, select the “Authorize Access” option (see Figure 3), and then click “ in the "except listed below" ; Add & rdquo; button, pop-up "Refuse the following access" dialog box, where you can deny a single IP address or a set of IP address access, with a single IP address as an example, select the "single machine" option, and then in the "IP" Enter the IP address of the machine in the Address & rdquo; column and click the “OK” button. The IP address added to the list in this way cannot access the FTP server.

It is also possible to enhance the security of the FTP server. In the Windows 2000 system, go to “ Control Panel & Rarr; Management Tools & rdquo;, run the local security policy tool.

1. Review account login event

In the local security settings window, expand “security settings →local policy →audit strategy”, then in the right frame Find the “Audit Account Login Event” project (Figure 4), double-click to open the project, select “Successful” and “Failure” in the Settings dialog box, and finally click the “OK” button. . After the policy takes effect, each login of the FTP user is logged to the log.

Figure 4 Recording User Login Information 2. Enhancing Account Password Complexity

Password Settings for Some FTP Accounts Too simple, it may be cracked by the "lawless". In order to improve the security of the FTP server, the user must be forced to set a complicated account password.

In the local security settings window, expand “Security Settings →Account Policies & Rarr; Password Policy", found in the box on the right side, the password must meet the complexity requirements & rdquo; Once opened, check the “Enabled” single option and finally click the “OK” button.

Then, open the “Password Length Minimum” item to set the minimum character limit for the FTP account password. This way, the security of the password is greatly enhanced.

3. Account Login Restrictions

Some illegal users use the hacking tool to repeatedly log in to the FTP server to guess the account password. This is very dangerous, so it is recommended that you limit the number of account logins.

Expand "“Security Settings & Rarr; Account Policy & Rarr; Account Lockout Policy", find the "Account Lockout Threshold" item in the right frame, and double-click to open the maximum number of account logins. If this value is exceeded, the account will be automatically locked. Then open the “Account Lock Time” item to set the time when the FTP account is locked. Once the account is locked, it can be reused if it exceeds this time.

After setting the above steps, the user's FTP server will be more secure and no longer have to be illegally invaded.