How to make the Windows 2000 FTP server more secure

One: Disable anonymous access

By default, the FTP server in Windows 2000 allows anonymous access. Although anonymous access makes it convenient for users to upload and download files, it carries great security risks: users can access your FTP server, and even upload and download files, without applying for a legitimate account. On FTP servers that store important data in particular, this can easily lead to leaks. Users are therefore advised to disable anonymous access.

In Windows 2000, click "Start → Programs → Administrative Tools → Internet Services Manager" to open the management console window. Expand the local computer entry on the left side of the window to see the FTP server that comes with IIS 5.0. Below, I use the Default FTP Site as an example to explain how to disable anonymous access.

Right-click the "Default FTP Site" item and select "Properties" from the context menu. In the Default FTP Site Properties dialog box that appears, switch to the "Security Accounts" tab, clear the "Allow Anonymous Connections" check box (Figure 1), and click "OK". Users can then no longer access the FTP server with an anonymous account; they must have a legitimate account.

Two: Enable logging

Windows logs record all the information about the running system, but many administrators pay too little attention to logging and, to save server resources, disable FTP server logging. This is absolutely unacceptable. The FTP server logs record the access information of all users, such as access time, client IP address, and the login account used. This information is very important for the stable operation of the FTP server. Once the server has a problem, you can check the FTP log to find the fault and fix it promptly. So be sure to enable FTP logging.

In the Default FTP Site Properties dialog box, switch to the "FTP Site" tab and make sure the "Enable Logging" option is selected, so that you can view the FTP log records in the Event Viewer.

Three: Set user access rights correctly

Each FTP user account has certain access rights, but badly chosen permissions can also create security risks on the FTP server. For example, suppose only the CCEUSER account should have read, write, modify, and list permissions on the server's CCE folder, with all other users denied access; by default, however, the system gives other users read and list permissions on the CCE folder. You must therefore reset the access rights on this folder.

Right-click the CCE folder, select "Properties" from the pop-up menu, and switch to the "Security" tab. First delete the Everyone account, then click the "Add" button and add the CCEUSER account to the Name list. Then select Modify, Read & Execute, List Folder Contents, Read, and Write in the Permissions list box, and click "OK". The CCE folder can then be accessed only by the CCEUSER user.

Four: Enable disk quotas

Disk space on an FTP server is a valuable resource, and letting users consume it without limit is bound to cause huge waste, so limit the disk space each FTP user can use. Below, the author takes the CCEUSER user as an example and limits it to 100 MB of disk space.

In the Explorer window, right-click the drive letter of the disk where the CCE folder is located, select "Properties" from the pop-up menu, and switch to the "Quota" tab (Figure 2). Select the "Enable quota management" check box to activate all the quota options on the tab. To prevent FTP users from taking up too much server disk space, be sure to select the "Deny disk space to users exceeding quota limit" check box.

Then, under "Select the default quota limit for new users on this volume", select the "Limit disk space to" option, enter "100" in the field after it, and select "MB" as the unit. Next, set the warning level: enter "96" in the "Set warning level to" field and select "MB" as the unit, which completes the default quota settings. In addition, select the "Log event when a user exceeds their quota limit" and "Log event when a user exceeds their warning level" check boxes so that quota alarm events are written to the Windows log.

Click the "Quota Entries" button at the bottom of the Quota tab to open the Quota Entries dialog box, then click "Quota → New Quota Entry" to open the Select Users dialog box. Select the CCEUSER user and click "OK". In the "Add New Quota Entry" dialog box, set the quota parameters for CCEUSER: select the "Limit disk space to" option and enter "100" in the field after it, then enter "96" in the "Set warning level to" field, with "MB" as the unit for both, and click "OK" to complete the disk quota settings. CCEUSER can then use only 100 MB of disk space, and a warning is issued once usage exceeds 96 MB.

Five: TCP/IP access restrictions

To protect the FTP server, we can also deny access from certain IP addresses. In the Default FTP Site Properties dialog box, switch to the "Directory Security" tab, select the "Granted Access" option (Figure 3), and then click the "Add" button beside the "Except those listed below" box to open the "Deny Access On" dialog box, where we can deny access to a single IP address or a group of IP addresses. Taking a single IP address as an example, select the "Single Computer" option, enter the machine's IP address in the "IP address" field, and click "OK". An IP address added to the list in this way cannot access the FTP server.

Six: Configure Group Policy sensibly

Changing Group Policy items can also enhance the security of the FTP server. In Windows 2000, go to Control Panel → Administrative Tools and run the Local Security Policy tool.

1. Audit account logon events

In the Local Security Settings window, expand Security Settings→Local Policies→Audit Policy, and find the "Audit account logon events" item in the right pane (Figure 4). Double-click to open it, select "Success" and "Failure" in the settings dialog box, and click "OK". After the policy takes effect, every login by an FTP user is recorded in the log.

2. Enforce account password complexity

If an FTP account's password is too simple, "criminals" may be able to crack it. To improve the security of the FTP server, users must be forced to set complex account passwords.

In the Local Security Settings window, expand Security Settings→Account Policies→Password Policy. In the right pane, find the "Password must meet complexity requirements" item, double-click to open it, select the "Enabled" option, and click "OK".

Then, open the "Minimum password length" item and set the minimum character limit for the FTP account password. This way, the security of the password is greatly enhanced.

3. Account Login Restriction

Some unauthorized users use hacking tools to log in to the FTP server repeatedly in order to guess account passwords. This is very dangerous, so it is recommended that you limit the number of login attempts per account.

Expand Security Settings→Account Policies→Account Lockout Policy, and double-click the "Account lockout threshold" item in the right pane to set the maximum number of login attempts for an account. If this value is exceeded, the account is locked automatically. Then open the "Account lockout duration" item to set how long the FTP account stays locked. Once this time has passed, the locked account can be used again.
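The log fields named in section Two (access time, client IP address, login account) are enough to spot the repeated password guessing described under "Account Login Restriction". The following is an added example, not part of the original article: it assumes the FTP log is a W3C extended format text log with the fields time, c-ip, cs-method, cs-uri-stem and sc-status, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (documentation addresses, made-up sessions).
# Assumed layout: W3C extended format with the fields named on the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:14:01 192.0.2.10 [1]USER CCEUSER 331
09:14:02 192.0.2.10 [1]PASS - 230
09:20:10 198.51.100.7 [2]USER CCEUSER 331
09:20:10 198.51.100.7 [2]PASS - 530
09:20:11 198.51.100.7 [3]USER CCEUSER 331
09:20:11 198.51.100.7 [3]PASS - 530
09:20:12 198.51.100.7 [4]USER administrator 331
09:20:12 198.51.100.7 [4]PASS - 530
09:31:40 203.0.113.5 [5]USER CCEUSER 331
09:31:41 203.0.113.5 [5]PASS - 530
"""


def failed_logins(lines, threshold=3):
    """Map client IP -> accounts tried, for IPs with >= threshold rejected logins."""
    fields = []
    pending = {}                  # (client IP, session id) -> account from USER
    failures = defaultdict(list)  # client IP -> account for each rejected PASS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # take the column order from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # cs-method looks like "[4]PASS": session id in brackets, then the command
        session, _, command = row.get("cs-method", "").partition("]")
        key = (row.get("c-ip", "?"), session)
        if command == "USER":
            pending[key] = row.get("cs-uri-stem", "?")
        elif command == "PASS" and row.get("sc-status") == "530":
            # 530 is the FTP "not logged in" reply, i.e. the password was rejected
            failures[key[0]].append(pending.get(key, "?"))
    return {ip: users for ip, users in failures.items() if len(users) >= threshold}


if __name__ == "__main__":
    for ip, users in failed_logins(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(users)} rejected logins for {sorted(set(users))}")
```

The addresses it reports are candidates for the deny list in section Five; to check a real log, pass the open log file as `lines`.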

With the steps above completed, our FTP server is more secure and no longer has to fear illegal intrusion.
