How to limit FTP access in Windows 2000

This step-by-step article describes how to create a File Transfer Protocol (FTP) site, and then configure the site so that access to the site is limited.

NOTE: FTP must be installed on your computer for these steps to work.

FTP authentication options are limited to Anonymous and Basic Authentication. Basic Authentication may pose a security risk because it allows for username and password information to pass over the network in clear text. Anonymous authentication does not expose username and password information. However, the authentication does not allow you to control who can access directories on an FTP server.

Note A secure FTP site only allows for anonymous file downloads. Alowing users to upload files over basic authentication or by anonymous connections introduces many secuirty concerns. If the ability to upload files is required, use WebDAV over HTTPS, a custom ASP file upload over HTTPS, or FTP over a VPN. ISA also offers more secure access to FTP sites.

Create an FTP site

To start the Microsoft Internet Information Services (IIS) snap-in and create an FTP site:

1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Manager.
2. In the Internet Information Services snap-in, right-click your server object, point to New, and then click FTP Site.
3. When the FTP Site Creation Wizard starts, click Next.
4. On the FTP Site Description page, type your FTP site description in the Description box, and then click Next.
5. On the IP Address and Port Settings page, select the IP address that you are using, type the TCP port you are using (if it is different from the default port), and then click Next.
6. On the FTP Site Home Directory page, type the path to your home directory in the Path box, and then click Next.
7. On the FTP Site Access Permissions page, check the appropriate Read and/or Write permissions, and then click Next.
8. Click Finish, and then verify the creation of your FTP Site in the console tree.

Limit the number of connections

Administrators can use Internet Service Manager to limit the number of connections for the FTP services.

1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2. In the Internet Information Services snap-in, right-click your server object, click Properties, and then click the FTP Site tab.
3. Under Connection, click Limited To, and then type the maximum number of simultaneous connections that will be permitted to the server.
4. In the Connection Timeout box, type the length of time before the server disconnects an inactive user. This ensures that all connections are closed if the HTTP protocol cannot close a connection.
5. Click OK.

Configure anonymous or domain user access

You can use Internet Service Manager to configure logon requirements for the FTP service. If the FTP service is configured for anonymous logon, clients can log on with the user name "anonymous." Traditionally, anonymous FTP users log on by using their e-mail addresses as passwords. Note that Internet Explorer automatically logs on anonymously to all FTP servers that permit anonymous logon.

By default, FTP clients are also permitted to log on with a Windows NT user name and password with permissions to use that computer. You can use this feature to control every user's access permissions and file access on Windows NT File System (NTFS) drives.

Click to select the Allow anonymous only check box to prevent users from using user names. With this feature on, any account other than "anonymous" cannot log on. This is useful for security because only one account, the one that is assigned for anonymous logon, is permitted access, and intruders cannot try to gain access with the administrator account.

To configure the site for anonymous or Domain User access:

1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Manager.
2. In the Internet Information Services snap-in, right-click your server object, and then click Properties.
3. Click the Security Accounts tab, and then do either of the following:
   • Click to select the Allow Anonymous check box to allow users to be anonymously authenticated on your site.
   • Click to clear the Allow Anonymous check box if you want to extend FTP access to domain users only. Click to clear this check box and make sure user accounts exist for each person you want to authenticate.

Limit access to specific computers

You can set up an FTP site with different levels of access for different users. To limit access to only certain computers:

1. In the Internet Information Services snap-in, right-click your server object, and then click Properties.
2. Click the Directory Security tab, and then click Edit in the IP address and domain name restrictions section.
3. You can grant or deny access to all computers or subnets except those you specify. Note that on an NTFS file system, you can also use a single virtual directory and set the NTFS permissions to grant or deny different types of access to different Windows user accounts.

Troubleshooting

• If the newly-created FTP Site does not appear in the console tree, click Refresh on the Action menu.

REFERENCES