Best way to secure FTP IIS 5.0 Win2K
| Jo Winchester 2004-11-17, 7:48 am |
| We are reviewing network security and file transfers on our internal network.
We need to transfer files to & from Unix servers to Windows servers, and
have decided that FTP is our best approach.
Can anyone advise what is the best method of authentication from a security
point of view?
Anonymous - avoids the use of user names and passwords in batch files and
being transmitted across the network - but leaves source and destination file
shares fairly open
Anonymous not allowed - requires the use of user names and passwords, which
will need to be scripted in batch files, and sent across the network in clear
text - but does allow file shares to be locked down with NTFS permissions.
| |
| Jeff Cochran 2004-11-17, 7:48 am |
| On Wed, 17 Nov 2004 03:24:02 -0800, "Jo Winchester"
<JoWinchester@discussions.microsoft.com> wrote:
>We are reviewing network security and file transfers on our internal network.
>We need to transfer files to & from Unix servers to Windows servers, and
>have decided that FTP is our best approach.
>Can anyone advise what is the best method of authentication from a security
>point of view?
>Anonymous - avoids the use of user names and passwords in batch files and
>being transmitted across the network - but leaves source and destination file
>shares fairly open
>Anonymous not allowed - requires the use of user names and passwords, which
>will need to be scripted in batch files, and sent across the network in clear
>text - but does allow file shares to be locked down with NTFS permissions.
Well, which is better *for you*? Obviously, the best method of
authentication wouldn't be one where you don't authenticate at all,
but in your environment it may be acceptable or even advantageous.
Jeff
| |
| Jo Winchester 2004-11-17, 7:48 am |
| Can anyone point me in the direction of a clear document weighing up the pros
and cons of both approaches?
"Jeff Cochran" wrote:
> On Wed, 17 Nov 2004 03:24:02 -0800, "Jo Winchester"
> <JoWinchester@discussions.microsoft.com> wrote:
>
>
> Well, which is better *for you*? Obviously, the best method of
> authentication wouldn't be one where you don't authenticate at all,
> but in your environment it may be acceptable or even advantageous.
>
> Jeff
>
| |
| Jeff Cochran 2004-11-17, 5:50 pm |
| On Wed, 17 Nov 2004 05:39:01 -0800, "Jo Winchester"
<JoWinchester@discussions.microsoft.com> wrote:
>Can anyone point me in the direction of a clear document weighing up the pros
>and cons of both approaches?
I doubt you'd find one, but "CYA Securing IIS 6" has a decent chapter
on securing FTP sites. Applies to Server 2003/IIS6 but the ideas are
still the same.
Maybe Ken will point up a link to ordering it... 
There's always Amazon.com.
Jeff
| |
| Bernard 2004-11-18, 2:48 am |
| :-)
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:41a1cdf3.1650399318@msnews.microsoft.com...
> On Wed, 17 Nov 2004 05:39:01 -0800, "Jo Winchester"
> <JoWinchester@discussions.microsoft.com> wrote:
>
> I doubt you'd find one, but "CYA Securing IIS 6" has a decent chapter
> on securing FTP sites. Applies to Server 2003/IIS6 but the ideas are
> still the same.
>
> Maybe Ken will point up a link to ordering it... 
>
> There's always Amazon.com.
>
> Jeff
>
| |
| Bernard 2004-11-18, 2:48 am |
| I see both plans are more or less equal.
What you can do more is configure the IIS FTP server so that it is only
accepting connections from valid hosts (via IP restriction). Even with
anonymous you would set up different NTFS permissions, whereby you have one
upload and one download folder, eliminating the mess when one can read and
write at the same path. Next, since this is an internal network, it should be
'fairly' simple to implement a mini VPN between hosts to secure the entire FTP
communication.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Jo Winchester" <JoWinchester@discussions.microsoft.com> wrote in message
news:9B0E9E2F-D6A0-4717-8676-EB9F75F507B1@microsoft.com...
> Can anyone point me in the direction of a clear document weighing up the pros
> and cons of both approaches?
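The host restriction and the separate upload/download folders suggested in the last post can be checked after the fact against the FTP service log. The following is an added example, not part of the original thread: the log layout (W3C extended with the fields `time c-ip cs-method cs-uri-stem sc-status`), the host addresses and the folder name `/upload/` are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed values for illustration: the permitted Unix hosts and the upload folder.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.0.0.21/32", "10.0.0.22/32")]
UPLOAD = "/upload/"

# Constructed sample log; the field layout is an assumption about the server's logging setup.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
07:48:02 10.0.0.21 [1]USER anonymous 331
07:48:02 10.0.0.21 [1]PASS - 230
07:48:05 10.0.0.21 [1]created /upload/batch1.dat 226
07:50:11 10.0.0.22 [2]USER anonymous 331
07:50:14 10.0.0.22 [2]sent /download/report.csv 226
07:50:20 10.0.0.22 [2]sent /upload/batch1.dat 226
07:55:40 10.0.0.99 [3]USER anonymous 331
07:55:43 10.0.0.99 [3]created /download/x.exe 226
"""

def parse(log_text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            row = dict(zip(fields, line.split()))
            # cs-method looks like "[3]created": session id in brackets, then the verb
            sid, _, verb = row["cs-method"].partition("]")
            row["session"], row["verb"] = sid.lstrip("["), verb.lower()
            yield row

def audit(log_text):
    """Return (finding, client ip, path) tuples for lines that break the intended policy."""
    findings = []
    for r in parse(log_text):
        path = r["cs-uri-stem"].lower()
        ip = ipaddress.ip_address(r["c-ip"])
        # A login from a host outside the list means the IP restriction is not in effect.
        if r["verb"] == "user" and not any(ip in net for net in ALLOWED):
            findings.append(("unlisted-host", r["c-ip"], path))
        if r["sc-status"] != "226":
            continue  # only completed transfers are checked below
        # Completed transfers like these mean the folder permissions are too loose.
        if r["verb"] == "sent" and path.startswith(UPLOAD):
            findings.append(("read-from-upload", r["c-ip"], path))
        if r["verb"] == "created" and not path.startswith(UPLOAD):
            findings.append(("write-outside-upload", r["c-ip"], path))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```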