FTP Security Features
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
When you install Windows Server® 2008, IIS 7 is not automatically installed. Instead, you must decide whether to install IIS 7. This is a security precaution to protect your computer from a Web-based virus or an attacker. In addition, the FTP 7.5 service must be downloaded and installed.
For added security, after you install FTP 7.5, your FTP server will have no FTP sites created. When creating a new FTP site, you must use at least one of the following security measures.
Authentication determines who can access resources on a Web server. FTP 7.5 supports the following challenge-based authentication methods:
Anonymous authentication (disabled by default)
Basic authentication (disabled by default)
FTP 7.5 also supports custom authentication, which allows using non-Windows user accounts. For example, FTP 7.5 includes custom authentication features for .NET Membership and IIS Managers.
Authorization rules determine which resources on a server a specific user can access. You can use FTP 7.5 to configure authorization rules that grant or deny specific users, groups of users, or roles access to sites, directories, or files on your server.
In FTP 7.5, you can set permissions to control how users interact with the content in your sites, directories, and files. For example, you might want users to be able to read files in a directory, but not write to files.
You can use FTP 7.5 to organize users into groups called roles. Roles let you perform security-related operations, such as authorization, for many users at the same time.
You can use FTP 7.5 to define which users will be allowed to access FTP content. Only user identities that are defined can access the content.
Certificates provide a way for users to make sure they are at the correct site before they transmit personal information, such as a credit card number. Certificates can also identify a user to a server. By using certificate mapping, you can map client certificates to one or more users. Another alternative is to use Active Directory certificate mapping.
IP and Domain Restrictions
You can allow or deny specific computer IP addresses or Windows domains to access the content on your Web server. In FTP 7.5, IP restriction lists can be configured to deny content access for a single computer, a group of computers, a domain, or all IP addresses and unlisted entries. Configuring restriction lists in this manner lets FTP 7.5 determine inheritance and merge IP restriction rules from multiple configuration levels.
When you want to restrict the types of FTP requests your server will process, you can configure FTP 7.5 to analyze specific criteria for each incoming request. In the past, this configuration was only possible for Web access. However, FTP 7.5 now incorporates this functionality for FTP access.
Secure Sockets Layer (SSL) helps secure communication between an FTP server and a client. If users send confidential information to your FTP server, you must use SSL. FTP 7.5 supports 40–bit and 128–bit SSL and lets you ignore, accept, or require client certificates on a per-FTP site basis.