Windows 2000 includes an FTP service. Because it is simple to use and closely integrated with Windows itself, it is popular with the majority of users. But is an FTP server set up with IIS 5.0 really safe? Its default settings carry many security risks and make it an easy target for hackers. A few modifications make the FTP server more secure.
1. Cancel the anonymous access function
By default, the FTP server in Windows 2000 allows anonymous access. Although anonymous access makes it convenient for users to upload and download files, it also poses great security risks: users can access the FTP server, and even upload and download files, without applying for a valid account. FTP servers that store important information are especially prone to leaks, so it is recommended that users disable anonymous access.
In Windows 2000, click "Start→Programs→Administrative Tools→Internet Service Manager" to open the management console window. Then expand the local computer option on the left side of the window, and you will see the FTP server that comes with IIS 5.0. The following uses the default FTP site as an example to show how to disable anonymous access.
Right-click the "Default FTP Site" item and select "Properties" in the right-click menu. When the Default FTP Site Properties dialog box appears, switch to the "Security Account" tab, uncheck "Allow anonymous connections", and finally click the "OK" button. Users can then no longer access the FTP server with the anonymous account and must have a valid account.
2. Enable logging
Windows logs record all information about system operation, but many administrators do not pay enough attention to logging. To save server resources, they disable the FTP server's logging function, even though logging is absolutely necessary. The FTP server log records the access information of all users, such as access time, client IP address, and the login account used. This information is of great significance to the stable operation of the FTP server: once there is a problem with the server, you can view the FTP log, find the fault, and eliminate it in time. So be sure to enable FTP logging.
In the default FTP site properties dialog box, switch to the "FTP Site" tab and make sure the "Enable logging" option is selected so that you can view the FTP log records in the "Event Viewer".
3. Correctly set user access permissions
Each FTP user account has certain access rights, but unreasonable permission settings can also lead to security risks on the FTP server. For example, suppose the CCE folder on the server should give only the CCEUSER account read, write, modify, and list permissions, with all other users prohibited from accessing it. The system default settings still give other users read and list permissions on the CCE folder, so the access permissions for this folder must be reset.
Right-click the CCE folder, select "Properties" in the pop-up menu, then switch to the "Security" tab. First delete the Everyone user account, then click the "Add" button and add the CCEUSER account to the name list box. Next, select the Modify, Read and Run, List Folder Directory, Read and Write options in the "Permissions" list box, and finally click the "OK" button. In this way, the CCE folder can only be accessed by the CCEUSER user.
4. Enable disk quotas
Disk space on an FTP server is precious. Allowing users to use it without restriction will inevitably cause huge waste, so it is necessary to limit the disk space used by each FTP user. The following takes the CCEUSER user as an example and limits it to only 100M of disk space.
In the Explorer window, right-click the drive letter of the hard disk where the CCE folder is located, select "Properties" in the pop-up menu, then switch to the "Quota" tab and select the "Enable Quota Management" checkbox, which activates all the quota setting options on the "Quota" tab. To prevent some FTP users from occupying too much server disk space, be sure to select the "Reject disk space to users who exceed quota limits" check box.
Then select the "Limit disk space to" radio button in the "Select a default quota limit for new users on this volume" box, enter 100 in the field that follows, and select "MB" as the disk capacity unit. Next, set the warning level: enter "96" in the "Set warning level to" field and select "MB" as the capacity unit. This completes the default quota settings. In addition, select the "Log events when user exceeds quota limit" and "Log events when user exceeds warning level" check boxes to record quota alarm events in the Windows log.
Click the "Quota Item" button at the bottom of the quota tab to open the disk quota item dialog box, then click "Quota → New Quota Item" to bring up the user selection dialog box. After selecting the CCEUSER user, click the "OK" button, and then click "Add". In the "New Quota Item" dialog box, set the quota parameters for the CCEUSER user: select the "Limit disk space to" radio button, enter "100" in the field that follows, and then enter "96" in the "Set warning level to" field, with "MB" as the disk capacity unit for both. Finally, click the "OK" button to complete the disk quota setting. CCEUSER can then use only 100MB of disk space, and a warning is issued once usage exceeds 96MB.
5. TCP/IP access restrictions
To ensure the security of the FTP server, you can also deny access to certain IP addresses. In the default FTP site properties dialog box, switch to the "Directory Security" tab, select the "Authorize access" radio button, and then click the "Add" button in the "Except as listed below" box to open the "Deny the following access" dialog box. Here you can deny access to a single IP address or a group of IP addresses. Taking a single IP address as an example, select the "Single Machine" option, enter the IP address of the machine in the "IP Address" field, and finally click the "OK" button. The IP addresses added to the list cannot access the FTP server.
6. Reasonable settings of Group Policy
By modifying group policy items, you can also enhance the security of the FTP server. In Windows 2000 system, go to "Control Panel → Administrative Tools" and run the local security policy tool.
1. Audit account login events
In the local security settings window, expand "Security Settings → Local Policy → Audit Policy", then find the "Audit Account Login Events" item in the box on the right, double-click to open the item, select "Success" and "Failed" in the settings dialog box, and finally click the "OK" button. After this policy takes effect, every login of an FTP user will be recorded in the log.
2. Increase the complexity of account passwords
The passwords of some FTP accounts are too simple and may be cracked by "criminals". To improve the security of the FTP server, users must be forced to set complex account passwords.
In the local security settings window, expand "Security Settings → Account Policy → Password Policy", find the "Password must meet complexity requirements" item in the right frame, double-click to open it, select the "Enabled" radio button, and finally click the "OK" button.
Then, open the "Minimum password length" item and set the minimum character limit for the FTP account password. In this way, the security of the password is greatly enhanced.
3. Account login restrictions
Some illegal users use hacking tools to repeatedly log into the FTP server to guess account passwords. This is very dangerous, so it is recommended that you limit the number of account logins.
Expand "Security Settings → Account Policy → Account Lock Policy" in order, find the "Account Lock Threshold" item in the right frame, double-click to open it, and set the maximum number of account logins. If this value is exceeded, the account is automatically locked. Then open the "Account Lock Time" item and set how long the FTP account stays locked. Once the account is locked, it cannot be used again until this time has elapsed.
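As an added example (not part of the original article), the following Python sketch shows how the FTP log from step 2 can be reviewed for the password guessing described here, and for anonymous logins that should no longer succeed after step 1. It assumes the site writes W3C extended log files with the fields named in the "#Fields:" line; the log lines, IP addresses and the helper names parse and review_logins are constructed for illustration.

```python
from collections import defaultdict
# Constructed sample; field order is read from the "#Fields:" directive.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:14:02 192.0.2.10 [1]USER CCEUSER 331
09:14:03 192.0.2.10 [1]PASS - 530
09:14:05 192.0.2.10 [2]USER CCEUSER 331
09:14:06 192.0.2.10 [2]PASS - 530
09:14:08 192.0.2.10 [3]USER administrator 331
09:14:09 192.0.2.10 [3]PASS - 530
09:20:41 198.51.100.7 [4]USER anonymous 331
09:20:42 198.51.100.7 [4]PASS guest@example.test 230
09:31:17 203.0.113.5 [5]USER CCEUSER 331
09:31:18 203.0.113.5 [5]PASS - 230
"""

def parse(text):
    """Yield one dict per request line, keyed by the #Fields names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def review_logins(text, threshold=3):
    """Return ({ip: accounts tried} for noisy IPs, [(time, ip)] anonymous logins)."""
    user_of = {}                  # (ip, session id) -> account named in USER
    failures = defaultdict(list)  # ip -> accounts whose PASS was answered 530
    anonymous = []                # PASS answered 230 for an anonymous session
    for rec in parse(text):
        session, _, verb = rec["cs-method"].partition("]")
        key = (rec["c-ip"], session)
        if verb.upper() == "USER":
            user_of[key] = rec["cs-uri-stem"]
        elif verb.upper() == "PASS":
            account = user_of.get(key, "?")
            if rec["sc-status"] == "530":
                failures[rec["c-ip"]].append(account)
            elif rec["sc-status"] == "230" and account.lower() in ("anonymous", "ftp"):
                anonymous.append((rec["time"], rec["c-ip"]))
    noisy = {ip: a for ip, a in failures.items() if len(a) >= threshold}
    return noisy, anonymous

if __name__ == "__main__":
    print(review_logins(SAMPLE_LOG))
```

An address reported in the first result is a candidate for the deny list in step 5; any entry in the second result means anonymous connections are still allowed.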
After completing the above steps, the FTP server will be more secure, and there is no need to worry about illegal intrusion.