Securing FTP 7.0 with SSL and User Isolation
If you have been following our FTP 7.0 chronicles, in the first article we installed FTP Publishing Service for IIS 7.0 and configured it for anonymous access. For those with less public needs, the next article covers setting up FTP 7.0 User Authentication using both Windows authentication and IIS User Manager.
In this article we will cover adding additional layers of security to your FTP sessions.
Most administrators only worry about keeping data secure once it is on one of their servers. As the bad guys get more sophisticated every day, the need to keep data secure during transmission is no longer only for the realm of e-commerce sites.
By using SSL you can secure your FTP transmission from point to point to guard against interception of the data. There are several things that need to be done before we get to that point so let’s get started.
Our first order of business is to set up an SSL certificate on the IIS server. If you have experience with using SSL on a website for e-commerce or other uses, you know that you can issue this yourself or you can pay a 3rd party service to issue one.
The benefit of the 3rd party is their assurance that the person using the certificate is who they say they are, but in almost all cases this will not be necessary for FTPS use.
For this article I am going to issue a Self-Signed Certificate for our test server to use.
1. Open IIS Manager
2. Select the server you want to manage and then double click on Server Certificates
3. In the actions panel select Create Self-Signed Certificate
4. In the dialog window type in the name you want to use for the certificate. It can be whatever you wish; let’s use FTPSTEST. Then click OK
After a few seconds the dialog window will close and you will be able to see the self-signed certificate in the center window of the IIS Manager
How to Enable a FTP Site for SSL Usage
Now let’s go ahead and enable SSL on the FTP site.
If you want to know how to setup a FTP site refer back to either the article on installing FTP 7 or setting up User Authentication in FTP 7. I’m going to use the FTP site we already setup for the other articles, so please review them if needed.
1. Open IIS Manager
2. Select the FTP site you want to setup SSL for in the connections pane and then double click on FTP SSL Settings in the center pane
3. In the center pane, you can now select the certificate you created in the SSL Certificate dropdown
4. Under SSL Policy you have several options depending on your needs. For this walkthrough choose Custom and click on Advanced. The options are explained below:
- Allow SSL connections – Accepts SSL connections but does not require them
- Require SSL connections – Forces the client to use SSL by requiring it to establish a connection
- Custom – Allows you to define combinations of requirements for the SSL connection
5. In the Advanced SSL Policy dialog window we can make some specific requirements for both the Control Channel and the Data Channel
Control Channel has 3 options available:
- Allow – Allows encryption of the control channel but does not require it
- Require – Requires encryption of all aspects of the control channel
- Require only for credentials – Requires encryption for transmitting the username/password, but encryption is optional for the rest of the control channel data
Data Channel also has 3 options available:
- Allow – The client can choose to encrypt or not encrypt the data
- Require – The client is required to transmit the data over SSL
- Deny – The server refuses SSL for the data stream, so data connections are not encrypted
6. I am going to set the Control Channel to Require only for credentials, and the Data Channel to Allow.
This will ensure that all login credentials are encrypted, leaving the rest of the options up to the client. Click OK
7. Next go ahead and click on Apply in the actions pane
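The same certificate and SSL policy settings from the walkthrough above can be scripted, which is useful when you have several FTP sites or want to verify the policy later. The following is an added example, not code from the original article; it assumes a site named FTPSTEST (hypothetical), a placeholder host name, an elevated session on the IIS server, and the New-SelfSignedCertificate cmdlet (Windows Server 2012 and later; on older systems create the certificate in IIS Manager as described above and use its thumbprint instead).

```powershell
# Added example (not from the original article): script the certificate and the
# FTP SSL policy chosen in the walkthrough using the WebAdministration module.
# Assumptions: FTP site "FTPSTEST" (hypothetical), placeholder host name,
# elevated session on the IIS server.
Import-Module WebAdministration

$siteName = 'FTPSTEST'          # hypothetical site name
$hostName = 'ftp.example.com'   # placeholder subject name for the certificate

# 1. Create the self-signed certificate in the local machine store
#    (equivalent of "Create Self-Signed Certificate" in IIS Manager).
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'cert:\LocalMachine\My'

# 2. Bind the certificate to the FTP site and set the policy used in the article:
#    control channel = Require only for credentials, data channel = Allow.
#    controlChannelPolicy values: SslAllow, SslRequire, SslRequireCredentialsOnly
#    dataChannelPolicy values:    SslAllow, SslRequire, SslDeny
$sitePath = "IIS:\Sites\$siteName"
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertStoreName  -Value 'My'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequireCredentialsOnly'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# 3. Read the effective settings back so the change can be verified now and
#    audited later (for example, to confirm no site silently fell back to SslAllow
#    on the control channel).
Get-WebConfiguration -Filter "system.applicationHost/sites/site[@name='$siteName']/ftpServer/security/ssl" |
    Select-Object serverCertHash, serverCertStoreName, controlChannelPolicy, dataChannelPolicy
```

If you later decide that clients must encrypt everything, changing both policies to SslRequire is the scripted equivalent of choosing Require SSL connections in IIS Manager.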
This has now configured the FTP site to use SSL during its transmission of data. A quick note about FTP clients: not all FTP clients support FTPS, so make sure your users have one that does before you apply these settings.
Warning: As of this writing the native command line FTP that comes with Windows does NOT support SSL, so if you have scripts that rely on it for FTP, do not apply these settings.
How to Configure User Isolation in FTP 7 on IIS 7
Another option to help secure data on an FTP server is to have users log in to isolated directories that only they have access to. Beyond security, this also makes it easy to enforce user quotas and simplifies file and user administration.
Again, this example assumes that you have an FTP site and user authentication already set up. If you need help with that, please see the earlier articles in this series.
1. Open IIS Manager. Choose the FTP site you want to enable isolation for and then double click on FTP User Isolation in the center pane.
2. In the FTP User Isolation window you will have the following options to choose from:
- Do Not Isolate Users. Start users in:
  - FTP Root directory – All FTP sessions will start in the root directory for all users
  - User name directory – If a physical/virtual directory with the username exists the user will start there; if not, they will start in the root directory
- Isolate users. Restrict users to the following directory:
  - User name directory (disable global virtual directories) – This option isolates the users in the physical or virtual directories that match their usernames. The FTP user will not have access to global virtual directories with this option.
  - User name physical directory (enable global virtual directories) – With this option the users will be isolated to the physical directory that matches their username. The FTP user would have access to global virtual directories.
  - FTP home directory configured in Active Directory – This option places the FTP user in the directory set in the Active Directory account for that user.
I am going to set the Isolation to User name physical directory (enable global virtual directories) and click on Apply
The site is now set up for user isolation, which can be used with Basic Authentication or IIS Manager Users. All that is left is to create the home directories for the users.
How to Create Home Directories for FTP Users
For the server to place FTP users in their isolated directories, the directories have to be named and located in a specific way so the server can find them.
The layout depends on whether the account is a domain user or a local/IIS Manager User. Here are examples of the correct way to set them up:
- Local Windows or IIS Manager User: %FtpRoot%\LocalUser\%UserName%
- Windows Domain Accounts: %FtpRoot%\%UserDomain%\%UserName%
Note: %FtpRoot% is the root of the FTP site that you are managing.
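The isolation setting from the previous section and the directory layout described here go together, so the following added example (not code from the original article) scripts both: it sets the isolation mode chosen in the walkthrough and creates home directories in the layout the FTP service expects. It assumes a site named FTPSTEST (hypothetical) rooted at a placeholder path, an elevated session on the server, and the constructed sample accounts shown in the script; the NTFS permission step is an extra defense-in-depth measure not in the original steps.

```powershell
# Added example (not from the original article): set the isolation mode chosen in
# the walkthrough and create home directories in the expected layout.
# Assumptions: FTP site "FTPSTEST" (hypothetical), root C:\inetpub\ftproot
# (placeholder), elevated session; account names below are constructed samples.
Import-Module WebAdministration

$siteName = 'FTPSTEST'
$ftpRoot  = 'C:\inetpub\ftproot'

# "Isolate users / User name physical directory (enable global virtual directories)".
# The other mode values are None, StartInUsersDirectory, IsolateAllDirectories and
# ActiveDirectory, matching the IIS Manager options described above.
Set-ItemProperty "IIS:\Sites\$siteName" -Name ftpServer.userIsolation.mode -Value 'IsolateRootDirectoryOnly'

# Build the home path the FTP service looks for:
#   local Windows or IIS Manager user -> %FtpRoot%\LocalUser\%UserName%
#   Windows domain account            -> %FtpRoot%\%UserDomain%\%UserName%
function Get-FtpHomePath {
    param([string]$UserName, [string]$Domain = '')
    if ($Domain -eq '') { return Join-Path $ftpRoot "LocalUser\$UserName" }
    return Join-Path $ftpRoot "$Domain\$UserName"
}

# Constructed sample accounts. IsWindows records whether the account has a Windows
# identity; IIS Manager users do not, so no NTFS entry can be granted to them.
$accounts = @(
    @{ UserName = 'alice'; Domain = '';     IsWindows = $true  },  # local Windows user
    @{ UserName = 'bob';   Domain = '';     IsWindows = $false },  # IIS Manager user
    @{ UserName = 'carol'; Domain = 'CORP'; IsWindows = $true  }   # domain user
)

foreach ($acct in $accounts) {
    $path = Get-FtpHomePath -UserName $acct.UserName -Domain $acct.Domain
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    if ($acct.IsWindows) {
        # Defense in depth: remove inherited ACEs so that, independent of the FTP
        # isolation setting, only the owner (Modify), SYSTEM and Administrators
        # can reach this folder on disk.
        $principal = if ($acct.Domain -eq '') { $acct.UserName } else { "$($acct.Domain)\$($acct.UserName)" }
        icacls $path /inheritance:r /grant:r "${principal}:(OI)(CI)M" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
    }
}

# Verify the layout the service will use.
Get-ChildItem $ftpRoot -Recurse | Where-Object { $_.PSIsContainer } | Select-Object FullName
```

The script should list LocalUser\alice, LocalUser\bob and CORP\carol under the FTP root. With IsolateRootDirectoryOnly the users still see any global virtual directories you define on the site, which is why the NTFS permissions on each home folder are worth setting explicitly rather than relying on isolation alone.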
In this article we discussed two ways that you can make the FTP data on your server more secure both in storage and during transmission.
By using FTPS you can make sure your users only connect securely to the FTP site. With user isolation you can keep your users files separated for security and administration.
You can use both of these measures at the same time or independent of each other, whichever best suits your environment.