
Install Internet Information Services and the FTP Service

Because FTP depends on Microsoft Internet Information Services (IIS), IIS and the FTP Service must be installed on the computer. To install IIS and the FTP Service, follow these steps.

NOTE: In Windows Server 2003, the FTP Service is not installed by default when you install IIS. If you already installed IIS on the computer, you must use the Add or Remove Programs tool in Control Panel to install the FTP Service.

1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. In the Components list, click Application Server, click Internet Information Services (IIS) (but do not select or clear the check box), and then click Details.
4. Click to select the following check boxes (if they are not already selected):
   - Common Files
   - File Transfer Protocol (FTP) Service
   - Internet Information Services Manager
5. Click to select the check boxes next to any other IIS-related service or subcomponent that you want to install, and then click OK.
6. Click Next.
7. When you are prompted, insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive or provide a path to the location of the files, and then click OK.
8. Click Finish.

IIS and the FTP service are now installed. You must configure the FTP Service before you can use it.

Configure the FTP Service

To configure the FTP Service to allow only anonymous connections, follow these steps:

1. Start Internet Information Services Manager or open the IIS snap-in.
2. Expand Server_name, where Server_name is the name of the server.
3. Expand FTP Sites.
4. Right-click Default FTP Site, and then click Properties.
5. Click the Security Accounts tab.

6. Click to select the Allow Anonymous Connections check box (if it is not already selected), and then click to select the Allow only anonymous connections check box.
7. When you click to select the Allow only anonymous connections check box, you configure the FTP Service to allow only anonymous connections. Users cannot log on by using user names and passwords.
8. Click the Home Directory tab.
9. Click to select the Read and Log visits check boxes (if they are not already selected), and then click to clear the Write check box (if it is not already cleared).
10. Click OK.
11. Quit Internet Information Services Manager or close the IIS snap-in.

The FTP server is now configured to accept incoming FTP requests. Copy or move the files that you want to make available to the FTP publishing folder for access. The default folder is drive:\Inetpub\Ftproot, where drive is the drive on which IIS is installed.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Install Internet Information Services

1. Select the optional components that you want to install. By default, the following components are selected:
   - Common Files
   - Internet Information Services Manager
   - World Wide Web Service
2. Click World Wide Web Service (but do not clear the check box), and then click Details to view the list of IIS optional subcomponents, such as the Remote Administration (HTML) Tool. Select the optional subcomponents that you want to install. By default, the following component is selected:
   - World Wide Web Service
3. Click OK, click OK, click OK, and then click Next to install the selected components.
4. Click Finish to complete the Windows Components Wizard, and then close the Add or Remove Programs dialog box.

Configure Anonymous Authentication

To configure anonymous authentication, follow these steps:

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Under ComputerName (local computer) (where ComputerName is the name of the server), right-click Web Sites, and then click Properties.
3. In the Web Sites Properties dialog box, click the Directory Security tab.
4. Under Authentication and access control, click Edit.
5. Click to select the Enable anonymous access check box (if it is not already selected).
   Note The user account in the User name box is used for anonymous access only, through the Windows guest account.

   By default, the server creates and uses the account IUSR_ComputerName. The anonymous user account password is used only by Windows. Anonymous users do not log on by using a user name and password.
6. Click OK two times.

Basic Web Site Configuration

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Under ComputerName (local computer), expand Web Sites.
3. Right-click Default Web Site, and then click Properties.
4. Click the Web Site tab. If you have multiple IP addresses assigned to your computer, click the IP address that you want to assign to this Web site in the IP Address list.
5. Click the Performance tab. Use these options to set the Web site properties that affect memory, bandwidth use, and the number of connections to the Web site. By configuring network bandwidth on a particular site, you can better control how much traffic there is at that site. For example, by restricting bandwidth on a lower-priority Web site, you can restrict bandwidth to allow increased access to other sites. Likewise, when you specify the number of connections to a Web site, you free resources for other sites. Settings are site-specific and you can adjust them as network traffic and use changes.
   - Click to select the Limit the network bandwidth available to this Web site check box to configure IIS to throttle network bandwidth to the amount selected in the Maximum bandwidth (in kilobytes per second) box.
   - Under Web site connections, click Unlimited to permit unlimited client connections to this Web site, or click Connections limited to and enter the number of connections you want to limit this Web site to. Limiting connections permits computer resources to be used for other processes.
   - Note Each client that browses the Web site typically uses about three connections.
6. Click the Home Directory tab.
   - If you want to use Web content that is stored on the local computer, click A directory located on this computer, and then type the path that you want in the Local path box. For example, the default path is C:\Inetpub\wwwroot. Note For added security, do not create Web content folders in the root folder.
   - If you want to use Web content that is stored on a different computer, click A share located on another computer, and then type the location that you want in the Network directory box that appears.
   - If you want to use Web content that is stored on another Web address, click A redirection to a URL, and then type the location that you want in the Redirect to box. Under The client will be sent to, click to select the appropriate check box.
7. Click the Documents tab. Note the list of documents that IIS can use as the default start document. If you want to use Index.html as your start document, you must add it. To do this, follow these steps:
   a. Click Add.
   b. In the Default content page box, type Index.html, and then click OK.
   c. Click the Move Up button until Index.html is displayed at the top of the list.
8. Click OK to close the Default Web Site Properties dialog box.
9. Right-click Default Web Site, and then click Stop.
10. Right-click Default Web Site, and then click Start.

The server is now configured to accept incoming Web requests to the default Web site. You can replace the content of the default Web site with the Web content that you want, or you can create a new Web site.

Creating and configuring FTP in Windows Server 2003:

In this article we'll walk you through the steps of creating FTP sites in Windows Server 2003 using both Internet Services Manager and scripts. The tutorial will also explain how to perform common administration tasks involving FTP sites and how to implement FTP User Isolation, a new feature of Windows Server 2003 that enables users to have their own separate FTP home directories.

In a previous article we saw that Internet Information Services 6 (IIS 6) is a powerful platform for building and hosting web sites for both the Internet and corporate intranets. IIS 6 is also equally useful for setting up FTP sites for either public or corporate use, and in this article we'll walk through the process of creating and configuring FTP sites using both the GUI (IIS Manager) and scripts included in Windows Server 2003. The specific tasks we'll walk through in this article are:

- Creating an FTP Site
- Controlling Access to an FTP Site
- Configuring FTP Site Logging
- Stopping and Starting FTP Sites
- Implementing FTP User Isolation

For sake of interest, we'll again explain these tasks in the context of a fictitious company called TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the Internet.

Preliminary Steps

As mentioned in the previous article, IIS is not installed by default during a standard installation of Windows Server 2003, and if you installed IIS using Manage Your Server as described in the previous article this installs the WWW service but not the FTP service. So before we can create FTP sites we first have to install the FTP service on our IIS machine. To do this, we need to add an additional component to the Application Server role we assigned our machine when we used Manage Your Server to install IIS. Begin by opening Add or Remove Programs in Control Panel and selecting Add/Remove Windows Components. Then select the checkbox for Application Server:

Click Details and select the checkbox for Internet Information Services (IIS):

Click Details and select the checkbox for File Transfer Protocol (FTP) Services.

Click OK twice and then Next to install the FTP service. During installation you'll need to insert your Windows Server 2003 product CD or browse to a network distribution point where the Windows Server 2003 setup files are located. Click Finish when the wizard is done.

Creating an FTP Site

As with web sites, the simplest approach to identifying each FTP site on your machine is to assign each of them a separate IP address, so let's say that our server has three IP addresses (172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the Human Resources department, but before we do that let's first examine the Default FTP Site that was created when we installed the FTP service on our machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on Default FTP Site and select Properties:

Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned. This means any IP address not specifically assigned to another FTP site on the machine opens the Default FTP Site instead, so right now opening either ftp://172.16.11.210, ftp://172.16.11.211 or ftp://172.16.11.212 in Internet Explorer will display the contents of the Default FTP Site. Let's assign the IP address 172.16.11.210 for the Human Resources FTP site and make D:\HR the folder where its content is located. To create the new FTP site, right-click on the FTP Sites node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a description for the site:

Click Next and specify 172.16.11.210 as the IP address for the new site:

Click Next and select Do not isolate users, since this will be a site that anyone (including guest users) will be free to access:

Click Next and specify C:\HR as the location of the root directory for the site:

Click Next and leave the access permissions set at Read only as this site will only be used for downloading forms for present and prospective employees:

Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now be seen in IIS Manager under the FTP Sites node:

To view the contents of this site, go to a Windows XP desktop on the same network and open the URL ftp://172.16.11.210 using Internet Explorer:

Note in the status bar at the bottom of the IE window that you are connected as an anonymous user. To view all users currently connected to the Human Resources FTP site, right-click on the site in Internet Service Manager and select Properties, then on the FTP Site tab click the Current Sessions button to open the FTP User Sessions dialog:

Note that anonymous users using IE are displayed as IEUser@ under Connected Users. Now let's create another FTP site using a script instead of the GUI. We'll create a site called Help and Support with root directory C:\Support and IP address 172.16.11.211:

Here's the result of running the script:

The script we used here is Iisftp.vbs, which like Iisweb.vbs and Iisvdir.vbs which we discussed in the previous article is one of several IIS administration scripts available when you install IIS on Windows Server 2003. A full syntax for this script can be found here. Once you create a new FTP site using this script you can further configure the site using IIS Manager in the usual way.

Note: At this point you could add structure to your FTP site by creating virtual directories, and this is done in the same way as was described in the previous article for working with web sites.

Controlling Access to an FTP Site

Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS permissions, IIS permissions, IP address restrictions, and authentication method. NTFS permissions are always your first line of defense but we can't cover them in detail here. IIS permissions are specified on the Home Directory tab of your FTP site's properties sheet:

Note that access permissions for FTP sites are much simpler (Read and Write only) than they are for web sites, and by default only Read permission is enabled, which allows users to download files from your FTP site. If you allow Write access, users will be able to upload files to the site as well. And of course access permissions and NTFS permissions combine the same way they do for web sites. Like web sites, IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, an IP address in a range of addresses, or a specific DNS name. These restrictions are configured on the Directory Security tab just as they are for web sites, and this was covered in the previous article so we won't discuss them further here. FTP sites also have fewer authentication options than web sites, as can be seen by selecting the Security Accounts tab:

By default Allow anonymous connections is selected, and this is fine for public FTP sites on the Internet but for private FTP sites on a corporate intranet you may want to clear this checkbox to prevent anonymous access to your site. Clearing this box has the result that your FTP site uses Basic Authentication instead, and users who try to access the site are presented with an authentication dialog box:

Note that Basic Authentication passes user credentials over the network in clear text, so this means FTP sites are inherently insecure (they don't support Windows integrated authentication). So if you're going to deploy a private FTP site on your internal network make sure you close ports 20 and 21 on your firewall to block incoming FTP traffic from external users on the Internet.

Configuring FTP Site Logging

As with web sites, the default logging format for FTP sites is the W3C Extended Log File Format, and FTP site logs are stored in folders named %SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the Microsoft Log Parser, part of the IIS 6.0 Resource Kit Tools, to analyze these FTP site logs.

Stopping and Starting FTP Sites

If an FTP site becomes unavailable you may need to restart it to get it working again, which you can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start. From the command-line you can type net stop msftpsvc followed by net start msftpsvc or use iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as any users currently connected to the site will be disconnected.

Implementing FTP User Isolation

Finally, let's conclude by looking at how to implement the new FTP User Isolation feature of IIS in Windows Server 2003. When an FTP site uses this feature, each user accessing the site has an FTP home directory that is a subdirectory under the root directory for the FTP site, and from the perspective of the user their FTP home directory appears to be the top-level folder of the site. This means users are prevented from viewing the files in other users' FTP home directories, which has the advantage of providing security for each user's files.

Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff Folders as the root directory for the site and 172.16.11.212 for the site's IP address. Start the FTP Site Creation Wizard as we did previously and step through it until you reach the FTP User Isolation page and select the Isolate users option on this page:

Continue with the wizard and be sure to give users both Read and Write permission so they can upload and download files. Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones), who have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP home directories on your server, first create a subfolder named \TESTTWO beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the \Accounts folder. Your folder structure should now look like this:

C:\Staff Folders
    \TESTTWO
        \bsmith
        \mjones

To test FTP User Isolation let's put a file named Bob's Document.doc in the \bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop, open Internet Explorer and try to open ftp://172.16.11.212, which is the URL for the Staff FTP site we just created. When you do this an authentication dialog box appears, and if you're Bob then you can enter your username (using the DOMAIN\username form) and password like this:

When Bob clicks the Log On button the contents of his FTP home directory are displayed:

Note that when you create a new FTP site using FTP User Isolation, you can't convert it to an ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly, an ordinary FTP site can't be converted to one using FTP User Isolation. We still need to explore one more option and that's the third option on the FTP User Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211. One way we can do this is by opening a command prompt and typing iisftp /delete "Help and Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again and select the third option mentioned above (we'll name this new site Management):

Click Next and enter an administrator account in the domain, the password for this account, and the full name of the domain:

Click Next and confirm the password and complete the wizard in the usual way. You'll notice that you weren't prompted to specify a root directory for the new FTP site. This is because when you use this approach each user's FTP home directory is defined by two environment variables: %ftproot%, which defines the root directory and can be anywhere including a UNC path to a network share on another machine such as \\test220\docs, and %ftpdir%, which can be set to %username% so that for example Bob Smith's FTP home directory would be \\test220\docs\bsmith and this folder would have to be created beforehand for him. You could set these environment variables using a logon script and assign the script using Group Policy, but that's beyond the scope of this present article.

What is FTP?

Short for File Transfer Protocol, the protocol for exchanging files over the Internet. FTP works in the same way as HTTP for transferring Web pages from a server to a user's browser and SMTP for transferring electronic mail across the Internet in that, like these technologies, FTP uses the Internet's TCP/IP protocols to enable data transfer. FTP is most commonly used to download a file from a server using the Internet or to upload a file to a server (e.g., uploading a Web page file to a server).

FTP is a TCP based service exclusively. There is no UDP component to FTP. There are two ways to communicate with FTP: active and passive. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always on port 20.

How does Active FTP work?

In active mode FTP the client connects from a random unprivileged port (port number > 1023) to the FTP server's command port, port 21. Then, the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

Firewall on Active FTP - what ports should be opened on server and client side? On the server, port 20 and port 21 must be opened; on the client (home user), ports higher than 1023 must be opened for a successful FTP connection and transfer of files.

How does Passive FTP work?

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (port number > 1023 and port number+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port (port number+1) to port P on the server to transfer data.

The passive FTP protocol is very good because a lot of connections on the Internet are over ADSL, cable... and clients use routers to connect to the Internet. Routers usually filter data so the active FTP protocol can not be used. This problem is solved with the passive file transfer protocol.

Firewall on Passive FTP - what ports should be opened on server and client side? On the server, port 21 and ports (port number > 1023) must be opened. On the client side no change is needed.

Setting active FTP on Windows IIS with Windows Firewall configuration

Ok. Now we know what passive and active FTP stand for and how they work. In the next steps I will show you how you can configure the IIS FTP server to use both active and passive FTP connections. First we install IIS and the FTP service. For that we go to: Control Panel - Add or Remove Programs - Add/Remove Windows Components

Installation of Internet Information Services

Under "Details" we must also install "File Transfer Protocol (FTP) Service".

Now we are halfway there. For FTP to work we also need to configure Windows Firewall. We find it under: Control Panel - Network Connections - select "Properties" on Local Area Connection

Example of Local Area Connection properties

We select "Advanced" and add port 20 and port 21.

example of adding (opening) port 21 in Windows Firewall

And that is it - we can now use active FTP to transfer files to our machine.

Setting passive FTP on Windows IIS6 and IIS7 with Windows Firewall

Passive FTP is a little bit more complicated, because we have to open ports: 21 and ports higher than 1023 (port number > 1023). Now here we can tweak our Windows FTP service a little bit. We can tell IIS what ports to use for passive FTP connections. So we can set the FTP port range, for example, to use only 20 ports for passive connections. So we start cmd (command prompt window), go to folder c:\Inetpub\AdminScripts and there we have the adsutil.vbs script to help us set the port range. The command line we use is:

adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5520"

example of setting passive FTP port range for 20 ports (5500-5520)
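The PORT and PASV exchanges described in the "How does Active/Passive FTP work?" section above, and the PassivePortRange just set with adsutil.vbs, are tied together in this added example (not code from either tutorial): it decodes the h1,h2,h3,h4,p1,p2 form that a client's PORT command and the server's 227 reply to PASV carry, checks whether the port the server advertised actually falls inside the 5500-5520 range the firewall was opened for, and lists the server-side ports each mode needs according to the page. The addresses and replies are constructed samples.

```python
"""Decode FTP data-connection endpoints and check them against the configured
passive port range. Added example; the sample addresses and replies are made up.
"""
import re
from dataclasses import dataclass

# Range set on the page with: adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5520"
PASSIVE_PORT_RANGE = (5500, 5520)
SERVER_DATA_PORT = 20      # active mode: the server connects out from port 20
SERVER_CONTROL_PORT = 21   # both modes: the client connects in to port 21

# h1,h2,h3,h4 = IPv4 address, p1,p2 = port as p1*256 + p2 (RFC 959 encoding)
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?\(" + _SIX + r"\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int
    mode: str  # "active" (server connects to client) or "passive" (client connects to server)


def _decode(groups):
    """Validate the six numbers and turn them into (dotted address, port)."""
    octets = [int(g) for g in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("h1-h4 and p1,p2 must each be 0-255")
    return ".".join(map(str, octets)), p1 * 256 + p2


def parse_port_command(line: str) -> DataEndpoint:
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2': where the server must connect back to."""
    m = _PORT_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataEndpoint(host, port, "active")


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)': where the client connects."""
    m = _PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    host, port = _decode(m.groups())
    return DataEndpoint(host, port, "passive")


def encode_host_port(host: str, port: int) -> str:
    """Inverse of _decode: the h1,h2,h3,h4,p1,p2 form a client puts in its PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"{host.replace('.', ',')},{port // 256},{port % 256}"


def pasv_within_configured_range(line: str, rng=PASSIVE_PORT_RANGE) -> bool:
    """True when the port the server advertised lies inside the range opened on the firewall.
    A False here means a client would be able to log in but every transfer would hang."""
    ep = parse_pasv_reply(line)
    lo, hi = rng
    return lo <= ep.port <= hi


def server_ports_to_open(mode: str) -> set:
    """Server-side ports the page says to open for each mode (passive uses the range above)."""
    if mode == "active":
        return {SERVER_DATA_PORT, SERVER_CONTROL_PORT}
    if mode == "passive":
        lo, hi = PASSIVE_PORT_RANGE
        return {SERVER_CONTROL_PORT, *range(lo, hi + 1)}
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed exchange: client at 172.16.11.50 listening on 1234 (active mode)
    print(parse_port_command("PORT 172,16,11,50,4,210"))
    # Constructed 227 reply from the server at 172.16.11.210 advertising port 5500
    reply = "227 Entering Passive Mode (172,16,11,210,21,124)."
    print(parse_pasv_reply(reply), "in range:", pasv_within_configured_range(reply))
    print(sorted(server_ports_to_open("passive")))
```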

(Screenshots: the WScript window shown when the script is not run under CScript, and the message that CScript was registered successfully.)

If CScript is not registered with VBScript then we let it register. Now all that is left for us is to restart the FTP service under IIS Control Panel and open ports 5500, 5501, 5502 ... 5520.

The list of ports enabled in Windows should look something like this.

This tutorial can be used with Windows Server 2003, Windows Server 2000, Windows XP and Windows XP Professional. If you find this tutorial to be useful please add a link to it http://www.velikan.net/iis-pasiveftp so other people will also find this tutorial page.

FTP [File Transfer Protocol] is one of the oldest and most popular services found on the Internet today. Serving as an easy and effective method by which to transfer files over a network, FTP has become a standard that is both accepted and widely accessible to users across almost every network and operating system in use today. Windows 2000 comes with an FTP server as a part of IIS 5.0. Installed as a stand-alone service, it is very rich in features. When combined with the other resources available inside Windows 2000 Server, administrators are empowered with different options that can help make an FTP site more secure. Having said that, we will examine 10 options available natively in Windows 2000 that can be used to secure an FTP site. Some are pretty obvious but some are creative approaches that aren't readily thought of by administrators. In addition to the tips below, add-on services such as VPNs or SSH are things to consider since there is the pesky issue of sending passwords clear text over the wire.

TIP # 1: Disable Anonymous Access.

Anonymous access is enabled by default when you first install FTP services in Windows 2000. Anonymous Access is a method by which any user can gain access to your FTP site without the need of a user account. There are some customer facing services that can be served effectively by Anonymous FTP sites, but the majority of the time allowing anonymous access will result in the eventual hijacking of your site by individuals wanting to host illegal files and copyrighted material. By removing the capability for anonymous access, you are essentially limiting access to your FTP site to successful authentication by a predefined user account. Access controls are then configured by the use of ACLs [access control lists] defined on the FTP home directory using NTFS permissions.

Figure 1: To restrict anonymous access to your FTP site, simply clear the Allow Anonymous Connections box in the Security Accounts tab of the FTP site's properties page.

TIP # 2: Enable Logging.

By enabling logging on your FTP site, you can ensure that you will have an accurate record of which IP addresses and users accessed your site. Maintaining a practice of routine log review can enable you to assess your traffic patterns and identify any security threats and/or breaches.
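As an added example of the routine log review this tip calls for (not code from the article), the script below reads an FTP log in the W3C Extended format IIS writes for the FTP service, in which the cs-method column carries the session number in brackets and sc-status is the FTP reply code, and pulls out two things a reviewer wants first: source addresses with repeated failed logons (530 on PASS) and sessions that logged on anonymously despite Tip 1. The log lines, the addresses and the failure threshold of three are constructed assumptions, not values from the page.

```python
"""Review an IIS FTP W3C Extended log for failed and anonymous logons.
Added example; the sample log below is constructed, not a real capture.
"""
import re
from collections import Counter

# Constructed sample in the W3C Extended layout IIS uses for MSFTPSVC logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-10 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2004-05-10 09:00:01 172.16.11.50 - [1]USER bsmith 331 0
2004-05-10 09:00:02 172.16.11.50 bsmith [1]PASS - 230 0
2004-05-10 09:00:05 172.16.11.50 bsmith [1]sent /Bob's+Document.doc 226 0
2004-05-10 09:01:00 203.0.113.7 - [2]USER anonymous 331 0
2004-05-10 09:01:01 203.0.113.7 IEUser@ [2]PASS IEUser@ 230 0
2004-05-10 09:02:10 203.0.113.9 - [3]USER administrator 331 0
2004-05-10 09:02:11 203.0.113.9 - [3]PASS - 530 1326
2004-05-10 09:02:12 203.0.113.9 - [3]PASS - 530 1326
2004-05-10 09:02:13 203.0.113.9 - [3]PASS - 530 1326
2004-05-10 09:02:14 203.0.113.9 - [3]PASS - 530 1326
2004-05-10 09:05:30 172.16.11.51 - [4]USER mjones 331 0
2004-05-10 09:05:31 172.16.11.51 - [4]PASS - 530 1326
2004-05-10 09:05:40 172.16.11.51 mjones [4]PASS - 230 0
"""

_METHOD = re.compile(r"^\[(\d+)\](\w+)$")   # "[3]PASS" -> session 3, command PASS


def parse_w3c(text):
    """Turn a W3C Extended log into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # header may repeat when the format changes
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        m = _METHOD.match(rec["cs-method"])
        if not m:
            raise ValueError(f"unexpected cs-method: {rec['cs-method']!r}")
        rec["session"] = int(m.group(1))
        rec["command"] = m.group(2).upper()
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def failed_logons_by_ip(records):
    """530 in reply to PASS means the logon failed; count failures per source address."""
    return Counter(r["c-ip"] for r in records
                   if r["command"] == "PASS" and r["sc-status"] == 530)


def brute_force_sources(records, threshold=3):
    """Addresses at or above the failure threshold (the log-side view of Tip 10's lockout)."""
    return sorted(ip for ip, n in failed_logons_by_ip(records).items() if n >= threshold)


def anonymous_logons(records):
    """Sessions where USER anonymous (or ftp) was followed by 230 (logged in) on PASS."""
    attempted, hits = {}, []
    for r in records:
        key = (r["c-ip"], r["session"])
        if r["command"] == "USER":
            attempted[key] = r["cs-uri-stem"].lower()
        elif r["command"] == "PASS" and r["sc-status"] == 230:
            if attempted.get(key) in ("anonymous", "ftp"):
                hits.append((f"{r['date']} {r['time']}", r["c-ip"], r["cs-username"]))
    return hits


def review(text, threshold=3):
    """One-shot summary a reviewer can diff from day to day."""
    records = parse_w3c(text)
    return {
        "failed_by_ip": dict(failed_logons_by_ip(records)),
        "brute_force_sources": brute_force_sources(records, threshold),
        "anonymous_logons": anonymous_logons(records),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a real log, pass the contents of a file from the MSFTPSVCnnnnnnnnnn folder named earlier to review() instead of SAMPLE_LOG.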

Figure 2: To enable logging of your FTP site, check the Enable Logging box in the FTP Site tab found in the properties page of the FTP site. Log files are then created in a format of your choosing and can be reviewed later for analyzing traffic patterns and access controls.

TIP # 3: Harden your ACLs.

Access to your FTP directory should be regulated utilizing ACL restrictions across NTFS permissions. This cannot be stressed enough. Your FTP directory should not have the Everyone group with full rights as this will limit your ability to control the user groups that have access into your FTP site.

Figure 3: Typically you would want to restrict this group to Read, Write, and List only [no Execute], but in the case of a blind put configuration (read below) you should also deny Read and List and only have Write access on your directory.

TIP # 4: Set up your FTP site as a Blind Put.

If you only need your users to transfer files to your server and not transfer files from your server, consider configuring your FTP site as a blind put. What this means is that users are allowed to write files without having the ability to read from your FTP directory. This will protect the contents of your FTP site in case an unauthorized user gets access to your FTP directory. Configuring blind puts should be done both at the FTP site and on the directory's NTFS permissions.

Figure 4: shows you how to remove Read access to your FTP site using the Home Directory tab found in the properties page of the site.

TIP # 5: Enable Disk Quotas.

Windows 2000 comes with a handy utility that allows for the enforcement of disk quotas. Disk quotas can effectively limit the amount of disk space a user can have ownership of. By default, ownership is granted to whichever user wrote the file. By enabling disk quotas and checking "deny disk space to users exceeding disk quota", you can effectively limit the possible damage caused in case your FTP site gets hijacked. One worst-case scenario is the abuse of an FTP site to the point that the disk fills up. This of course can have disastrous consequences for other services that might share the partition with the FTP site. Also, by limiting the amount of disk space each FTP user can have, your site becomes an unattractive target for hackers looking for someplace to share their media files.

Figure 5: Enable quota management using the Quota tab found in the properties window of an NTFS disk partition. The use of disk quotas is limited to NTFS partitions. Furthermore, quotas can only be placed on a per-user basis and cannot be assigned to groups.

Figure 6: Quota management can be configured on a per-user basis. Limits should be set on the user accounts used for FTP access.

TIP # 6: Use Logon Time Restrictions.

Windows 2000 carries over from NT 4.0 days the ability to restrict the logon hours of specific users. This option allows for a user to be limited to specific hours of the day in which he can log on. This can be used creatively to limit access to your FTP site to only times that are authorized. If for instance you are using this FTP site in an enterprise environment for business use, you could assess your availability needs to be limited to working hours. By denying logon during after hours, you would effectively shut down and secure your FTP site for most of the calendar day.

Figure 6: The configuration of logon times in Windows 2000 can be found in Active Directory Users and Computers under the user property page. From the command line:

net user <UserName> /times:

* Local user accounts cannot be configured for logon times through the Local Users and Groups console as this option is not available in the GUI.

TIP # 7: Restrict Access by IP.

Windows 2000 FTP can be restricted to specific IP addresses. By limiting access to your FTP site to known entities, you can drastically reduce your exposure to unauthorized access.

Figure 7: To restrict FTP access via IP, use the Directory Security tab found in the properties pages of the FTP site. Make sure that the default Denied Access check box is selected and that only trusted IP addresses are listed in the list box.

TIP # 8: Audit Logon Events.

By enabling the auditing of Account Logon Events, you can review success/fail attempts to your FTP site in the Security Log of the Event Viewer. Frequent review of this log can alert you to suspicious activity that could be a malicious user trying to hack in. It can also be used as an effective method for intrusion detection by giving you a historical look into your FTP site's usage.

Figure 8: Audit Account Logon Events can be turned on by using the Local Security Policy configuration tool. Navigate to the local policies/audit policy container and change the local setting to reflect Success, Failure. *Using Active Directory, Audit Account Logon Events can also be configured using Group Policies.

TIP # 9: Enable Strong Password Requirement.

Using complex passwords is a good security practice whenever you are dealing with end user authentication. In the case of FTP, it can be a crucial component in securing your site. Windows 2000 allows for administrators to force users to comply with strong password requirements. By enabling the Passwords Must Meet Complexity Requirements field in Local Security Policy or Group Policy, FTP user accounts will be forced to adhere to the following restrictions when selecting their passwords:

- Must not contain all or part of the user's account name
- Must be at least 6 characters in length
- Contain characters from 3 of the following 4 categories:
  - English uppercase characters (A - Z)
  - English lowercase characters (a - z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters (e.g., !, $, #, %)
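The three rules just listed, written out as a check an administrator could run over proposed FTP account passwords before creating the accounts (added example, not code from the article). The "part of the account name" rule is implemented the way the Windows complexity filter documents it: the whole account name is matched if it is at least three characters long, and the display name is split on commas, periods, dashes, underscores, spaces, pound signs and tabs into tokens of three or more characters; that tokenisation and the sample names are assumptions beyond what the page states.

```python
"""Check candidate passwords against the complexity rules listed on the page.
Added example; the account names used below are constructed.
"""
import re

MIN_LENGTH = 6                                  # the page's stated minimum
_DELIMS = re.compile(r"[,.\-_ #\t]+")           # display-name token delimiters (Windows filter)


def _categories(password):
    """How many of the four character categories the password uses."""
    return sum([
        any("A" <= c <= "Z" for c in password),      # English uppercase
        any("a" <= c <= "z" for c in password),      # English lowercase
        any("0" <= c <= "9" for c in password),      # base 10 digits
        any(not c.isalnum() for c in password),      # non-alphanumeric
    ])


def _name_tokens(account_name, display_name):
    """Name fragments the password must not contain (case-insensitive)."""
    tokens = set()
    if len(account_name) >= 3:                      # whole account name only
        tokens.add(account_name.lower())
    for tok in _DELIMS.split(display_name or ""):   # display name split into tokens
        if len(tok) >= 3:                           # tokens under 3 chars are ignored
            tokens.add(tok.lower())
    return tokens


def complexity_failures(password, account_name, display_name=""):
    """Return the list of rules the password breaks; an empty list means it passes."""
    failures = []
    lowered = password.lower()
    for tok in sorted(_name_tokens(account_name, display_name)):
        if tok in lowered:
            failures.append(f"contains part of the account name: {tok!r}")
            break
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if _categories(password) < 3:
        failures.append("fewer than 3 of the 4 character categories")
    return failures


def meets_complexity(password, account_name, display_name=""):
    return not complexity_failures(password, account_name, display_name)


if __name__ == "__main__":
    # Constructed accounts matching the names used earlier on this page
    for pw in ("Tr0ub4dor!", "bsmith2004!", "Smith#99x", "password", "Ab1!"):
        print(f"{pw!r:14} -> {complexity_failures(pw, 'bsmith', 'Bob Smith') or 'ok'}")
```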

Figure 9: Passwords must meet complexity requirements can be enabled by using the Local Security Policy configuration tool. Navigate to the local policies/Account Policies/Password Policy container and change the setting to reflect Success, Failure. *Using Active Directory, passwords must meet complexity requirement can also be configured using Group Policies.

TIP # 10: Enable Account Lockout and Account Lockout Threshold.

FTP accounts are pretty popular targets for password cracker programs that run through an exhaustive list of passwords in an attempt to guess, or crack, account access. Windows 2000 security policies allow administrators to lock down the number of times failed logins can be attempted before an account is locked out. By enabling this option and configuring the threshold, administrators can limit their exposure to password crackers.

Figure 10: Account Lockout Duration and Threshold options can be configured by using the Local Security Policy configuration tool. Navigate to the local policies/Account Policies/Password Policy container and change the setting to reflect Success, Failure.
