Setting up a secure FTP Server in Windows 2000

I'm using Windows 2000 Server SP4. I have IIS services enabled along with
the FTP server option. I need to have communications on this ftp server
secure. How can I make this a secure FTP server? Can I use SSL over the FTP
connection? Thanks in advance for your help.

Sparky
Fri Dec 10 09:51:50 CST 2004


"Sydem" <Sydem@discussions.microsoft.com> wrote in message
news:E5056102-84F1-40A8-97D8-8EB48CBE62D3@microsoft.com...
> I'm using Windows 2000 Server SP4. I have IIS services enabled along with
> the FTP server option. I need to have communications on this ftp server
> secure. How can I make this a secure FTP server? Can I use SSL over the
> FTP
> connection? Thanks in advance for your help.

No. There is no "secure FTP" if you are talking about something analagous
to HTTPS. FTP passwords are sent in PLAIN TEXT and can easily be sniffed.
Though sniffing an FTP session is not one of those higher probability
security issues, more likely it's spyware/trojans on the end users computer
that you would need to worry about.

Note however there are a number of after market solutions that would work...
as well as using WebDAV (which runs over HTTP and can be run over HTTPS),
you can also do things like restrict the IP addresses allowed to connect and
so on to make it more secure.

Keith
Fri Dec 10 10:32:51 CST 2004

Actually there is such a thing as Secure FTP (sftp), and it's part of the
ssh protocol suite. It works on ports 989 and 990 (rather than 20 and 21
with ftp). Don't think IIS supports it though (I could be wrong though, as I
don't actually use IIS's ftp on any of my servers), but there are plenty of
companies who produce sftp server and client apps which you could use, for
instance I use http://www.serv-u.com/, but there are plenty of others.

Keith

"Sparky Polastri" <jafiwam@MuNGEDyahoo.com> wrote in message
news:41b9c47a$1_3@newspeer2.tds.net...
>
> "Sydem" <Sydem@discussions.microsoft.com> wrote in message
> news:E5056102-84F1-40A8-97D8-8EB48CBE62D3@microsoft.com...
> > I'm using Windows 2000 Server SP4. I have IIS services enabled along
with
> > the FTP server option. I need to have communications on this ftp server
> > secure. How can I make this a secure FTP server? Can I use SSL over
the
> > FTP
> > connection? Thanks in advance for your help.
>
> No. There is no "secure FTP" if you are talking about something analagous
> to HTTPS. FTP passwords are sent in PLAIN TEXT and can easily be sniffed.
> Though sniffing an FTP session is not one of those higher probability
> security issues, more likely it's spyware/trojans on the end users
computer
> that you would need to worry about.
>
> Note however there are a number of after market solutions that would
work...
> as well as using WebDAV (which runs over HTTP and can be run over HTTPS),
> you can also do things like restrict the IP addresses allowed to connect
and
> so on to make it more secure.
>
>
>

Alun
Fri Dec 10 11:50:25 CST 2004

"Keith Langmead" <klangmead@nospam.kms.co.uk> wrote in message
news:eMgoQYt3EHA.3572@TK2MSFTNGP10.phx.gbl...
> Actually there is such a thing as Secure FTP (sftp), and it's part of the
> ssh protocol suite. It works on ports 989 and 990 (rather than 20 and 21
> with ftp). Don't think IIS supports it though (I could be wrong though, as
> I
> don't actually use IIS's ftp on any of my servers), but there are plenty
> of
> companies who produce sftp server and client apps which you could use, for
> instance I use http://www.serv-u.com/, but there are plenty of others.

There's some significant correction to be made to your post - please don't
take offence.

SFTP is not related to FTP. As you say, it _is_ part of the SSH protocol
suite, and we have no plans currently to support it.

FTPS, on the other hand, _is_ related to FTP. It's a relatively simple, yet
secure, adoption of SSL / TLS under the FTP protocol itself. This makes it
compatible across a wide range of FTP clients and servers, and it's
something we plan on including in the next version of IIS. There are
several third party clients and servers that already implement FTPS - it
would be inappropriate for me to recommend any of these, but I'm sure that
there are several people here with their own opinions. What's of interest
to IIS users currently is that there are 'wrappers' or proxies for FTPS to
FTP. You can use these to wrap an existing FTP server or FTP client to
provide FTPS capability.

You can find a detailed list of FTPS implementations - clients, servers, and
proxies - at http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

FTPS is the owner of port 990, but the use of port 990 has been deprecated.
It is far more appropriate to use port 21 and the AUTH commands to go from
FTP to FTPS.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.

Sydem
Fri Dec 10 13:17:04 CST 2004

Thanks so much everyone for your input. I see I have several options now.
Thank you.

"Alun Jones [MSFT]" wrote:

> "Keith Langmead" <klangmead@nospam.kms.co.uk> wrote in message
> news:eMgoQYt3EHA.3572@TK2MSFTNGP10.phx.gbl...
> > Actually there is such a thing as Secure FTP (sftp), and it's part of the
> > ssh protocol suite. It works on ports 989 and 990 (rather than 20 and 21
> > with ftp). Don't think IIS supports it though (I could be wrong though, as
> > I
> > don't actually use IIS's ftp on any of my servers), but there are plenty
> > of
> > companies who produce sftp server and client apps which you could use, for
> > instance I use http://www.serv-u.com/, but there are plenty of others.
>
> There's some significant correction to be made to your post - please don't
> take offence.
>
> SFTP is not related to FTP. As you say, it _is_ part of the SSH protocol
> suite, and we have no plans currently to support it.
>
> FTPS, on the other hand, _is_ related to FTP. It's a relatively simple, yet
> secure, adoption of SSL / TLS under the FTP protocol itself. This makes it
> compatible across a wide range of FTP clients and servers, and it's
> something we plan on including in the next version of IIS. There are
> several third party clients and servers that already implement FTPS - it
> would be inappropriate for me to recommend any of these, but I'm sure that
> there are several people here with their own opinions. What's of interest
> to IIS users currently is that there are 'wrappers' or proxies for FTPS to
> FTP. You can use these to wrap an existing FTP server or FTP client to
> provide FTPS capability.
>
> You can find a detailed list of FTPS implementations - clients, servers, and
> proxies - at http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
>
> FTPS is the owner of port 990, but the use of port 990 has been deprecated.
> It is far more appropriate to use port 21 and the AUTH commands to go from
> FTP to FTPS.
>
> Alun.
> ~~~~
> --
> Software Design Engineer, Internet Information Server (FTP)
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>

Theo
Sat Dec 11 00:47:38 CST 2004

Keith Langmead wrote:
> Actually there is such a thing as Secure FTP (sftp), and it's part of the
> ssh protocol suite. It works on ports 989 and 990 (rather than 20 and 21
> with ftp). Don't think IIS supports it though (I could be wrong though, as I
> don't actually use IIS's ftp on any of my servers), but there are plenty of
> companies who produce sftp server and client apps which you could use, for
> instance I use http://www.serv-u.com/, but there are plenty of others.
>
> Keith
>
This is not entirely correct. SFTP refers to two different things and
then there is FTPS:

- SSH Secure FTP (SFTP) is part of the SSH suite and simply uses port 22
(SSH).

- Simple FTP (also referred to SFTP) uses port 115.

- FTP over SSL (FTPS) uses ports 989 and 990:

ftps-data 989/tcp # FTP over SSL (data)
ftps 990/tcp # FTP over SSL


See further e.g. http://www.pantz.org/networking/tcpip/ports.shtml and
http://www.cites.uiuc.edu/security/winssh.html

regards
Theo