
Newbie needs advice on setting up FTP server


I am trying to get some advice on setting up an FTP server for my office. We have a Win2000 server, with a Netgear FVS 318 router.

I would like to have an FTP server for the following reasons:

A) Allow the company employees (5 total) to access our server from anywhere and d/l or u/l large files,

B) allow our clients same as above, except they can only u/l and/or d/l to their specific folder

C) allow our vendors same as "B" above,

I envision that for A, there would be full read/write access to the server, but for B and C, it would be folder specific to the logged in user.

Here are my questions:
1 - What software is required to setup FTP?

2 - What are the security issues?

3 - Is it possible to setup the FTP so that only certain individuals can see ALL the contents of the server, and then allow others Folder specific access?

My boss is very leery about FTP, and I have to convince him that it is safe, if it is configured properly.

He insists on using Go To My PC, which is fine, except not everyone has (or wants) GoToMyPC.

One last thing. If it will help the situation, we have been talking about upgrading to Win2003 server. Is that something you would also recommend?

Thanks in advance for your replies.

4 Solutions
1 - What software is required to setup FTP?
An FTP server comes with Windows 2000. Install IIS (Internet Information Services) and then you have an FTP server.

2 - What are the security issues?
As with anything else sent over the net, it isn't secure. If employees are going to be accessing this from home, I would highly recommend setting up a VPN for them to connect back to the office network, rather than opening up an FTP server open to everyone.

3 - Is it possible to setup the FTP so that only certain individuals can see ALL the contents of the server, and then allow others Folder specific access?

Yes, all you have to do is set NTFS permissions on the files/folders just as you normally do (by right-clicking the file/folder, choosing Properties and going to the Security tab).
Also right-click on your 'ftp server' in IIS and set up the appropriate security there.

Steve Knight, IT Consultancy, Commented:

Have a look here.  In addition to what has been said this site lists the typical permissions needed etc.  Each user that needs to log on to the FTP server needs the "logon locally" user right to your server.  You give this in local security policy under Administrative Tools, or if this is a domain controller then under domain controller policy.  If you can't find that please ask.

To have different people see different areas the easiest way is to use home directories using virtual directories (explained in link below).  You basically set up the FTP server to a blank or very public area and give nothing but some read rights if anything.  You then create virtual directories which match each username pointing to where you want them to go to and configure permissions in there using NTFS.  Turn off anonymous access if you don't need it at the FTP server level.


pelampe (Author) Commented:

With regard to #1, IIS is the ONLY software that can be used?  Is it easy to use and configure? If you are basing your answer on cost (or in this case - IIS doesn't cost anything), you should know that we would be willing to pay up to say $150 to purchase a good FTP program, which I have heard Filezilla is good (although it is also free).  So, would that change your answer any?

With regard to #2, you say FTP isn't secure.  Do you mean it CANNOT EVER be secure, or to make it secure, it would take a lot of difficult configuration?  VPN is OK as an option for us who work in the company, but I don't think it is viable for the "B" and "C" scenarios.  The FTP idea was actually MORE intended for the "B" and "C" scenarios than for the people who already work in the company.

With regard to #3, with these permissions set as you describe, would the FTP be then secure?  Or is this a different issue altogether?  What ARE the security issues with using an FTP server?
Steve Knight, IT Consultancy, Commented:
The FTP protocol isn't secure.  It is not encrypted and passwords are sent as plain text.  There are a number of security issues:

1. Permissions you give people, maybe not realising it.  These can be tied down easily as long as you follow advice, e.g. from the link I gave above, and also turn off anonymous access if you need to and restrict the members of the "log on locally" user right, which are the only people who can log on. Make sure any passwords are long and 'difficult' to guess.

2. Vulnerabilities in the software.  AFAIK no issues with FTP server on IIS, and if there were they would be patched by MS I guess.

3. Inherent vulnerability in that the protocol is unencrypted so technically anyone on a suitable bit of the internet *could* intercept your traffic. Not sure how likely that is when traffic probably goes only from your DSL line to your ISP through a few other ISPs and to the end user.

I suggest you don't use any administrative usernames to logon through FTP remotely for instance as the username and password would be sent in plain text over the internet.
There are secure FTP servers available, which implement encryption over the FTP connection. However, I think these are above your budget (the first two I've checked out, WS_FTP (http://www.ipswitch.com/products/ws_ftp-server/index.asp) and GlobalScape's FTP server (http://www.cuteftp.com/gsftps/secure_ftp_server.asp), are both in the $500 region).

As dragon-it mentioned, the other option is to secure the channel of communications using a VPN. Your FVS318 router will allow you to configure VPN accounts, which aren't too inconvenient to use for most of your clients/suppliers using Windows computers. You can also use your router to limit the source IP addresses or times of the day etc. that the FTP site is available.

I guess the question to answer with your boss, is what is acceptable security? Well configured FTP accounts combined with thorough maintenance of those directories & permissions will account for most potential problems except for interception of the traffic. In reality, is interception likely to be a big problem?
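
To make the plain-text point above concrete, here is an added example (not part of the original thread) that audits an FTP control-channel transcript and reports what a passive observer could read, treating a session as protected only after the server accepts `AUTH TLS` with reply 234 (RFC 4217). The transcripts, account names, passwords and the `ADMIN_NAMES` list are constructed for illustration.

```python
# Constructed sample sessions: "C:" is the client, "S:" the server, as seen on
# the FTP control connection (TCP port 21). Names and passwords are made up.
PLAIN_SESSION = """\
S: 220 FTP service ready
C: USER administrator
S: 331 Password required
C: PASS Winter-Example-1
S: 230 User logged in
C: QUIT
"""
# After reply 234 the remaining commands travel inside TLS; they are listed
# here only to show what the client sends logically.
TLS_SESSION = """\
S: 220 FTP service ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER clientA
C: PASS Summer-Example-2
"""
ADMIN_NAMES = {"administrator", "admin"}  # assumed list for this example

def audit_session(transcript):
    """Return findings a passive observer could make about one session."""
    encrypted = auth_pending = False
    user = None
    findings = []
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        verb, _, arg = text.strip().partition(" ")
        if side == "S":
            # Only reply 234 accepts the AUTH request; anything else
            # (e.g. 502) leaves the session in cleartext.
            if auth_pending and verb == "234":
                encrypted = True
            auth_pending = False
            continue
        verb = verb.upper()
        if verb == "AUTH":
            auth_pending = True
        elif verb == "USER":
            user = arg
            if not encrypted and arg.lower() in ADMIN_NAMES:
                findings.append(f"admin account '{arg}' logged on over cleartext FTP")
        elif verb == "PASS" and not encrypted:
            # Report the exposure without echoing the password itself.
            findings.append(f"password for '{user}' readable on the wire ({len(arg)} chars)")
    return findings
```
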

Steve Knight, IT Consultancy, Commented:
Why the B grade?

pelampe (Author) Commented:
Sorry Steve, I'm new to this whole thing. I should've given you all an A. My bad.  It kind of threw me off, when I was deciding on closing the question, I was more focused on the points and all. Again, please accept my humble apologies.