deming
asked on
How to disable FTP access on Windows Server 2008?
How do I disable FTP access from Windows Server 2008? The problem is users are able to access files via ftp from many programs via the "File > Open" command where they then type "ftp:\\..." etc to access files at a remote FTP site.
I want to prevent users from accessing files from any remote sites. How do I do this?
ASKER
If I block port 21, couldn't the user simply use a different port number? For example, they could see another port that is enabled and use it instead?
How do I create the GPO policy to block traffic on port 21?
When accessing data using ftp:// the system will default to port 21, and 99.9% of standard FTP sites work over port 21. SFTP would be port 22 and FTPS 990.
This should help you create your GP to define the firewall rules on the machines:
http://technet.microsoft.com/en-us/library/bb490626.aspx
ASKER
Thank you for the GPO link.
I am trying to set it up via the "Admin Tools> Windows Firewall with Advance Security" where I have added:
Block port 20
Block port 21
Block port 22
Block port 990
in both the inbound and outbound rules applicable to everyone.
However, when I open Wordpad and do a "File > Open" and enter my FTP details:
ftp://username:password@ftpserver
It still opens the FTP site and allows me to browse the remote files. That is what I need to prevent.
ASKER
Netstat -a does not show port 20,21,22, or 990 as open, but I am able to FTP from Wordpad "File>Open" with no problem.
ASKER
I can also FTP from command prompt with no problem.
You can also block the Windows FTP application... I believe it's in System32.
ASKER
You can block the application using the firewall. Just set a program exception and point it to the FTP.exe. Just blocking the FTP application built into Windows doesn't stop the user from using FTP built into the browser. If you are still able to access FTP out with the ports blocked for FTP then something isn't right with the firewall config. In Windows 7 try going to the basic firewall settings and adding or changing the config from there and within the advanced config block it for all profiles.
Do you need FTP on that server at all?
If not, can you remove the FTP Server role?
ASKER
I ran netstat as follows:
1) From cmd entered FTP
2) Entered UN and PW
3) Checked status from FTP prompt to ensure it showed "Connected to ...."
4) Opened second cmd window and entered "netstat -abn"
5) Reports:
ftp.exe using
Local Addr Foreign Addr
TCP ip1:49183 ip2:21
also reports svchost.exe and Explorer.exe using same local address on ports 49179, 49181 and same foreign address on ports 21.
Does this mean my server is not using port 21 locally and that is why my blocking rules are not working?
Do you want to deny the FTP client or the FTP server on the server?
ASKER
I want to stop all FTP activity. However, my original question is how to stop FTP access from applications "File>Open" dialog.
For example:
1) Open WordPad
2) Click "File > Open"
3) Enter "ftp://username:password@ftp.server"
Voila, the user can now access files via FTP and download to the server.
Ideally I want to stop ALL FTP access to/from the server including from apps "File > Open" dialog.
Do you need FTP services at all?
If not, can you remove the FTP Server role?
ASKER
No, I do not need FTP services at all. I checked and I do not have the FTP server role installed. The only role installed is "Terminal Services". I think the FTP server role is only for incoming connections. My problem is outgoing connections.
ASKER
Sulimanw, I want to stop both FTP client and server activity. I believe the current problem is FTP client activity. See my msg 11/14/10 01:57 PM, ID: 34131814 which describes the exact problem.
ASKER
renazonse, I do not believe it is using the ftp.exe program. When I did my Wordpad test (see 11/14/10 01:57 PM, ID: 34131), netstat does not show ftp.exe as running.
Here is what netstat -anb shows:
Wordpad TCP LocalIP:49193 ForeignIP:21
So it appears that FTP.exe is not running for Wordpad to use FTP services.
Also it appears that the local machine is not using port 21, rather the destination ForeignIP is using port 21.
ASKER CERTIFIED SOLUTION
Windows 7 and Server 2008 firewall rule command line:
netsh advfirewall firewall add rule name="BlockFTP" protocol=TCP dir=out localport=21 action=block
Or
use the Advanced Firewall configuration GUI to create a rule that blocks traffic outbound on port 21.
Blocking access to port 21 on the firewall is the simplest method.
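Added example, not part of the accepted answer or any post above. The asker's netstat output (ip1:49183 -> ip2:21) is the reason the earlier "Block port 21" rules did nothing: for an outbound FTP connection the server's own port is an ephemeral one (49183), and port 21 is the remote side's port. An outbound rule therefore has to match remoteport=21, not localport=21, and the same applies to 22 (SFTP) and 990 (implicit FTPS) mentioned above. The script below does that with the same netsh advfirewall command the answer uses, adds a program rule for the built-in ftp.exe client, and includes a small connectivity check. Rule names, the ftp.example.net host and the Test-TcpPort helper are my own choices; run it in an elevated PowerShell on the Server 2008 host. Note that Windows Firewall rules are per machine, not per user, and they only cover the FTP ports listed here; a user who finds an FTP site on a non-standard port, as the asker feared, is not stopped by this.

```powershell
# Added example (not the thread's own code). Requires an elevated prompt.
# Outbound FTP uses an ephemeral LOCAL port and a REMOTE port of 21, so the
# block rules are keyed on remoteport, not localport.

$portRules = @(
    @{ Name = 'Block-Out-FTP-21';   Port = 21  },   # FTP control channel
    @{ Name = 'Block-Out-FTPS-990'; Port = 990 },   # implicit FTPS
    @{ Name = 'Block-Out-SSH-22';   Port = 22  }    # SFTP runs over SSH
)

foreach ($r in $portRules) {
    # Delete any earlier copy first so re-running the script does not stack duplicates.
    netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null
    netsh advfirewall firewall add rule name="$($r.Name)" dir=out action=block `
        protocol=TCP remoteport=$($r.Port) remoteip=any profile=any enable=yes
}

# Also block the built-in command-line client by program path. WordPad and
# Explorer do not go through ftp.exe (netstat above showed wordpad.exe itself
# holding the socket), so this rule alone would not stop File > Open; the
# remoteport rules above are what stop it.
$ftpExe = Join-Path $env:SystemRoot 'System32\ftp.exe'
netsh advfirewall firewall delete rule name="Block-Out-ftp-exe" | Out-Null
netsh advfirewall firewall add rule name="Block-Out-ftp-exe" dir=out action=block `
    program="$ftpExe" profile=any enable=yes

# Verify: the output should list "RemotePort: 21", not "LocalPort: 21".
netsh advfirewall firewall show rule name="Block-Out-FTP-21"

# Functional check: a plain TCP connect to port 21 of a host you name. Once the
# outbound rule is active this returns $false; $ComputerName is a placeholder.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Test-TcpPort -ComputerName 'ftp.example.net' -Port 21
```

After running it, repeat the asker's own test (WordPad, File > Open, ftp://user:pass@host) and `netstat -anb`; no line with a foreign address ending in :21 should appear. Port 20 needs no outbound rule: in active-mode FTP the data connection comes inbound from the server's port 20, and it can only be set up once the control channel on 21 is open, so blocking 21 outbound removes both.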