Solved

How to disable FTP access on Windows Server 2008?

Posted on 2010-11-13
Last Modified: 2012-05-10
How do I disable FTP access from Windows Server 2008?  The problem is users are able to access files via ftp from many programs via the "File > Open" command where they then type "ftp:\\..." etc to access files at a remote FTP site.

I want to prevent users from accessing files from any remote sites.  How do I do this?
Question by:deming
19 Comments

LVL 30

Expert Comment

by:renazonse
ID: 34128995
You can create a local firewall rule on all the machines, block it from the firewall, or create a group policy that blocks traffic on port 21.

Windows 7 and Server 2008 firewall rule command line:
netsh advfirewall firewall add rule name="BlockFTP" protocol=TCP dir=out remoteport=21 action=block

Or
use the Advanced Firewall configuration GUI to create a rule that blocks traffic outbound on port 21

Blocking access to port 21 on the firewall is the simplest method.
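As an added example, not code from the original thread: an outbound client connection to an FTP server uses an ephemeral local port (49152-65535 on Vista/2008 and later) and remote port 21, so an outbound rule keyed on `localport=21` only ever matches traffic leaving an FTP server on the same box. The script below, written for PowerShell 2.0 on Windows Server 2008 and wrapping `netsh advfirewall` (the `New-NetFirewallRule` cmdlets only arrived with Server 2012), creates outbound block rules keyed on the remote port instead. The rule names are arbitrary labels chosen here. Blocking the control channel is sufficient: both the active-mode data connection from server port 20 and passive-mode data connections to high ports are negotiated over the port-21 session, so neither can be set up once that session is blocked.

```powershell
# Added example (not from the original thread): block outbound FTP by REMOTE port.
# Uses netsh advfirewall because Windows Server 2008 / PowerShell 2.0 have no
# New-NetFirewallRule cmdlet. Rule names below are arbitrary labels chosen here.
$rules = @(
    @{ Name = 'Block outbound FTP control TCP-21';    Port = 21  },
    @{ Name = 'Block outbound FTPS implicit TCP-990'; Port = 990 }
)

foreach ($r in $rules) {
    # Delete any earlier copy so the script is safe to re-run ("No rules match" is harmless).
    netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null

    # dir=out with remoteport: the client side of an outbound FTP session uses an
    # ephemeral local port (e.g. 49183), so 'localport=21' would only ever match
    # traffic leaving an FTP *server* on this box, never a client connection.
    netsh advfirewall firewall add rule name="$($r.Name)" dir=out action=block `
        enable=yes profile=any protocol=TCP remoteport=$($r.Port)
}

# Block rules only apply while the firewall is enabled for the active profile, and
# the default outbound action is Allow, so an explicit block rule is required.
netsh advfirewall set allprofiles state on

# Show what was created (direction, remote port, action, profiles).
foreach ($r in $rules) {
    netsh advfirewall firewall show rule name="$($r.Name)"
}
```

The same two rules can be pushed through Group Policy (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules); the setting to get right in the wizard is "Remote port", not "Local port", for exactly the reason in the comment above.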

Author Comment

by:deming
ID: 34129019
If I block port 21, couldn't the user simply use a different port number?  For example, they could see another port that is enabled and use it instead?

How do I create the GPO policy to block traffic on port 21?
LVL 30

Expert Comment

by:renazonse
ID: 34129042
When accessing data using ftp:// the system will default to port 21, and 99.9% of standard FTP sites work over port 21. SFTP would be port 22 and FTPS 990.

This should help you create your GP to define the firewall rules on the machines:
http://technet.microsoft.com/en-us/library/bb490626.aspx

Author Comment

by:deming
ID: 34129091
Thank you for the GPO link.

I am trying to set it up via "Admin Tools > Windows Firewall with Advanced Security" where I have added:

Block port 20
Block port 21
Block port 22
Block port 990

in both the inbound and outbound rules applicable to everyone.

However, when I open Wordpad and do a "File > Open" and enter my FTP details:
ftp://username:password@ftpserver

It still opens the FTP site and allows me to browse the remote files.  That is what I need to prevent.

Author Comment

by:deming
ID: 34129136
Netstat -a does not show port 20,21,22, or 990 as open, but I am able to FTP from Wordpad "File>Open" with no problem.

Author Comment

by:deming
ID: 34129140
I can also FTP from command prompt with no problem.
LVL 30

Expert Comment

by:renazonse
ID: 34129147
You can also block the windows ftp application...I believe it's in system32

Author Comment

by:deming
ID: 34129172
I tried to change permissions on the System32\ftp.exe file but it says "Unable to save permission changes on ftp.exe. Access is denied."  I am logged in as Admin.
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34129586
It is a system file, so you need to remove this attribute.

From CMD:

attrib -s ftp.exe

then change the permissions.

Question: while you are opening a connection to ftp://, what does netstat show on the server? An established connection on port 21?
LVL 30

Expert Comment

by:renazonse
ID: 34130541
You can block the application using the firewall. Just set a program exception and point it to the FTP.exe. Just blocking the FTP application built into Windows doesn't stop the user from using FTP built into the browser. If you are still able to access FTP out with the ports blocked for FTP then something isn't right with the firewall config. In Windows 7 try going to the basic firewall settings and adding or changing the config from there and within the advanced config block it for all profiles.
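An added example, not from the thread, of the two ways to stop the built-in `ftp.exe` client mentioned above: a program-scoped firewall rule, and an NTFS deny on the binary. The "Access is denied" seen when editing the ACL in the GUI is expected even for an administrator, because files under System32 are owned by TrustedInstaller and grant Administrators only read and execute; taking ownership first with `takeown` (from an elevated prompt) clears that. Neither measure touches WordPad or Explorer, which open `ftp://` through the shell's own FTP support rather than by launching `ftp.exe`, so a port-based outbound rule is still needed alongside. Paths assume a default `%SystemRoot%`; the SysWOW64 copy exists only on x64 installs.

```powershell
# Added example (not from the thread): stop the built-in ftp.exe client specifically.
# Does NOT cover WordPad/Explorer, which use the shell's FTP support rather than ftp.exe,
# so keep a remote-port-21 outbound block rule as well.
$candidates = @("$env:SystemRoot\System32\ftp.exe", "$env:SystemRoot\SysWOW64\ftp.exe")
$ftpClients = $candidates | Where-Object { Test-Path $_ }   # SysWOW64 copy exists only on x64

foreach ($exe in $ftpClients) {
    # 1) Firewall: program-scoped outbound block (any port, any protocol, all profiles).
    $ruleName = "Block outbound ftp.exe - " + (Split-Path (Split-Path $exe -Parent) -Leaf)
    netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block `
        enable=yes profile=any program="$exe"

    # 2) NTFS: deny Execute. System32 binaries are owned by TrustedInstaller and grant
    #    Administrators read/execute only, which is why the GUI reports
    #    "Unable to save permission changes ... Access is denied" even as admin.
    #    Take ownership first (elevated prompt required), then add a deny ACE.
    #    Deny beats allow, and administrators are normally members of Users too,
    #    so this blocks them as well, which matches the goal of stopping all FTP.
    takeown /f $exe /a | Out-Null          # /a: ownership goes to the Administrators group
    icacls $exe /deny 'Users:(X)' | Out-Null

    icacls $exe   # show the resulting ACL; the deny entry is listed first
}
```

After this, running `ftp` from a command prompt fails with "Access is denied"; Windows Resource Protection may restore the original file during servicing, so re-check the ACL after patch cycles.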
LVL 6

Expert Comment

by:RootsMan
ID: 34130859
Do you need FTP on that server at all?
If not, can you remove the FTP Server role?

Author Comment

by:deming
ID: 34131282
I ran netstat as follows:
1) From cmd entered FTP
2) Entered UN and PW
3) Checked status from FTP prompt to ensure it showed "Connected to ...."
4) Opened second cmd window and entered "netstat -abn"
5) Reports:
ftp.exe using
          Local Addr       Foreign Addr
TCP ip1:49183            ip2:21
It also reports svchost.exe and Explorer.exe using the same local address on ports 49179 and 49181 and the same foreign address on port 21.

Does this mean my server is not using port 21 locally and that is why my blocking rules are not working?
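As an added example (not from the thread), a small PowerShell 2.0 function that does what the manual `netstat -abn` check above does: it parses `netstat -ano` and lists every process holding a TCP connection whose remote port is 21 or 990, resolving the PID column with `Get-Process`. The local-port column it prints is the ephemeral client port, which is the reason the answer to the question above is yes: a rule on local port 21 never matches these connections. The sample lines are constructed (RFC 5737 documentation addresses), not a real capture.

```powershell
# Added example (not from the thread): list every process that currently holds a TCP
# connection to a remote FTP control port. The PID column of 'netstat -ano' is resolved
# with Get-Process, which is faster than '-b' and needs no extra privilege for the lookup.
function Get-FtpConnection {
    param(
        [int[]]    $RemotePort  = @(21, 990),
        [string[]] $NetstatLine = (netstat -ano)   # or pass captured output for offline use
    )
    foreach ($line in $NetstatLine) {
        # Matches e.g.:  TCP    10.0.0.5:49183    198.51.100.7:21    ESTABLISHED    1234
        if ($line -notmatch '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') { continue }
        $rPort = [int]$matches[4]
        if ($RemotePort -notcontains $rPort) { continue }
        $procId = [int]$matches[6]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name   = 'unknown (exited)'
        if ($proc) { $name = $proc.ProcessName }
        New-Object PSObject -Property @{
            Process   = $name
            PID       = $procId
            LocalPort = [int]$matches[2]   # ephemeral: this is why a 'localport=21' rule never fires
            Remote    = "$($matches[3]):$rPort"
            State     = $matches[5]
        }
    }
}

# Constructed sample (RFC 5737 documentation addresses, not a real capture) so the parser
# can be exercised without a live FTP session:
$sample = @(
    '  TCP    10.0.0.5:49183    198.51.100.7:21     ESTABLISHED     1234',
    '  TCP    10.0.0.5:49193    198.51.100.7:21     ESTABLISHED     5678',
    '  TCP    10.0.0.5:3389     0.0.0.0:0           LISTENING       4',
    '  TCP    10.0.0.5:49201    203.0.113.9:443     ESTABLISHED     5678'
)
Get-FtpConnection -NetstatLine $sample | Format-Table Process, PID, LocalPort, Remote, State -AutoSize

# Live check while a WordPad "File > Open" ftp:// session is open:
# Get-FtpConnection | Format-Table -AutoSize
```

Run live while a WordPad `ftp://` session is open and the owning process shows up as `wordpad` (or `explorer`/`svchost` for the shell's folder view), never `ftp`, which is why a program rule on `ftp.exe` alone is not enough.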
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34131426
Do you want to deny the FTP client or the FTP server on the server?


Author Comment

by:deming
ID: 34131814
I want to stop all FTP activity. However, my original question is how to stop FTP access from applications' "File > Open" dialog.

For example:
1) Open WordPad
2) Click "File > Open"
3) Enter "ftp://username:password@ftp.server"

Voila, the user can now access files via FTP and download to the server.

Ideally I want to stop ALL FTP access to/from the server including from apps "File > Open" dialog.
LVL 6

Expert Comment

by:RootsMan
ID: 34131877
Do you need FTP services at all?
If not, can you remove the FTP Server role?

Author Comment

by:deming
ID: 34132115
No, I do not need FTP services at all. I checked and I do not have the FTP server role installed.  The only role installed is "Terminal Services".  I think the FTP server role is only for incoming connections. My problem is outgoing connections.

Author Comment

by:deming
ID: 34132122
Sulimanw, I want to stop both FTP client and server activity. I believe the current problem is FTP client activity. See my msg 11/14/10 01:57 PM, ID: 34131814 which describes the exact problem.

Author Comment

by:deming
ID: 34132132
renazonse,  I do not believe it is using the ftp.exe program. When I did my Wordpad test (see 11/14/10 01:57 PM, ID: 34131), netstat does not show ftp.exe as running.

Here is what netstat -anb shows:

Wordpad  TCP LocalIP:49193           ForeignIP:21

So it appears that FTP.exe is not running for Wordpad to use FTP services.

Also it appears that the local machine is not using port 21, rather the destination ForeignIP is using port 21.

LVL 23

Accepted Solution

by: Suliman Abu Kharroub (earned 500 total points)
ID: 34132777
If the FTP server role is not installed, then the server is not an FTP server (which means no one can upload files to this server by using the FTP protocol).

So, you need to block outbound FTP traffic:

From Windows Firewall with Advanced Security, create a new outbound rule to block port 21.

I have just tested it and it works.

[Attachments: ftp1.PNG, ftp2.PNG]
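An added example, not from the accepted answer, to confirm the outbound rule actually bites rather than trusting the wizard: "block port 21" in an outbound rule must be the remote port, and the cheapest end-to-end check is an outbound TCP connect that times out on 21 while unrelated traffic still flows. The script also turns on dropped-connection logging so each blocked attempt leaves a line in `pfirewall.log` for later review. `ftp.example.com` is an assumed placeholder; substitute any FTP server the host could reach before the rule was added.

```powershell
# Added example (not from the thread): prove the outbound block works and make drops visible.
function Test-TcpPortReachable {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A blocked outbound SYN never gets an answer, so the connect simply times out.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)      # throws on RST (refused) or any other failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Log dropped connections for all profiles so a blocked attempt leaves evidence.
$fwLog = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging filename "$fwLog"
netsh advfirewall set allprofiles logging droppedconnections enable

$target = 'ftp.example.com'   # assumed test host: replace with an FTP server you could reach before
"FTP control (21) reachable: $(Test-TcpPortReachable $target 21)"    # expect False once blocked
"HTTPS (443) reachable:      $(Test-TcpPortReachable $target 443)"   # unrelated traffic still flows

# pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
# so an outbound SYN to port 21 that the rule dropped shows up as a DROP TCP line
# whose dst-port field is 21:
Get-Content $fwLog |
    Where-Object { $_ -match '^\S+\s+\S+\s+DROP\s+TCP\s+\S+\s+\S+\s+\d+\s+21\s' } |
    Select-Object -Last 5
```

Repeat the WordPad "File > Open" `ftp://` test after running this; the dialog should now hang and then fail rather than listing the remote directory, and the corresponding DROP lines appear at the tail of the log.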