Securing FTP Sites with IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008

FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid user name and password combination prior to granting access. Be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All credentials are sent across the network in plaintext. In other words, all FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server. The risk of plaintext credentials is that someone other than the intended users could log on to FTP and download the files you have placed there. If you intend to place sensitive data on your FTP site or if secure communication between clients and your FTP server is important, consider using FTP over an encrypted channel such as a Virtual Private Network secured with Point-to-Point Tunneling Protocol or Secure Internet Protocol (IPSec). You should also consider using WebDAV, which utilizes Secure Sockets Layer (SSL).
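One way to check that FTP logons really arrive only over the encrypted channel is to review the FTP service log for successful logons from addresses outside the VPN address pool. The following is an added example, not code from the original page or from Microsoft; the pool `10.8.0.0/24`, the function name, the field layout, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address pool handed to VPN clients (constructed value).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
NEEDED = {"time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"}

# Constructed sample in a W3C extended layout; a real log may enable other fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-15 09:00:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:00:01 10.8.0.14 [1]USER alice 331
09:00:01 10.8.0.14 [1]PASS - 230
09:02:40 203.0.113.77 [2]USER bob 331
09:02:41 203.0.113.77 [2]PASS - 230
09:05:10 203.0.113.90 [3]USER carol 331
09:05:11 203.0.113.90 [3]PASS - 530
"""

def logons_outside_tunnel(log_text, tunnel_net=VPN_POOL):
    """Return (time, client_ip, user) for each successful logon from outside tunnel_net."""
    fields, pending, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # follow the header instead of hard-coding columns
            continue
        parts = line.split()
        # Skip directives, blank or truncated lines, and logs missing a needed field.
        if line.startswith("#") or not NEEDED <= set(fields) or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        session, _, verb = rec["cs-method"].partition("]")  # "[2]PASS" -> "[2", "PASS"
        key = (rec["c-ip"], session)
        if verb == "USER":
            pending[key] = rec["cs-uri-stem"]  # remember the name until PASS is answered
        elif verb == "PASS" and rec["sc-status"] == "230":  # 230 = user logged in
            try:
                outside = ipaddress.ip_address(rec["c-ip"]) not in tunnel_net
            except ValueError:
                continue  # unparsable client address
            if outside:
                findings.append((rec["time"], rec["c-ip"], pending.get(key, "?")))
    return findings

if __name__ == "__main__":
    for when, ip, user in logons_outside_tunnel(SAMPLE_LOG):
        print(f"{when} plaintext FTP logon outside the tunnel: {user} from {ip}")
```

Any logon it reports means that account's password crossed the network in plaintext and should be treated as exposed.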

Warning

FTP sites or virtual directories that are configured to use Active Directory isolation or FTP load balancing should not be mapped to physical directories that are used for Web sites that use FrontPage® Server Extensions from Microsoft. Doing so can allow users to view any files in that folder structure over the network.

  • For information about installing the FTP service, see FTP Site Setup.

  • To learn how to set up a private network over the Internet using Point-to-Point Tunneling Protocol (PPTP) or how to set up secure IP communications with a Virtual Private Network (VPN) and IPSec, see "PPTP", "VPN", and "IPSec" in Help and Support Center for Windows Server 2003.