FTP Site Authentication
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Based on your security requirements, you can select one of two IIS authentication methods to validate users requesting access to your FTP pages. Available authentication settings must be set at the site level for FTP sites.
Note
Digest and Integrated Windows authentication cannot be used with FTP sites.
Anonymous FTP authentication. If you select Anonymous FTP authentication for a resource, all requests for that resource are accepted without prompting the user for a user name or password. This is possible because IIS automatically creates a Windows user account called IUSR_ComputerName, where ComputerName is the name of the server on which IIS is running. This is very similar to Web-based Anonymous authentication. If Anonymous FTP authentication is enabled, IIS always tries to use that method first, even if you enable Basic FTP authentication.
Basic FTP authentication. To establish an FTP connection with your Web server by using the Basic FTP authentication method, users must log on with a user name and password corresponding to a valid Windows user account. If the FTP server cannot verify a user's identity, the server returns an error message. Basic FTP authentication provides only low security because the user transmits the user name and password across the network in an unencrypted form.
TableĀ 5.6 compares Anonymous and Basic FTP authentication.
Table 5.6 Comparison of Anonymous and Basic FTP Authentication Methods
| Method | Security Level | How Passwords Are Sent | Crosses Proxy Servers and Firewalls | Client Requirements |
|---|---|---|---|---|
Anonymous FTP authentication |
None |
N/A |
Yes |
Any FTP client |
Basic FTP authentication |
Low |
Plaintext |
Yes |
Any FTP client |