Securing FTP Sites
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Although you can configure the FTP service to require a valid user name and password combination, neither the credentials that are specified at logon nor the data itself is encrypted or encoded in any way. The credentials are sent across the network in plaintext and can be intercepted and analyzed by any station on any network between the FTP client and the FTP server. If your plaintext credentials are intercepted and analyzed by a malicious user, someone other than the intended user can log on to your FTP site and download the files that you placed there or gain access to other network resources, even network resources that require Windows account authentication. For more information about setting the authentication method for your FTP site, see Configuring FTP Site Properties.
If you intend to place sensitive data on your FTP site or if communication between clients and your FTP server is important, consider using FTP over an encrypted channel, such as a virtual private network (VPN) secured with Point-to-Point Tunneling Protocol (PPTP) or Internet Protocol security (IPSec). To learn how to set up a private network over the Internet using PPTP or how to set up IP communications with a VPN and IPSec, see the PPTP, VPN, and IPSec topics in Help and Support Center for Windows Server 2003.
If you need to authorize users or host sensitive content, WebDAV is a good alternative to FTP because WebDAV can take advantage of SSL encryption for communications. For more information about WebDAV, see Securing WebDAV Publishing Directories.