Securing Microsoft FTP Service 7.5 on IIS 7.0: TLS, Users, and Permissions

1) TLS (FTP over SSL)

  • Create or obtain an SSL certificate
    • Use a CA-signed cert for production; for testing you can create a self-signed cert in Server Certificates (IIS Manager).
  • Bind certificate to FTP site
    • In IIS Manager → your FTP site → Bindings / SSL settings: select the certificate and set SSL policy.
  • Control channel / data channel options
    • Set “Control Channel” to Require SSL (encrypt credentials).
    • For stronger protection, also require SSL on the data channel, or leave the choice to the client depending on client support (implicit TLS or explicit TLS).
  • Enforce TLS-only logins
    • In FTP SSL Settings, set “SSL Policy” to Require SSL; disable plain (cleartext) FTP on public endpoints.
  • Passive data ports + firewall
    • Configure a passive port range in FTP Firewall Support and open those ports plus TCP 21 (and the implicit FTPS control port, if you use implicit TLS) in your firewall/NAT.
  • Test with TLS-capable client
    • Verify login and data transfer use TLS (explicit AUTH TLS / TLS-C or implicit as configured).

2) Authentication & Users

  • Prefer least-privileged Windows accounts
    • Use individual Windows accounts or IIS Manager users (IIS Manager Authentication) rather than shared admin accounts.
  • IIS Manager authentication (optional)
    • Install/enable Management Service and create IIS Manager Users if you need non-Windows account management.
  • Disable anonymous unless necessary
    • Turn off anonymous authentication for any site requiring authenticated access.
  • Use Basic over TLS
    • If using Basic authentication, require SSL so credentials are encrypted.
  • Account management best practices
    • Unique accounts per user, strong passwords, periodic rotation, and remove unused accounts promptly.

3) Authorization & File/Folder Permissions

  • FTP Authorization Rules
    • In IIS Manager → FTP Authorization Rules, add rules granting only required permissions (Read / Write) to specific users or groups.
  • Use user isolation
    • Configure FTP User Isolation so each user is restricted to their home directory (e.g., “Isolate users” or “Isolate users using Active Directory”).
  • NTFS permissions
    • Set NTFS ACLs on site folders:
      • Grant users only the minimum (Read for downloads; Write/Create/Delete only where needed).
      • Remove inheritance where necessary and avoid granting Users or Everyone broad rights.
      • For anonymous access, restrict the IUSR account to read-only where applicable.
  • Service account separation
    • Run the FTP service under the built-in service account; avoid elevating the service identity to a high-privilege account.

4) Additional Hardening

  • Limit attack surface
    • Bind FTP site to specific IPs; close unused FTP sites.
  • Firewall and NAT
    • Restrict management ports (IIS Manager, RDP) and FTP ports to trusted IPs where possible.
  • Logging & monitoring
    • Enable detailed FTP logging and monitor logs/ETW for suspicious logins or file activity.
  • Rate-limiting / connection settings
    • Configure connection limits and timeouts to mitigate brute-force or resource exhaustion.
  • Keep software patched
    • Apply OS and IIS updates; FTP 7.5 shipped out-of-band for IIS 7.0 — ensure the latest supported build and security patches are installed.

5) Quick checklist (implement in this order)

  1. Obtain/install SSL certificate.
  2. Require SSL for FTP (control channel at minimum).
  3. Configure passive port range and open firewall ports.
  4. Disable anonymous auth (unless needed); enable Basic or IIS Manager auth.
  5. Create per-user accounts (Windows or IIS Manager).
  6. Configure FTP Authorization Rules and FTP User Isolation.
  7. Harden NTFS permissions (least privilege).
  8. Enable logging, set connection limits, and monitor.
  9. Patch OS/IIS and review settings periodically.
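
The checklist above as an added PowerShell example (not part of the original page), driven through appcmd.exe because it ships with IIS 7.0 and exposes the FTP 7.5 settings. The site name, certificate thumbprint, account name, passive port range and external IP are placeholders or assumptions to replace before running.

```powershell
# Added example: applies the checklist with appcmd.exe on IIS 7.0 + FTP 7.5 (run elevated).
# Assumptions: FTP site "Default FTP Site" exists, a server certificate is already installed,
# and the placeholder values below are replaced with your own.
$AppCmd     = "$env:windir\System32\inetsrv\appcmd.exe"
$SiteName   = "Default FTP Site"                 # assumed site name
$Thumbprint = "<CERT-THUMBPRINT-PLACEHOLDER>"    # from Server Certificates in IIS Manager
$FtpUser    = "ftpuser01"                        # constructed example account
$FtpRoot    = "C:\inetpub\ftproot"               # assumed site root
$ExternalIp = "<PUBLIC-IP-PLACEHOLDER>"          # NAT address advertised in PASV replies

# Steps 1-2: bind the certificate, require TLS on control AND data channel, 128-bit only
& $AppCmd set site "$SiteName" `
    /ftpServer.security.ssl.serverCertHash:$Thumbprint `
    /ftpServer.security.ssl.controlChannelPolicy:SslRequire `
    /ftpServer.security.ssl.dataChannelPolicy:SslRequire `
    /ftpServer.security.ssl.ssl128:true

# Step 3: server-wide passive range, per-site external IP, matching firewall rules
& $AppCmd set config /section:system.ftpServer/firewallSupport `
    /lowDataChannelPort:50000 /highDataChannelPort:50100
& $AppCmd set site "$SiteName" /ftpServer.firewallSupport.externalIp4Address:$ExternalIp
netsh advfirewall firewall add rule name="FTPS control" dir=in action=allow protocol=TCP localport=21
netsh advfirewall firewall add rule name="FTPS passive" dir=in action=allow protocol=TCP localport=50000-50100
Restart-Service ftpsvc   # passive range change takes effect after the service restarts

# Step 4: no anonymous; Basic is acceptable only because step 2 forces TLS first
& $AppCmd set site "$SiteName" `
    /ftpServer.security.authentication.anonymousAuthentication.enabled:false `
    /ftpServer.security.authentication.basicAuthentication.enabled:true

# Step 6: explicit Allow rule for one user, and isolate every user to LocalUser\<name>
& $AppCmd set config "$SiteName" /section:system.ftpServer/security/authorization `
    /+"[accessType='Allow',users='$FtpUser',permissions='Read,Write']" /commit:apphost
& $AppCmd set site "$SiteName" /ftpServer.userIsolation.mode:IsolateAllDirectories

# Step 7: NTFS least privilege on the home directory; inheritance removed so no
# "Users"/"Everyone" ACE leaks in. Use RX instead of M for download-only accounts.
$UserHome = Join-Path $FtpRoot "LocalUser\$FtpUser"
New-Item -ItemType Directory -Path $UserHome -Force | Out-Null
icacls $UserHome /inheritance:r `
    /grant:r "SYSTEM:(OI)(CI)F" `
    /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
    /grant:r "${FtpUser}:(OI)(CI)M"

# Step 8: connection limits/timeouts against brute force and exhaustion, plus W3C logging
& $AppCmd set site "$SiteName" `
    /ftpServer.connections.maxConnections:100 `
    /ftpServer.connections.unauthenticatedTimeout:30 `
    /ftpServer.connections.controlChannelTimeout:120 `
    /ftpServer.logFile.enabled:true `
    /ftpServer.logFile.logExtFileFlags:"Date,Time,ClientIP,UserName,Method,UriStem,FtpStatus,FtpSubStatus"
```

After running, confirm with `appcmd list site "Default FTP Site" /config` that the ssl, authentication and userIsolation elements show the intended values, then test a login from a TLS-capable client as in section 1.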

If you want, I can generate exact IIS Manager steps or PowerShell/command examples for any of the above (certificate binding, passive port range, NTFS ICACLS commands).
