RE: Secure FTP setup on SBS 2003 for external site backup
From: James Hallam (JamesHallam_at_discussions.microsoft.com)
Date: 12/03/04
- Next message: Clifton: "Re: Intermittent VPN hiccup / fix"
- Previous message: Kathryn62: "Document Management recommendation?"
- In reply to: James Hallam: "Secure FTP setup on SBS 2003 for external site backup"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 3 Dec 2004 10:55:14 -0800
My original post is wordy, so I'll ask one question I hope I can get answered:
If you *absolutely have to* install some kind of FTP service on SBS 2003,
that is locked to one allowable incoming IP address, is it better to use the
built-in IIS FTP service (which uses Domain users to authorize in clear text,
so may be a security risk), or a 3rd party FTP app that uses authentication
completely separate from the Domain users (will that minimize risk at all?)?
If there's time for a second question, does changing the port # from the
standard 21 help mitigate the risk at all?
Thanks for your help,
James Hallam
"James Hallam" wrote:
> I know that setting up an FTP server with external access on an SBS machine
> is never encouraged, but I'm looking for any advice I can get on how to
> provide limited service in the most secure way. Besides not offering it at
> all..
>
> Because running a public website is never a good idea on SBS, I have kept
> our website off-site with a web host. The ISP provides an automated back-up
> utility that backs up the site, compresses it to a tar.gz file, and uploads
> it to a remote FTP server. They also have a one-step restore utility that
> will take this tar file and restore the site.
>
> I would like to have this backup tar file automatically backed up with the
> rest of our files by SBS. The ISP's backup service has a static IP, so I can
> limit the incoming connections to that IP on both the Firewall and FTP
> application. Are there any other steps I can take that would make a
> difference? Unfortunately, the nature of this task is that I need to allow
> Upload/Write access.
>
> While I was researching this, I found this quote on another forum:
>
> "From what I understand, if you install IIS on a PDC, the
> IUSR_<ComputerName> account becomes a member of Domain Users, because any
> user account created on the PDC automatically becomes a member of the Domain
> Users group. As a result, anonymous users have the same access as the Domain
> Users."
>
> Is this something I should be concerned about? For my specific application,
> as the remote FTP agent is the only thing that needs external access to the
> internal FTP site, is it better to use a 3rd party FTP app, that doesn't
> transmit any unencrypted user information from the Domain Users Group?
>
> If anyone has accomplished something similar to this, I would appreciate
> your ideas.
>
> James Hallam