Re: FTP Server Implementation




Thank you SuperGumby for the fantastic informative reply. I have been so
afraid of this, but now I understand where my risks are. I do have just a
few more questions - I prefer the DMZ method, so I will pursue that. Just to
make sure, I think this would require just a simple router from my ISP WAN
connection, and then connect the SBS with its Static IP to one LAN port on
the router, and the FTP server with another static IP to another LAN port on
the router, and then the rest of the LAN would be on the other side of the
SBS. So to get from the SBS LAN to the FTP server I would just create a
static route from one IP to the other. Does this make sense?

Thanks!
Laura

"SuperGumby [SBS MVP]" wrote:

> the main problem with FTP is that the credentials are normally sent in plain
> text format. This means that theoretically someone could sniff your
> user/pass and if the FTP user/pass is also a domain membership credential
> they get access to your domain.
>
> But you mention WS_FTP. WS_FTP can use either domain credentials via lookup
> to the DC(s) or its own user database. IIS FTP, if running on a domain
> controller is limited to using domain accounts (no local accounts on a DC).
>
> SO, I reckon you've made a first good step, running WS_FTP. Next good step
> is to use WS_FTP accounts which are not related in any way to domain
> accounts, the users will complain about having different credentials but
> when explaining that it is a security measure it should be acceptable.
>
> Though I agree with all that if it can be avoided running FTP on your DC
> should I am going to suggest that if you run these separate user accounts
> and _really have to provide_ FTP then two methods are acceptable.
> 1) run it on a server in the DMZ
> Internet
> |
> |
> multiport router - - FTP server
> |
> |
> SBS and LAN (either single or dual NIC setup, depending on router
> capabilities.)
>
> 2) Run it on the SBS
> Internet
> |
> |
> SBS external (with ISA and preferably a simple NAT router in front)
> SBS internal
>
> WS_FTP is told to bind to the internal SBS IP only and the service is
> published via ISA.
> There is very little to be gained by moving the FTP server to another box
> inside the domain.
>
> Running the FTP server in the DMZ is preferable. Doing so normally requires
> users inside the LAN to have accounts on the FTP server and manually
> updating available files, this can be automated by implementing an FTP
> 'mirroring' solution, a client inside the LAN which has access to the
> required internal filespace runs a scheduled task to synch the filespace to
> the server.
>
> The convenience offered by running the FTP on SBS is that internal clients
> can directly manipulate files in the FTP space. Is the convenience worth the
> increased security risk as opposed to DMZ implementation?
>
> WS_FTP Server (and client, but many clients do) also supports SSL. I've only
> played a little with implementing SSL FTP through ISA and never did sort out
> why it was unreliable. I seem to remember a difference in behaviour when
> PASV FTP was/wasn't used. OHH, and whether there was/wasn't a router in
> front of ISA.
>
> "Laura" <Laura@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:96C19258-246E-416B-AB7F-4187C761DB03@xxxxxxxxxxxxxxxx
> >I want to implement a Secure FTP Server, and have seen posted here that it is
> > not a good idea to do this on the SBS itself. How would I set this up? Get
> > a separate box outside of the SBS LAN and put a hardware firewall in front of
> > both the FTP server and the SBS?
> >
> > Or, since I am using ISA, couldn't I just have a box inside my LAN running
> > WS_FTP? I don't want to compromise the security of the LAN, but all the big
> > files I want to FTP are inside the LAN.
> >
> > Thanks in Advance for your ideas!
> > Laura
>
>
>
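
The scheduled 'mirroring' client described above for the DMZ setup, sketched as an added example that is not part of the original thread and is not WS_FTP's own tooling. It assumes the FTP server accepts explicit TLS and the MLSD listing command; the `FTP_MIRROR_*` environment variable names are hypothetical.

```python
import os, ssl
from ftplib import FTP_TLS, error_perm
from pathlib import Path

def local_index(root):
    """Map relative POSIX path -> size for every file under the LAN folder."""
    root = Path(root)
    return {f.relative_to(root).as_posix(): f.stat().st_size
            for f in root.rglob("*") if f.is_file()}

def remote_index(ftp, directory=""):
    """Same mapping for the server, walked with MLSD (assumed to be supported)."""
    index = {}
    for name, facts in ftp.mlsd(directory):
        path = f"{directory}/{name}" if directory else name
        if facts.get("type") == "dir":
            index.update(remote_index(ftp, path))
        elif facts.get("type") == "file":
            index[path] = int(facts["size"])
    return index

def plan_uploads(local, remote):
    """Files missing on the server or differing in size (same-size edits are not detected)."""
    return sorted(p for p, size in local.items() if remote.get(p) != size)

def mirror(host, user, password, root):
    """Push new or changed files from the LAN to the DMZ server; return what was sent."""
    # The default context verifies the server certificate; a self-signed
    # certificate needs create_default_context(cafile=...) instead.
    ftp = FTP_TLS(host, context=ssl.create_default_context(), timeout=30)
    ftp.login(user, password)   # FTP_TLS negotiates AUTH TLS before USER/PASS
    ftp.prot_p()                # encrypt the data channel as well
    todo = plan_uploads(local_index(root), remote_index(ftp))
    for rel in todo:
        parts = rel.split("/")[:-1]
        for i in range(1, len(parts) + 1):
            try:
                ftp.mkd("/".join(parts[:i]))
            except error_perm:
                pass            # directory already exists
        with open(Path(root, rel), "rb") as fh:
            ftp.storbinary(f"STOR {rel}", fh)
    ftp.quit()
    return todo

if __name__ == "__main__" and "FTP_MIRROR_HOST" in os.environ:
    # Use an FTP-only account here, never a domain credential.
    env = os.environ
    print(mirror(env["FTP_MIRROR_HOST"], env["FTP_MIRROR_USER"],
                 env["FTP_MIRROR_PASSWORD"], env["FTP_MIRROR_ROOT"]))
```

Because the connection is always opened from the LAN side outward, the router needs no rule allowing the DMZ host to initiate traffic into the LAN.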