How to secure your server
FTP servers are always vulnerable to attack from unauthorised people, and a number of steps
should be taken to minimize the risks of this occurring:
- Keep up to date with the latest patches for your operating system. Microsoft regularly publishes
security updates, so ensure that they are applied to your host.
- Keep up to date with the latest release of CompleteFTP. Each release usually includes
at least one security fix, and it is important to keep your installation current.
- A good firewall is the first line of defence for security, and should be your first port of
call in denying/permitting access to certain IP addresses.
- If your server is not required to be accessible from the Internet, ensure that it is
only reachable internally. If it is not accessible externally, attacks can only come from
within your organization, greatly reducing the risk.
- Use the IP filtering capabilities of CompleteFTP to only permit the IP addresses you
want (if this is possible).
- Ensure that auto-banning is configured correctly (e.g. the defaults)
to prevent dictionary attacks on passwords.
- Regularly review log files for unwanted intrusions and take remedial action (such as
banning IP addresses).
- Disable protocols that aren't being used, e.g. if you are running an SFTP server only, disable
FTP, FTPS, HTTP, HTTPS and SCP.
- Don't use HTTP - use HTTPS. Usernames, passwords and other sensitive data should not be
sent via HTTP.
- Don't use FTP - use FTPS. Usernames, passwords and other sensitive data should not be
sent via FTP.
- Disable SSL 3.0, TLS 1.0, and TLS 1.1. SSL 3.0 is disabled by default. TLS 1.0 and 1.1 are
currently enabled by default as some clients still use them. Disable them if possible.
- Disable the automatic Windows users feature, so that only explicitly permitted users are
permitted.
- Use strong password policies - see here. Also disable any anonymous FTP
access unless it is required.
- For SFTP disable password authentication, and only permit public key authentication.
This means users must have valid private keys and have their public keys registered on the
server. This is not always possible of course.
- For SFTP disable SSH terminal access. SSH terminal access is disabled by default. It
permits Windows users who have this feature enabled to execute almost any program or
DOS command, and is potentially a significant security hole.
- Disable weak algorithms. For SSH, disable weak ciphers such as TripleDES and Blowfish. Disable weak MACs
such as HMACMD5 and HMACSHA1. For FTPS/TLS, disable any ciphers using 3DES.
- Hide the server product details. This setting is found in the Settings->Messages section,
and conceals the version and name of the product from clients. It is disabled by default. The
default welcome message should also be changed, as it identifies the server.
- Enforce hashed passwords for database users. If database users are enabled (not the default), make sure
any stored passwords are hashed. Even better, use a 'salt' prepended to passwords before they are hashed.
See how to configure database users.
- Enable encryption at rest. All files transferred to the server using accounts that have
encryption at rest enabled will be encrypted on the server filesystem, so if an attacker succeeds in
obtaining unauthorized access to the server machine, files are still secure. See here for more details.
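
For the "Disable weak algorithms" item above, one way to confirm the change took effect is to inspect the cipher and MAC lists the server advertises in its SSH key-exchange init message (RFC 4253, section 7.1). The following is an added example, not CompleteFTP code: it parses a constructed KEXINIT payload and flags the algorithms named in that item. The function names and the wire-name prefixes mapped to TripleDES, Blowfish, HMACMD5 and HMACSHA1 are assumptions.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Assumed wire-name prefixes for the algorithms named in the list above.
WEAK_CIPHER_PREFIXES = ("3des", "blowfish")       # TripleDES, Blowfish
WEAK_MAC_PREFIXES = ("hmac-md5", "hmac-sha1")     # HMACMD5, HMACSHA1

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (packet framing already removed) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}                           # message byte + 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += length
    return lists

def weak_algorithms(lists: dict) -> dict:
    """Return {field: [weak names]} for every cipher/MAC list that offers one."""
    checks = {"enc_c2s": WEAK_CIPHER_PREFIXES, "enc_s2c": WEAK_CIPHER_PREFIXES,
              "mac_c2s": WEAK_MAC_PREFIXES, "mac_s2c": WEAK_MAC_PREFIXES}
    found = {f: [a for a in lists[f] if a.startswith(p)] for f, p in checks.items()}
    return {f: hits for f, hits in found.items() if hits}

def build_sample(hardened: bool = False) -> bytes:
    """Constructed KEXINIT payload; not captured from any real server."""
    def name_list(*names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    enc = ["aes256-ctr", "aes128-ctr"] + ([] if hardened else ["3des-cbc", "blowfish-cbc"])
    mac = ["hmac-sha2-256"] + ([] if hardened else ["hmac-sha1", "hmac-md5"])
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)
            + name_list("curve25519-sha256") + name_list("ssh-ed25519")
            + name_list(*enc) * 2 + name_list(*mac) * 2
            + name_list("none") * 2 + name_list() * 2
            + b"\x00" + struct.pack(">I", 0))     # first_kex_packet_follows, reserved

if __name__ == "__main__":
    print(weak_algorithms(parse_kexinit(build_sample())))
```

An empty result from `weak_algorithms` means none of the flagged ciphers or MACs are still being offered in either direction.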