IT tutorials
 
Windows
 

Windows Server 2012 : Scalable and elastic web platform (part 6) - FTP Logon Attempt Restrictions

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
3/15/2014 2:06:18 AM

7. FTP Logon Attempt Restrictions

Brute-force attacks can create a Denial-of-Service (DoS) condition that can prevent legitimate users from accessing an FTP server. To prevent this from happening, IIS 8 includes a new feature called FTP Logon Attempt Restrictions that lets you block offending users from logging on to an IIS FTP server for a specified period of time. Unlike the Dynamic IP Address Restrictions described in the previous section, which blacklists any client whose IP address violates the configured dynamic IP address filtering settings, FTP Logon Attempt Restrictions uses a “graylisting” approach that denies only the offending user for a certain period of time. However, by configuring this time period to be slightly more than that specified by your domain account lockout policy, you can prevent malicious users from locking legitimate users out of accessing your FTP server.

Understanding FTP logon attempt restrictions

Running an FTP service on an Internet-facing server has unfortunately yielded an additional surface area for attack for server administrators to manage. Because hackers can connect to an FTP service with a wide array of publicly available or special-purpose FTP clients, an FTP server offers a way for hackers to continuously send requests to guess a username/password combination and gain access to an account on a server.

This situation has required server administrators to implement additional security measures to counter this behavior; for example, server administrators should always disable or rename well-known accounts like the Administrator or Guest accounts. Administrators should also implement policies that enforce strong passwords, password expiration, and password lockouts. An unfortunate downside to password lockouts is that a valid account can be locked out by a hacker who is attempting to gain access to the account; this may require the server administrator to re-enable accounts that have been locked out as a result of good password management practices.

From an FTP 7 perspective, there are additional measures that server administrators can implement; for example, administrators can deny well-known accounts at the global level for their FTP server. In addition, administrators can use one of the alternate built-in authentication providers instead of FTP’s Basic Authentication provider. For example, you can use the ASP.NET Membership Authentication provider; by using this provider, if an account was successfully hacked, that account will have no access to the actual server because it exists only in the ASP.NET Membership database.

In FTP 8, an extra layer of security was added that is called FTP Logon Attempt Restrictions; this feature provides an additional password lockout policy that is specific to the FTP service. Server administrators can use this feature of the FTP server to configure the maximum number of logon attempts that are allowed within a specific time period; once the number of logon attempts has been reached, the FTP service will disconnect the FTP session, and it will block the IP address of the client from connecting until the time period has passed.

Server administrators can configure the FTP Logon Attempt Restrictions feature in combination with their password lockout policies to configure a secure environment for their network, which allows uninterrupted functionality for valid users. For example, if you configured your FTP 8 server for a maximum of four failed logon attempts, you could configure your password lockout policy for a maximum of five failed logon attempts. In this way, a malicious FTP client would be blocked once it reached four failed logon attempts, and yet the valid user would still be able to access the account if he or she attempted to log on during the time period where the attacker was blocked.

Configuring FTP Logon Attempt Restrictions

To configure FTP Logon Attempt Restrictions for FTP sites on your server, select the FTP Logon Attempt Restrictions node for your server in IIS Manager. This displays the settings shown in Figure 6, which let you enable the feature and specify a maximum number of failed logon attempts within a given amount of time. Alternatively, you can enable this feature in logging-only mode to collect data concerning possible brute-force password attacks being conducted against your server.

Library Cards and FTP Servers

But the library is pretty reliable and generally easy to use—even if it’s not cutting-edge. The main drawback is I have to GO there, on THEIR hours.

Think of FTP like a library.

Sure, maybe it’s not the most exciting protocol in the world. But FTP has been around since the 1970s, and it is still found in a large number of environments simply because it is reliable and generally easy to use.

However, like the library, FTP has some drawbacks. Like Simple Mail Transfer Protocol (SMTP) and other older protocols, FTP was never designed to be a highly secure protocol. In its default configuration, FTP users authenticate using a user-name/password combination that is typically sent in clear text. The server can be set up to allow users to connect anonymously as well.

This has often made FTP servers the target of brute-force attacks, where attackers simply try different user name and password combinations over and over until they find a valid combination. To mitigate this, there are several things you might do:

  1. Block the “bad guy’s” IP address . This generally involves combing through your FTP log files to figure out the bad guy’s addresses, which can be very time-consuming and, frankly, a little boring.

  2. Create password lockout policies for user accounts. This was less of a manual process to institute, but it created a different problem. If the bad guy managed to find a valid user name, after a few failed attempts at authentication, the password policy would lock the user account—which then means you have to spend time unlocking user accounts.

Enter Windows Server 2012 and FTP Logon Attempt Restrictions. This feature takes the best of both of these capabilities and combines them into one. The idea is this:

You define the maximum number of failed logon attempts that you want to allow, and the time frame within which those attempts can take place. If the user fails to log on correctly during that time frame, you can either tell the FTP server to write an entry to the log file or you can have the FTP server automatically deny access from the requesting IP address. If you choose to deny the access, the FTP server will drop the connection, and the IP address of the bad guy will be blocked.

Two “gotchas” to keep in mind when configuring this feature:

  1. Writing the entry to the log file does not block further logon attempts. It does exactly what it says—it simply writes an entry to the log file.

  2. The FTP Logon Attempt Restriction setting is defined for the server itself. It cannot be defined on a per-site basis.

So, using FTP Logon Attempt Restrictions will allow you to add a layer of security to your humble, yet functional FTP service.

David Branscome

Senior Premier Field Engineer

Configuring FTP Logon Attempt Restrictions.

Figure 6. Configuring FTP Logon Attempt Restrictions.

 
Others
 
- Windows Server 2012 : Scalable and elastic web platform (part 5) - Application Initialization,Dynamic IP Address Restrictions
- Windows Server 2012 : Scalable and elastic web platform (part 4) - IIS CPU throttling
- Windows Server 2012 : Scalable and elastic web platform (part 3) - Centralized SSL certificate support
- Windows Server 2012 : Scalable and elastic web platform (part 2) - Server Name Indication
- Windows Server 2012 : Scalable and elastic web platform (part 1) - NUMA-aware scalability
- Setting Up Windows 8 Family Safety (part 7) - Viewing Family Safety Online Reports
- Setting Up Windows 8 Family Safety (part 6) - Viewing Family Safety Activity Reports
- Setting Up Windows 8 Family Safety (part 5) - Blocking and allowing Apps
- Setting Up Windows 8 Family Safety (part 4) - Controlling Windows Store and game play
- Setting Up Windows 8 Family Safety (part 3) - Setting time limits
 
25 Inspiring Game of Thrones Quotes
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS