Skip to main content

Hardening FTP

Author(s): a_person

Last Updated: 07-19-2025

Recommended Prerequisites (click to expand)
  • Basic knowledge of Windows
  • Registry
  • Group Policy
  • Previous FTP Article

Note

This article will not follow the same format as others because of the many different FTP servers. Therefore, CIS Benchmarks and DoD stigs won’t be the only sources used.

Microsoft FTP

Mandate Encrypted Connections

The main vulnerability in standard FTP is that it transmits all data, including credentials, in plain text. Enforcing FTPS (FTP over SSL/TLS) secures the entire session with encryption. This makes it safe from eavesdropping and man-in-the-middle attacks.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP SSL Settings
Recommendation: Set the SSL Policy to Require SSL connections.

Disable Anonymous Authentication

Allowing anonymous FTP means anyone can connect without credentials. It must be disabled unless there is a clear and strictly controlled public use case.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP Authentication
Recommendation: Select Anonymous Authentication and click Disable in the Actions pane.

Implement Logon Attempt Restrictions

To counter automated brute-force password attacks at the application level, IIS has a built-in feature that tracks and blocks malicious IPs. This is an important defense against password guessing aimed at the FTP service.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP Logon Attempt Restrictions
Recommendation: Select Enable logon attempt restrictions and set a low threshold, such as Maximum number of failed logon attempts: 5 and Time period (seconds): 60.

Isolate Users to Prevent Directory Traversal

Without user isolation, authenticated users might navigate outside their designated home directory (../). This can let a malicious user access files belonging to other users or sensitive system files. User isolation confines each user to their own directory, which basically sandboxes their session.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP User Isolation
Recommendation: Select the option User name directory (disable global virtual directories).

Restrict Access with IP Address and Domain Restrictions

If the FTP server is not meant for public access, limit its exposure to the internet. By using application-level IP restrictions, you can allow only connections from known, trusted locations to attempt authentication.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP IP Address and Domain Restrictions
Recommendation: Set the default to Deny access and create specific Allow rules for trusted IP addresses or ranges.

Minimize Server Identity and Banner Information

By default, the FTP server banner displays its software name and version. This gives attackers useful information for finding specific exploits. Hiding or generalizing the banner can make it harder for them to gather data.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP Messages
Recommendation: Clear the default text in the Banner Message, Welcome, and Exit message fields, or replace them with a general warning that does not identify the software.

Implement Request Filtering for Files and Commands

This feature gives you control over the FTP protocol to block harmful uploads and commands.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP Request Filtering
Recommendation:

  • File Name Extensions Tab: Create Deny rules for all executable and script file extensions (.exe, .com, .bat, .cmd, .dll, etc. ) to stop malware uploads.
  • Commands Tab: Review the allowed FTP commands and deny any that are not strictly necessary for your users.

Configure a Limited Passive Mode Port Range for Firewall Compatibility

Passive mode FTP needs a range of ports for data transfers. Leaving this undefined can force you to open thousands of ports in your firewall, which increases the risk. Defining a small, specific port range allows for a precise and secure firewall setup.

Location: IIS Manager > [Your Server Name] > FTP Firewall Support
Recommendation: Enter a limited, custom port range (e.g., 50000-51000) in the Data Channel Port Range field. Then, in the Windows Firewall, create an inbound rule allowing TCP traffic only for that specific range, along with port 21.

Implement Strict NTFS File System Permissions (Least Privilege)

Proper file system permissions are essential. If an attacker compromises an FTP account, strict NTFS permissions can stop them from accessing unauthorized data or running malware. This is an application of the least privilege principle.

Location: Windows Explorer > [Right-click FTP root folder] > Properties > Security
Recommendation: For each folder, remove the Everyone and Users groups. Grant permissions only to specific FTP user accounts or groups. For users who only need to download, give them only Read and Read & execute permissions. For folders meant for uploads, grant Write permission but not Read or Execute to create a secure "drop-box". Avoid granting Full Control.

Enable Comprehensive and Secure Logging

Without detailed logs, it’s hard to investigate a security incident. Logs provide an important record of all connections and file operations.

Location: IIS Manager > [Your Server] > Sites > [Your FTP Site] > FTP Logging
Recommendation: Enable logging with the W3C format and select all fields for maximum detail. Store logs on a separate, non-system drive to protect their integrity and prevent the system disk from filling up. Check these logs regularly.

General Tips for Other FTP Servers

Prioritize Secure Protocols (FTPS/SFTP) and Disable Plain FTP

The most important hardening step for any FTP server is to disable the standard, unencrypted FTP protocol. An attacker on the network can easily intercept all traffic, including credentials. Using encryption is necessary.

Recommendation: In your FTP server's main configuration, find the protocol settings. Enable FTPS (FTP over SSL/TLS) and/or SFTP (SSH File Transfer Protocol). Disable any options that allow non-encrypted, standard FTP connections.

Disable Outdated SSL/TLS Protocols and Weak Ciphers

Just enabling encryption is not enough; it must be strong. Older protocols like SSLv3 and TLS 1.0/1.1 have critical flaws (e.g., POODLE, BEAST) that can let attackers decrypt traffic.

Recommendation: In your server's SSL/TLS settings, create a specific list of allowed protocols. Disable SSLv2, SSLv3, TLS 1.0, and TLS 1.1. Allow only TLS 1.2 and TLS 1.3. Also, configure the allowable cipher suite list to exclude known weak ciphers (e.g., those using RC4, 3DES, or any with "NULL" or "ANON").

Run the FTP Service with a Dedicated, Least-Privilege Account

Third-party FTP servers run as a Windows service. This service should not run using a high-privileged account like Local System. If the FTP application has a vulnerability, an attacker could gain the service account's high-level permissions. This control helps limit the damage from any application exploit.

Location: Services (services.msc) > [Your FTP Service] > Properties > Log On
Recommendation: Create a dedicated local user account without interactive logon rights. Grant this account only the specific NTFS permissions it needs to function (e.g., read its own config folder, write to its log folder). Configure the service to log on as this user.

Use Application-Level IP Access Controls and Anti-Hammering

Most dedicated FTP servers have built-in features to block brute-force attacks and manage access. These should be your main defense against such attacks.

Recommendation:
  • IP Access: Find the IP Manager or Access Control settings. Set the default to "Deny" all connections, and then add "Allow" rules only for specific, trusted client IP addresses.
  • Anti-Hammering: Enable auto-banning. Configure it to ban an IP address permanently or temporarily after a small number of failed login attempts (e.g., ban after 5 failures in 1 minute).

Configure Per-User Permissions within the Application

Do not rely only on NTFS permissions. Dedicated FTP servers offer their own per-user permission systems. This allows you to control specific actions like listing directories, creating subdirectories, deleting files, or overwriting files, providing much finer control than NTFS alone.

Recommendation: For every user account created in the FTP server application, review and assign the most limited permissions possible. If a user only needs to upload files, disable their permissions for downloading, deleting, and listing files.

Keep the FTP Server Application Patched and Updated

Third-party FTP server software, like any application, can have security issues. Developers release patches and updates to fix these problems. Failing to apply these updates leaves your server vulnerable to known and often easily exploitable flaws.

Recommendation: Regularly check the software vendor's website for new versions and security notices. Subscribe to their security updates. Apply patches as soon as they are available, after testing them in a non-production environment.

Practice

Apeture Science(~5 vulns) and My Little Pony (2 vulns) are images with FTP. https://images.cypat.guide#gid=0

References & Further Reading