IIS 7.0 - FTP Publishing Service - Part 3: Security for an FTP site
Peter Schmidt
Network Administration - This part introduces scenarios for improving the security of an FTP server.
Introduction
In this article, I will show some configuration scenarios that improve the security of an FTP site by using SSL certificates with the new FTP Publishing Service for IIS 7.0. The prerequisite for this third part is that FTP Publishing Service is already installed on Windows Server 2008 and an FTP site has been configured. To see how to do this, read part 1 and part 2 of this series. This third part covers two main topics:
How to configure a secure FTP site using a commercial SSL certificate
How to configure a secure FTP site using a self-signed SSL certificate
FTP Publishing Service for IIS 7.0 supports adding SSL certificates to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S, or FTP over Secure Sockets Layer (SSL). FTP-S is an RFC standard (RFC 4217): the SSL certificate is added to the FTP site, which makes it possible to secure file transfers through a TLS (SSL) layer under the FTP protocol. With SSL, the FTP transmission is encrypted throughout, so all FTP traffic is protected in transit.
The requirement for users is an FTP client that can connect using FTP-S. Examples of FTP clients that support FTP-S are the open source FileZilla client and the commercial CuteFTP client.
Configure a secure FTP site using a commercial SSL certificate
Below we describe how to secure an existing FTP site using an SSL certificate. The certificate issued and used below was created by a Certificate Authority set up for testing purposes, but the process of requesting the certificate on the server is exactly the same as when obtaining a certificate from a third-party certificate provider, such as Verisign or Godaddy. You can also create self-signed certificates directly from within IIS; this process is described further below.
Make sure you have an active FTP site and that you can log in to it. The FTP site used as an example in this section is ftp.example.com.
Launch IIS Manager from Start - Administrative Tools - Internet Information Services (IIS) Manager
In IIS Manager, click the FTP server, highlight the server, and select Server Certificates:
Figure A: Server Certificates
In the actions pane, select Create Certificate Request:
Figure B: Server Certificates - Actions
In the dialog window that appears, fill in the required information for the certificate and click Next:
Figure C: Input box for self-signed certificate information
Select the default encryption provider and click Next:
Figure D: Encryption service provider
Save the request to a file and click Finish:
Figure E: Save the certificate request
The certificate request has now been created and is pending in IIS. The request is ready to be sent to the third-party certificate provider (such as Verisign, Godaddy, etc.).
Import the certificate
When the requested certificate is returned from the provider, it needs to be imported into IIS before it can be used.
In IIS Manager, click the FTP server and select Server Certificates:
Figure F: IIS Manager - Server Certificates
Select Complete Certificate Request:
Figure G: Server Certificates - Complete Certificate Request
Select the certificate file returned by the provider and enter the name of the site, then click OK:
Figure H: Complete Certificate Request
The certificate is now displayed in IIS Manager and is ready for use:
Figure I: Server Certificates
Activate the commercial certificate on the FTP site
Once imported, the SSL certificate can be enabled and used for an FTP site. Go to the FTP site you want to use the certificate for.
In IIS Manager, select the FTP site and then click FTP SSL Settings:
Figure J: FTP site settings - FTP SSL
Select the certificate and the SSL policy setting (Allow SSL or Require SSL), then click Apply:
Figure K: FTP SSL settings
The SSL certificate is now in use for the FTP site:
Figure L: FTP SSL settings
The FTP site is now protected, and connections to it must use FTP-S through an FTP client that supports FTP-S.
Configure a secure FTP site with a self-signed SSL certificate
As described earlier, it is possible to create a self-signed certificate directly from within Internet Information Services (IIS) Manager. This process is faster than requesting a commercial certificate. Self-signed certificates are well suited to testing an FTP site or to internal use, but are not recommended for production use.
Start IIS Manager from Start - Administrative Tools - Internet Information Services (IIS) Manager
In IIS Manager, click the FTP server and select Server Certificates:
Figure M: Server Certificates
In the actions panel, select Create Self-Signed Certificate:
Figure N: Server Certificates - Actions
In the dialog box that appears, name the certificate and click OK:
Figure O: Name the self-signed certificate
The certificate is now created and ready for use:
Figure P: Certificates have been created
The next step is to use and activate the new certificate on an existing FTP site.
Select the FTP site (in this example: ftp.example.com) and click FTP SSL Settings:
Figure Q: FTP site - FTP SSL Settings
Select the certificate and select the necessary settings (Require SSL Connections), click Apply:
Figure R: FTP site settings - FTP SSL
The FTP site is now ready to be used and all traffic is encrypted. An FTP client with FTP-S support is required to connect to the new FTP site.
Connect to an FTP site
Use an FTP client that supports FTP-S to connect to the FTP site, then test the connection. The example below uses FileZilla. You need to configure the FTP server settings in FileZilla to connect using FTP-S; in FileZilla, the setting is "FTPES - FTP over explicit TLS / SSL".
Figure S: FileZilla - FTPS settings
The first time you log in to an FTP site that uses a self-signed certificate, the FTP client (FileZilla) warns you that the root of the certificate is unknown. If you want to trust and import this certificate, click OK.
The FTP site is now ready to be used in a secure manner.
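A client-side check of the two outcomes configured above, as an added example that is not part of the original article: it confirms that a site set to Require SSL Connections refuses a login attempted before AUTH TLS, and it compares the certificate the server presents with a fingerprint recorded on the server, rather than accepting the client prompt on sight. The user name `policy-probe`, the function names and the sample replies are assumptions made for the example.

```python
import ftplib
import hashlib
import hmac
import ssl

def classify_plain_user_reply(reply):
    """Verdict for the server's reply to USER sent before AUTH TLS."""
    code = reply[:3]
    if code in ("230", "331"):
        return "cleartext-accepted"   # consistent with an "Allow SSL" policy
    if code.startswith("5"):
        return "cleartext-refused"    # consistent with "Require SSL Connections"
    return "unknown"

def probe_cleartext(host, port=21, timeout=10):
    """Send USER with a dummy name and no TLS; no password is ever sent."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        return ftp.sendcmd("USER policy-probe")
    except (ftplib.error_temp, ftplib.error_perm) as exc:
        return str(exc)               # ftplib raises on 4xx/5xx replies
    finally:
        ftp.close()

def server_cert_sha256(host, port=21, timeout=10):
    """Upgrade with AUTH TLS and return the SHA-256 of the server certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # self-signed: trust comes from the pin
    ftps = ftplib.FTP_TLS(context=ctx)
    ftps.connect(host, port, timeout=timeout)
    try:
        ftps.auth()                   # explicit FTP-S (RFC 4217): AUTH TLS
        der = ftps.sock.getpeercert(binary_form=True)
        return hashlib.sha256(der).hexdigest()
    finally:
        ftps.close()

def verdict(plain_reply, seen_fp, pinned_fp):
    """Pass only if cleartext login is refused and the pinned certificate is seen."""
    policy = classify_plain_user_reply(plain_reply)
    pinned = pinned_fp.replace(":", "").lower()
    pin_ok = hmac.compare_digest(seen_fp.lower(), pinned)
    return {"policy": policy, "pin_ok": pin_ok,
            "ok": policy == "cleartext-refused" and pin_ok}

# Constructed sample replies for illustration (not captured from a server):
SAMPLE_ALLOW = "331 Password required for policy-probe."
SAMPLE_REQUIRE = "534 Policy requires SSL."
```

Pass the results of `probe_cleartext` and `server_cert_sha256` for ftp.example.com to `verdict`, together with the SHA-256 fingerprint computed from the certificate exported on the server. A handshake failure in `server_cert_sha256` can also mean the server only offers protocol versions that the client's TLS library no longer accepts.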
Conclusion
With the new Microsoft FTP Publishing Service, you can fully deploy a secure FTP solution based on Microsoft products, with the integration of Internet Information Services and Active Directory. All FTP communications can now be encrypted because FTP Publishing Service for IIS 7.0 supports FTP-S (FTP over SSL), an RFC standard (RFC 4217) for encrypting FTP traffic.
Encryption of FTP traffic can be done using a self-signed or commercial SSL certificate. All configuration is done on the server. Clients connecting to secure FTP sites need to use an FTP client that supports FTP-S.