IIS 7.0 - FTP Publishing Service - Part 3: Security for an FTP site

In this part, we will walk through scenarios for improving security on the FTP server.


Peter Schmidt

Introduction

In this article, I will show you some configuration scenarios for improving the security of an FTP site by using SSL certificates with the new FTP Publishing Service for IIS 7.0. The prerequisite for this third part is that FTP Publishing Service is already installed on Windows Server 2008 and an FTP site has been configured. To see how to do this, please read Part 1 and Part 2 of this series. This third part covers two main configuration topics:

  1. How to configure a secure FTP site using a commercial SSL certificate
  2. How to configure a secure FTP site using a self-signed SSL certificate

FTP Publishing Service for IIS 7.0 supports adding SSL certificates to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S, or FTP over Secure Sockets Layer (SSL). FTP-S is an RFC standard (RFC 4217) in which an SSL certificate is added to an FTP site so that file transfers are secured by a TLS (SSL) layer beneath the FTP protocol. With SSL in use, the FTP transmission is encrypted from end to end and all FTP traffic is protected.

The requirement for users is an FTP client that can connect using FTP-S. Examples of FTP clients that support FTP-S are the open source FileZilla client and the commercial CuteFTP client.

Configure a secure FTP site using commercial SSL

Below we describe how to secure an existing FTP site using an SSL certificate. The certificate issued and used below is created by a Certificate Authority for testing purposes, but the process of requesting the certificate on the server is exactly the same as obtaining a certificate from a third-party certificate provider such as Verisign or Godaddy. You can also create self-signed certificates directly from within IIS; that process is described later in this article.

Make sure you have an active FTP site and that you can log in to it. The FTP site used as the example in this section is ftp.example.com.

  1. Launch IIS Manager from Start - Administrative Tools - Internet Information Services (IIS) Manager.
  2. In IIS Manager, click the FTP server, highlight the server, and select Server Certificates:

     Figure A: Server Certificates

  3. In the Actions pane, select Create Certificate Request:

     Figure B: Server Certificates - Actions

  4. In the dialog window that appears, fill in the required information for the certificate and click Next:

     Figure C: Input box for self-signed certificate information

  5. Select the default encryption provider and click Next:

     Figure D: Encryption service provider

  6. Save the request to a file and click Finish:

     Figure E: Save the certificate request

The certificate request has now been created and is pending in IIS. The request is ready to be sent to a third-party certificate provider (such as Verisign or Godaddy).

Import the issued certificate

When the requested certificate is returned from the provider, it needs to be imported into IIS before it can be used.

  1. In IIS Manager, click the FTP server and select Server Certificates:

     Figure F: IIS Manager - Server Certificates

  2. Select Complete Certificate Request:

     Figure G: Server Certificates - Complete Certificate Request

  3. Select the certificate file received from the provider and enter the name of the site, then click OK:

     Figure H: Complete Certificate Request

  4. The certificate is now displayed in IIS Manager and is ready for use:

     Figure I: Server Certificates

Activate the commercial certificate on the FTP site

Once imported, the SSL certificate can be enabled and used for an FTP site. Go to the FTP site you want to use the certificate for.

  1. In IIS Manager, select the FTP site and then click FTP SSL Settings:

     Figure J: FTP site settings - FTP SSL

  2. Select the certificate and the SSL policy (Allow SSL or Require SSL), then click Apply:

     Figure K: FTP SSL settings

  3. The SSL certificate is now in use for the FTP site:

     Figure L: FTP SSL settings

The FTP site is now protected, and connections to it must be made over FTP-S using an FTP client that supports FTP-S.

Configure a secure FTP site with a self-signed SSL certificate

As described earlier, it is possible to create a self-signed certificate directly from within Internet Information Services (IIS) Manager. This process is faster than requesting a commercial certificate. Self-signed certificates are well suited to testing an FTP site or to internal use, but they are not recommended for production use.

  1. Start IIS Manager from Start - Administrative Tools - Internet Information Services (IIS) Manager.
  2. In IIS Manager, click the FTP server and select Server Certificates:

     Figure M: Server Certificates

  3. In the Actions pane, select Create Self-Signed Certificate:

     Figure N: Server Certificates - Actions

  4. In the dialog box that appears, name the certificate and click OK:

     Figure O: Name the self-signed certificate

  5. The certificate is now created and ready for use:

     Figure P: Certificates have been created

The next step is to use and activate the new certificate on an existing FTP site.

  1. Select the FTP site (in this example: ftp.example.com) and click FTP SSL Settings:

     Figure Q: FTP site - FTP SSL Settings

  2. Select the certificate and select the necessary settings (Require SSL Connections), click Apply:

     Figure R: FTP site settings - FTP SSL

The FTP site is now ready to be used and all traffic is encrypted. An FTP client with FTP-S support is required to connect to the new FTP site.

Connect to an FTP site

Use an FTP client that supports FTP-S to connect to the FTP site, then test the connection. The example below uses FileZilla. You need to configure the FTP server settings in FileZilla to connect using FTP-S; in FileZilla, the setting is "FTPES - FTP over explicit TLS / SSL".

Figure S: FileZilla - FTPS settings

The first time you log in to an FTP site that uses your self-signed certificate, the FTP client (FileZilla) will warn you that the root of the certificate is unknown. If you want to trust and import this certificate, click OK.

The FTP site will be ready to be used in a secure manner.
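
A way to confirm from a client machine which SSL policy (Allow or Require) the FTP site is actually enforcing, as an added example that is not part of the original article: it checks that the server answers AUTH TLS as RFC 4217 describes, then checks whether a user name is still accepted on an unencrypted control connection. The function names, the "anonymous" user name and the result labels are assumptions made for this example.

```python
import socket
import sys

def read_reply(f):
    """Read one FTP reply, including the multi-line '220-...' form; return its code."""
    line = f.readline()
    if not line:
        raise ConnectionError("server closed the control connection")
    code = line[:3]
    if line[3:4] == b"-":                      # multi-line reply ends at 'ddd '
        while not line.startswith(code + b" "):
            line = f.readline()
            if not line:
                raise ConnectionError("truncated multi-line reply")
    return int(code)

def command(f, text):
    """Send one command on the control channel and return the reply code."""
    f.write(text.encode("ascii") + b"\r\n")
    f.flush()
    return read_reply(f)

def probe_ftps_policy(connect):
    """connect() must return a new socket connected to the FTP control port.

    Returns 'no-tls', 'allow', 'require' or 'unknown' (labels chosen for this example).
    """
    # 1. RFC 4217: a server that offers explicit TLS answers AUTH TLS with 234.
    with connect() as s, s.makefile("rwb") as f:
        read_reply(f)                          # greeting banner
        if command(f, "AUTH TLS") != 234:
            return "no-tls"
    # 2. On a fresh connection, offer a user name without negotiating TLS first.
    #    No password is ever sent; only the reply code matters.
    with connect() as s, s.makefile("rwb") as f:
        read_reply(f)
        code = command(f, "USER anonymous")
    if code in (230, 331):                     # cleartext login still accepted
        return "allow"
    return "require" if 500 <= code < 600 else "unknown"

if __name__ == "__main__" and len(sys.argv) == 2:
    host = sys.argv[1]                         # e.g. ftp.example.com
    print(probe_ftps_policy(lambda: socket.create_connection((host, 21), timeout=10)))
```

A result of "allow" means clients that do not negotiate TLS can still send credentials in cleartext, so a site meant to be FTP-S only should report "require".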

Conclusion

With the new Microsoft FTP Publishing Service, you can deploy a complete secure FTP solution based on Microsoft products, integrated with Internet Information Services and Active Directory. All FTP communication can now be encrypted because FTP Publishing Service for IIS 7.0 supports FTP-S (FTP over SSL), an RFC standard (RFC 4217) for encrypting FTP traffic.

Encryption of FTP traffic can be done using a self-signed or commercial SSL certificate. All configuration is done on the server. Clients connecting to secure FTP sites need to use an FTP client that supports FTP-S.