FTP site login

[Scott]

I have just set up an FTP server and would like to make it
as secure as possible. I have disabled the anonymous
login because that doesn't really seem to do anything
other than add an extra step to getting into the FTP
site. The FTP site now requires a login and there are
only two accounts that have permission to login. This
works great when accessing from a Windowss 2000 or Windows
XP Home client, but with Windows XP Pro access is granted
automatically without the need for a login. What is going
on? Thanks.

 

[Ms]

To make secure FTP site set "enable anonymous only" login
or the world (i.e. network admins) will see all your ftp-passwords

 

[Karl Levinson [x y] mvp]

Agreed. Anonymous FTP is not always "less" secure. It is however a good
idea to prevent anonymous user e.g. IUSR from having both read and write
permission to any FTP folder. If you want to encrypt your FTP traffic, this
is not natively possible with IIS, but there are add-ons that often require
a custom client, or you could consider WebDAV or SSH / PuTTY / SCP. More
info:

http://securityadmin.info/faq.htm#ftpencryption
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewall

RE: the login, I have to wonder whether XP is trying to log in using the
currently logged in account and password. I have not known XP FTP to behave
this way, but if this was the case and if the account and password is
identical to an account and password on the FTP server, then that could
allow seemingly "unprompted" access.