I hate to be the devil's advocate on this one, but I'd be remiss in my duties if I didn't.

1) Read/write access to an FTP site without other controls is just inviting trouble from a warez, hacking perspective. I would definitely look to use a 3rd-party Secure FTP/SSH process to run this site and control upload/download capability very tightly. Even if it's behind a firewall, you might want to put an IDS probe after the firewall interface and before it hits the FTP server to pick off any exploits or obfuscated code being sent to the FTP server in an attempt to buffer overflow the FTP daemon accordingly.

2) Using a secure FTP process has a lot of advantages over just a regular IIS/FTP setup. Accounts that are created are not tied into the OS, so those crackers/hackers can guess all day long. If you make the passwords sufficiently long and complex and it's going over SSH/SFTP/FTP over SSL, you have a reasonable level of privacy/confidentiality in your communications to and from this host. Microsoft's vanilla implementation doesn't give you this; maybe using IPsec rules to encrypt the traffic back and forth from the FTP server, but that is a pain to admin and upkeep. I do like Ken's idea about IP restrictions, but we know even IPs can be spoofed.

Z

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 03, 2008 10:00 PM
To: NT System Admin Issues
Subject: RE: which is more secure?

More secure against what threat? Some external user guessing a username/password? Probably the second option. But given that Windows Server 2000 is now out of extended support, I don't really have that much confidence in either option.

But another option would be to put the FTP server into the DMZ, and create two FTP sites. One is read-only, and can be accessed by anyone. The second is read/write, but you use IP restrictions to ensure that only users on your internal network are able to connect to it.

Cheers
Ken

________________________________________
From: roger rabus [EMAIL PROTECTED]
Sent: Friday, 4 January 2008 11:58 AM
To: NT System Admin Issues
Subject: which is more secure?

hi everyone,

Please help me determine which is more secure?

1. A Windows 2000 server set up for read/write FTP that is in the DMZ with only access thru a firewall both to the inside network and the internet. Some users will have read/write while most will have read only as defined by Windows file security access.

2. A Windows 2000 server set up for read-only FTP access thru the firewall. Internal users will place files on the server via a file sharing via a separate network interface to the server. External users will only have read-only FTP access to files.

Roger Rabus
Logical Solutions

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
