Company wants to use an FTP Server

Comments

  • instant000 Member Posts: 1,745
    Sorry, I wrote that wrong. We're gonna use the FTP service through Server 2003. I've set it up and whatnot; the only problem I'm having is he wants me to do the following, and I'm catching hell doing it:

    -Save a file and make it public.
    -Give me instruction on how to get it off site
    -Some kind of authentication will be needed after the test phase.

    This sounds like you will need to get with your network person (unless that's also you) and set up a translation, from a public to DMZ/internal IP, for the FTP port, so FTP users can hit it from the outside. If you have Cisco devices, there are configuration guides available for this.

    FTP products can be set for username/password authentication

    You can set the user's home directory.

    I think you would first work at getting this working locally, inside your network, then branch out to either having the server in DMZ, and/or have an IP translation to the outside.

    Let us know at which point you're stuck.

    EDIT: by referring to the user's home directory, I mean the folder the user would connect to when they come on the FTP site, as well as controlling whether or not that user can browse to other folders.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • geeksquad09 Member Posts: 177
    instant000 wrote: »
    This sounds like you will need to get with your network person (unless that's also you) and set up a translation, from a public to DMZ/internal IP, for the FTP port, so FTP users can hit it from the outside. If you have Cisco devices, there are configuration guides available for this.

    FTP products can be set for username/password authentication

    You can set the user's home directory.

    I think you would first work at getting this working locally, inside your network, then branch out to either having the server in DMZ, and/or have an IP translation to the outside.

    Let us know at which point you're stuck.

    EDIT: by referring to the user's home directory, I mean the folder the user would connect to when they come on the FTP site, as well as controlling whether or not that user can browse to other folders.

    I used the link attached below. Should that link solve all the steps my boss has asked, besides the authentication task?

    How to configure Network Address Translation in Windows Server 2003
    Currently Studying for Network+, Server+, and Security+

    The computer was born to solve problems that did not exist before
  • RobertKaucher Member Posts: 4,299
    At my previous job we used an FTP server based on IIS on Server 2003. It was probably very insecure but what you do needs to fit the business needs of the company. I had a Word document with screen shots that I used to send to customers who needed to access the site. It provided step by step instructions for them.

    What exactly are you having issues setting up right now? My suggestion is set it up internally, test it, get authentication working as you expect and only then publish it outside the firewall.

    WITHOUT AUTHENTICATION DO NOT PUBLISH THIS USING NAT!!!! You will have a server with an HDD full of pr0n in seconds!!!
  • geeksquad09 Member Posts: 177
    At my previous job we used an FTP server based on IIS on Server 2003. It was probably very insecure but what you do needs to fit the business needs of the company. I had a Word document with screen shots that I used to send to customers who needed to access the site. It provided step by step instructions for them.

    What exactly are you having issues setting up right now? My suggestion is set it up internally, test it, get authentication working as you expect and only then publish it outside the firewall.

    WITHOUT AUTHENTICATION DO NOT PUBLISH THIS USING NAT!!!! You will have a server with an HDD full of pr0n in seconds!!!

    I'm having issues with the following:

    -Saving a file and make it public.
    -Give me instruction on how to get it off site
    -Some kind of authentication will be needed after the test phase.
  • RobertKaucher Member Posts: 4,299
    I'm having issues with the following:

    -Saving a file and make it public.
    -Give me instruction on how to get it off site
    -Some kind of authentication will be needed after the test phase.

    FTP Site Setup (IIS 6.0)

    Configure FTP Server Authentication (IIS 6.0)

    Setting up FTP via Windows Explorer

    Whoever is getting the files would take steps similar to the third link. You already found a link about publishing the FTP service outside your firewall. That should be all you need. Make sure you communicate clearly with the boss about the chances of 0wnage.
  • geeksquad09 Member Posts: 177
    FTP Site Setup (IIS 6.0)

    Configure FTP Server Authentication (IIS 6.0)

    Setting up FTP via Windows Explorer

    Whoever is getting the files would take steps similar to the third link. You already found a link about publishing the FTP service outside your firewall. That should be all you need. Make sure you communicate clearly with the boss about the chances of 0wnage.

    Completed the 1st link, and I emailed my boss the 3rd link. The 2nd one is giving me a bit of complications. Could I use my boss's login and password as the authentication username and password?
  • blargoe Member Posts: 4,174
    I would not set up a Windows FTP server without the following characteristics:

    - At LEAST Windows 2008. You're only going to see security updates for Windows 2003 for a couple more years. Also Windows 2008 FTP is much more secure.

    - FTP Root on separate partition from System Root drive

    - Enable the File Server Resource Manager feature and create a policy to block all executable content from being saved in the FTP folders on the file system (or any other file types that you don't intend to allow... videos and music, for example)

    - Execute the Security Configuration Wizard (or whatever the equivalent is called in 2008) and lock down the server as much as possible.

    - Create Software Restriction Policies in local Group Policy to block unauthorized executables from running on the server.

    - Host the server in a perimeter network

    - Have an IDS at the perimeter

    - Install host-based security protection

    You can make a Windows FTP server pretty tight but you really need to do the above for best results.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • MentholMoose Member Posts: 1,525
    Completed the 1st link, and I emailed my boss the 3rd link. The 2nd one is giving me a bit of complications. Could I use my boss's login and password as the authentication username and password?
    What part specifically are you having trouble with? If you want to use authentication, skip the Anonymous FTP section and do the Basic FTP section.
    At my previous job we used an FTP server based on IIS on Server 2003. It was probably very insecure but what you do needs to fit the business needs of the company.
    IIS FTP on Server 2003 provides the most basic FTP functionality. Both the authentication and data channels are unencrypted. If everyone accessing the FTP server is either on site (wired or secured wireless) or connecting by VPN, it is relatively safe. If, however, the FTP server is Internet accessible and a user connects via an unsecured wireless hotspot, then anyone near them with a laptop and a wireless capture tool (e.g. the free Aircrack-ng) can get the plain text credentials and the data itself (and log on with the credentials later to get more data, or try to find more things they can access with those credentials).

    IIS FTP on Server 2008 supports FTPS, which uses SSL to encrypt the authentication and/or data channels, so if you care about security at all, use that over Server 2003. This wasn't included in Server 2008 RTM but I think it is included in 2008 SP1 and 2008 R2 by default. blargoe has some good points about hardening this server.
    FTPS in IIS7 is sweeter - eXtreme. tech. - Site Home - TechNet Blogs
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
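
Added example, not part of any post in this thread: a Python check for the point made above that IIS FTP on Server 2003 sends credentials unencrypted while an FTPS-capable server can encrypt them. It asks a server you administer, before any TLS handshake, whether it advertises AUTH TLS and whether it still accepts a USER command in the clear; the account name `tls-policy-check` and the sample replies are constructed for illustration.

```python
import socket

def read_reply(f):
    """Read one FTP reply; multi-line replies run from 'NNN-' to a line 'NNN '."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("control connection closed")
        lines.append(raw.decode("latin-1").rstrip("\r\n"))
        if lines[-1][:3] == lines[0][:3] and lines[-1][3:4] in (" ", ""):
            return lines

def assess(feat_lines, user_lines):
    """Classify replies to FEAT and USER that were sent before any TLS handshake."""
    # Feature lines sit between the first and last line of a multi-line FEAT reply.
    # A server without FEAT support is treated as not offering TLS (assumption).
    feats = [l.strip().upper() for l in feat_lines[1:-1]]
    offers_tls = any(f.startswith("AUTH") and ("TLS" in f or "SSL" in f) for f in feats)
    # 331 = "send the password next", 230 = "logged in": both mean the server
    # is willing to take credentials over the unencrypted control channel.
    cleartext_login = user_lines[-1][:3] in ("331", "230")
    if cleartext_login:
        verdict = "tls-optional" if offers_tls else "plaintext-only"
    else:
        verdict = "tls-required" if offers_tls else "login-refused"
    return {"offers_tls": offers_tls, "cleartext_login": cleartext_login,
            "verdict": verdict}

def probe(host, port=21, timeout=5.0):
    """Ask a server you administer how it treats a login attempt without TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")

        def command(text):
            f.write(text.encode("ascii") + b"\r\n")
            f.flush()
            return read_reply(f)

        read_reply(f)                            # 220 greeting
        feat = command("FEAT")
        user = command("USER tls-policy-check")  # hypothetical name; no password is sent
    return assess(feat, user)

# Constructed sample replies, not captured from a real server.
PLAINTEXT_ONLY = (["500 'FEAT': command not understood"],
                  ["331 Password required for tls-policy-check."])
TLS_OPTIONAL = (["211-Features:", " AUTH TLS", " PBSZ", " PROT", "211 End"],
                ["331 Password required for tls-policy-check."])
TLS_REQUIRED = (["211-Features:", " AUTH TLS", " PBSZ", " PROT", "211 End"],
                ["534 Policy requires SSL."])

if __name__ == "__main__":
    for sample in (PLAINTEXT_ONLY, TLS_OPTIONAL, TLS_REQUIRED):
        print(assess(*sample))
```

A `tls-optional` result still lets a client log in without encryption, so only `tls-required` rules out the hotspot capture scenario described in the post.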
  • it_consultant Member Posts: 1,903
    You know...this is one time the cloud may be called for. Have you considered using something like box.net?
  • geeksquad09 Member Posts: 177
    You know...this is one time the cloud may be called for. Have you considered using something like box.net?

    OK, but how could we use "Box.net" to transfer the company's files back and forward to one another? We have our own domain, "TRIUMPH".
  • it_consultant Member Posts: 1,903
    I assume that the reason for using an FTP server is to move files from your inside network to a partner company or customers. Box.net allows something called "sync" where you can sync folders on your file server to box.net servers. Your clients could log into box.net and see those same files and folders. You can "share" the folders with whomever you choose or you could create box.net logins for them and set their access to appropriate levels.

    I am not trying to be harsh but if you need this thing to work correctly right out of the gate, this is a better solution for you. FTP is great but it seems like you have a lack of experience with FTP and I fear you are setting yourself up for failure.
  • RobertKaucher Member Posts: 4,299
    I am not trying to be harsh but if you need this thing to work correctly right out of the gate, this is a better solution for you. FTP is great but it seems like you have a lack of experience with FTP and I fear you are setting yourself up for failure.

    Especially with the considerable security issues that are involved with this.
  • geeksquad09 Member Posts: 177
    I assume that the reason for using an FTP server is to move files from your inside network to a partner company or customers. Box.net allows something called "sync" where you can sync folders on your file server to box.net servers. Your clients could log into box.net and see those same files and folders. You can "share" the folders with whomever you choose or you could create box.net logins for them and set their access to appropriate levels.

    I am not trying to be harsh but if you need this thing to work correctly right out of the gate, this is a better solution for you. FTP is great but it seems like you have a lack of experience with FTP and I fear you are setting yourself up for failure.

    I already have. Now I've hit this speed bump: we were using the IP address to log onto Server 2003 and now I can't get in. I'm getting the following message.

    When trying to connect to remote desktop, the error consists of the following:
    - remote access to the server isn't enabled
    - the remote computer is turned off
    - the remote computer isn't available on network
  • RobertKaucher Member Posts: 4,299
    I already have. Now I've hit this speed bump: we were using the IP address to log onto Server 2003 and now I can't get in. I'm getting the following message.

    When trying to connect to remote desktop, the error consists of the following:
    - remote access to the server isn't enabled
    - the remote computer is turned off
    - the remote computer isn't available on network

    Did you enable the FTP feature and publish it outside the firewall without enabling authentication?
  • geeksquad09 Member Posts: 177
    Did you enable the FTP feature and publish it outside the firewall without enabling authentication?

    No, I mean I'm using a company computer and he wanted me to do remote access to the server computer since it was a few floors down, and when I tried to connect to it that message popped up.

    When trying to connect to remote desktop, the error consists of the following:
    - remote access to the server isn't enabled
    - the remote computer is turned off
    - the remote computer isn't available on network
  • instant000 Member Posts: 1,745
    geeksquad09: What is your IT background? It seems that you're being tasked to do something above your skill level.

    You need to enable remote desktop at that server, in order to connect to it.

    If you can remote desktop to it from other locations, it could be a network configuration issue.
  • MentholMoose Member Posts: 1,525
    No, I mean I'm using a company computer and he wanted me to do remote access to the server computer since it was a few floors down, and when I tried to connect to it that message popped up.
    Did you do any troubleshooting? The error message tells you some possible problems, so check them out.
    When trying to connect to remote desktop, the error consists of the following:
    - remote access to the server isn't enabled
    Is remote desktop enabled on the server?
    - the remote computer is turned off
    Is the server powered on?
    - the remote computer isn't available on network
    Does the server have network access?
  • geeksquad09 Member Posts: 177
    instant000 wrote: »
    geeksquad09: What is your IT background? It seems that you're being tasked to do something above your skill level.

    You need to enable remote desktop at that server, in order to connect to it.

    If you can remote desktop to it from other locations, it could be a network configuration issue.

    I enabled it at the server. When I attempt to connect from a local computer it doesn't connect; it displays the message I posted in the previous posts.
  • blargoe Member Posts: 4,174
    Then the computer is either totally unreachable from your location, or you have a host firewall on your computer and/or the server itself blocking you.
  • instant000 Member Posts: 1,745
    blargoe wrote: »
    Then the computer is either totally unreachable from your location, or you have a host firewall on your computer and/or the server itself blocking you.

    Or a network ACL somewhere. Do you have contact with the network guy (you don't seem to be him), so you can check on if there are filters set up against RDP traffic?

    But the simplest things to check would be the stations under your control at this time, which appear to be the workstation and the server, just to narrow those down (though enabling RDP is supposed to automatically configure the firewall to allow it on the server side).

    Can this workstation RDP to other servers, and just not this one particular server? Just trying to get some baseline of something known to be working, and then branching from there, on the differences.
  • kriscamaro68 Member Posts: 1,186
    As others have said, it sounds like a firewall issue or maybe you are on a different network. I would do a tracert from your computer and see the jumps it makes, if any. If you have a firewall somewhere you need to open port 3389 for RDP connections. Also, when you're at the server do the same thing by trying to ping and tracert to your workstation and see where that gets you. Check the server for a firewall that is on. If it is on and not configured it will pretty much stop anything that isn't port 80 or 443.