IIS 7.0 – FTP Publishing Service – Part 3: Securing an FTP site

If you would like to read the other parts in this article series please go to:

• IIS 7.0 – FTP Publishing Service – Part 1: Installation
• IIS 7.0 – FTP Publishing Service – Part 2: Configuration

Introduction

This article will cover the different configuration scenarios of enhancing security of an FTP site, using a SSL certificate in the new FTP Publishing Service for IIS 7.0. The prerequisite for this article is that the FTP Publishing Service is already installed on Windows Server 2008 and an FTP site has been configured. To see how this is done, please refer to part 1 and part 2 of this article series. This article will contain two main configuration topics each divided into its own sections:

• How to configure a secure FTP site using a commercial SSL certificate
• How to configure a secure FTP site using a self-signed SSL certificate

The new FTP Publishing Service for IIS 7.0 supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is a RFC standard (RFC 4217) where an SSL certificate is added to an FTP site and thereby making it possible to perform secure file transfers using a TLS (SSL) layer below the FTP protocol. By using SSL, the FTP transmission is encrypted and secured from point to point and all FTP traffic is thereby guarded against interception.

The requirements for the users would be to use an FTP client that is able to connect using FTP-S to connect to the FTP site. Examples or FTP clients which support FTP-S could be the open-source FTP client FileZilla or the commercial FTP client CuteFTP.

Configure a secure FTP site using a commercial SSL

Below I will describe how to secure an existing FTP site using a SSL certificate. The certificate issued and used below will be created on an internal Certificate Authority made for testing purpose only, but the certificate enrollment process on the server is the same as when ordering a certificate from a third party certificate provider such as Verisign or Godaddy. It is also possible to create a self-signed certificate directly from within IIS, this process will be described later in the article.

Make sure you have the FTP site running and that you are able to log in to the FTP site. The FTP site used as example in this article ftp.example.com as illustrated below.

1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
2. In IIS Manager click the FTP server and mark the server and choose Server Certificates:

Figure A: Server Certificates

3. In the actions pane, choose Create Certificate Request:

Figure B: Server Certificates – Actions

4. In the dialog windows that pops up, fill out the required information for the certificate and click Next:

Figure C: Self-signed Certificate – Name

5. Choose the default cryptographic service provider and click Next:

Figure D: Cryptographic Service Provider

6. Save the request to a file and click Finish:

Figure E: Save Certificate request

The certificate request has now been done and is pending in IIS. The request is now ready to be sent off to a commercial 3rd party certificate provider (e.g. Verisign, Godaddy etc.).

Import Certificate request

When the certificate request gets back from the certificate provider, it needs to be imported into IIS to work.

1. In IIS Manager click the FTP server and choose Server Certificates:

Figure F:
IIS Manager – Server Certificates

2. Choose Complete Certificate Request…:

Figure G: Server Certificates – Complete Certificate Request

3. Select the Certificate request, that came back from the certificate provider and enter the common name of the site and click OK:

Figure H: Complete Certificate Request

4. The certificate is now displayed in the IIS Manager and ready for use:

Figure I: Server Certificates

Enable the commercial certificate on the FTP site

When imported the SSL certificate can be enabled and applied to an FTP site. Go to the FTP site, which you want to apply the certificate to.

1. In IIS Manager select the FTP site and click FTP SSL Settings:

Figure J: FTP site – FTP SSL Settings

2. Select the certificate and the SSL policy (Allow or Required SSL) settings and click Apply:

Figure K:

FTP SSL Settings

3. The SSL certificate has now been applied to the FTP site:

Figure L: FTP SSL Settings

The FTP site is now secured and requires the connection to the FTP site to be FTP-S, using a FTP client which supports FTP-S.

Configure a secure FTP site using a self-signed SSL

As described previously it is also possible to generate a self-signed SSL certificate, directly from within the Internet Information Services (IIS) Manager. This process is quicker, than compared to requesting a commercial certificate. Self-signed certificates are great for testing FTP sites or maybe internal use, but not recommended for production use.

1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
2. In IIS Manager click the FTP server and choose Server Certificates:

Figure M: Server Certificates

3. In the actions pane, choose Create Self-Signed Certificate:

Figure N: Server Certificates – Actions

4. In the dialog windows that pops up, give the certificate a friendly name and click OK:

Figure O: Self-signed Certificate – Name

5. The certificate is now generated and ready for use:

Figure P: Server Certificates – Generated certificates

Next step is to apply and enable this new certificate on an existing FTP site.

6. Select the FTP site (in this example: ftp.example.com) and click on FTP SSL Settings:

Figure Q: FTP site – FTP SSL Settings

7. Choose the certificate and select the settings needed (Require SSL Connections) and click apply:

Figure R: FTP site – FTP SSL Settings

The FTP site is now ready to be used and all traffic will be encrypted. An FTP client that supports FTPs is now required to connect to the new FTP site.

Connecting to an FTP site

Use an FTP client which supports FTP-S to connect to the FTP site and test the connectivity. In the example below FileZilla is used. It is important to configure the FTP server setting in FileZilla to connect using FTPs, with FileZilla the settings would be “FTPES – FTP over explicit TLS/SSL”.

Figure S: FileZilla – FTPS Settings

The first time you logon to an FTP site running with a self-signed certificate, the FTP client (FileZilla) will prompt and tell you that the root of the certificate is not known. If you want to trust it and import it, click OK.

The FTP site is now ready to be used in a secure manner.

Summary

With the new Microsoft FTP Publishing Service it is now possible to deploy a secure FTP solution based on a Microsoft product, with the integration to Internet Information Services and Active Directory. All FTP communication can now be encrypted because the FTP Publishing Service for IIS 7.0 supports FTP-S (FTP over SSL), FTP-S is a RFC standard (RFC 4217) for encryption FTP traffic.

Encryption of your FTP traffic can be done using a commercial or self-signed SSL certificate. All the configuration is done on the server. The clients connecting to the new secure FTP site, need to use an FTP client that supports FTP-S.

This concludes part 3 of this 3 part article series about the new FTP Publishing Service for Internet Information Services 7.0 (IIS 7.0).

Related links

• IIS.net – Microsoft’s IIS website: http://www.iis.net

If you would like to read the other parts in this article series please go to:

• IIS 7.0 – FTP Publishing Service – Part 1: Installation
• IIS 7.0 – FTP Publishing Service – Part 2: Configuration