The first thing you need to do is disable Socket Pooling for the FTP Service. Socket Pooling
allows IIS to listen on all IP addresses assigned to a particular server.
You can check this by typing the following command at the command prompt: netstat -na
Perform these steps to disable Socket Pooling for the FTP Service:
Check with netstat -na to confirm that TCP port 21 is now listening on one IP address instead of
listening on 0.0.0.0.
Step 2: Configure the FTP service to listen only on the internal interface
1. Open the Internet Information Services console from the Administrative Tools
2. Right click on the Default FTP Site and click Properties
3. In the Default FTP Site Properties dialog box, select the IP address on which your FTP
server must listen, click Apply and then OK
4. After making these changes, restart the FTP Service.
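The netstat check in the steps above is the verification a practitioner wants after both steps. The following script is an added example, not part of the original guide: it parses the text output of `netstat -na` (Windows format) and reports whether TCP port 21 is still bound to the wildcard address 0.0.0.0, which is what Socket Pooling produces. The two sample outputs are constructed; `check_live()` runs the real command on the local machine.

```python
"""Verify that the FTP control port is bound to one address, not 0.0.0.0."""
import re
import subprocess
from typing import List, Tuple

FTP_PORT = 21

# Constructed sample of `netstat -na` output with Socket Pooling still enabled.
SAMPLE_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
"""

# Constructed sample after Socket Pooling is disabled and the site is bound
# to the internal interface (192.168.1.10 is an assumed address).
SAMPLE_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:21        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
"""

# Matches a listening TCP socket line; "LISTEN" is accepted for non-Windows netstat.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$", re.IGNORECASE)


def tcp_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def ftp_bindings(netstat_output: str, port: int = FTP_PORT) -> List[str]:
    """Addresses on which the given port is listening."""
    return [addr for addr, p in tcp_listeners(netstat_output) if p == port]


def socket_pooling_active(netstat_output: str, port: int = FTP_PORT) -> bool:
    """True if the port is bound to the wildcard address, i.e. all interfaces."""
    return "0.0.0.0" in ftp_bindings(netstat_output, port)


def check_live() -> bool:
    """Run `netstat -na` on this machine and report whether port 21 is wildcard-bound."""
    out = subprocess.run(["netstat", "-na"], capture_output=True, text=True, check=True).stdout
    return socket_pooling_active(out)


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "port 21 bindings:", ftp_bindings(sample),
              "socket pooling active:", socket_pooling_active(sample))
```

Run it once before and once after the two steps; the goal state is a single specific address in the port 21 bindings and `socket_pooling_active()` returning False.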
Some FTP server implementations allow a PORT command to open a connection between the FTP
server and an arbitrary port on another machine. This lets an attacker establish connections to
arbitrary ports on machines other than the machine that actually sent the command.
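The usual server-side defence against the PORT problem just described is to accept a PORT argument only when it names the address of the client that sent it on the control connection, and only an unprivileged port. The code below is an added example, not from the original guide or any particular FTP server: it parses the RFC 959 `h1,h2,h3,h4,p1,p2` form and applies that policy. Addresses and ports are constructed.

```python
"""Validate an FTP PORT argument so the data connection can only go back to the client."""
import ipaddress
from typing import Tuple


class PortCommandError(ValueError):
    """Raised when a PORT argument is malformed or not allowed by policy."""


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Parse 'h1,h2,h3,h4,p1,p2' into (dotted IPv4 string, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise PortCommandError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise PortCommandError("PORT fields must be integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise PortCommandError("PORT fields must be in 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    return host, port


def validate_port_command(arg: str, control_peer_ip: str) -> Tuple[str, int]:
    """Return (host, port) if the requested data address is acceptable, else raise.

    Policy:
      * the data host must equal the peer address of the control connection;
      * the data port must be 1024 or higher (no well-known service ports).
    """
    host, port = parse_port_argument(arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise PortCommandError(f"target {host} differs from control peer {control_peer_ip}")
    if port < 1024:
        raise PortCommandError(f"target port {port} is a privileged port")
    return host, port


def handle_port(arg: str, control_peer_ip: str) -> str:
    """Produce the FTP reply line a server would send for this PORT command."""
    try:
        validate_port_command(arg, control_peer_ip)
    except PortCommandError as exc:
        # 5xx reply: the command is refused and no data connection is opened.
        return f"500 Illegal PORT command ({exc})"
    return "200 PORT command successful"


if __name__ == "__main__":
    peer = "203.0.113.5"  # constructed control-connection peer address
    # Legitimate request: the client's own address, port 5000 (19*256 + 136).
    print(handle_port("203,0,113,5,19,136", peer))
    # Request naming a different host and port 25: refused.
    print(handle_port("192,0,2,10,0,25", peer))
```

Logging the refused requests (peer address plus the argument) is also worthwhile, since a PORT argument naming a third host is a clear signal on its own.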
If you use the Web Publishing Wizard you can publish multiple FTP Servers with the same IP
address on the external interface of the ISA Server. If you use the Server Publishing Wizard, you
can only publish a single FTP server per IP address.
1. Open the ISA Management console, expand your server and then expand the Publishing
node. Click on Server Publishing Rules, click New and then click Rule.
2. On the Welcome page type a name for the FTP server publishing rule then click Next.
3. On the Address Mapping page, type the IP address of the internal interface of the ISA
server in the IP address of internal server text box and the IP address of the external interface in
the External IP address on ISA server text box, then click Next.
4. On the Protocol Settings page select FTP Server protocol, then click Next.
5. On the Client Type page select either the Any request or the Specific computer option, then click
Next.
6. On the last page of the wizard, confirm your settings and click Finish.
The problem with FTP server authentication is that anyone with a network sniffer program can
capture your authentication request. The username and password are sent in clear text over the
Internet. If the files the user downloads are in clear text format, someone with a network sniffer
program can capture your files and read their contents. This can be a major security risk.
Since SSL is not supported by this standard tool (ftp.exe), we can use IPSec to encrypt only the
FTP traffic from the client to the ISA server.
We just created an IP Filter List; now it is time to create the actual policy.
19. The policy does not take effect immediately. You have to restart the IP Security Policy Agent
from the Services console in Administrative Tools.
The target computer is the computer that connects to your ISA server. Actually it is a computer
on the Internet.
1. Open Local Security Policy from the Administrative Tools menu.
2. Expand IP Security Policies on Local Machine.
3. You see a list of three default policies. Since these policies encrypt the IP traffic
specified in their rules, they encrypt too much for our purpose, so we create a new policy.
4. Right click on IP Security Policies on Local Machine.
5. Select Manage IP filter lists and filter actions.
6. On the Manage IP Filter Lists tab, click Add.
7. In the IP Filter List dialog box, type a name for the filter (for example, FTP Secure) and click
Add.
8. An IP Filter Wizard shows up, click Next.
9. On the IP Traffic Source page, select My IP Address from the list box, then click Next.
10. On the IP Traffic Destination page, select A specific IP Address from the list box. In the
IP Address text box, type the external IP address of the ISA server, then click Next.
11. On the IP Protocol Type page, select TCP from the list box, click Next.
12. On the IP Protocol Port page, select:
From any port
To this port: 21
13. Click Next and Finish.
14. Close and Close again.
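To see exactly which FTP packets the filter built in steps 9 to 12 covers, the following is an added example (not part of the original guide) that models that one filter and tests it against the control connection and the two kinds of data connection. Addresses are constructed (client 192.0.2.10, ISA external interface 203.0.113.1); the `mirrored` behaviour models the wizard's Mirrored option, which is checked by default and matches packets with the exact opposite source and destination.

```python
"""Model of the 'FTP Secure' IP filter to check which FTP traffic it matches."""
from dataclasses import dataclass
from typing import Dict, Optional

ANY = None  # wildcard for a port field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class IpFilter:
    """One filter as the wizard records it: source, destination, protocol, ports."""
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    mirrored: bool = True  # wizard default: also match the reverse direction

    def _one_way(self, p: Packet, src: str, dst: str, sport, dport) -> bool:
        return (p.src == src and p.dst == dst and p.proto == self.proto
                and (sport is ANY or p.sport == sport)
                and (dport is ANY or p.dport == dport))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p, self.src, self.dst, self.sport, self.dport):
            return True
        return self.mirrored and self._one_way(p, self.dst, self.src, self.dport, self.sport)


CLIENT = "192.0.2.10"     # constructed: "My IP address" on the client
ISA_EXT = "203.0.113.1"   # constructed: external IP address of the ISA server

# Steps 9-12 above: My IP address -> ISA external IP, TCP, from any port to port 21.
FTP_SECURE = IpFilter(src=CLIENT, dst=ISA_EXT, proto="TCP", sport=ANY, dport=21)

# Constructed traffic of one FTP session (client ports are arbitrary).
SESSION: Dict[str, Packet] = {
    "control_out":  Packet(CLIENT, ISA_EXT, "TCP", 3456, 21),     # USER/PASS, RETR ...
    "control_in":   Packet(ISA_EXT, CLIENT, "TCP", 21, 3456),     # server replies
    "active_data":  Packet(ISA_EXT, CLIENT, "TCP", 20, 3457),     # server:20 -> client
    "passive_data": Packet(CLIENT, ISA_EXT, "TCP", 3458, 50000),  # client -> server high port
}


def coverage_report(flt: IpFilter = FTP_SECURE) -> Dict[str, bool]:
    """Which parts of the session the filter would hand to the IPSec policy."""
    return {name: flt.matches(p) for name, p in SESSION.items()}


def unprotected_parts(flt: IpFilter = FTP_SECURE):
    """Names of session parts the filter leaves outside the policy."""
    return sorted(name for name, hit in coverage_report(flt).items() if not hit)


if __name__ == "__main__":
    for name, hit in coverage_report().items():
        print(f"{name:13s} {'covered' if hit else 'NOT covered'}")
```

The report shows that a filter on destination port 21 covers the control channel only: the username and password are protected, but the data connections that carry the file contents (port 20 in active mode, a high port in passive mode) fall outside the filter and travel in clear text. If protecting the files themselves is the goal stated above, the filter list needs additional filters for the data connections as well.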
Note: It is important to use the same preshared key on both systems; otherwise a connection
cannot be established.
Note: You can only use IPSec on Windows 2000 and Windows XP clients; IPSec is not
supported on the Windows 9x family.