File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.

From Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide

Part of Prohibited FTP Logins

Associated with: CCI-000366

SV-52106r2_rule File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.

Vulnerability discussion

The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult.Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.

Check content

If FTP is not installed on the system, this is NA. Determine the IP address and port number assigned to FTP sites from documentation or configuration. If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". Select "Sites" under the server name. For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. Open a "Command Prompt". Attempt to log on as the user "anonymous" with the following commands: Note: Returned results may vary depending on the FTP server software. C:\> "ftp" ftp> "Open IP Address Port" (Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) (Connected to IP Address 220 Microsoft FTP Service) User (IP Address): "anonymous" (331 Anonymous access allowed, send identity (e-mail name) as password.) Password: "password" (230 User logged in.) ftp> If the response indicates that an anonymous FTP login was permitted, this is a finding. If accounts with administrator privileges are used to access FTP, this is a CAT I finding.

Fix text

Configure the FTP service to prevent anonymous logons.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer