Creating a Blind Drop FTP Server
by Steve Schofield
This article covers how to set up an anonymous “blind drop” FTP server using Microsoft Windows 2003. The concepts and NTFS permissions covered in the article are based on KB article 314932, HOW TO: Create an FTP Folder with Read Access but Not List Access.
You may be wondering, what is a “blind drop” server? A “blind drop” FTP server provides individuals or companies a method to anonymously transfer files using FTP without having permission to list files or retrieve files on the FTP site. In other words, you can “drop” files onto the server but not see what’s there, or retrieve files even if you did know what was there. There are benefits for both the end-user and the FTP administrator. The end-user doesn’t have to remember a user ID and password. The FTP administrator uses NTFS permissions so anonymous users can’t browse or retrieve files. The biggest benefit for the FTP administrator is that they don’t have to maintain user IDs and passwords for everyone needing FTP access.
One reason for writing this article is that I discovered through my testing that the Microsoft article doesn’t prevent people from retrieving files after they have been placed on the FTP site. There are automated tools looking for ways to dump illegal files and do a “blind get” for later retrieval. If you’re responsible for running an FTP server, I’m sure your logs are full of automated robots scanning for anonymous FTP sites. The only benefit to the knowledge article is that if you follow the instructions, it prohibits people from having list access, but they can still retrieve a file if they know the filename and path.
The FTP protocol has been around since the Internet was introduced. It’s an easy way for people to share files back and forth without having to know a user ID and password. As the Internet has grown, FTP remains one of the most common ways to share files. However, this doesn’t come without security risks. Traditional anonymous FTP sites allow anyone to drop any type of file without it being checked. This can offer free storage for all types of files, including MP3s, movies or illegal software.
When would it be applicable to use this type of setup? This type of FTP setup isn’t for everyone, but it still has its place. Some examples would be: dealing with 100s of individuals and/or businesses sending files when you do not need to authenticate users, “ready to print jobs” sent via FTP, technical support centers uploading logs or memory dumps, or sharing files with 3rd party vendors that are too large to send via email.
One thing to remember is that the FTP protocol is not secure by default. There is no encryption of any kind unless you’re using some type of VPN or some other means to secure the connection across the Internet. Nothing can be guaranteed to be 100% secure. This would also include any type of user credentials. Before proceeding with this type of setup, carefully evaluate what types of data are being sent via FTP. Security is a necessary evil, and as an administrator, you have to be creative when providing solutions that are as secure as possible and still provide services for the business.
How to set up your “Blind Drop” server
At this point, I’m assuming a few things are in place. The server is running Windows 2003, Web, Standard or Enterprise edition. Your server has a C:\ drive with the operating system and a D:\ drive for data. The FTP Service has been installed and configured with the root directory set to D:\FTPRoot. If you’re not sure if FTP is installed and need to know how to configure the FTP root directory, please refer to the Microsoft article 323384.
The steps below have you create an FTP root folder with one subfolder below the FTP root folder. For security reasons, I suggest these folders not be hosted on the same drive the server OS is installed on.
Create FTP folder structure
Create FTPRoot folder structure: Log into the machine with an administrative account, click the Start Menu, select Program Files, Accessories, and launch Windows Explorer.
Create a subfolder: Create a folder called D:\FTPRoot\Incoming
Setting up NTFS Permissions
When you set up a folder, the default permissions might be similar to the picture listed below. We are going to remove the CREATOR OWNER, SYSTEM, and Users entries listed below.

Browse to D:\FTPRoot.
Right-click on the FTPRoot directory and select Properties.
Select the Security tab.
Click Advanced, and remove the checkmark from “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”

You’ll receive a message box, similar to the one below.

Click COPY; this copies the permissions that were on the folder.
Click OK.
Select and remove CREATOR OWNER, SYSTEM, and the Users group from the list. When you’re done, it will look like the picture below.

Click Add and enter the local machine’s anonymous FTP user. By default, the user ID would be machineName\IUSR_MACHINENAME. For this article, I’m going to use the default FTP anonymous user account. You can customize the anonymous user ID; to do so, you would have to create an account, set a password, and configure it inside the Internet Information Services MMC.

Click the Check Names button. This will fill it in with the correct information.
Click OK.
Remove the Read & Execute and Read permissions.

Click OK.
When completed, the following permissions will be on the FTPRoot folder:
Administrators (Full Control)
Internet Guest Account (MachineName\IUSR_MachineName): List Folder Contents
Set Permissions on Incoming directory
Within Windows Explorer, navigate to D:\FTPRoot\Incoming.
Right-click and select Properties.
Select the Security tab.
Click the Advanced tab.
Remove the checkmark from “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”
Click Copy on the message box. (This is the same message box as the picture mentioned above.)
Make sure the Internet Guest Account is highlighted like the picture below.
Click Advanced.

Note: The Internet Guest Account has Read and Execute listed for the anonymous user. We’ll be removing these permissions in the following steps. While the Internet Guest Account is highlighted, click Edit.
Setting up FILES Permissions
In the message box that appears, in the Apply onto dropdown box, select the FILES ONLY entry.
Make sure the ONLY things that are checked are List Folder/Read Data and Read Permissions. Verify everything else is unchecked.

Click OK.

Click Add.
Type IUSR_MACHINENAME and click Check Names.

Click OK.
In the Apply onto dropdown box, select This Folder Only.
Make sure the following items are checked:
· Create Files/Write Data,
· Create Folders/Append Data,
· Write Attributes,
· Write Extended Attributes,
· Read Permissions

This is what the Advanced tab should look like when it’s done.

Click OK. Click OK again. Click OK to return to Windows Explorer.
When completed, the following permissions will be on the D:\FTPRoot\Incoming folder:
Administrators (Full Control)
Internet Guest Account (Files Only): List Folder/Read Data, Read Permissions checked
Internet Guest Account (This Folder Only): Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions
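
The two permission summaries above can also be applied and checked from a script instead of the Security dialogs. The following is an added example, not part of the original article or the KB article: it writes the end-state ACLs directly rather than replaying the Copy-then-remove clicks. It assumes PowerShell is installed on the server, that the anonymous account follows the default MachineName\IUSR_MachineName pattern, and that Administrators' Full Control applies to the folder, subfolders and files; the function names are hypothetical.

```powershell
# Added example: sets the end-state ACLs from the two summaries in the article.
# Assumption: default anonymous account name; change $Anon if you customized it.
$Anon     = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
$Admins   = 'BUILTIN\Administrators'
$Root     = 'D:\FTPRoot'
$Incoming = 'D:\FTPRoot\Incoming'

# Hypothetical helper: build one Allow entry from rights and inheritance strings.
function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Hypothetical helper: replace the folder's ACL with exactly the rules given.
function Set-ExplicitAcl($Path, $Rules) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent; inherited entries are discarded, not copied.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit entry already present (CREATOR OWNER, SYSTEM, Users, ...).
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# FTPRoot: "List Folder Contents" is Read & Execute inherited by folders only.
Set-ExplicitAcl $Root @(
    (New-AllowRule $Admins 'FullControl'    'ContainerInherit, ObjectInherit' 'None'),
    (New-AllowRule $Anon   'ReadAndExecute' 'ContainerInherit'                'None')
)

# Incoming: one "Files only" entry and one "This folder only" entry for the anonymous user.
Set-ExplicitAcl $Incoming @(
    (New-AllowRule $Admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),
    # "Files only" = inherited by files, not applied to the folder itself.
    (New-AllowRule $Anon 'ReadData, ReadPermissions' 'ObjectInherit' 'InheritOnly'),
    # "This folder only" = no inheritance or propagation flags.
    (New-AllowRule $Anon 'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions' 'None' 'None')
)

# Print the result so it can be compared with the summaries above.
foreach ($p in $Root, $Incoming) {
    (Get-Acl $p).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

In the printed table, the "Files only" entry shows as ObjectInherit with InheritOnly, and the "This folder only" entry shows None for both flags.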
In conclusion, this setup allows an anonymous FTP user to create folders and files on the remote FTP server. The NTFS permissions put in place prevent anyone from listing or retrieving the files. There are a couple of limitations I want to mention with this setup. The permissions prevent the same file from being written again. This can be handy, however, because the automated scripts I’ve seen use files named 1kbtest.ptf and 1mbtest.ptf. Once these are in the directory, other robots will bomb on these files and discontinue probing your FTP server. The second drawback, which I couldn’t get around, is the creation of folders. As I mentioned earlier in the article, automated robots looking for anonymous FTP servers create directories as tests, then try to remove them. One thing I did to try to help with this was create a scheduled task that removed all files and folders on a timely basis. Another option would be to implement a “standardized” file name format and have the script monitoring the directory validate the filename, copy the file to a different location, then delete the FTPRoot/Incoming folder. This is just a suggestion, but it would be a method to track legitimate files. This isn’t a perfect solution, but it has greatly reduced my user administration and provided an anonymous FTP server that is as secure as possible.
In running this on the Internet for the last 4 months, no illegal files have been uploaded. Your experience may vary. As part of an ongoing series on how to use the FTP service within Windows 2003, we’ll explore how to provide a “Blind Get” server. Any questions or feedback, please let me know at steve@iislogs.com
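
One way to script the “standardized” file name idea from the conclusion, as a scheduled task. This is an added example, not the author's script: the name format, the accepted folder, the log file and the age threshold are all assumptions, and it assumes PowerShell 2.0 or later is installed on the server.

```powershell
# Added example; every value below is an assumption, not from the article.
$Incoming   = 'D:\FTPRoot\Incoming'
$Accepted   = 'D:\FTPAccepted'          # hypothetical folder outside the FTP root
# Hypothetical convention: <customer id>_<yyyyMMdd>_<label>.<ext>
$NameFormat = '^[A-Z0-9]{4,8}_\d{8}_[A-Za-z0-9-]{1,40}\.(zip|log|dmp|pdf)$'
$MinAge     = New-TimeSpan -Minutes 30  # leave alone anything that may still be uploading

# True only for names that match the agreed format exactly (case-sensitive).
function Test-DropName([string]$Name) {
    $Name -cmatch $NameFormat
}

# Move well-named files out of the FTP root; delete everything else.
function Invoke-DropSweep {
    $cutoff = (Get-Date) - $MinAge
    # Collect first so moving and deleting does not disturb the enumeration.
    $items = @(Get-ChildItem -LiteralPath $Incoming -Force |
               Where-Object { $_.LastWriteTime -lt $cutoff })
    foreach ($item in $items) {
        if (-not $item.PSIsContainer -and (Test-DropName $item.Name)) {
            # Timestamp prefix so two uploads with the same name never collide.
            $dest = Join-Path $Accepted ('{0:yyyyMMddHHmmss}_{1}' -f (Get-Date), $item.Name)
            Move-Item -LiteralPath $item.FullName -Destination $dest
            $action = "accepted -> $dest"
        } else {
            # Probe files and test directories left by robots end up here.
            Remove-Item -LiteralPath $item.FullName -Recurse -Force
            $action = 'deleted'
        }
        # One log line per item: ISO timestamp, original name, action taken.
        '{0:s} {1} {2}' -f (Get-Date), $item.Name, $action
    }
}

# Keep a record of what was accepted and what was removed.
Invoke-DropSweep | Add-Content -Path (Join-Path $Accepted 'sweep.log')
```

The sweep also removes probe files such as the ones named in the conclusion, so schedule it with that trade-off in mind.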