Creating a Blind Drop FTP Server
This article covers how to set up an anonymous “blind drop” FTP server using Microsoft Windows 2003. The concepts and NTFS permissions covered in the article are based on Microsoft KB article 314932, “HOW TO: Create an FTP Folder with Read Access but Not List Access.”
You may be wondering, what is a “blind drop” server? A “blind drop” FTP server provides individuals or companies a method to anonymously transfer files using FTP without having permission to list or retrieve files on the FTP site. In other words, you can “drop” files onto the server but not see what’s there, or retrieve files even if you did know what was there. There are benefits for both the end user and the FTP administrator. The end user doesn’t have to remember a user ID and password. The FTP administrator uses NTFS permissions so anonymous users can’t browse or retrieve files. The biggest benefit for the FTP administrator is that they don’t have to maintain user IDs and passwords for everyone needing FTP access.
One reason for writing this article is that I discovered through my testing that the Microsoft article doesn’t prevent people from retrieving files after they have been placed on the FTP site. There are automated tools looking for ways to dump illegal files and do a “blind get” for later retrieval. If you’re responsible for running an FTP server, I’m sure your logs are full of automated robots scanning for anonymous FTP sites. The only benefit of the knowledge base article is that, if you follow the instructions, it prohibits people from having list access, but they can still retrieve a file if they know the filename and path.
The FTP protocol has been around since the Internet was introduced. It’s an easy way for people to share files back and forth without having to know a user ID and password. As the Internet has grown, FTP has remained one of the most common ways to share files. However, this doesn’t come without security risks. Traditional anonymous FTP sites allow anyone to drop any type of file without it being checked; this can offer free storage for all types of files, including MP3s, movies or illegal software.
When would it be applicable to use this type of setup? This type of FTP setup isn’t for everyone, but it still has its place. Some examples would be: dealing with hundreds of individuals and/or businesses sending files where you do not need to authenticate users; “ready to print” jobs sent via FTP; technical support centers uploading logs or memory dumps; or sharing files with 3rd-party vendors that are too large to send via email.
One thing to remember is that the FTP protocol is not secure by default. There is no encryption of any kind unless you’re using some type of VPN or some other means to secure the connection across the Internet. Nothing can be guaranteed to be 100% secure. This would also include any type of user credentials. Before proceeding with this type of setup, carefully evaluate what types of data are being sent via FTP. Security is a necessary evil, and as an administrator, you have to be creative when providing solutions that are as secure as possible and still provide services for the business.
How to set up your “Blind Drop” server
At this point, I’m assuming a few things are in place. The server is running Windows 2003, Web, Standard or Enterprise edition. Your server has a C:\ drive with the operating system and a D:\ drive for data. The FTP Service has been installed and configured with the root directory set to D:\FTPRoot. If you’re not sure whether FTP is installed, or need to know how to configure the FTP root directory, please refer to Microsoft article 323384.
The steps below have you create an FTP root folder with one subfolder below it. For security reasons, I suggest that these folders not be hosted on the same drive the server OS is installed on.
Create FTP folder structure
Create FTPRoot folder
Browse to D:\FTPRoot
Select the Security tab.
Click Advanced, and remove the checkmark from “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”
You’ll receive a message box, similar to the one below.
Click COPY; this copies the permissions that were on the folder.
Select and remove CREATOR OWNER, SYSTEM and the Users group from the list. When you’re done, it will look like the picture below.
Click Add and enter the local machine’s anonymous FTP user. By default, the user ID would be machineName\IUSR_MACHINENAME. For this article, I’m going to use the default FTP anonymous user account. You can customize the anonymous user ID. You would have to create an account, set a password and configure it inside the Internet Information Services MMC.
Click the Check Names button. This will fill it in with the correct information.
Remove Read & Execute and Read permissions
Administrators (Full Control)
Set Permissions on Incoming directory
In Windows Explorer, navigate to D:\FTPRoot\Incoming
Setting up FILES Permissions
box that appears, in the Apply onto dropdown box,
· Create Files/Write Data,
· Create Folders/Append Data,
· Write Attributes,
· Write Extended Attributes,
· Read Permissions
This is what the Advanced tab should look like when it’s done.
When completed, the following permissions will be on D:\FTPRoot\Incoming:
Internet Guest Account (Files Only)
In conclusion, this setup allows an anonymous FTP user to create folders and files on the remote FTP server. The NTFS permissions put in place prevent anyone from listing or retrieving the files.
There are a couple of limitations I want to mention with this setup. The first is that the permissions prevent the same file from being written. This can be handy, however, because the automated scripts I’ve seen use files named 1kbtest.ptf and 1mbtest.ptf. Once these are in the directory, other robots will bomb on these files and discontinue probing your FTP server. The second drawback is that I couldn’t get around the creation of folders. As I mentioned earlier in the article, automated robots looking for anonymous FTP servers create directories as tests, then try to remove them. One thing I did to try to help with this was create a scheduled task that removed all files and folders on a timely basis. Another option would be to implement a “standardized” file name format: have the script monitoring the directory validate the filename and copy the file to a different location, then delete the FTPRoot/Incoming folder. This is just a suggestion, but it would be a method to track legitimate files.
This isn’t a perfect solution, but it has greatly reduced my user administration and provided an anonymous FTP server that is as secure as possible. In running this on the Internet for the last 4 months, no illegal files have been uploaded. Your experience may vary. As part of an ongoing series on how to use the FTP service within Windows 2003, we’ll explore how to provide a “Blind Get” server. If you have any questions or feedback, please let me know at email@example.com.
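The filename-validation sweep suggested in the conclusion could look like the following added example (not the author's script): files matching a standardized name are moved out of Incoming and everything else, including robot test files and folders, is removed. The `CUST-...` naming convention, the `Accepted` folder and the `min_age` grace period for uploads still in progress are assumptions made for illustration.

```python
import os
import re
import shutil
import tempfile
import time

# Assumed naming convention (hypothetical): CUST-0042_20240131_brochure.pdf
NAME_RE = re.compile(r"CUST-\d{4}_\d{8}_[A-Za-z0-9-]{1,40}\.(zip|pdf|log)")


def sweep_incoming(incoming, accepted, min_age=300, now=None):
    """Move well-named files to `accepted` and delete everything else.
    Entries changed within `min_age` seconds are skipped so an upload in
    progress is not cut off. Returns (kept, removed) as sorted name lists."""
    now = time.time() if now is None else now
    os.makedirs(accepted, exist_ok=True)
    kept, removed = [], []
    with os.scandir(incoming) as it:
        entries = list(it)  # snapshot: the directory changes as we work
    for entry in entries:
        if now - entry.stat(follow_symlinks=False).st_mtime < min_age:
            continue
        if entry.is_file(follow_symlinks=False) and NAME_RE.fullmatch(entry.name):
            dest = os.path.join(accepted, entry.name)
            if os.path.exists(dest):  # never overwrite an earlier drop
                dest = f"{dest}.{int(now)}"
            shutil.move(entry.path, dest)
            kept.append(entry.name)
        elif entry.is_dir(follow_symlinks=False):
            shutil.rmtree(entry.path)  # robot test folders and their contents
            removed.append(entry.name)
        else:
            os.unlink(entry.path)  # badly named file, or a link
            removed.append(entry.name)
    return sorted(kept), sorted(removed)


def demo():
    """Run the sweep over constructed sample uploads in a temp directory."""
    root = tempfile.mkdtemp()
    incoming = os.path.join(root, "Incoming")
    os.makedirs(os.path.join(incoming, "probe_dir"))
    for name in ("CUST-0042_20240131_brochure.pdf", "1kbtest.ptf"):
        with open(os.path.join(incoming, name), "w") as fh:
            fh.write("constructed sample")
    return sweep_incoming(incoming, os.path.join(root, "Accepted"), min_age=0)


if __name__ == "__main__":
    print(demo())
```

Run it from a scheduled task under an administrative account, since the anonymous FTP account has no rights to list or read what is in Incoming.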