Securing an FTP Site with TLS

FTP supports an anonymous access mode, which typically is used for public read-only FTP sites. For private sites (read-only, or read/write—enabled), enabling a password requirement results in the user's username and password being transmitted in cleartext between the FTP client and FTP server. The use of TLS allows the administrator to encrypt the transmission of information between client and server.

The use of TLS to secure transmission of data does incur a processing overhead on both client and server. For a server with many concurrent connections, this can become a significant overhead. To help alleviate this potential problem, FTP 7 supports encrypting the control channel (used for sending commands between client and server), the data channel (used for transferring data), or both channels. Additionally, an option exists to encrypt only the credentials sent across the control channel, and nothing else.

For administrators who want to protect the usernames and passwords of their end users, the option to encrypt the control channel only will be attractive. Files transferred over the data channel in this scenario will be transferred in cleartext; however, they won't incur any overhead in encryption and decryption.

With IIS's FTP server, it is possible to add an FTP binding to an existing, defined website. With this option, you can easily enable content to be published to a website using FTP and have that secured using TLS. Alternatively, you can explicitly ...