6.1 Ensure FTP requests are encrypted - Control Channel Sites

Information

The FTP Publishing Service for IIS supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is an RFC standard (RFC 4217) in which an SSL certificate is added to an FTP site, making it possible to perform secure file transfers.

Rationale:

With SSL, the FTP transmission is encrypted and secured from point to point, so all FTP traffic, including credentials, is guarded against interception.

Impact:

SSL will be needed for the FTP transmission.

Solution

To configure FTP over SSL at the server level using AppCmd.exe or PowerShell:
Run the following AppCmd.exe command to configure:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.ftpServer.security.ssl.controlChannelPolicy:'SslRequire' /siteDefaults.ftpServer.security.ssl.dataChannelPolicy:'SslRequire' /commit:apphost

OR

Enter the following commands in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl' -name 'controlChannelPolicy' -value 'SslRequire'

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl' -name 'dataChannelPolicy' -value 'SslRequire'
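
To confirm the result, the following PowerShell audit sketch reads back the effective values. It is an added example, not part of the benchmark text, and assumes the WebAdministration module that ships with IIS and an elevated session on the server. It goes slightly beyond the server-level commands above by also checking each site with an FTP binding, because a site-level ssl element overrides siteDefaults.

```powershell
# Added audit example (not from the benchmark): report the effective FTP SSL
# channel policies at the server level and for every site with an FTP binding.
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'
$policies = 'controlChannelPolicy', 'dataChannelPolicy'

function Get-FtpSslPolicy {
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -pspath $apphost -filter $Filter -name $Name
    # The value may come back as a plain string or as an attribute object.
    if ($v -is [string]) { $v } else { [string]$v.Value }
}

# Scope 1: the server-level defaults written by the remediation commands.
$scopes = @([pscustomobject]@{
    Scope  = 'siteDefaults'
    Filter = 'system.applicationHost/sites/siteDefaults/ftpServer/security/ssl'
})

# Scope 2: every site that has an FTP binding (site settings override defaults).
$scopes += @(Get-ChildItem IIS:\Sites |
    Where-Object { $_.Bindings.Collection.protocol -contains 'ftp' } |
    ForEach-Object {
        [pscustomobject]@{
            Scope  = "site: $($_.Name)"
            Filter = "system.applicationHost/sites/site[@name='$($_.Name)']/ftpServer/security/ssl"
        }
    })

$results = foreach ($s in $scopes) {
    foreach ($p in $policies) {
        $value = Get-FtpSslPolicy -Filter $s.Filter -Name $p
        [pscustomobject]@{
            Scope     = $s.Scope
            Policy    = $p
            Value     = $value
            Compliant = ($value -eq 'SslRequire')
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'At least one FTP channel policy is not set to SslRequire.'
}
```

Any row with Compliant set to False identifies the scope and channel that still accepts unencrypted FTP.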

Default Value:

By default, FTP sites are not SSL enabled.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: 21aa3f51df46802b43cff7f6a7bd37e4666216e0536041ceb2a83a7c459504c6