5.1 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Not Installed' (STIG only)

Information

This policy setting enables the server to be a File Transfer Protocol (FTP) server.

The STIG recommended state for this setting is: Not Installed

Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (

Internet Information Services - FTP Server

).

Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased.

Note: This security concern applies to any FTP server application installed on a workstation, not just IIS.

Solution

To establish the recommended configuration via GP, set the following UI path to: Not Installed

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Microsoft FTP Service

OR

To Uninstall the

FTP Server

role:

- Start

Server Manager

- Select the server with the role
- Scroll down to

ROLES AND FEATURES

in the right pane
- Select

Remove Roles and Features

from the drop-down

TASKS

list
- Select the appropriate server on the

Server Selection

page and click Next
- Deselect

FTP Server

under

Web Server (IIS)

on the

Roles

page
- Click Next and

Remove

as prompted (if installed).

Impact:

The computer will not function as an FTP server.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Windows

Control ID: 776b6ca0609a7c3302fcb0bb024b24449c98fb6d91407f9767c05d13d257ace1