Information
This policy setting ensures that File Transfer Protocol (FTP) servers are configured to prevent anonymous logons.
The STIG recommended state for this setting is: Disabled
The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult and can allow attackers to gain access to data, store malware, and launch attacks from the system.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To configure the FTP service to prevent anonymous logons:
- Open Internet Information Services (IIS) Manager
- Select the server, double-click FTP Authentication
- Select Anonymous Authentication
- Select Disabled under Actions
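
A PowerShell equivalent of the steps above, as an added example that is not part of the benchmark text. It assumes the WebAdministration module and an elevated session on the IIS host, and it goes beyond the GUI steps by also checking every site that has an FTP binding; the function name Get-FtpAnonymousState is hypothetical.

```powershell
# Added example: audit and disable anonymous FTP authentication in IIS.
# Assumes the WebAdministration module (IIS management tools) and an elevated session.
Import-Module WebAdministration

$apphost   = 'MACHINE/WEBROOT/APPHOST'
$sitesPath = '/system.applicationHost/sites'
$anonNode  = 'ftpServer/security/authentication/anonymousAuthentication'

function Get-FtpAnonymousState {
    # Start with the server-wide default that FTP sites inherit.
    $targets = @(
        [pscustomobject]@{ Scope = 'siteDefaults'; Filter = "$sitesPath/siteDefaults/$anonNode" }
    )

    # Add every site that has at least one FTP binding.
    # Assumption: site names contain no single quotes (they are placed in an XPath filter).
    foreach ($site in Get-ChildItem IIS:\Sites) {
        if ($site.bindings.Collection.protocol -contains 'ftp') {
            $targets += [pscustomobject]@{
                Scope  = $site.Name
                Filter = "$sitesPath/site[@name='$($site.Name)']/$anonNode"
            }
        }
    }

    # Read the effective "enabled" attribute for each scope.
    foreach ($t in $targets) {
        $attr = Get-WebConfigurationProperty -PSPath $apphost -Filter $t.Filter -Name enabled
        [pscustomobject]@{
            Scope            = $t.Scope
            Filter           = $t.Filter
            AnonymousEnabled = [bool]$attr.Value
        }
    }
}

# Audit: list every scope where anonymous FTP logons are still allowed.
$findings = Get-FtpAnonymousState | Where-Object { $_.AnonymousEnabled }
$findings | Format-Table Scope, AnonymousEnabled -AutoSize

# Remediate: set Anonymous Authentication to Disabled for each finding.
foreach ($f in $findings) {
    Set-WebConfigurationProperty -PSPath $apphost -Filter $f.Filter -Name enabled -Value $false
    Write-Host "Disabled anonymous FTP authentication for $($f.Scope)"
}

# Verify: every scope should now report AnonymousEnabled = False.
Get-FtpAnonymousState | Format-Table Scope, AnonymousEnabled -AutoSize
```
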
Impact:
Logging on to FTP with accounts that have administrator privileges risks the user ID and password being captured on the network, giving an unauthorized user administrator access.