FTP Server Security (Windows Embedded CE 6.0)
1/6/2010
The FTP Server included with Windows Embedded CE is a sample intended to show you how to create networking services that correctly interact and register with Services.exe. The FTP Server sample is also useful for debugging.
The FTP server is included as a teaching tool and is not intended for commercial distribution without further modification. Security in the FTP sample is very light, and the sample is vulnerable to attack. Microsoft recommends that you carefully review the code and the security needs of the target deployment and, if necessary, enhance the security infrastructure before distributing this functionality in a released product.
Best Practices
Set the User List and Domain variables to prevent attacks by unauthorized users
If the FTP Server functionality is used without appropriate values set for the User List and Domain variables, the FTP server will be vulnerable to attacks by unauthorized users. These variables are not set by default. In that state, an unauthorized user needs only to guess the device's password, as it is set in Control Panel, to obtain access to the server.
To prevent such an attack, the user name in the UserList registry value must be set for each of the servers that are currently running. The user will then need to log in with the specified user name and appropriate password to use the server.
You can set the domain variable in the DefaultDomain registry value, which is located under the HKEY_LOCAL_MACHINE\Comm\Redir registry key. Setting the DefaultDomain registry value will require FTP clients to have valid domain credentials to log in. For more information on this registry value, see Windows Networking API/Redirector Registry Settings.
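A pre-release check for the two settings above, as an added example that is not part of the original documentation or of the FTP sample's code: it parses .reg-style text and reports a missing or empty UserList or DefaultDomain. The FTP server key path is a labelled placeholder (the real path is given in FTP Server Registry Settings), and the sample files, user name and domain name are constructed.

```python
import re

REDIR_KEY = r"HKEY_LOCAL_MACHINE\Comm\Redir"            # key named on the page
FTP_KEY = r"HKEY_LOCAL_MACHINE\PLACEHOLDER\FtpServer"   # placeholder, not the real path

# Constructed sample: UserList left empty, DefaultDomain never set.
WEAK = r'''
[HKEY_LOCAL_MACHINE\PLACEHOLDER\FtpServer]
"UserList"=""
'''

# Constructed sample: both values set (user and domain names are made up).
HARDENED = r'''
[HKEY_LOCAL_MACHINE\PLACEHOLDER\FtpServer]
"UserList"="ftpadmin"

[HKEY_LOCAL_MACHINE\Comm\Redir]
"DefaultDomain"="EXAMPLEDOMAIN"
'''

def parse_reg(text):
    """Parse .reg-style text into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                     # [key] header
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*(.*)', line)
        if m and current is not None:             # "name"=data
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]                 # unquote string data
            current[m.group(1).lower()] = data
    return keys

def audit_ftp_auth(reg_text, ftp_key=FTP_KEY):
    """Return findings for a missing or empty UserList / DefaultDomain."""
    keys = parse_reg(reg_text)
    findings = []
    for key, value in ((ftp_key, "UserList"), (REDIR_KEY, "DefaultDomain")):
        data = keys.get(key.lower(), {}).get(value.lower())
        if data is None:
            findings.append(f"{key}: {value} is not set")
        elif not data.strip():
            findings.append(f"{key}: {value} is empty")
    return findings

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ftp_auth(sample) or "OK")
```

Key and value names are compared case-insensitively, as registry names are. Pass the actual FTP server key as ftp_key when checking a real registry file.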
Enable a firewall on your network device
For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows Embedded CE Firewall on the network device. For more information about the Windows Embedded CE IP Firewall and how to configure it, see Firewall.
For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.
For FTP Server registry information, see FTP Server Registry Settings.
Ports
The FTP server uses port 21 to receive FTP connections. This value cannot be changed.
See Also
Concepts
FTP Server OS Design Development
FTP Server Registry Settings