I have published an FTP server using ISA Server 2004 SP2. It is a private FTP server that does not allow anonymous access and is protected by NTFS permissions.
For the last couple of months, various users have been attempting to access the server via brute force - presumably to use for illegal file sharing.
I have in place a password policy that locks out accounts after three wrong attempts, and regularly the administrator account on that server gets locked out through these access attempts. I also enforce strong passwords in our domain, and it is extremely unlikely that the password would ever be guessed in the near future given that they only have three attempts at a time, but it does concern me that this is a possibility.
What I want to achieve is to actually restrict access to the FTP server at the firewall to certain select accounts, so these brute force attempts can't even be attempted unless someone managed to guess an account name (or tries an automated attack on the accounts as well as the passwords). The trouble is that there seems no way to restrict access to certain users via the server publishing rules.
What I did try was to create a deny access rule for the FTP server protocol from the external network to the internal network and then excluded the few accounts I wanted to have access. I then placed this rule above the FTP server publishing rule. Unfortunately, when I look at the ISA logs for the FTP protocol, I note that the rule isn't even used - it is simply skipped and the publishing rule is invoked which lets everyone through.
Am I missing something? Is this the right direction to take, or is there no way of controlling FTP access by user at the firewall?
If anyone could give me some hints I'd appreciate it.
ISA can *not* do pre-authentication for non-web based protocols, only protocol level checks can be done. So, it's not possible what you ask for on ISA!
quote:
I have in place a password policy that locks out accounts after three wrong attempts, and regularly the administrator account on that server gets locked out through these access attempts. I also enforce strong passwords in our domain, and it is extremely unlikely that the password would ever be guessed in the near future given that they only have three attempts at a time, but it does concern me that this is a possibility.
Some thoughts:
- if you enable account lockout, you open yourself for DOS account attacks.
- remember that passwords are sent in the clear by FTP.
- ...
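A log-analysis sketch for the lockout point above, added here and not part of the thread: it flags which source addresses have pushed an account past the three-failure lockout (the account DoS risk) and which sources are guessing usernames rather than passwords. The log format is a constructed simplification, not ISA Server's own log layout, and the 30-minute window is an assumption.

```python
"""Detect FTP brute-force attempts and lockout-triggering sources (added example).
Log lines are constructed in a simplified "timestamp ip account result" form,
not ISA Server's real log layout; the 3-failure lockout comes from the thread."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3            # failures before the domain policy locks the account
WINDOW = timedelta(minutes=30)   # assumed window in which failures count toward lockout

# Constructed sample: one source hammers 'administrator' past lockout; another
# sprays guessed usernames; one legitimate login succeeds.
SAMPLE_LOG = """\
2006-03-01T10:00:01 203.0.113.7 administrator FAIL
2006-03-01T10:00:04 203.0.113.7 administrator FAIL
2006-03-01T10:00:08 203.0.113.7 administrator FAIL
2006-03-01T10:00:12 203.0.113.7 administrator FAIL
2006-03-01T10:01:00 198.51.100.9 ftpuser FAIL
2006-03-01T10:01:02 198.51.100.9 backup FAIL
2006-03-01T10:01:05 198.51.100.9 test FAIL
2006-03-01T10:05:00 192.0.2.44 alice OK
"""

def parse_log(text):
    """Yield (time, source_ip, account, success) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account.lower(), result == "OK"

def analyse(text, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return (locked, sprayers): locked maps account -> source IPs whose failures
    within `window` reached the threshold (the lockout DoS the reply warns about);
    sprayers are sources that failed against >= threshold distinct accounts."""
    failures = defaultdict(list)        # account -> [(time, ip), ...] inside window
    accounts_per_ip = defaultdict(set)  # ip -> accounts it failed against
    locked = defaultdict(set)
    for ts, ip, account, ok in parse_log(text):
        if ok:
            continue
        accounts_per_ip[ip].add(account)
        recent = [(t, i) for t, i in failures[account] if ts - t <= window]
        recent.append((ts, ip))
        failures[account] = recent
        if len(recent) >= threshold:            # account is now locked out
            locked[account].update(i for _, i in recent)
    sprayers = sorted(ip for ip, a in accounts_per_ip.items() if len(a) >= threshold)
    return dict(locked), sprayers
```

Running `analyse(SAMPLE_LOG)` reports the administrator account as locked by 203.0.113.7 and 198.51.100.9 as a username sprayer; the source lists are what you would hand to the ISP abuse desk or block at the firewall.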
I had the same problem with script kiddies filling up my logfiles with repeated brute force attempts. Knowing the constraint of FTP as is, I had to give it some thought, but what I came up with works great:
Publish your FTP server on another port.
Yes, it creates new challenges as your users need to know to configure their client appropriately, otherwise it'll keep the legitimate traffic out, but it works like a charm for the script kiddies. If they want to get in so badly that they'll start trying the entire range of ports you have other problems, and besides, before that ever happens I've found that most ISPs worldwide are very receptive and responsive - maybe they won't beat the SK's to a bloody pulp, much though you and I may want them to, they certainly will kill accounts in a hurry.
It did cross my mind, and I may well do so. It's sad however when you need to put yourself and others out by deviating from a standard because of the inconsiderate actions of others.