Configuring IIS To Host an FTP Site (Part 3)

Published on 23 April 2009 / Last Updated on 23 April 2009

Using IIS to host an FTP site: How to enable SSL encryption for FTP.


Introduction

In the previous article in this series, I showed you how you could get the IIS 7.0 version of the FTP services. In this article, I will show you how to add SSL encryption to your FTP site.

Acquiring an SSL Certificate

Before your FTP server will be able to provide SSL encryption, you will need an X.509 certificate. You can either purchase the certificate from a commercial certificate authority such as VeriSign or Thawte, or you can use an in-house certificate authority to issue the certificate.

For the purposes of this article, I am going to assume that you have a Windows 2008 server that is configured to act as an enterprise certificate authority. I will show you how to issue a certificate request and download the necessary certificate in the next section. If you are getting the SSL certificate from a commercial certificate authority, then you can skip the next section.

Acquiring an SSL Certificate

In order to use SSL encryption, we need to issue a request to our Enterprise Certificate Authority. For the purpose of this article, I am going to assume that your FTP server is a member of the same Active Directory forest as your Enterprise Certificate Authority.

To request the necessary certificate, open Internet Explorer, and enter the URL that is associated with your Enterprise Certificate Authority. By default, the URL is https://<server name>/CertSrv. When entering this URL, you will usually have to enter your Enterprise Certificate Authority’s fully qualified domain name rather than just entering the server’s NetBIOS name.

Once you enter the Enterprise Certificate Authority’s URL, log into the Active Directory Certificate Services Web site as a domain administrator (if necessary). After doing so, click on the Request a Certificate link. You should now see a screen asking you if you would like to request a user certificate, or if you would like to submit an advanced certificate request. Click on the Advanced Certificate Request option.

The following screen gives you a choice of issuing a request directly to the certificate authority or of uploading a certificate request file that is encoded in Base-64 or in PKCS #10 format. Click on the Create and Submit a Request to This CA link.

At this point, you may be prompted to install an ActiveX control. If that happens, go ahead and install the control and allow it to run.

You should now be at the main Advanced Certificate Request screen. Select the Web Server option from the Certificate Template drop down list. You must now enter some basic identification information that can be included within your certificate. This includes things such as your name, E-mail address, mailing address, and phone number.

In the Key Options section, choose the option to Create a New Key Set. You should also verify that the Cryptographic Service Provider (CSP) is set to Microsoft RSA SChannel Cryptographic Provider, and that the Key Size is set to 1024, as shown in Figure A.


Figure A: You must make sure that the Cryptographic Service Provider (CSP) is set to Microsoft RSA SChannel Cryptographic Provider, and that the Key Size is set to 1024

Now, scroll down to the bottom of the interface, and click the Submit button. You should see a warning message telling you that the Web site is trying to generate a certificate request. Click Yes to allow the request to go through. When the process completes, you should see a message telling you that a certificate was issued to you, and asking you if you want to install it. Go ahead and click the Install This Certificate link. Once again, you will see a warning message telling you that the Web site is attempting to install a certificate. Click Yes to allow the operation.

You should see a message telling you that the certificate was installed successfully, but we need to make sure. To do so, enter the MMC command at the Run prompt on your FTP server. When you do, Windows will open an empty instance of the Microsoft Management Console. At this point, you must choose the Add / Remove Snap-In command from the console’s File menu. This will cause Windows to display the Add or Remove Snap-ins dialog box.

Choose the Certificates option from the list of available snap-ins, and click the Add button. You will now be asked if the console should be used to manage certificates for your user account, a service account, or the computer account. Choose the Computer Account option, and click the Next button.

The following screen will ask you if you want to manage certificates for the local computer, or if you want to manage certificates for another computer on the network. Make sure that the Local Computer option is selected, and then click the Finish button, followed by the OK button.

The console should now load the Certificates snap-in. You must now navigate through the console tree to Console Root | Certificates (Local Computer) | Personal | Certificates. When you select the Certificates container, the Details pane should show you the certificate that has been issued.
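The same check can be scripted. The PowerShell below is an added example, not part of the original article: it lists the certificates in the Local Computer Personal store and reports the properties an FTP server certificate needs. The function name and the 2048-bit floor are assumptions of this example, so a 1024-bit key requested as described above will be reported.

```powershell
# Added example: audit certificates in Certificates (Local Computer) | Personal.
# Run in an elevated PowerShell session on the FTP server.
function Test-FtpServerCertificate {
    # $MinKeyBits is this example's own threshold, not a value from the article.
    param([int]$MinKeyBits = 2048)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
    $now = Get-Date

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the EKU OIDs, if the certificate carries an EKU extension.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # KeySize is read from the RSA public key (the Web Server template issues RSA keys).
        $keyBits = $cert.PublicKey.Key.KeySize

        $problems = @()
        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key on this machine'
        }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'outside validity period'
        }
        # A certificate without an EKU extension is not restricted to any purpose.
        if ($ekus.Count -gt 0 -and $ekus -notcontains $serverAuthOid) {
            $problems += 'EKU does not include Server Authentication'
        }
        if ($keyBits -lt $MinKeyBits) {
            $problems += "key is $keyBits bits (floor is $MinKeyBits)"
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyBits    = $keyBits
            Problems   = ($problems -join '; ')
        } | Select-Object Subject, Thumbprint, NotAfter, KeyBits, Problems
    }
}

Test-FtpServerCertificate | Format-List
```

An empty Problems field means the certificate has a private key, is within its validity period, permits server authentication, and meets the key-size floor.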

Enabling SSL for the FTP Server

Now that we have an SSL certificate, we can enable SSL encryption for our FTP server. To do so, open the Internet Information Services (IIS) Manager. Navigate through the console tree to <your server> | Sites | <your FTP site>. With your FTP site selected, double click on the FTP SSL settings icon, located in the Details pane.

The console should now display the FTP SSL Settings page. Select your SSL certificate from the SSL Certificate drop down list, as shown in Figure B. You then have the option of either allowing SSL connections or of requiring SSL connections. You can also choose to use 128 bit encryption for stronger security. Click the Apply button to save your changes.


Figure B: Select your certificate from the SSL Certificates drop down list.
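The choice between allowing and requiring SSL is stored per site in applicationHost.config, and a site set to allow SSL still accepts clients that never negotiate encryption. The PowerShell below is an added example, not part of the original article, that audits those settings in a constructed configuration fragment. The site names, the zeroed certificate hash and the function name are made up; the attribute names are those of the FTP 7 <ssl> element.

```powershell
# Constructed sample: two FTP sites as they could appear under <sites> in
# applicationHost.config. Site names and the certificate hash are made up.
$sampleConfig = [xml]@'
<sites>
  <site name="ftp-allow" id="2">
    <ftpServer><security>
      <ssl serverCertHash="0000000000000000000000000000000000000000"
           controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" ssl128="false" />
    </security></ftpServer>
  </site>
  <site name="ftp-require" id="3">
    <ftpServer><security>
      <ssl serverCertHash="0000000000000000000000000000000000000000"
           controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" ssl128="true" />
    </security></ftpServer>
  </site>
</sites>
'@

function Test-FtpSslPolicy {
    param([xml]$Config)
    foreach ($site in $Config.SelectNodes('//site[ftpServer]')) {
        $ssl = $site.SelectSingleNode('ftpServer/security/ssl')
        $findings = @()
        if ($null -eq $ssl) {
            $findings += 'no <ssl> element on the site (settings are inherited)'
        } else {
            # Both the control channel (logon, commands) and the data channel must force SSL.
            foreach ($attr in 'controlChannelPolicy', 'dataChannelPolicy') {
                $value = $ssl.GetAttribute($attr)
                if ($value -eq '') { $findings += "$attr not set on the site (inherited)" }
                elseif ($value -ne 'SslRequire') { $findings += "$attr=$value does not force SSL" }
            }
            if ($ssl.GetAttribute('ssl128') -ne 'true') { $findings += '128-bit encryption not required' }
            if ($ssl.GetAttribute('serverCertHash') -eq '') { $findings += 'no certificate selected' }
        }
        New-Object PSObject -Property @{
            Site     = $site.GetAttribute('name')
            Findings = ($findings -join '; ')
        } | Select-Object Site, Findings
    }
}

Test-FtpSslPolicy $sampleConfig | Format-List
```

To audit a real server, pass `[xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")` instead of the sample.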

To Use SSL or not to use SSL?

At first, having the option to use SSL for your FTP site probably sounds like a no-brainer. After all, encryption is a good thing, right? Not necessarily.

One of the drawbacks to using SSL encryption is that the encryption process increases the CPU’s workload. The extra workload is probably worth it if you are transmitting sensitive information back and forth, or if the FTP site is only used occasionally. If you anticipate the FTP site being heavily used though, then it is a good idea to do some testing to make sure that the encryption process is not going to cause performance problems for the server.

I recommend monitoring the Performance Monitor’s Processor / %Processor Time counter both before and after SSL encryption is enabled. Spikes in CPU activity are normal, but the average utilization should remain below 80%. Otherwise, it means that the CPU is having trouble keeping up with the demands that are being made of it.

Conclusion

Having the ability to encrypt your FTP site is nice, but it is not everything. Without proper security it is still possible for someone to log onto your FTP site anonymously, even if SSL encryption is enabled. In Part 4, I will conclude the series by discussing authorization for FTP sites.
