Editing Securing your Windows Service installation
From FileZilla Wiki
Latest revision | Your text | ||
Line 1: | Line 1: | ||
== User accounts concepts == | == User accounts concepts == | ||
− | On any modern versions of a Windows operating system you can secure your system in same manner as you can on most *nix systems, by using unique user accounts | + | On any modern versions of a Windows operating system you can secure your system in same manner as you can on most *nix systems, by using unique user accounts. Modern Windows operating systems are also all capable of running with multiple user accounts logged in simultaneously, again, just like most *nix systems. |
Every time a Windows system runs, there may be other user accounts logged in besides the account of the user that is accessing the console of the system. This is commonly the case when background programs need to be run in a particular security context. Desktop versions of Windows provided to consumers are typically configured to make the account of the first person to use a newly installed system an admin level account. This can make the system more vulnerable to security issues if that user of the system is not well versed proper security techniques and practices. This is no different than *nix users choosing to use the root account for their daily activities and as their primary login. You can setup Windows user accounts to not be admin level accounts and this will significantly help with the process of securing the operating system and Filezilla. | Every time a Windows system runs, there may be other user accounts logged in besides the account of the user that is accessing the console of the system. This is commonly the case when background programs need to be run in a particular security context. Desktop versions of Windows provided to consumers are typically configured to make the account of the first person to use a newly installed system an admin level account. This can make the system more vulnerable to security issues if that user of the system is not well versed proper security techniques and practices. This is no different than *nix users choosing to use the root account for their daily activities and as their primary login. You can setup Windows user accounts to not be admin level accounts and this will significantly help with the process of securing the operating system and Filezilla. | ||
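Review bot: The rewritten opening sentence in the right-hand column still reads "On any modern versions of a Windows operating system you can secure your system in same manner"; suggest "On any modern version of Windows you can secure your system in the same manner". The unchanged paragraph after it has "not well versed proper security techniques" (missing "in") and spells the product "Filezilla", while other parts of the page use "FileZilla"; both are worth fixing in the same edit.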
Line 8: | Line 8: | ||
- Set a password for your Administrator account(*nix root equivalent) and store it written in secure location, in case of future system wide upgrades or software installation needs. | - Set a password for your Administrator account(*nix root equivalent) and store it written in secure location, in case of future system wide upgrades or software installation needs. | ||
− | |||
- Create new Limited User account for your daily work, or remove your current account from Administrators group, or use "Control Panel/Users/Limited User" option and protect it with password if necessary. | - Create new Limited User account for your daily work, or remove your current account from Administrators group, or use "Control Panel/Users/Limited User" option and protect it with password if necessary. | ||
Reminder: Incorrect use of accounts and permissions and not understanding Windows security concepts can have devastating effects. Please make sure you understand the changes you are making to accounts on any Windows systems before attempting any security related changes. | Reminder: Incorrect use of accounts and permissions and not understanding Windows security concepts can have devastating effects. Please make sure you understand the changes you are making to accounts on any Windows systems before attempting any security related changes. | ||
+ | |||
== Configuration == | == Configuration == | ||
+ | |||
To secure your Filezilla server we will assume you wish to run the Filezilla server program as a user with limited permissions on the Windows system. This will limit the potential damage that could be caused by someone compromising the Filezilla server program or a mistake made to file system permissions in parts of the system used by Filezilla. | To secure your Filezilla server we will assume you wish to run the Filezilla server program as a user with limited permissions on the Windows system. This will limit the potential damage that could be caused by someone compromising the Filezilla server program or a mistake made to file system permissions in parts of the system used by Filezilla. | ||
You will need to create a user level account on the Windows system for FileZilla Server to run under. This account must NOT be a member of the Administrators group in Windows. For basic security requirements it should only be assigned to the Users group in Windows. If you are more security conscious then you should create a dedicated security group for use with Filezilla and assign the new user account to that group instead of Users. If you do this you may need to grant additional permissions within the operating system to that group to allow for proper operation of Filezilla. This article does not discuss what exact additional permissions may be required. | You will need to create a user level account on the Windows system for FileZilla Server to run under. This account must NOT be a member of the Administrators group in Windows. For basic security requirements it should only be assigned to the Users group in Windows. If you are more security conscious then you should create a dedicated security group for use with Filezilla and assign the new user account to that group instead of Users. If you do this you may need to grant additional permissions within the operating system to that group to allow for proper operation of Filezilla. This article does not discuss what exact additional permissions may be required. | ||
− | You will then need to configure your Filezilla Server FTP server service to use the new user level account you have created. To do this you will to go into the Services control panel and locate the service named "Filezilla Server FTP server". Edit the service properties and go the Log On tab. On this tab you change from the Log on as option from Local System account (the default) to "This account". You will then select the user level account you have created and enter the password you assigned to the account twice. Once you click OK you may be notified that this account has been granted "Logon as a service" rights. This is expected and required for the account to work properly. | + | You will then need to configure your Filezilla Server FTP server service to use run with the new user level account you have created. To do this you will to go into the Services control panel and locate the service named "Filezilla Server FTP server". Edit the service properties and go the Log On tab. On this tab you change from the Log on as option from Local System account (the default) to "This account". You will then select the user level account you have created and enter the password you assigned to the account twice. Once you click OK you may be notified that this account has been granted "Logon as a service" rights. This is expected and required for the account to work properly. |
+ | |||
+ | |||
Make sure you are logged in as '''Administrator'''. | Make sure you are logged in as '''Administrator'''. | ||
− | === Add filezilla user | + | === Add filezilla user === |
− | |||
# press '''«'''WINDOWS'''»''' + '''«'''R'''»'''; "Run" dialog appears | # press '''«'''WINDOWS'''»''' + '''«'''R'''»'''; "Run" dialog appears | ||
# type in "lusrmgr.msc" and hit '''«'''ENTER'''»'''; "Local Users and Groups" MMC Console appears | # type in "lusrmgr.msc" and hit '''«'''ENTER'''»'''; "Local Users and Groups" MMC Console appears | ||
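Review bot: The changed sentence in the right-hand column now reads "to use run with the new user level account", which has one verb too many; keep either "to run with" or "to use". The same paragraph also has "you will to go into the Services control panel" (missing "need") and "go the Log On tab" (missing "to"). Closing the heading as "=== Add filezilla user ===" is the right fix, but the name should be capitalised "FileZilla" to match "=== Change FileZilla Server Service logon ===". The Configuration text says a dedicated group "may need" additional permissions and then declines to list them; a pointer to where they are documented would make that advice usable.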
Line 39: | Line 41: | ||
# click "OK"; dialog closes | # click "OK"; dialog closes | ||
# close "Local Users and Groups" window | # close "Local Users and Groups" window | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Change FileZilla Server Service logon === | === Change FileZilla Server Service logon === | ||
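Review bot: The 30 lines marked "−" between "close "Local Users and Groups" window" and "=== Change FileZilla Server Service logon ===" show no content in this comparison, so it cannot be told from here whether they are blank lines or a section that the right-hand text drops. Check the left-hand revision's source before saving; if they are only blank lines, removing them is fine.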
Line 85: | Line 57: | ||
# locate "FileZilla Server.xml" file, service requires write permissions to this file | # locate "FileZilla Server.xml" file, service requires write permissions to this file | ||
#* If you have "Simple File Sharing" enabled (no "Security" tab in file properties) | #* If you have "Simple File Sharing" enabled (no "Security" tab in file properties) | ||
− | #*# | + | #*# clik "Tools" in Explorer menu, select "Folder options"; "Folder Options" dialog appears |
#*# select "View" tab | #*# select "View" tab | ||
#*# uncheck "Use simple file sharing (Recommended)" | #*# uncheck "Use simple file sharing (Recommended)" | ||
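Review bot: The sub-step restored in the right-hand column is misspelled: "clik "Tools" in Explorer menu" should read "click". The context line above it says the service requires write permissions to "FileZilla Server.xml"; that step should state explicitly that the permission is granted to the new service account rather than to a broad group, in keeping with the limited-account goal set out under Configuration.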
Line 103: | Line 75: | ||
# congratulations you have secured your FZS server! | # congratulations you have secured your FZS server! | ||
# logout from Administrator account | # logout from Administrator account | ||
− | |||
== Troubleshooting == | == Troubleshooting == |