Securing your Windows Service installation

From FileZilla Wiki

Configuration

Make sure you are logged in as Administrator.

Add filezilla user

  1. press «WINDOWS» + «R»; "Run" dialog appears
  2. type in "lusrmgr.msc" and hit «ENTER»; "Local Users and Groups" MMC Console appears
  3. navigate to the "Users" folder, right-click the empty area and select "New User" from the popup menu; "New User" dialog appears
  4. fill-in the dialog like this:
    • user name "filezilla"
    • type in password (this is required)
    • uncheck "User must change password at next logon",
    • check "Password never expires"
    • check "User cannot change password"
    • uncheck "Account is disabled"
  5. click "Create"; "filezilla" user is created
  6. right click "filezilla" user and select "Properties"; "Properties" dialog appears
  7. on the "Member Of" tab, double-check that the only user group this account belongs to is "Users"
  8. click "OK"; dialog closes
  9. close "Local Users and Groups" window

Change FileZilla Server Service logon

  1. press «WINDOWS» + «R»; "Run" dialog appears
  2. type in "services.msc" and hit «ENTER»; "Services" MMC Console appears
  3. locate "FileZilla Server FTP server" service and double click; properties dialog appears
  4. click "Stop" to stop service if running
  5. switch to the "Log On" tab and set the following:
    • select "This account"
    • into the account field type in ".\filezilla"
    • type the password defined in the previous phase into both password fields
  6. click "OK" but DO NOT START the service (as it will fail and will be unkillable unless you use special tools)

Prepare permissions

  1. with Windows Explorer navigate to "FileZilla Server" installation directory
  2. locate the "FileZilla Server.xml" file; the service requires write permission to this file
    • If you have "Simple File Sharing" enabled (no "Security" tab in file properties)
      1. click "Tools" in the Explorer menu, select "Folder options"; "Folder Options" dialog appears
      2. select "View" tab
      3. uncheck "Use simple file sharing (Recommended)"
      4. click OK
    • right-click "FileZilla Server.xml" and select "Properties"; "Properties" dialog appears
      1. select "Security" tab, click "Add" button; "Select User or Group" dialog appears
      2. type "filezilla" into "Enter object names to select" textbox
      3. click "OK"; "filezilla" user is added to permissions list
      4. select "filezilla" user and check "Write" in "Allow" column
      5. click "OK"; permissions are now saved
  3. if you use logging, set "Write" access on the "Logs" folder too
  4. if you upload to some folders, set "Full Control" on each topmost writable folder you want to use; the changes are propagated to children
  5. if you use SSL, double-check that both the SSL certificate file and the private key file are readable by the "filezilla" account, so that SSL connections do not break
  6. if you want to hide the "Security" tab, turn "Simple File Sharing" back on
  7. switch back to the "Services" console and start the "FileZilla Server FTP server" service; it should now run in the "filezilla" account context
  8. verify FTP and FTPS/FTPES connections and check uploading to writable directories
  9. congratulations, you have secured your FZS server!
  10. log out from the Administrator account

Troubleshooting

1.  I set the logon account for the FZS service to "filezilla" and started it but forgot to set permissions; now I cannot connect to the admin interface and I cannot stop it!
     FZS needs write access to "FileZilla Server.xml", where the server settings are stored. If the file is unwritable, the service is stuck in an infinite loop and doesn't respond to the "STOP" command. To kill such a service, invoke Task Manager and kill it manually, or use Sysinternals Process Explorer. You need Administrator rights to kill the service.
2.  The service starts, but I am unable to create an SSL (FTPS/FTPES) connection!
     FZS needs read access to the certificate files, otherwise it sends empty strings/garbage as SSL certificates. Make sure the certificate files are readable by the "filezilla" account by checking its presence in the user list of the "Security" tab for each certificate file used.
3.  I get access denied errors on uploading and file deletion although I have set the Write/Delete right in the FileZilla Server Admin interface properties!
     FZS needs OS "Write/Modify" access to upload files and create directories, and "Full Control" to delete them, so make sure you assigned those rights to the "filezilla" account for your upload directories.
4.  I set up everything as mentioned here but the FZS service still fails to start!
     There is some access rights issue. You can trace it with Process Monitor from Sysinternals, but that is not for the faint-hearted. You can always revert to the SYSTEM account by selecting "Local System account" in the service properties "Log On" tab. Don't forget to kill the service if it doesn't respond to the "STOP" command before restarting.

Tips & Tricks

  • You can script setting up permissions using CACLS, XCACLS or SetACL in a batch (.bat) file.
  • With the Secondary Logon (Run As...) service you can execute commands as administrator even from a LUA account.
  • You can use suDown to achieve LUA with an Administrator account.
  • On Windows XP Home, the "Security" tab cannot be enabled by default, but you can install an update to enable it.
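
The "Prepare permissions" steps and the scripting tip above, combined into one pre-flight script. This is an added example, not part of the original wiki page or of FileZilla Server. It uses icacls, the built-in successor to CACLS on current Windows versions, and the install path, upload folder and certificate paths are assumptions to replace with your own.

```powershell
# Added example, not FileZilla's own script. Run from an elevated PowerShell prompt.
# Assumed values (adjust to your installation):
$Account    = "$env:COMPUTERNAME\filezilla"
$InstallDir = 'C:\Program Files\FileZilla Server'      # assumed install path
$UploadDirs = @('D:\ftp\upload')                       # hypothetical writable roots
$CertFiles  = @('D:\ftp\tls\server.crt', 'D:\ftp\tls\server.key')   # hypothetical
$ConfigFile = Join-Path $InstallDir 'FileZilla Server.xml'
$LogDir     = Join-Path $InstallDir 'Logs'

# Grant what the procedure lists: Write on the settings file and Logs folder,
# Full Control (inherited by children) on upload roots, Read on the TLS files.
icacls $ConfigFile /grant "${Account}:W" | Out-Null
icacls $LogDir     /grant "${Account}:(OI)(CI)W" | Out-Null
foreach ($d in $UploadDirs) { icacls $d /grant "${Account}:(OI)(CI)F" | Out-Null }
foreach ($f in $CertFiles)  { icacls $f /grant "${Account}:R" | Out-Null }

# True when an Allow entry for the service account covers the requested right.
function Test-AllowEntry([string]$Path, [System.Security.AccessControl.FileSystemRights]$Right) {
    $rules = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    foreach ($r in $rules) {
        if (($r.FileSystemRights -band $Right) -eq $Right) { return $true }
    }
    return $false
}

# Collect every deviation before touching the service.
$problems = @()
$user   = [ADSI]"WinNT://$env:COMPUTERNAME/filezilla,user"
$groups = @($user.Groups() | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if (($groups -join ',') -ne 'Users') {
    $problems += "account is in [$($groups -join ', ')], expected only Users"
}
if (-not (Test-AllowEntry $ConfigFile 'Write')) { $problems += "no Write on $ConfigFile" }
if (-not (Test-AllowEntry $LogDir 'Write'))     { $problems += "no Write on $LogDir" }
foreach ($d in $UploadDirs) {
    if (-not (Test-AllowEntry $d 'FullControl')) { $problems += "no Full Control on $d" }
}
foreach ($f in $CertFiles) {
    if (-not (Test-AllowEntry $f 'Read')) { $problems += "no Read on $f" }
}

# Start only when clean: a start without write access to the XML file hangs the service.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Start-Service -DisplayName 'FileZilla Server FTP server'
}
```

The check only looks at Allow entries naming the account itself, so rights inherited through the "Users" group or blocked by a Deny entry are not evaluated. On localized Windows versions the "Users" group name differs and the comparison must be adjusted.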

Conclusion

The advantages of this solution are obvious. Should there be a vulnerability in FZS, only those files and folders to which FZS has write/delete rights can be manipulated. The rest of the computer is shielded from damage. To limit Denial of Service attacks that fill the disk where the writable folders are, you can set up disk quotas in Windows XP Pro and Windows 2003 Server. Moreover, you will learn more about multi-user security principles.