Computer Security & Viruses/FTP is secure



Question
Thanks for your help with the whole WebDAV vs. FTP thing for sharing of files.  It seems to me that FTP is very secure, especially if you are running it on say Windows 2003 Server, and that is your main file server (domain controller).  You can set up a new user in your Active Directory (create a password for them) that can only access the FTP site, and nothing else.  They cannot log into the company domain and see anything else on the network, except that FTP folder.  If someone intercepted that username and password then they would NOT be able to hack the network or server.  They would only have access to what's in the FTP folder.  It seems to me that if you didn't have Active Directory, then yes, you would have to use a Windows User Account that is set up on a local computer.  Then someone could essentially use that username and password to log into the domain from that computer and then can get access to the network.  Am I correct in all of this?  Is this the way to keep things secured?  Thanks again for your help.

Answer
You are right, intruders can steal your ftp data. IMHO, this is such a terrible flaw that Microsoft is inexcusably irresponsible to pretend that there is anything secure about this arrangement. So I would call ftp TOTALLY INSECURE. That is, unless you don't mind sharing your ftp data or worse letting kiddie hackers use your ftp server to store what they call "pron." This is especially dangerous if you aren't monitoring your network to find and shut down any modems and wireless LANs that may appear, as these are the back doors through which the kiddie hackers -- and dangerous criminals -- enter your network. Also, you have to watch out for insider attacks even if you carefully keep modems and wireless LANs out of your network.



Carolyn Meinel

Expertise

I cover Windows, Linux, TCP/IP and Ethernet security questions. I do not cover Mac, smart phones, or other networking issues.

Experience

Books by Carolyn Meinel: wrote a chapter for The Hacking of America book (see http://www.amazon.com/exec/obidos/ASIN/1567204600/happyhacker). My article Code Red for the Web for Scientific American was reprinted in the book Best American Science Writing 2002 (see http://www.amazon.com/exec/obidos/ASIN/0060936509/happyhacker). My book The Happy Hacker: A Guide to Mostly Harmless Hacking is now in 4th edition with a Japanese edition (see http://happyhacker.org/hhbook/).

Organizations
IEEE, AAAS

Publications
See a list with some online links at http://cmeinel.com

Education/Credentials
MS, Industrial Engineering, The University of Arizona. Took a course in computer forensics at the University of Texas at Austin.

Past/Present Clients
DARPA, SAIC, Palmer Labs

©2012 About.com, a part of The New York Times Company. All rights reserved.