FTP – disabling anonymous FTP on Windows 2003 Server enables unencrypted passwords

ftp windows-server-2003

While doing some web development work on a website for a client, I realised that their server (Windows 2003 VM) has anonymous FTP enabled. This is not something they want.

I'm attempting to turn it off for them as follows:

Under

IIS Manager -> FTP Sites -> Properties -> Security Accounts

there is a checkbox, "Allow anonymous connections", which I assume I need to uncheck. BUT when I uncheck it, the following warning message appears:

The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.

Now, that doesn't sound like something I want either.

Is this my only option – disable anonymous FTP but enable unencrypted passwords – or are the unencrypted passwords not a relevant issue?

I am a developer and I usually work in Linux environments, so I'm a bit out of my depth here on two counts.

Best Answer

It's warning you because you're using FTP in general, which is plaintext. Disabling anonymous connections would then require a username/password pair, which is what Windows is complaining about. It's safe to do (although FTP in general isn't "safe").
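The trade-off described in this thread can be checked from an FTP client's debug log. The following is an added example, not part of the original question or answer: it audits a control-channel log for a real password sent without a prior successful `AUTH TLS` (explicit FTPS, RFC 4217) and for an accepted anonymous login. The account name `webdev`, the password and the three sample logs are constructed for illustration.

```python
import re

ANON_USERS = {"anonymous", "ftp"}

# Constructed client-side logs (C: client command, S: server reply), not captured traffic.
PLAIN = """S: 220 Microsoft FTP Service
C: USER webdev
S: 331 Password required for webdev.
C: PASS example-password
S: 230 User webdev logged in."""
ANON = """S: 220 Microsoft FTP Service
C: USER anonymous
S: 331 Anonymous access allowed, send identity (e-mail name) as password.
C: PASS guest@example.com
S: 230 Anonymous user logged in."""
FTPS = """S: 220 FTP server ready
C: AUTH TLS
S: 234 AUTH command ok
C: USER webdev
S: 331 Password required
C: PASS example-password
S: 230 User logged in"""

def audit_session(log):
    """Report what one FTP control-channel log exposes."""
    tls_requested = tls_active = False
    user = ""
    result = {"cleartext_password": False, "anonymous_accepted": False}
    for side, word, rest in re.findall(r"^([CS]):[ \t]*(\S+)[ \t]*(.*)$", log, re.M):
        anonymous = user.lower() in ANON_USERS
        if side == "C":
            verb = word.upper()
            if verb == "AUTH":
                tls_requested = True
            elif verb == "USER":
                user = rest.strip()
            elif verb == "PASS" and not tls_active and not anonymous:
                result["cleartext_password"] = True  # real credential sent unencrypted
        else:
            if tls_requested:  # only reply 234 means the TLS upgrade was accepted
                tls_active, tls_requested = word[:3] == "234", False
            if word[:3] == "230" and anonymous:
                result["anonymous_accepted"] = True
    return result

if __name__ == "__main__":
    for name, log in (("plain", PLAIN), ("anonymous", ANON), ("ftps", FTPS)):
        print(name, audit_session(log))
```

The anonymous session is not flagged for a cleartext password because the `PASS` value there is a placeholder identity rather than an account credential.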