I wanted to increase the security of the Microsoft IIS FTP service on my web server, so I thought I would restrict access to it to my IP. But since my IP is dynamic, I had to set up a dynamic domain service. With this I had to enable domain lookup on the IP filtering of the FTP service. The problem with this solution was that every time I accessed the server, the MSFTP service simply crashed and stopped. Searching the internet for a solution was not successful. So I headed in another direction: SSL and certificates. I don’t really know if this is better than IP restriction (and I suspect it is an open-ended discussion), but it would allow me to access the FTP on the road, where the internet access would be different from the one where the dynamic domain service is configured.
So here is the task list:
- Securing the FTP server with SSL
- Use a client certificate to authenticate the user.
SSL is an easy task since there are tons of articles on it. In summary, you just need a server certificate and have to enable some settings in IIS Manager. The second item is more troublesome, but let’s go through them all.
The first thing is to make sure the server role “IIS Client Certificate Mapping Authentication” is enabled on Microsoft Windows 2012 server. A component with the same name is available on Windows 8.1 (and probably earlier), and it can be accessed using the “Add Windows Features” dialog in “Add/Remove Programs” of Control Panel.
Enable the Windows Features / Server Role: “Internet Information Services / World Wide Web Services/Security/IIS Client Certificate Mapping Authentication”.
At this time make sure the FTP site is created and working properly. Basic authentication is required since the client certificate will be mapped onto a specific user with connection rights to the FTP server.
2. Issue the certificates
Issue the root self-signed certificate using the makecert.exe utility. In the article “Testing with client certificate authentication in a development environment on IIS 8.5” by Ronald Wildenberg this is described thoroughly. You will probably have to launch a Command Prompt with Administrator privileges to run the commands.
First make the self-signed root certificate:
makecert -r -pe -n "CN=WebSSLSelfRoot" -b 01/01/2014 -e 01/01/2016 -ss root -sr localmachine -len 2048
Then issue the certificate to use on the SSL connections. Note that this certificate is issued using the root certificate from the previous step:
makecert -pe -n "CN=vserver153.3essentials.com" -b 01/01/2014 -e 01/01/2016 -eku 1.3.6.1.5.5.7.3.1 -is root -ir localmachine -in WebSSLSelfRoot -len 2048 -ss WebHosting -sr localmachine
These two certificates are enough for SSL communications. The third certificate is the client certificate, again issued by the root certificate:
makecert -pe -n "CN=SSLClientAuthClientFTP01" -eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in WebSSLSelfRoot -ss my -sr currentuser -len 2048
After these three commands the certificates are created and installed.
3. Enable SSL on FTP server
First, on IIS manager, check if the server certificate appears on “Server Certificates” configuration at the server level. Then select the FTP site and enter the “FTP SSL Settings” configuration. There, select the server certificate we just created and choose “Require SSL connections”.
Click “Apply” on the Actions panel.
4. Test the FTP SSL connection.
I’m using FlashFXP, and the connection must be configured as “FTP using Explicit SSL (AuthSSL)” and “TLSv1” to work properly.
In the process of the connection being established, FlashFXP requests you to accept the certificate the server provides. Just accept the certificate.
5. Transport the client certificate to the client computer.
Since we just established an SSL connection to your FTP server, we will use this connection to transport the generated client certificate to the client computer.
On the server, using the certificates management console (type “certificate” on Start screen to find “Manage user certificates” on Settings) find the client certificate under the “Personal” folder.
Using the context menu on the certificate, select “All Tasks / Export”. This enters the Certificate Export Wizard.
On the second step of the wizard select to export the private key and advance to the next step. In the file format step only one format is available (.PFX file) since we chose to export the private key. Make sure the “Include all certificates in the certification path if possible” is selected so the self-signed root certificate is also included. In the next step define a password that will be needed afterwards when installing the certificate on the client computer. Save the file to the FTP home directory on the next step.
Saving to the FTP home directory will enable you to easily download the file since we have already set up FTP and tested it. The name of the file is not important, but to keep things clean, give it the name of the certificate: “SSLClientAuthClientFTP01.pfx”. Then just finish the wizard.
While we are in the certificate manager, we will have to export the same certificate again but now in .CER file format. We will need this at a later step, when enabling client certificate on the FTP server. To accomplish that export, choose not to export the private key, and select the “Base-64 encoded X.509 (CER)” file format option.
After transferring the PFX file to the local computer double click on the file and the Certificate Import Wizard appears. Follow the wizard and provide the password defined when exporting the certificate. Choose to automatically select the certificate store and proceed. A warning dialog appears and you have to confirm to install the root certificate.
6. Enable Client authentication
At this time we will enable the client authentication for the FTP site. This comprises two different steps. One is to configure the IIS to request a client certificate and the other one is to map a specific client certificate (the one we generated above) to a specific FTP user.
For the first step, there is a configuration element that needs to be added by “hand”. This is well documented in the reference library of iis.net. Load the applicationHost.config (default location is C:\Windows\System32\inetsrv\config) in Notepad (you will probably need to launch Notepad with Administrator privileges to be able to save the file) and edit your FTP site entry as indicated in the article. Basically add the following line under the “ftpServer/security” section:
<sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="false" />
The second step is very similar to what is documented in the article “Configuring One-to-One Client Certificate Mappings”, which covers configuring client certificates on a web site. From there, only execute steps 1 and 2, since step 3 corresponds to the “sslClientCertificates” configuration entry we just added in the first step.
The article says in the prerequisites that you need the .cer file for the certificate. This was generated in a previous step, and you need to open it in Notepad to reformat it as a single line. This is a tricky operation because even with “Word Wrap” disabled, Notepad will show a line break when the line is too big. The way I find easier is to position the cursor at the beginning of each line and press backspace. Note that on the last line the backspace seems to have no effect, but it has. This is the too-big line I mentioned. Just ignore the line break that seems to still be there and copy all the text to the clipboard. You will need to paste it into a configuration setting mentioned in the article.
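The single-line conversion described above can be scripted instead of done by hand in Notepad, which also lets you confirm that the text you paste is the intended client certificate. The following PowerShell is an added example, not part of the original post; the function name and the .cer file name are assumptions, and the subject it checks is the one from the makecert command in step 2.

```powershell
# Added example (not from the original post): build the single-line Base-64
# string from a .cer export and confirm it is the intended client certificate.
function ConvertTo-SingleLineCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path    # "Base-64 encoded X.509 (.CER)" export from step 5
    )

    # Keep only the Base-64 body: drop blank lines and the BEGIN/END markers.
    $body = Get-Content -LiteralPath $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----$' }
    $oneLine = -join $body

    # Decode and parse the result; a damaged or truncated file fails here
    # instead of later as an unexplained authentication failure.
    $bytes = [Convert]::FromBase64String($oneLine)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $bytes)

    # Collect the enhanced key usage OIDs; 1.3.6.1.5.5.7.3.2 is Client Authentication.
    $ekuOids = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasClientAuth = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
        Base64        = $oneLine
    }
}

# Usage; the .cer path below is an assumed file name.
$result = ConvertTo-SingleLineCertificate -Path '.\SSLClientAuthClientFTP01.cer'
$result | Format-List Subject, Issuer, Thumbprint, NotAfter, HasClientAuth
if ($result.Subject -ne 'CN=SSLClientAuthClientFTP01' -or -not $result.HasClientAuth) {
    Write-Warning 'This is not the expected client certificate; do not map it.'
} else {
    # Set-Clipboard needs Windows PowerShell 5.0 or later.
    $result.Base64 | Set-Clipboard
}
```

Compare the printed thumbprint with the one shown for the certificate in the certificate manager before pasting the string into the mapping.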
8. Configure the FTP client software to use the client certificate.
The last step is to configure the FTP client software to use the client certificate we downloaded previously. I recommend that we try to connect without this last configuration to verify that the connection is refused without the client certificate.
Continuing the configuration on FlashFXP, we have to import the client certificate.
We should now be able to connect to the FTP server. Remember that you will have to install the client certificate on every machine that you will use to access that server.