Securing FTP Sites with IIS 6.0 (IIS 6.0)
FTP is commonly misunderstood as a secure means for transferring data, because the FTP server can be configured to require a valid user name and password combination prior to granting access. Be aware that neither the credentials specified at logon nor the data itself is encrypted or encoded in any way. All credentials are sent across the network in plaintext. In other words, all FTP data can be easily intercepted and analyzed by any station on any network between the FTP client and FTP server. The risk of plaintext credentials is that someone other than the intended users could log on to FTP and download the files you have placed there. If you intend to place sensitive data on your FTP site, or if secure communication between clients and your FTP server is important, consider using FTP over an encrypted channel such as a Virtual Private Network secured with Point-to-Point Tunneling Protocol or Secure Internet Protocol (IPSec). You should also consider using Web Authoring with WebDAV (WebDAV), which utilizes Secure Sockets Layer (SSL).
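One way to check whether that advice is being followed is to audit the FTP service log for successful logons that did not arrive through the tunnel. The script below is an added example, not part of the original documentation; it assumes W3C Extended logging with the fields shown in the sample, and the 10.8.0.0/24 tunnel range and all log lines are constructed.

```python
import ipaddress

# Constructed sample in IIS FTP W3C Extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:14:02 10.8.0.23 [1]USER alice 331
09:14:02 10.8.0.23 [1]PASS - 230
09:20:41 203.0.113.77 [2]USER bob 331
09:20:42 203.0.113.77 [2]PASS - 230
09:31:10 198.51.100.9 [3]USER admin 331
09:31:10 198.51.100.9 [3]PASS - 530
"""

# Assumption: addresses handed out to VPN/IPSec clients; adjust to your site.
TUNNELLED_NETS = [ipaddress.ip_network("10.8.0.0/24")]


def exposed_logons(log_text, trusted_nets=TUNNELLED_NETS):
    """Return (time, client_ip, user) for each successful logon from outside trusted_nets."""
    fields, pending_user, findings = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, parts))
        # cs-method looks like "[12]USER": session id in brackets, then the FTP verb.
        session, _, verb = row["cs-method"].partition("]")
        key = (row["c-ip"], session)
        if verb == "USER":
            pending_user[key] = row["cs-uri-stem"]
        elif verb == "PASS":
            user = pending_user.pop(key, "?")
            ip = ipaddress.ip_address(row["c-ip"])
            # 230 = logon accepted; the password crossed the network in plaintext.
            if row["sc-status"] == "230" and not any(ip in net for net in trusted_nets):
                findings.append((row["time"], row["c-ip"], user))
    return findings


if __name__ == "__main__":
    for when, ip, user in exposed_logons(SAMPLE_LOG):
        print(f"{when} {ip} logged on as {user!r} outside the tunnel: rotate this password")
```

Any account the script reports has had its password sent over an unencrypted path and should be treated as exposed.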
FTP sites or virtual directories that are configured to use Active Directory isolation or FTP load balancing should not be mapped to physical directories that are used for Web sites that use FrontPage® Server Extensions from Microsoft. Doing so can allow users to view any files in that folder structure over the network.