Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary.


CONTROL ID: 01479
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception., CC ID: 00880

This Control has the following implementation support Control(s):
  • Configure anonymous FTP to restrict the use of restricted data., CC ID: 16314
  • Disable anonymous access to File Transfer Protocol., CC ID: 06739


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • FTP should be disabled to prevent passwords from being transmitted in clear text. (Pg 87, Pg 129, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Only enable FTP if absolutely necessary. (§ 2.4, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Only enable FTP if absolutely necessary. (§ 2.3, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Only enable FTP if absolutely necessary. (§ 2.3, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • The FTP service transmits passwords in clear text over the network and should never be used. (§ 2.9, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • FTP is insecure and should not be used and should be disabled. It sends user account names and passwords across the network in clear text. If FTP is needed, NetWare supports Secure FTP (SFTP) and this should be used. (§ 7.8, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Only enable FTP if absolutely necessary. (§ 2.4, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Only enable FTP if absolutely necessary. (§ 2.4, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Only enable FTP if absolutely necessary. (§ 2.4, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • Only enable FTP if absolutely necessary. (§ 2.20, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Only enable FTP if absolutely necessary. (§ 2.3, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Only enable FTP if absolutely necessary. (§ 2.4, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • The FTP Publishing Service is part of the IIS suite and makes your files available to other users on the network. It is not installed by default. This service should be Disabled or removed. (§ 4.1.5, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • The FTP Publishing Service is part of the IIS suite and makes your files available to other users on the network. It is not installed by default. This service should be Disabled or removed. (§ 4.1.5, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • The organization must only enable FTP Publishing Service if absolutely necessary. It also states that it is not installed by default. It is used for making files on your local machine available to other users on your network or the Internet. (§ 4.1.7, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • When Apache is used for web services, is anonymous access to File Transfer Protocol disabled? (§ G.21.3.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For Solaris, the organization must configure the system to disable FTP. (Table F-6, CMS Business Partners Systems Security Manual, Rev. 10)
  • If FTP is not required, the service should be disabled, deleted, or turned off. If the service is not deleted, patches should be installed, when available. The Information Assurance Officer should ensure Anonymous FTP connections are not allowed. (§ 8.3, § 8.3.1, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The use of FTP is not recommended since it passes information over the network in clear text. If the FTP service is not required, it should be deleted or disabled. If it is disabled, all appropriate security patches should still be installed when they are released. The system administrator should en… (§ 4.8, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The File Transfer Protocol (FTP) Publishing service should be disabled. The service should be documented if enabling it is required. (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The File Transfer Protocol (FTP) Publishing service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • The ftp account should exist or not as appropriate. Technical Mechanisms: via /etc/passwd. Parameters: exist/not exist. References: 10.8.10.5.2.4 (9). (CCE-5765-3, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • The ftp service should be enabled or disabled as appropriate. Technical Mechanisms: via inetd via inetd.conf. Parameters: enabled/disabled. References: 10.8.10.5.4.1 (11) #13. (CCE-5780-2, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • The ftp account should exist or not as appropriate. Technical Mechanisms: via /etc/passwd. Parameters: exist/not exist. References: 10.8.10.5.2.4 (9). (CCE-5261-3, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • The ftp service should be enabled or disabled as appropriate. Technical Mechanisms: via inetd via inetd.conf. Parameters: enabled/disabled. References: 10.8.10.5.4.1 (11) #13. (CCE-5607-7, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • The ftp account should exist or not as appropriate. Technical Mechanisms: via /etc/passwd. Parameters: exist/not exist. References: 10.8.10.5.2.4 (9). (CCE-6515-1, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • The ftp service should be enabled or disabled as appropriate. Technical Mechanisms: via xinetd. Parameters: enabled/disabled. References: 10.8.10.5.4.1 (11) #13. (CCE-6499-8, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • The FTP service should be enabled or disabled as appropriate. Technical Mechanisms: via svcadm. Parameters: enabled / disabled / offline. References: Section: 2.4.5,Value:disabled CCE-U-103. (CCE-4007-1, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • The ftp account should exist or not as appropriate. Technical Mechanisms: via /etc/passwd. Parameters: exist/not exist. References: 10.8.10.5.2.4 (9). (CCE-6779-3, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • The ftp service should be enabled or disabled as appropriate. Technical Mechanisms: via inetd via inetd.conf. Parameters: enabled/disabled. References: 10.8.10.5.4.1 (11) #13. (CCE-6119-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • The ftp account should exist or not as appropriate. Technical Mechanisms: via /etc/passwd. Parameters: exist/not exist. References: 10.8.10.5.2.4 (9). (CCE-6688-6, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)
  • The ftp service should be enabled or disabled as appropriate. Technical Mechanisms: via inetd via inetd.conf. Parameters: enabled/disabled. References: 10.8.10.5.4.1 (11) #13. (CCE-7067-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)
  • For all Windows XP environments, this service should be Disabled. (§ 6.5, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • This service uses the MMC IIS snap-in to provide connectivity and administration. The FTP Publishing service should be Disabled. (Pg 68, NSA Guide to Security Microsoft Windows XP)
  • Only enable FTP if absolutely necessary. The FTP protocol is unencrypted, which means passwords and other data transmitted during the session can be captured by sniffing the network, and that the FTP session itself can be hijacked by an external attacker. (App C § 2.3, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)