FTP - User can access any website if he knows the domain name

Question: A user can FTP to any other web site on the server if he knows its domain name, simply by entering it as the Default Remote Directory in his FTP client.

Solution:
This security problem is caused by insufficient security settings on the server: the server is still using the default installation settings, which are not suitable for a hosting server.

Follow the security guidelines below to secure FTP access to the server.

Step 1: Remove Everyone from Root

First, we need to remove the default permission that allows "Everyone" (which includes anonymous users and guests) to access your drives.

  1. Go to Windows Explorer, expand My Computer, right-click on your hard drive(s), and select Properties.
  2. On the Security tab, select Everyone and click Remove.
  3. Click the Add button, select Administrators and SYSTEM, click Add, and then click OK. Select Administrators and SYSTEM one at a time, enable the check box labeled Full Control, and click OK.

Step 2: Set Default FTP Home Directory

Set the folder that an FTP user lands in if his own home folder cannot be accessed.

  1. Open Internet Services Manager: click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Internet Services Manager.
  2. In the Internet Information Services console, expand your server name, click the Default FTP Site folder, and then click Properties.
  3. On the Home Directory tab, provide a local path such as c:\inetpub\ftproot and verify that the Read check box is checked. Click OK.

Step 3: Set Read Permissions for Everyone on Default FTP Site's Local Path 

Everyone must be given Read permission on this folder; otherwise FTP error 530 "Home Directory Inaccessible" will result.

  1. Open My Computer, select the Local Path directory that you set in step 3 of Step 2 above (e.g. c:\inetpub\ftproot), and open its property sheet.
  2. Make sure the Windows account group Everyone is listed on the Security property sheet. Under Permissions, select Read access for the Everyone group. Use Allow to specifically allow access and Deny to specifically deny access.

Note:

  • If the Everyone group is not listed, you may add it by clicking the Add button.
  • If PHP, Perl or ColdFusion is installed on the server, you are required to give Everyone Full Control on the PHP/Perl/CF installation folder; otherwise scripts may not run.
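The following audit script is an added example and is not part of the original article. It verifies the end state the three steps above aim for: no Allow entry for Everyone on any fixed drive root (Step 1), and Everyone holding Read, but nothing that permits writing, on the FTP home directory (Step 3). It assumes the article's example path c:\inetpub\ftproot (override with -FtpRoot) and an elevated Windows PowerShell prompt; it only reads ACLs and changes nothing.

```powershell
# Audit script (added example): checks the NTFS permissions the article's steps should leave behind.
param([string]$FtpRoot = 'C:\inetpub\ftproot')   # article's example path; assumption for your server

$FSR = [System.Security.AccessControl.FileSystemRights]
# Any of these rights for Everyone lets an FTP user alter content or permissions, so they are findings.
$writeMask = $FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
             $FSR::ChangePermissions -bor $FSR::TakeOwnership
# Generic rights bits that some inherited ACEs carry instead of specific rights.
$GENERIC_ALL = 0x10000000; $GENERIC_WRITE = 0x40000000

function Get-EveryoneAllowRules([string]$Path) {
    # Only explicit or inherited Allow entries for the well-known "Everyone" group.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
}

function Test-GrantsWrite($Rights) {
    $bits = [int]$Rights
    (($bits -band [int]$writeMask) -ne 0) -or (($bits -band $GENERIC_ALL) -ne 0) -or (($bits -band $GENERIC_WRITE) -ne 0)
}

function New-Finding($Path, $Issue, $Rights) {
    [pscustomobject]@{ Path = $Path; Issue = $Issue; Rights = $Rights }
}

$findings = @()

# Step 1 check: Everyone must not appear on the root of any fixed, ready drive.
foreach ($drive in [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady }) {
    foreach ($rule in Get-EveryoneAllowRules $drive.RootDirectory.FullName) {
        $findings += New-Finding $drive.RootDirectory.FullName 'Everyone still has an Allow entry on the drive root' $rule.FileSystemRights
    }
}

# Step 3 check: Everyone needs Read on the FTP home (else error 530) but must not be able to write there.
if (Test-Path -LiteralPath $FtpRoot) {
    $rules = @(Get-EveryoneAllowRules $FtpRoot)
    # ReadData is the bit behind "Read"; a negative value means the GENERIC_READ bit (0x80000000) is set.
    $hasRead = $rules | Where-Object { (([int]$_.FileSystemRights -band [int]$FSR::ReadData) -ne 0) -or ([int]$_.FileSystemRights -lt 0) }
    if (-not $hasRead) {
        $findings += New-Finding $FtpRoot 'Everyone lacks Read; expect FTP error 530 Home Directory Inaccessible' $null
    }
    foreach ($rule in $rules | Where-Object { Test-GrantsWrite $_.FileSystemRights }) {
        $findings += New-Finding $FtpRoot 'Everyone has write, delete or permission-change rights on the FTP home' $rule.FileSystemRights
    }
} else {
    $findings += New-Finding $FtpRoot 'FTP home directory does not exist; check the Home Directory tab (Step 2)' $null
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No findings: drive roots and FTP home match the guide.' }
```

Run it again after each step; an empty findings list means the drive roots and the FTP home directory are in the state the guide describes.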