I have set up FTP on my file server so that way family can get at pictures and such, and I can access my files from home or school/whathaveyou.

I've:

Removed Anonymous access (you have to have a user account and pass)
Set it to Read Only. Can't modify or delete anything.
Set up logging IP addresses
Account Lockout after 3 attempts, with 30 minute renewal.

Anything that I've missed?

I want to keep it as simple as possible for the girlfriend/family to get on, so I've used my no-ip that I've used previously so they don't need to constantly get/remember a new set of ip numbers. Ideally I would like to have FTP over SSL, or something similar, but I'm not sure firefox/IE has that integrated and I don't think it was added to windows server until the 2008 version. Being able to access it like a web page makes it far easier for them to deal with too, instead of a 3rd program or cli.

If you're going for simple id say ditch the ftp idea. You could either just put them on www with http auth or use some sort of php file manager.
If you do wanna stay with ftp first thing to do is get it off the default port, close every other port and make sure that fxp is disabled to prevent ftp bounce attacks (im presuming you'd have no need for it).
I have absolutely no clue about windows ftp software but if possible run it in a chrooted envoirnment. About ssl/tls again i have no idea about windows but if this server is just for family members id say its over complicating things.

I am avoiding the http thing as I don't know if my internet provider blocks or throttles incoming port 80 traffic, and to get everything set up only to find that out sucks.

I went with ftp as all they have to do is:

1: Boot up firefox or IE
2: Type or bookmark "ftp://myserver.com", edited for obvious reasons.
3: Login

And Boom, they are in and can get what they need in a more visual environment than most programs or cli's.

I just wasn't sure if there was anything else I can do to secure basic ftp. I know its not encrypted and if anyone is sniffing their packets their password and username is exposed. But I want to make sure that worse case, they are just going to have read access to my pictures, music, and such.

Not much more you can do and keep it simple.

You could use something like SFTP, BUT it would mean installing an SSH server on your side, which is pretty easy. The big problem comes in on the other side where your target audience would need to install and SFTP client, such as WinSCP. Its pretty easy to install, but I totally understand that can be a lot easier said then done.

On the http side, check out Relay (http://www.ecosmear.com/relay/) its pretty cool, not necessarily the easiest to setup server side, but really cool once its up and running.

VPN would be another thing, but again we are back to client side setup.

This is all stuff you already know, it looks like you have taken about the best possible methods you can to secure your FTP. If your site isn't very high traffic you should be just fine.

EDIT: One thing you might consider is using an ftp server that is not integrated into windows. Main reason is it uses virtual user accounts so they are not actual users on the OS. Also in most cases it will automatically lock those users into a single directory. Filezilla is a pretty decent ftp server, and its free, and will do all that I have mentioned. I am not sure but I think it supports SSL as well.

Good luck and good job!

Ya, I thought about sftp and vpn but in trying to keep it as simple as possible for my mom/aunt and brothers makes going those routes more difficult.

I get enough headaches with 'how do I use this' or spending hours trying to walk my brother through installing a graphics card with him telling me hes not a retard over and over again, when I've not said a word but give instructions, yet when i give specific instructions to the t, he chooses not to follow them because he thinks he knows best. Two hours later after going back and finally listening it works, lol.

Relay does seem pretty cool. But functionally wise, doesn't seem to add a whole lot to what ftp through a browser does. I DO like how images get thumbnails though. Not sure how taxing php/mysql/apache/perl would be on a 800Mhz p3. I had a decent size/pretty large database on a 3.0Ghz Celeron with 1gb ram at one point that slowed down quite a bit at points.

As for traffic, I doubt if there will ever be more than one person accessing it at a time.

If anyone can think of anything else I can do while keeping it simple for them, please let me know. :)

yah.. thats pretty much what I figured with your end users..

As for Relay.. one benefit is you could use HTTPS, and then your user names and passwords wouldn't be transmitted in clear text.

Ohh really. That might be my tipping point. You think all that would run fine on a p3 800Mhz with 768mB ram?

If so, the benefits being secure and showing thumbnails on pictures would be worth the effort if its all the same of going to the address and logging in.

Is there anything I am missing? Are there any open vulnerabilities I am missing? I understand that by using ftp people could get my users usernames and passwords and login, but what else could happen? Would worse case mean that they could download everything on my server?

Over winter break I might look into trying Relay, but for now does having ftp open expose my network or server to anything else other than downloads? At most I will have 10 different users have access, and none are admin accounts.

The only other service I have going is to allow remote desktop from within the network, as the server runs headless, this gives me access from my main desktop to restart, create user accounts and such, but only accessible from my one admin account. I've not forwarded any ports to have access from outside the network, unless you don't need that to get in?

I just want to make sure I am doing everything I can within basic reason to cover everything. I understand going with a secure connection would solve most of my worries, but for now am I covered with what I've done? If all that I have to worry about is the possibility of someone downloading my data without my permission, then that I can deal with for now.

And I just spent more time going through Relay's wiki. It seems like it hasn't been updated in over 2 years, and is still in 0.1beta. Not sure about using something that doesn't really seem to have much support, and of which I can't know much about its stability.

Also I read on the page that the server freaks if a user tries to upload a file larger than the amount of memory in the server. That would definitely be an issue, as the server only has 768Mb, I could get it up to 896Mb, but thats the most Ram I have, and the server only supports a max of 1Gb. This wasn't a problem the other day, but yesterday my brother asked me to create atleast one folder with write access so he could store stuff. Every folder is read only but the one upload folder, but if he uploads something large for some reason, the server could potentially freak.

Hmmm... guess I will still have to search for more options.

yah.. thats pretty much what I figured with your end users..

As for Relay.. one benefit is you could use HTTPS, and then your user names and passwords wouldn't be transmitted in clear text.

This was my first concern .. not everyone realises ftp passwords and usernames are sent as unencrypted ASCII data.

The other thing you could look into is using webDAV for sharing files, offers more security than ftp.

http://www.webdav.org/

Introduction

WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol that lets users collaboratively edit and manage files on a remote web server.

You can lock the editing abilities and just let users look. Using WebDAV you install a little file on the users pc's and they have a drag and drop folder that looks local but is actually on your server. I've not used it but am currently investigating it. I think it would be the simplest solution to your needs.

WebDAV is recommended over other solutions for puters running Vista which struggle badly with ftp over https.

CrazyB

ps just found this: edit2: (think this is fixed is sp1)

"Connecting to your site's Resources using WebDAV on a computer running Windows Vista (http://kb.iu.edu/data/auhq.html) does not work reliably. Developers are currently investigating this issue. However, Microsoft has a software update available that may help correct connection problems for some users. For information about the update and how to download it, see article 907306 in Microsoft's knowledge base."

I think some of this stuff may be related to IPv6 in Vista?

I will take a look into webdav later on tonight when I finish my Archaeology paper.

I understand the risks of running ftp, but just didn't know if it left me exposed to anything other than unauthorized people getting my data.

Its just media for the most part, with Linux iso's, drivers, freeware, and such, so no personal data really other than some pictures.

But please keep the end user easy alternatives coming, as I really need to find a more longterm solution than ftp I think.

With webDAV installed you go to my computer map --> network drive --> put in the https or ftp address and then username and password on first connect.

Done. It's always available as a local drag and drop folder. Couldn't be more simpler. :D

Just don't tell people the URL?

Hmmm, if its as simple as that then I will definitely have to check it out. I would really prefer a secure connection instead of ftp.

As for not telling people the address, that's not really the issue. As even if I was on a secure connection if my family gave the address to another person, ftp or secure they are in.

The issue is that I can't monitor where my users are logging in from. FTP doesn't employ any type of encryption of the transmissions, so anything, even usernames and passwords are available to be grabbed up by anyone sniffing packets somewhere in between my users computers and my server.

I can't do anything about them giving away their login information or the servers address whether I was using a secure protocol or ftp. If the information gets leaked, its leaked.

But I want to limit random strangers from easily getting access.

Looks like I am going to have to look into webDAV or something similar, as ftp over firefox isn't working for them on bigger files.

Firefox doesn't run passive ftp, and after a large amount has been downloaded it just stops and says it can't dl or something according to them. Getting an exact error message from them is impossible it seems.

Its not timeout, as I've set the server to 100,000 seconds instead of 900, as i thought that was the issue, but that didn't fix it.