A Microsoft Windows NT service on servers running Microsoft Internet Information Server, or a Windows 2000 service on servers running Internet Information Services (IIS). The FTP service supports the Internet standard File Transfer Protocol (FTP), and allows users to upload and download files between FTP clients and FTP servers such as IIS.
FTP supports only user-level authentication. In other words, FTP servers such as IIS that are running the FTP service support only anonymous authentication or Basic Authentication. When an FTP client attempts to connect to an FTP server configured to use Basic Authentication, the user’s name and password are transmitted as clear text over the network, which is insecure.
The best way to secure FTP services is to enable anonymous authentication on all FTP servers, which requires users to log on with the username “anonymous.” (They can enter anything for the password, but the FTP server’s welcome message usually requests that they politely use their e-mail address as their password for logging purposes.) You should configure the FTP service on IIS to allow only anonymous logons to prevent users from passing their credentials over the network. Then simply avoid storing critical information on your FTP servers, and use them for access to public information only.
You will probably also want to configure your FTP servers to allow only downloads and prohibit all uploads. If your corporate users must upload files remotely using FTP, you can create an FTP drop box for them.An FTP drop box is a folder on an NTFS volume, configured as a virtual directory that has write permission on it but no read permission. In other words, users can upload files to the directory but cannot read what has already been uploaded.