One more quote from that site which obviously you didn't bother to look at..
It's not "the nature of the beast" to always allow someone from =ANY= IP to
enter a username/password combo and them trying to guess at which range of
IP's is accepted, using almost any other FTP software, isn't very likely.
Enabling this server with no sort of accept/deny scripts is opening an easy
path into a network.
-----------------
Considering that FTP is a remote service that involves cleartext exchange of
authentication information, removing the capability to easily prevent
entire classes from IPs from even *offering* the correct username/password
shared secrets can do much to increase site security. Even if IPs aren't
particularly cryptographically secure, the simple knowledge of which IPs
are allowed access can be a secret unto itself, and spoofing IPs outside
the local LAN is an order of magnitude more difficult as well.
I have looked at "the site", and documentation on FTP on many systems.
Most of the time that you have a known list of IPs that you can
restrict FTP to, there are better alternatives. If you are going to
use it in a lan environment normal file sharing protocols are better
and faster. If you are doing it over the internet, then it is not
likely the ftp clients will be in unique IP ranges. You might use it
if you are transfering files from remote offices, and all ends have
static IP, but even there spoofing IPs is not that hard, and it is
also easy to watch what transfers if someone is interested. If you are
setting up an FTP site for people on the road, for example, then IP
lists will not be a practical solution unless you also are using some
type of VPN, which solves the security problems anyway.
FTP is not very secure. If you set up an FTP site that allows
anonymous downloads, the Win2k FTP server is not functionally
different than the others. You can also setup "user" accounts that
only have access to the ftp directory on the machine for more secure
uploads.
