I have two Filezilla server instances on different WAN connections, both mapping to the same /test directory on the file server.
To validate that clients have connectivity I have a read/list only test account (e.g. test) with a simple password that can be given verbally over the phone (e.g. pass). This saves a lot of hassle when on-boarding new clients, or debugging routing problems.
I have tended to disable the test account when not required, but this is somewhat of an inconvenience as it requires logging on to the server and can be required multiple times per week.
What, if any, risks would I be taking if I left the test account enabled with a weak or easy-to-guess password? Are there any known exploits that could be used to access or deny access to the server?
Note: The server is set to autoban IP addresses for 2 hours after 10 failed login attempts. Syslog monitoring on the firewall is also set to flag suspicious activity. This could be extended to banning naughty IPs at the perimeter.
EDIT: I mentioned FTP for expediency but the servers are actually set to require FTPS with unencrypted FTP disallowed.
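Since the question relies on the autoban rule (10 failures, 2-hour ban) and syslog flagging to contain a weak test account, here is an added example, not part of the original question, that applies the same threshold to a server log offline: it parses login outcomes per client IP and reports addresses that reach the failure threshold against the `test` account inside a sliding window, plus every successful login to that account. The line format is modelled on the FileZilla Server 0.9.x log (`(session)date time - user (ip)> message`) and the sample lines are constructed; adjust `LINE_RE` if your log differs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed FileZilla Server 0.9.x log layout, e.g.
# (000002)03/04/2013 09:05:00 - (not logged in) (198.51.100.9)> USER test
LINE_RE = re.compile(
    r"^\((?P<sid>\d+)\)(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - "
    r"(?P<who>.+?) \((?P<ip>[\d.]+)\)> (?P<msg>.*)$"
)


def parse_events(log_text):
    """Yield (timestamp, ip, username, outcome) for every login result.

    outcome is 'ok' for a '230 Logged on' reply and 'fail' for any 530 reply.
    The username comes from the last USER command seen on the same session id.
    """
    pending_user = {}  # session id -> username announced with USER
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, msg = m["sid"], m["msg"]
        if msg.startswith("USER "):
            pending_user[sid] = msg[5:].strip()
            continue
        if msg.startswith("230 "):
            outcome = "ok"
        elif msg.startswith("530 "):
            outcome = "fail"
        else:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        yield ts, m["ip"], pending_user.get(sid, "?"), outcome


def find_suspects(log_text, account="test", threshold=10, window=timedelta(hours=2)):
    """Return ({ip: peak failure count}, [(timestamp, ip) of successful logins]).

    An IP is listed once it accumulates `threshold` failed logins against
    `account` within any `window` (the same rule as the server's autoban).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    suspects, successes = {}, []
    for ts, ip, user, outcome in parse_events(log_text):
        if user != account:
            continue
        if outcome == "ok":
            successes.append((ts, ip))
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            suspects[ip] = max(suspects.get(ip, 0), len(q))
    return suspects, successes


def _line(sid, ts, who, ip, msg):
    return f"({sid:06d}){ts:%m/%d/%Y %H:%M:%S} - {who} ({ip})> {msg}"


def build_sample_log():
    """Constructed sample: one good login, ten failures from one IP, two from another."""
    base = datetime(2013, 3, 4, 9, 0, 0)
    lines = [
        _line(1, base, "(not logged in)", "203.0.113.7", "USER test"),
        _line(1, base, "test", "203.0.113.7", "230 Logged on"),
    ]
    for i in range(10):  # 198.51.100.9 guesses ten times in ten minutes
        t = base + timedelta(minutes=5 + i)
        lines.append(_line(2 + i, t, "(not logged in)", "198.51.100.9", "USER test"))
        lines.append(_line(2 + i, t, "(not logged in)", "198.51.100.9", "530 Login or password incorrect!"))
    for i in range(2):  # 192.0.2.4 only mistypes twice, stays below threshold
        t = base + timedelta(minutes=30 + i)
        lines.append(_line(20 + i, t, "(not logged in)", "192.0.2.4", "USER test"))
        lines.append(_line(20 + i, t, "(not logged in)", "192.0.2.4", "530 Login or password incorrect!"))
    return "\n".join(lines)


if __name__ == "__main__":
    suspects, successes = find_suspects(build_sample_log())
    print("IPs at or above the failure threshold:", suspects)
    print("successful logins to the test account:", successes)
```

Successful logins are reported as well as failures: on a deliberately guessable account, a success from an unexpected address is the event that actually matters.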
I'm not sure there's an objective answer to this. It depends entirely on such factors as what's on the file server, what your business is, whether the usernames and passwords are used elsewhere (FTP transmits credentials in plaintext), whether you're subject to any type of legislation that requires greater cautiousness (HIPAA, FERPA, PCI), etc. That said, there's always risk; it just depends on how much risk you're comfortable with.
For example: if you're a vendor and no customer data is allowed to touch the file server because it's segregated on its own system, you might decide that leaving the FTP accounts enabled is an acceptable risk. If you're an elementary school and the file server has grades and student addresses on it, probably not. If the FTP accounts reside on a web server that takes credit cards, don't do it.
Short answer: disable it.
Longer answer: it depends on the level of risk that you're comfortable with.
There may be exploits that work against the version of the software you're using, or that haven't been discovered yet, that could allow unauthorized access. It's up to you how much risk you are willing to take: if you're happy that the monitoring is good enough then by all means leave it open. Personally I would disable such an account or at the very least give it a complex-but-readable password (CVC triplets are good and easy to dictate/remember, e.g. 'lef-tok-tar', or use a sequence of words à la XKCD), and heavily monitor any access attempts (successful or otherwise) to it.
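To put numbers on the "complex-but-readable" suggestion, here is an added example (not from the answer's author) that generates CVC-triplet passwords and word-sequence passphrases with a CSPRNG, computes the entropy each scheme gives an attacker who knows the scheme, and converts that into the expected guessing time for an online attacker throttled by the autoban policy from the question (10 attempts, then a 2-hour ban, from a single address). The consonant and vowel sets and the small word list are constructed for the example; a real passphrase list should be much larger.

```python
import math
import secrets

# Constructed alphabets: q, w, x, y dropped because they are easy to mishear on the phone.
CONSONANTS = "bcdfghjklmnprstvz"  # 17 symbols
VOWELS = "aeiou"                  # 5 symbols

# Constructed stand-in for a real word list (XKCD style needs thousands of words).
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "eagle", "flame", "grape", "house"]


def cvc_password(triplets=3):
    """Random consonant-vowel-consonant syllables joined by hyphens, e.g. 'lef-tok-tar'."""
    def syllable():
        return secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
    return "-".join(syllable() for _ in range(triplets))


def cvc_entropy_bits(triplets=3):
    """Entropy when the attacker knows the alphabets: log2(17*5*17) per syllable."""
    return triplets * math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def word_passphrase(words, count=4):
    """A sequence of `count` words drawn uniformly from `words` (XKCD style)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(vocab_size, count=4):
    """Entropy of `count` uniform picks from a list of `vocab_size` words."""
    return count * math.log2(vocab_size)


def expected_years_to_guess(entropy_bits, attempts_per_window=10, window_hours=2.0):
    """Expected years for one throttled source to hit the password.

    Model: the autoban allows `attempts_per_window` guesses per `window_hours`
    from one IP, and on average half the keyspace must be tried. An attacker
    spreading guesses over N addresses divides this figure by N, so the
    policy slows guessing but does not replace a strong secret.
    """
    attempts_per_year = attempts_per_window * (24 * 365 / window_hours)
    return (2 ** entropy_bits / 2) / attempts_per_year


if __name__ == "__main__":
    print("CVC example:       ", cvc_password())
    print("CVC entropy (bits):", round(cvc_entropy_bits(), 1))
    print("years to guess:    ", round(expected_years_to_guess(cvc_entropy_bits())))
    print("4 words from 2048: ", round(passphrase_entropy_bits(2048), 1), "bits")
    print("sample passphrase: ", word_passphrase(SAMPLE_WORDS))
```

The throttle arithmetic assumes guesses are uniform over the scheme; a common word such as the "pass" in the question is near the top of any wordlist and would fall within the first few attempts regardless of the ban policy, which is why the scheme, not just the length, matters.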
If it is just read permissions, I can't think of any important risk, but you may want to make sure you are using the latest/safest FTP server software to be on the safe side.
You may want to create a script to enable/disable the account from your desktop.
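As an added illustration of that script (my own example, not the answer author's or the FileZilla project's code), the following toggles the `Enabled` option of a named user in the FileZilla Server XML configuration and also lists any write-type permissions the account holds, so the "read/list only" property can be verified every time the account is switched on. The element and option names (`User`, `Option Name="Enabled"`, `Permission`, `FileWrite` and friends) are assumed from the 0.9.x `FileZilla Server.xml` layout and the embedded configuration fragment is constructed; check both against your own file before relying on it, and remember the server has to reload its configuration after the file changes.

```python
import sys
import xml.etree.ElementTree as ET

# Assumed option names of the write-type permissions in FileZilla Server 0.9.x.
WRITE_PERMS = ("FileWrite", "FileDelete", "FileAppend", "DirCreate", "DirDelete")

# Constructed fragment in the assumed layout of 'FileZilla Server.xml'.
SAMPLE_CONFIG = """<FileZillaServer>
  <Users>
    <User Name="test">
      <Option Name="Pass">PLACEHOLDER_HASH</Option>
      <Option Name="Enabled">1</Option>
      <Permissions>
        <Permission Dir="D:\\test">
          <Option Name="FileRead">1</Option>
          <Option Name="FileWrite">0</Option>
          <Option Name="FileDelete">0</Option>
          <Option Name="FileAppend">0</Option>
          <Option Name="DirCreate">0</Option>
          <Option Name="DirDelete">0</Option>
          <Option Name="DirList">1</Option>
          <Option Name="DirSubdirs">1</Option>
          <Option Name="IsHome">1</Option>
        </Permission>
      </Permissions>
    </User>
  </Users>
</FileZillaServer>
"""


def _find_user(root, name):
    for user in root.iter("User"):
        if user.get("Name") == name:
            return user
    raise KeyError(f"no user named {name!r} in configuration")


def _option(elem, name):
    for opt in elem.findall("Option"):
        if opt.get("Name") == name:
            return opt
    return None


def is_enabled(xml_text, name):
    """True when the user's Enabled option is set to 1."""
    opt = _option(_find_user(ET.fromstring(xml_text), name), "Enabled")
    return opt is not None and (opt.text or "").strip() == "1"


def set_enabled(xml_text, name, enabled):
    """Return a copy of the configuration with the user's Enabled option set."""
    root = ET.fromstring(xml_text)
    user = _find_user(root, name)
    opt = _option(user, "Enabled")
    if opt is None:
        opt = ET.SubElement(user, "Option", Name="Enabled")
    opt.text = "1" if enabled else "0"
    return ET.tostring(root, encoding="unicode")


def write_permissions(xml_text, name):
    """List (directory, permission) pairs granting write access; empty for a read-only account."""
    user = _find_user(ET.fromstring(xml_text), name)
    granted = []
    for perm in user.iter("Permission"):
        for p in WRITE_PERMS:
            opt = _option(perm, p)
            if opt is not None and (opt.text or "").strip() == "1":
                granted.append((perm.get("Dir"), p))
    return granted


def toggle_file(path, name, enabled):
    """Rewrite the configuration file in place and return the new state."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text = set_enabled(text, name, enabled)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return is_enabled(new_text, name)


if __name__ == "__main__":
    # usage: python toggle_test_account.py "<path to FileZilla Server.xml>" test on|off
    path, account, state = sys.argv[1], sys.argv[2], sys.argv[3].lower() == "on"
    print("enabled:", toggle_file(path, account, state))
    with open(path, encoding="utf-8") as fh:
        extra = write_permissions(fh.read(), account)
    print("write permissions:", extra or "none (read/list only)")
```

Keeping the enable/disable action scripted also makes it easy to log each toggle, so the window during which the weak account was live can be matched against login activity in the server log.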
The risk is always there when servers are public-facing; another way to lessen the risk a bit is to run the service on a non-standard port, say 8021. Do you have the option of doing that?