Internet Information Services 6 (IIS 6) is a powerful platform for building and hosting web sites for both the Internet and corporate intranets. IIS 6 is also equally useful for setting up FTP sites for either public or corporate use, and in this article we'll walk through the process of creating and configuring FTP sites using both the GUI (IIS Manager) and scripts included in Windows Server 2003. The specific tasks we'll walk through in this article are:
Creating an FTP Site
Controlling Access to an FTP Site
Configuring FTP Site Logging
Stopping and Starting FTP Sites
Implementing FTP User Isolation
For sake of interest, we'll again explain these tasks in the context of a fictitious company called TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the Internet.
Preliminary Steps
As mentioned in the previous article, IIS is not installed by default during a standard installation of Windows Server 2003, and if you installed IIS using Manage Your Server as described in the previous article, this installs the WWW service but not the FTP service. So before we can create FTP sites we first have to install the FTP service on our IIS machine. To do this, we need to add an additional component to the Application Server role we assigned our machine when we used Manage Your Server to install IIS.
Begin by opening Add or Remove Programs in Control Panel and selecting Add/Remove Windows Components. Then select the checkbox for Application Server:
Click Details, select the checkbox for Internet Information Services (IIS), then click Details again and select the checkbox for File Transfer Protocol (FTP) Service:
Click OK twice and then Next to install the FTP service. During installation you'll need to insert your Windows Server 2003 product CD or browse to a network distribution point where the Windows Server 2003 setup files are located. Click Finish when the wizard is done.
Creating an FTP Site
As with web sites, the simplest approach to identifying each FTP site on your machine is to assign each of them a separate IP address (FTP has no equivalent of HTTP host headers, so sites on one server can only be told apart by IP address or TCP port), so let's say that our server has three IP addresses (172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the Human Resources department, but before we do that let's first examine the Default FTP Site that was created when we installed the FTP service on our machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on Default FTP Site and select Properties:
Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned. This means any IP address not specifically assigned to another FTP site on the machine opens the Default FTP Site instead, so right now opening either ftp://172.16.11.210, ftp://172.16.11.211 or ftp://172.16.11.212 in Internet Explorer will display the contents of the Default FTP Site.
Let's assign the IP address 172.16.11.210 to the Human Resources FTP site and make C:\HR the folder where its content is located. To create the new FTP site, right-click on the FTP Sites node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a description for the site:
Click Next and specify 172.16.11.210 as the IP address for the new site:
Click Next and select Do not isolate users, since this will be a site that anyone (including guest users) will be free to access:
Click Next and specify C:\HR as the location of the root directory for the site:
Click Next and leave the access permissions set at Read only as this site will only be used for downloading forms for present and prospective employees:
Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now be seen in IIS Manager under the FTP Sites node:
To view the contents of this site, go to a Windows XP desktop on the same network and open the URL ftp://172.16.11.210 using Internet Explorer:
Note in the status bar at the bottom of the IE window that you are connected as an anonymous user. To view all users currently connected to the Human Resources FTP site, right-click on the site in IIS Manager and select Properties, then on the FTP Site tab click the Current Sessions button to open the FTP User Sessions dialog:
Note that anonymous users using IE are displayed as IEUser@ under Connected Users.
Now let's create another FTP site using a script instead of the GUI. We'll create a site called Help and Support with root directory C:\Support and IP address 172.16.11.211:
Here's the result of running the script:
The script we used here is Iisftp.vbs, which, like the Iisweb.vbs and Iisvdir.vbs scripts discussed in the previous article, is one of several IIS administration scripts available when you install IIS on Windows Server 2003. A full syntax reference for this script is in the Windows Server 2003 Help. Once you create a new FTP site using this script you can further configure the site using IIS Manager in the usual way.
Note : At this point you could add structure to your FTP site by creating virtual directories, and this is done in the same way as was described in the previous article for working with web sites.
Controlling Access to an FTP Site
Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS Permissions, IIS permissions, IP address restrictions, and authentication method. NTFS permissions are always your first line of defense but we can't cover them in detail here. IIS permissions are specified on the Home Directory tab of your FTP site's properties sheet:
Note that access permissions for FTP sites are much simpler (Read and Write only) than they are for web sites, and by default only Read permission is enabled, which allows users to download files from your FTP site. If you allow Write access, users will be able to upload files to the site as well. And of course access permissions and NTFS permissions combine the same way they do for web sites: the more restrictive of the two wins, so a user needs Write at both the IIS and the NTFS level before an upload will succeed.
Like web sites, IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, an IP address in a range of addresses, or a specific DNS name. These restrictions are configured on the Directory Security tab just as they are for web sites, and this was covered in the previous article so we won't discuss them further here.
FTP sites also have fewer authentication options than web sites, as can be seen by selecting the Security Accounts tab:
By default Allow anonymous connections is selected, and this is fine for public FTP sites on the Internet but for private FTP sites on a corporate intranet you may want to clear this checkbox to prevent anonymous access to your site. Clearing this box has the result that your FTP site uses Basic Authentication instead, and users who try to access the site are presented with an authentication dialog box:
Note that Basic Authentication passes user credentials over the network in clear text, and the FTP service in IIS 6 supports neither Windows Integrated Authentication nor SSL/TLS, so both the logon and the files transferred are readable by anyone who can capture the traffic. This makes FTP sites inherently insecure: a user who logs on with a domain account is sending the domain password across the wire. So if you're going to deploy a private FTP site on your internal network, make sure your firewall blocks inbound TCP port 21 (the control channel) and port 20 (the active-mode data channel) so that external users on the Internet cannot reach it.
Configuring FTP Site Logging
As with web sites, the default logging format for FTP sites is the W3C Extended Log File Format, and FTP site logs are stored in folders named
%SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn
where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the Microsoft Log Parser, part of the IIS 6.0 Resource Kit Tools , to analyze these FTP site logs.
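As an added example (not code from the article or from Microsoft), here is a small Python audit that reads an MSFTPSVC log in the W3C Extended format described above and pulls out the two things a security engineer looks for first: repeated 530 password failures from one client, and uploads made by the anonymous account. SAMPLE_LOG is constructed for the example, with made-up addresses and file names; the parser takes its column layout from the file's own #Fields line, so it also works on logs whose selected fields differ from the sample.

```python
"""Audit IIS 6 FTP (MSFTPSVC) W3C extended logs for failed logons and anonymous uploads.

Added example; not code from the article or from Microsoft. SAMPLE_LOG is
constructed to match the W3C layout of an MSFTPSVC log: the '#Fields:' line
names the columns, cs-method carries the FTP verb prefixed with the session
number in brackets, sc-status 530 with sc-win32-status 1326 is a rejected
password, and uploads are logged as 'created' (downloads as 'sent').
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-14 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2005-03-14 09:00:01 172.16.11.50 - [1]USER anonymous 331 0
2005-03-14 09:00:01 172.16.11.50 anonymous [1]PASS IEUser@ 230 0
2005-03-14 09:00:05 172.16.11.50 anonymous [1]sent /forms/w4.doc 226 0
2005-03-14 09:00:09 172.16.11.50 anonymous [1]QUIT - 226 0
2005-03-14 09:01:10 203.0.113.7 - [2]USER administrator 331 0
2005-03-14 09:01:11 203.0.113.7 - [2]PASS - 530 1326
2005-03-14 09:01:12 203.0.113.7 - [3]USER administrator 331 0
2005-03-14 09:01:13 203.0.113.7 - [3]PASS - 530 1326
2005-03-14 09:01:14 203.0.113.7 - [4]USER administrator 331 0
2005-03-14 09:01:15 203.0.113.7 - [4]PASS - 530 1326
2005-03-14 09:02:30 172.16.11.51 anonymous [5]created /upload/tool.exe 226 0
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the column names in the #Fields line.

    Mapping columns by name rather than by position keeps the parser correct
    when an administrator adds or reorders fields in the site's logging properties.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip it rather than shift columns
        yield dict(zip(fields, values))


def ftp_verb(cs_method):
    """'[12]PASS' -> 'PASS'; the bracketed prefix is the FTP session number."""
    return cs_method.split("]", 1)[-1]


def audit(entries, failure_threshold=3):
    """Summarise password failures per client and uploads made anonymously.

    Returns a dict with:
      failed_logins       {client ip: number of 530 replies to PASS}
      bruteforce_sources  the subset of clients at or above failure_threshold
      anonymous_writes    [(client ip, uploaded path)] for 'created' by anonymous
    """
    failed = Counter()
    anonymous_writes = []
    for e in entries:
        verb = ftp_verb(e["cs-method"])
        if verb == "PASS" and e["sc-status"] == "530":
            failed[e["c-ip"]] += 1
        elif verb == "created" and e["cs-username"].lower() == "anonymous":
            anonymous_writes.append((e["c-ip"], e["cs-uri-stem"]))
    return {
        "failed_logins": dict(failed),
        "bruteforce_sources": {ip: n for ip, n in failed.items() if n >= failure_threshold},
        "anonymous_writes": anonymous_writes,
    }


if __name__ == "__main__":
    for key, value in audit(parse_w3c(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Log Parser can produce the same counts with one query over the MSFTPSVCnnnnnnnnnn folder; the value of a script like this is that it runs wherever the log files are copied to, and that grouping on the bare verb and sc-status, rather than on the raw cs-method string, survives the per-session number prefix. Any entry under anonymous_writes on a site that was meant to be read-only means Write permission is set somewhere it should not be.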
Stopping and Starting FTP Sites
If an FTP site becomes unavailable you may need to restart it to get it working again, which you can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start. From the command line, net stop msftpsvc followed by net start msftpsvc restarts the FTP Publishing Service, and with it every FTP site on the server, and iisreset restarts all IIS services. Remember that restarting is a last resort, as any users currently connected will be disconnected.
Implementing FTP User Isolation
Finally, let's conclude by looking at how to implement the new FTP User Isolation feature of IIS in Windows Server 2003. When an FTP site uses this feature, each user accessing the site has an FTP home directory that is a subdirectory under the root directory for the FTP site, and from the perspective of the user their FTP home directory appears to be the top-level folder of the site. This means users are prevented from viewing the files in other users' FTP home directories, which has the advantage of providing security for each user's files.
Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff Folders as the root directory for the site and 172.16.11.212 for the site's IP address. Start the FTP Site Creation Wizard as we did previously and step through it until you reach the FTP User Isolation page and select the Isolate users option on this page:
Continue with the wizard and be sure to give users both Read and Write permission so they can upload and download files.
Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones), who have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP home directories on your server, first create a subfolder named \TESTTWO beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the \TESTTWO folder. (If the accounts were local to the server rather than domain accounts, the intermediate folder would be named \LocalUser instead.) Your folder structure should now look like this:
C:\Staff Folders
    \TESTTWO
        \bsmith
        \mjones
To test FTP User Isolation let's put a file named Bob's Document.doc in the \bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop, open Internet Explorer and try to open ftp://172.16.11.212, which is the URL for the Staff FTP site we just created. When you do this an authentication dialog box appears, and if you're Bob then you can enter your username (using the DOMAIN\username form) and password like this:
When Bob clicks the Log On button the contents of his FTP home directory are displayed:
Note that when you create a new FTP site using FTP User Isolation, you can't convert it to an ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly, an ordinary FTP site can't be converted to one using FTP User Isolation.
We still need to explore one more option and that's the third option on the FTP User Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211. One way we can do this is by opening a command prompt and typing iisftp /delete "Help and Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again and select the third option mentioned above (we'll name this new site Management):
Click Next and enter an administrator account in the domain, the password for this account, and the full name of the domain:
Click Next and confirm the password and complete the wizard in the usual way. You'll notice that you weren't prompted to specify a root directory for the new FTP site. This is because in this mode each user's FTP home directory is taken from two attributes on the user's Active Directory account rather than from the site: msIIS-FTPRoot, which defines the root directory and can be anywhere, including a UNC path to a network share on another machine such as \\test220\docs, and msIIS-FTPDir, the user's subfolder beneath that root. For example, if Bob Smith's account has msIIS-FTPRoot set to \\test220\docs and msIIS-FTPDir set to bsmith, his FTP home directory is \\test220\docs\bsmith, and that folder has to be created (with suitable NTFS permissions) before he can log on. You can set these attributes with the /SetADProp switch of iisftp.vbs or with an ADSI script, but that's beyond the scope of this present article.
Install Internet Information Services and the FTP Service
Because FTP depends on Microsoft Internet Information Services (IIS), IIS and the FTP Service must be installed on the computer. To install IIS and the FTP Service, follow these steps. NOTE: In Windows Server 2003, the FTP Service is not installed by default when you install IIS. If you already installed IIS on the computer, you must use the Add or Remove Programs tool in Control Panel to install the FTP Service.
1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. In the Components list, click Application Server and then click Details. In the subcomponents list, click Internet Information Services (IIS) (but do not select or clear the check box), and then click Details.
4. Click to select the following check boxes (if they are not already selected):
   Common Files
   File Transfer Protocol (FTP) Service
   Internet Information Services Manager
5. Click to select the check boxes next to any other IIS-related service or subcomponent that you want to install, and then click OK.
6. Click Next.
7. When you are prompted, insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive or provide a path to the location of the files, and then click OK.
8. Click Finish.
IIS and the FTP service are now installed. You must configure the FTP Service before you can use it.
Configure The FTP Service
To configure the FTP Service to allow only anonymous connections, follow these steps:
1. Start Internet Information Services Manager or open the IIS snap-in.
2. Expand Server_name, where Server_name is the name of the server.
3. Expand FTP Sites.
4. Right-click Default FTP Site, and then click Properties.
5. Click the Security Accounts tab.
6. Click to select the Allow Anonymous Connections check box (if it is not already selected), and then click to select the Allow only anonymous connections check box. When you select Allow only anonymous connections, you configure the FTP Service to allow only anonymous connections: users cannot log on by using user names and passwords. This is the right setting for a public download site, because it keeps Windows account credentials from ever being sent over FTP in clear text.
7. Click the Home Directory tab.
8. Click to select the Read and Log visits check boxes (if they are not already selected), and then click to clear the Write check box (if it is not already cleared).
9. Click OK.
10. Quit Internet Information Services Manager or close the IIS snap-in.
The FTP server is now configured to accept incoming FTP requests. Copy or move the files that you want to make available to the FTP publishing folder for access. The default folder is drive:\Inetpub\Ftproot, where drive is the drive on which IIS is installed.
User Isolation
Introduction
Microsoft has created a new FTP service that has been completely rewritten for Windows Server 2008 (code name "Longhorn"). This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.
This document will walk you through the various FTP user isolation settings using the new FTP user interface and by directly editing the IIS configuration files.
Note : This walk-through contains a series of steps where you will be logging in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.
Prerequisites
The following items are required to complete the procedures in this article:
1. IIS 7 must be installed on your Windows Server 2008 RC0 server, and the Internet Information Services Manager must be installed.
2. The new FTP service must be installed. You can download and install the FTP service from the www.iis.net web site using one of the following links:
FTP for IIS 7.0 (x64)
FTP for IIS 7.0 (x86)
3. You will need to create a root folder for FTP publishing:
a. Create a folder at "%SystemDrive%\inetpub\ftproot"
b. Set the permissions to allow anonymous access. The command below grants the IUSR account (the identity anonymous FTP sessions run as) Read only, recursively, while keeping the existing ACL entries, so anonymous users can download but never write to the tree:
i. Open a command prompt.
ii. Type the following command:
CACLS "%SystemDrive%\inetpub\ftproot" /G IUSR:R /T /E
iii. Close the command prompt.
4. You will need to create additional content folders:
a. Create a folder at "%SystemDrive%\inetpub\ftproot\LocalUser\Public"
b. Create a folder at "%SystemDrive%\inetpub\adminfiles"
Configuring FTP user isolation using the IIS Manager
Step 1: Use the FTP Site Wizard to create an FTP site
In this first step we will create a new FTP site that can be opened for Read-only access by anonymous users and Read/Write access by the administrator account.
1. In IIS Manager, in the Connections pane, click the Sites node in the tree.
2. As shown in the image below, right-click the Sites node in the tree and click Add FTP Site , or click Add FTP Site in the Actions pane.
3. When the Add FTP Site wizard appears:
a. Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths.
b. When you have completed these items, click Next .
4. On the next page of the wizard:
a. You would normally choose an IP address for your FTP site from the IP Address drop-down, or you could choose to accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, you want to make sure that you restrict access to the server and enter the local loopback IP address for your computer by typing "127.0.0.1" in the IP Address box.
b. You would normally enter the TCP/IP port for the FTP site in the Port box. For this walk-through, you will choose to accept the default port of 21.
c. For this walk- through, you will not use a host name, so make sure that the Virtual Host box is blank.
d. Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
e. When you have completed these items, click Next .
5. On the next page of the wizard:
a. Select Anonymous for the Authentication settings.
b. For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down, and select Read for the Permissions option.
c. When you have completed these items, click Finish .
6. When the FTP Authorization Rules page is displayed, click Add Allow Rule in the Actions pane.
7. When the Add Allow Authorization Rule dialog box is displayed:
a. Select Specified users, then type "administrator" in the box.
b. For Permissions, select both Read and Write.
c. When you have completed these items, click OK.
Summary
To recap the items that you completed in this step:
1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".
2. You bound the FTP site to the local loopback address for your computer on port 21, and we chose not to use Secure Sockets Layer (SSL) for the FTP site.
3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.
4. You added an authorization rule that allows the administrator account both "Read" and "Write" permissions for the FTP site.
5. You added Basic Authentication to the FTP site.
Step 2: Examining the new FTP user isolation settings
1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
3. When the FTP User Isolation feature page is displayed, notice that you have five different options available:
4. These five options are defined as:
1. Do not isolate users. Start users in:
a. FTP root directory
i. This option specifies that all FTP sessions will start in the root directory for the FTP site.
ii. Note: This option is new in this FTP server, and simply disables all user isolation or starting folder logic. (In applicationHost.config this is userIsolation mode "None".)
b. User name directory
i. This option specifies that all FTP sessions will start in the physical or virtual directory with the same name as the currently logged on user if the folder exists; otherwise, the FTP session will start in the root directory for the FTP site.
ii. Note: This option is the same as choosing no user isolation in the IIS 6.0 FTP server. For additional information about using this option, see the "Do Not Isolate Users Mode" section in the Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0) topic. (In applicationHost.config this is mode "StartInUsersDirectory".)
2. Isolate users. Restrict users to the following directory:
a. User name directory (disable global virtual directories)
i. This option specifies that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical or virtual directory tree. Any global virtual directories that are created will be ignored.
ii. Note: This option is new in this FTP server. (In applicationHost.config this is mode "IsolateAllDirectories".)
b. User name physical directory (enable global virtual directories)
i. This option specifies that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical directory tree. Any global virtual directories that are created will apply to all users.
ii. Note: This option is the same as choosing user isolation in the IIS 6.0 FTP server. (In applicationHost.config this is mode "IsolateRootDirectoryOnly".)
c. FTP home directory configured in Active Directory
i. This option specifies that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings for each FTP user.
ii. Note: This option is the same as choosing Active Directory user isolation in the IIS 6.0 FTP server. For additional information about using this option, see the "Isolate Users Using Active Directory Mode" section in the Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0) topic. (In applicationHost.config this is mode "ActiveDirectory".)
Step 3: Configuring User Isolation Settings by Physical Directories
When isolating users by physical directories only, all FTP user sessions are restricted to the physical directory with the same name of the FTP user account. However, any global virtual directories that are created will apply to all users.
1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
3. When the FTP User Isolation feature page is displayed, select the User name physical directory (enable global virtual directories) option, then click Apply in the Actions pane.
Logging in to your FTP site
You can now log in to your FTP site using user isolation, but the following information applies:
1. If you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you created in the Prerequisites section.
Logging in to your FTP site
You can now log in to your FTP site using user isolation, but the following information applies:
1. As with Step 3, if you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you created in the Prerequisites section.
2. If you log in to your FTP site using the administrator account, your session will be restricted to the "/LocalUser/administrator" virtual directory that you just created.
Summary
To recap the items that you completed in this step, you configured FTP user isolation using the User name directory (disable global virtual directories) option. When using this mode of user isolation, all FTP user sessions are restricted to the virtual or physical directory with the same name of the FTP user account, and any global virtual directories that are created will be ignored.
To create home directories for each user, you first need to create a virtual or physical directory under your FTP server's root folder that is named after your domain, or named LocalUser for local user accounts. Next, you need to create a virtual or physical directory for each user account that will access your FTP site. The following table lists the home directory syntax for the authentication providers that ship with the FTP service:

User account type                                            Physical home directory syntax
-----------------------------------------------------------  ---------------------------------
Anonymous users                                              %FtpRoot%\LocalUser\Public
Local Windows user accounts (requires basic authentication)  %FtpRoot%\LocalUser\%UserName%
Windows domain accounts (requires basic authentication)      %FtpRoot%\%UserDomain%\%UserName%
IIS Manager or ASP.NET custom authentication user accounts   %FtpRoot%\LocalUser\%UserName%

(Note: In the above table, %FtpRoot% is the root directory for your FTP site, for example C:\Inetpub\Ftproot.)
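The home-directory convention is the same in IIS 6 (the \TESTTWO\bsmith layout of the Staff site earlier on this page) and in the table just above, and so is the practical failure mode: under isolation, an account whose folder does not exist cannot log on at all. The following Python, added here and not part of either walkthrough, encodes the convention and checks an FTP root for missing folders before users are pointed at the site. It builds its sample layout in a temporary directory, so the account names (bsmith, mjones, domain TESTTWO) and the paths are constructed and nothing touches a real site.

```python
r"""Resolve and pre-flight-check FTP user isolation home directories.

Added example, not code from the article. It encodes the folder convention
the article describes for both the IIS 6 "Isolate users" mode and the IIS 7
table: anonymous -> <root>\LocalUser\Public, local or custom accounts ->
<root>\LocalUser\<user>, domain accounts -> <root>\<DOMAIN>\<user>. demo()
builds a throw-away copy of the article's Staff layout in a temporary
directory, so every name and path in it is constructed.
"""
import os
import tempfile

_BAD_NAME_CHARS = set('\\/:*?"<>|')


def parse_logon_name(logon):
    r"""Split 'DOMAIN\user' into (domain, user); a bare name is a local account."""
    if "\\" in logon:
        domain, user = logon.split("\\", 1)
        return domain, user
    return None, logon


def home_directory(ftp_root, username=None, domain=None, anonymous=False):
    """Return the physical home directory IIS will look for under user isolation."""
    if anonymous:
        return os.path.join(ftp_root, "LocalUser", "Public")
    # Reject names that could escape the root. The FTP service never hands us
    # such a name, but provisioning scripts fed from a ticket or a CSV might.
    if not username or username in (".", "..") or _BAD_NAME_CHARS & set(username):
        raise ValueError(f"refusing to build a home directory for {username!r}")
    bucket = domain if domain else "LocalUser"  # pre-Windows 2000 domain name
    return os.path.join(ftp_root, bucket, username)


def missing_home_directories(ftp_root, logon_names, allow_anonymous=True):
    """List the home directories that do not exist yet.

    Under isolation an account whose folder is missing cannot log on, so this
    is the check to run before announcing the site to its users.
    """
    wanted = []
    if allow_anonymous:
        wanted.append(home_directory(ftp_root, anonymous=True))
    for logon in logon_names:
        domain, user = parse_logon_name(logon)
        wanted.append(home_directory(ftp_root, user, domain))
    return [p for p in wanted if not os.path.isdir(p)]


def demo():
    """Recreate the Staff layout with mjones's folder left out; return what is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Staff Folders")
        os.makedirs(os.path.join(root, "TESTTWO", "bsmith"))
        os.makedirs(os.path.join(root, "LocalUser", "Public"))
        missing = missing_home_directories(root, ["TESTTWO\\bsmith", "TESTTWO\\mjones"])
        return [os.path.relpath(p, root) for p in missing]


if __name__ == "__main__":
    print("missing home directories:", demo())
```

The name check in home_directory is the part worth keeping even if the rest is rewritten: a provisioning script that joins an unvalidated account name onto the FTP root is a path traversal waiting to happen, and a folder created outside the root is exactly what isolation is meant to prevent.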
Global virtual directories are ignored; all virtual directories that are configured at the root-level of your FTP site cannot be accessed by any FTP users. All virtual directories must be explicitly defined under a user's physical or virtual home directory path.
Configuring FTP user isolation by editing the IIS configuration files
You can also configure user isolation for the new FTP service by editing the IIS configuration files. Note : Editing your applicationHost.config file requires full administrative permissions. This is best accomplished using one of two methods:
1. Log in to your computer using the local "administrator" account.
2. If you are logged in using an account with administrative permissions that is not the local "administrator" account, open Notepad using the "Run as Administrator" option.
Note : The above steps are required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems will prevent access to your applicationHost.config file. For more information about UAC, please see the following documentation:
http://technet.microsoft.com/en-us/windowsvista/aa906022.aspx
The following steps will walk you through all of the required settings to use several different user isolation modes.
Using a text editor such as Windows Notepad, open your applicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.
Locate the <sites> section.
Copy the entire <site> element for the Default Web Site and paste it on a new line just below its closing </site> tag.
Change the site's settings to create a unique FTP site:
1. Modify the name and id attributes for the new site to respectively contain "Default FTP Site" and "2". (Note: You may need to choose a different number than "2" for the site ID if any site is currently using that site identifier.)
2. Change the value of the protocol attribute on the binding element to contain "ftp".
3. Change the physicalPath attribute to "%SystemDrive%\inetpub\ftproot".
4. Change the port value of the bindingInformation attribute to contain "21".
Add an <ftpServer> section inside the new site element that enables the authentication methods and sets the user isolation mode. Your <ftpServer> section should resemble the following example:
    <ftpServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" userName="IUSR" />
                <basicAuthentication enabled="true" />
            </authentication>
        </security>
        <userIsolation mode="None" />
    </ftpServer>
Scroll to the bottom of your applicationHost.config file and add a location section for your Default FTP Site that will contain your authorization settings. Note: As shown in this example, the authorization settings for FTP sites are configured per URL, and specifically these settings enable Read permissions for all users, and Read/Write permissions for the administrator account. Because anonymous authentication is enabled on the site, "all users" includes anonymous users, so Read is the only permission that should ever appear on the "*" rule.
    <location path="Default FTP Site">
        <system.ftpServer>
            <security>
                <authorization>
                    <add accessType="Allow" users="*" permissions="Read" />
                    <add accessType="Allow" users="administrator" permissions="Read, Write" />
                </authorization>
            </security>
        </system.ftpServer>
    </location>
Save your applicationHost.config file.
Step 1: Starting in a User's Home Directory
To configure user isolation so that each user session begins in their home directory:
To create a home directory for the administrator account, create a folder for the administrator account at "%SystemDrive%\inetpub\ftproot\administrator".
Set the value of the mode attribute on the userIsolation element to "StartInUsersDirectory". Your userIsolation element should resemble something like the following example. Note : If a user's directory does not exist, the user session will begin in the root folder for the FTP site. For this example that folder would be "%SystemDrive%\inetpub\ftproot". Even if the user's home directory exists, the user can still change directory to the root folder for the FTP site.
<site name="Default FTP Site" id="2">
  <application path="/">
    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
    <userIsolation mode="StartInUsersDirectory" />
  </ftpServer>
</site>
Save your applicationHost.config file.
When logging in to your FTP site:
1. If you log in to your FTP site using the administrator account, your session will begin in the administrator folder that you just created.
2. If you log in to your FTP site anonymously, your session will begin in the root folder for the FTP site. To create a home directory for anonymous access, create a folder at "%SystemDrive%\inetpub\ftproot\anonymous". If you log in to your FTP site anonymously, your session will now begin in the anonymous folder that you just created.
Step 2: Configuring User Isolation Settings for the Root Directory
The following steps will walk you through configuring the "IsolateRootDirectoryOnly" mode of user isolation, which will restrict all users to a physical folder that must be created for each user. To configure "IsolateRootDirectoryOnly" user isolation:
Create a folder for the anonymous user at "%SystemDrive%\inetpub\ftproot\LocalUser\Public".
Set the value of the mode attribute on the userIsolation element to "IsolateRootDirectoryOnly". Your userIsolation element should resemble something like the following example. Note : If a user's home directory does not exist, the user will not be able to log in. After a user has successfully logged in, the user is restricted to their home directory and cannot change directory to the root folder for the FTP site.
<site name="Default FTP Site" id="2">
  <application path="/">
    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
    <userIsolation mode="IsolateRootDirectoryOnly" />
  </ftpServer>
</site>
Save your applicationHost.config file.
When logging in to your FTP site:
1. If you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you just created.
2. If you attempt to log in to your FTP site using the administrator account, your logon request will be denied because you do not have a home directory defined. To allow the administrator account to log in:
a. Create a home directory for the administrator account at "%SystemDrive%\inetpub\ftproot\LocalUser\Administrator".
b. If you log in to your FTP site using the administrator account, your session will be restricted to the "LocalUser\Administrator" folder that you just created.
Note : After logging out of your FTP site, delete the "%SystemDrive%\inetpub\ftproot\LocalUser\Administrator" folder.
Step 3: Configuring User Isolation Settings for All Directories
The following steps will walk you through configuring the "IsolateAllDirectories" mode of user isolation, which will restrict all users to either a virtual directory or a physical folder that must be created for each user. To configure "IsolateAllDirectories" user isolation:
Create a folder for the administrator account at "%SystemDrive%\inetpub\adminfiles".
Set the value of the mode attribute on the userIsolation element to "IsolateAllDirectories".
Add a virtual directory to the application section named "/LocalUser/administrator" that points to the "%SystemDrive%\inetpub\adminfiles" folder that you just created.
Your Default FTP Site should now resemble something like the following example. Note : If a user's virtual or physical directory does not exist, the user will not be able to log in. After a user has successfully logged in, the user is restricted to their home directory and cannot change directory to the root folder for the FTP site.
<site name="Default FTP Site" id="2">
  <application path="/">
    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" />
    <virtualDirectory path="/LocalUser/administrator" physicalPath="%SystemDrive%\inetpub\adminfiles" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
    <userIsolation mode="IsolateAllDirectories" />
  </ftpServer>
</site>
Save your applicationHost.config file.
When logging in to your FTP site:
a. If you log in to your FTP site anonymously, your session will be restricted to the physical "LocalUser\Public" folder that you created when configuring "IsolateRootDirectoryOnly" user isolation.
b. If you log in to your FTP site using the administrator account, your session will be restricted to the "/LocalUser/administrator" virtual directory that you just created.
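The three isolation modes above differ only in where a login lands and whether it is confined there. The following script is an added example (not part of the original walkthrough or of IIS itself): it parses a site definition shaped like the examples above and applies the walkthrough's rules for StartInUsersDirectory, IsolateRootDirectoryOnly and IsolateAllDirectories, so a configuration can be checked before anyone logs in. The SAMPLE_CONFIG string and the folder list are constructed for the example.

```python
import ntpath
import os
import xml.etree.ElementTree as ET

# Constructed sample mirroring the Default FTP Site in IsolateAllDirectories mode.
SAMPLE_CONFIG = r"""<configuration><system.applicationHost><sites>
 <site name="Default FTP Site" id="2">
  <application path="/">
   <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" />
   <virtualDirectory path="/LocalUser/administrator" physicalPath="%SystemDrive%\inetpub\adminfiles" />
  </application>
  <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
  <ftpServer>
   <security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <basicAuthentication enabled="true" />
   </authentication></security>
   <userIsolation mode="IsolateAllDirectories" />
  </ftpServer>
 </site>
</sites></system.applicationHost></configuration>"""


def ftp_sites(config_xml):
    """Map each FTP site name to (userIsolation mode, {vdir path: physicalPath}).
    Virtual-directory paths are lower-cased because IIS matches them case-insensitively."""
    sites = {}
    for site in ET.fromstring(config_xml).iter("site"):
        if not any(b.get("protocol") == "ftp" for b in site.iter("binding")):
            continue
        iso = site.find("./ftpServer/userIsolation")
        mode = iso.get("mode", "None") if iso is not None else "None"
        vdirs = {v.get("path").lower(): v.get("physicalPath") for v in site.iter("virtualDirectory")}
        sites[site.get("name")] = (mode, vdirs)
    return sites


def login_directory(mode, user, vdirs, exists=lambda p: os.path.isdir(os.path.expandvars(p))):
    """Apply the walkthrough's rules for where a login lands.
    Returns (directory, confined) or None when the logon is denied; pass 'anonymous'
    for anonymous logins. 'exists' is injectable so the rules can be checked off-disk."""
    root = vdirs["/"]
    if mode == "None":
        return root, False
    if mode == "StartInUsersDirectory":          # falls back to the site root if missing
        home = ntpath.join(root, user)            # anonymous -> <root>\anonymous
        return (home, False) if exists(home) else (root, False)
    name = "Public" if user == "anonymous" else user
    if mode == "IsolateAllDirectories":          # a virtual directory takes precedence
        vpath = vdirs.get(("/LocalUser/" + name).lower())
        if vpath:
            return vpath, True
    # IsolateRootDirectoryOnly, or IsolateAllDirectories with no virtual directory:
    # the physical LocalUser\<name> folder must exist, otherwise the logon is refused.
    home = ntpath.join(root, "LocalUser", name)
    return (home, True) if exists(home) else None
```

Run it against the real file (%SystemRoot%\System32\inetsrv\config\applicationHost.config) with the default `exists` to see which accounts would be refused or left unconfined under the configured mode.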
Summary
In this task you configured FTP user isolation by editing the IIS configuration files. To recap the items that you completed in this step:
1. You created a new FTP site by using the Default Web Site's settings as a template.
2. You configured the following authorization rules for the FTP site:
a. All users have Read permissions.
b. The administrator account has Read/Write permissions.
3. You configured the following three user isolation modes:
a. Starting in a User's Home Directory
b. User Isolation for the Root Directory
c. User Isolation for All Directories
Active Directory FTP User Isolation Mode (IIS 6.0)
[Today's post comes to us courtesy of Wayne McIntyre]
**DISCLAIMER
FTP is an older protocol which has been replaced with better methods of hosting files. FTP is also insecure: your usernames and passwords are sent in clear text, which poses a major security risk. For better methods in lieu of FTP, please consider using a secure SharePoint site, a secured website, or Secure FTP to host and share files. However, if you have no choice but to use FTP and need to isolate users, continue reading.
IIS 6.0 introduced a new feature for companies hosting an FTP site on their server to isolate users so they are “locked” in to their home directory and cannot browse the root of the FTP server. There are two ways of accomplishing this with user isolation: one method is to isolate users by creating a folder structure named after each username, and the other is to use Active Directory attributes to isolate the user(s). Here are the steps for configuring AD Isolation mode.
1. Install the FTP Service from Add/Remove Windows Components.
2. Open IIS Manager.
3. Delete the Default FTP Site, as it does not get created in isolation mode by default.
4. Create a new FTP site by right-clicking FTP Sites and going to New > FTP Site.
5. This will launch the FTP Site Creation Wizard; click Next.
6. Enter a description for your FTP site.
7. Set the IP address and port to use for your FTP site.
*Note: if you have ISA 2000/2004 installed on this server, do not select All Unassigned; select the internal IP address only.
8. The next screen will be the FTP User Isolation options; select Isolate users using Active Directory.
9. Next you will need to select a user that has access to Active Directory; any domain admin account will suffice. Click Next and re-enter the password to confirm.
10. Select the required permissions, click Next and then click Finish.
11. The IIS portion is now finished; now on to AD.
12. There are 2 schema attributes in AD that reside in the User class that allow us to define the user's home directory for FTP. They are msIIS-FTPRoot, which defines the root of the FTP server, and msIIS-FTPDir, which defines the user's home directory. The problem here is that there is no GUI interface to define these attributes, so for the purpose of this demonstration I will use ADSIEdit from the Support Tools to modify these attributes; however, you can also run the script below to do it as well.
Iisftp.vbs /SetADProp UserName FTPRoot \\Server\Share
Iisftp.vbs /SetADProp UserName FTPDir Directory
13. Load up ADSIEdit, drill down to the user account you want to isolate, open the properties of that account and modify the 2 attributes mentioned above.
14. Now whenever that user connects to your FTP server, the user will be isolated to the home directory that was defined in Active Directory.