· Creating an FTP Site
· Controlling Access to an FTP Site
· Configuring FTP Site Logging
· Stopping and Starting FTP Sites
· Implementing FTP User Isolation
For the sake of interest, we'll again explain these tasks in the context of a fictitious company called TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the Internet.
Preliminary Steps
As mentioned in the previous article, IIS is not installed by default during a standard installation of Windows Server 2003, and if you installed IIS using Manage Your Server as described in the previous article, this installs the WWW service but not the FTP service. So before we can create FTP sites we first have to install the FTP service on our IIS machine. To do this, we need to add an additional component to the Application Server role we assigned our machine when we used Manage Your Server to install IIS.
Begin by opening Add or
Remove Programs in Control Panel and selecting Add/Remove Windows Components.
Then select the checkbox for Application Server:
Click Details and select
the checkbox for Internet Information Services (IIS):
Click Details and select
the checkbox for File Transfer Protocol (FTP) Services.
Click OK twice and then Next to install the FTP service. During installation you'll need to insert your Windows Server 2003 product CD or browse to a network distribution point where the Windows Server 2003 setup files are located. Click Finish when the wizard is done.
Creating an FTP Site
As with web sites, the simplest approach to identifying each FTP site on your machine is to assign each of them a separate IP address, so let's say that our server has three IP addresses (172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the Human Resources department, but before we do that let's first examine the Default FTP Site that was created when we installed the FTP service on our machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on Default FTP Site and select Properties:
Just like the Default
Web Site, the IP address for the Default FTP Site is set to All Unassigned. This
means any IP address not specifically assigned to another FTP site on the
machine opens the Default FTP Site instead, so right now opening either
ftp://172.16.11.210, ftp://172.16.11.211 or ftp://172.16.11.212 in Internet
Explorer will display the contents of the Default FTP Site.
Let's assign the IP address 172.16.11.210 for the Human Resources FTP site and make D:\HR the folder where its content is located. To create the new FTP site, right-click on the FTP Sites node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a description for the site:
Click Next and specify
172.16.11.210 as the IP address for the new site:
Click Next and select Do
not isolate users, since this will be a site that anyone (including guest users)
will be free to access:
Click Next and specify
C:\HR as the location of the root directory for the site:
Click Next and leave the
access permissions set at Read only as this site will only be used for
downloading forms for present and prospective employees:
Click Next and then
Finish to complete the wizard. The new Human Resources FTP site can now be seen
in IIS Manager under the FTP Sites node:
To view the contents of
this site, go to a Windows XP desktop on the same network and open the URL
ftp://172.16.11.210 using Internet Explorer:
Note in the status bar
at the bottom of the IE window that you are connected as an anonymous user. To
view all users currently connected to the Human Resources FTP site, right-click
on the site in Internet Service Manager and select Properties, then on the FTP
Site tab click the Current Sessions button to open the FTP User Sessions
dialog:
Note that anonymous
users using IE are displayed as IEUser@ under Connected Users.
Now let's create another FTP site using a script instead of the GUI. We'll create a site called Help and Support with root directory C:\Support and IP address 172.16.11.211:
Here's the result of running the script:
The script we used here is Iisftp.vbs, which, like the Iisweb.vbs and Iisvdir.vbs scripts discussed in the previous article, is one of several IIS administration scripts available when you install IIS on Windows Server 2003. The full syntax for this script can be found here. Once you create a new FTP site using this script you can further configure the site using IIS Manager in the usual way.
Note: At this point you could add structure to your FTP site by creating virtual directories, and this is done in the same way as was described in the previous article for working with web sites.
Controlling Access to an FTP Site
Just like for web sites,
there are four ways you can control access to FTP sites on IIS: NTFS
Permissions, IIS permissions, IP address restrictions, and authentication
method. NTFS permissions are always your first line of defense but we can't
cover them in detail here. IIS permissions are specified on the Home Directory
tab of your FTP site's properties sheet:
Note that access
permissions for FTP sites are much simpler (Read and Write only) than they are
for web sites, and by default only Read permission is enabled, which allows
users to download files from your FTP site. If you allow Write access, users
will be able to upload files to the site as well. And of course access
permissions and NTFS permissions combine the same way they do for web sites.
Like web sites, IP
address restrictions can be used to allow or deny access to your site by clients
that have a specific IP address, an IP address in a range of addresses, or a
specific DNS name. These restrictions are configured on the Directory Security
tab just as they are for web sites, and this was covered in the previous
article so we won't discuss them
further here.
FTP sites also have
fewer authentication options than web sites, as can be seen by selecting the
Security Accounts tab:
By default Allow
anonymous connections is selected, and this is fine for public FTP sites on the
Internet but for private FTP sites on a corporate intranet you may want to clear
this checkbox to prevent anonymous access to your site. Clearing this box has
the result that your FTP site uses Basic Authentication instead, and users who
try to access the site are presented with an authentication dialog
box:
Note that Basic
Authentication passes user credentials over the network in clear text so this
means FTP sites are inherently insecure (they don't support Windows integrated
authentication). So if you're going to deploy a private FTP site on your
internal network make sure you close ports 20 and 21 on your firewall to block
incoming FTP traffic from external users on the Internet.
Configuring FTP Site Logging
As with web sites, the
default logging format for FTP sites is the W3C Extended Log File Format, and
FTP site logs are stored in folders named
%SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn
where nnnnnnnnnn is the
ID number of the FTP site. And just as with web sites, you can use the Microsoft
Log Parser, part of the IIS
6.0 Resource Kit Tools, to analyze these FTP
site logs.
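As an added example (not part of the original article, and not Log Parser itself), the following Python script parses the W3C Extended format that IIS 6 writes for an FTP site and pulls out the two things a defender usually wants from an MSFTPSVC log: repeated failed logons (a 530 reply to PASS) per client and user, and every upload (the "created" method) per user. The log lines are constructed for the example; the field list is the default set for IIS 6 FTP logs, and the [n] prefix on cs-method is the FTP session id.

```python
"""Summarise an IIS 6 FTP (MSFTPSVC) W3C Extended log: failed logons and uploads."""
from collections import Counter, defaultdict

# Constructed sample log (not a real capture) in the format IIS 6 writes to
# %SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn\exYYMMDD.log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-22 16:48:41
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2004-06-22 16:48:41 172.16.11.100 bsmith [1]USER bsmith 331 0
2004-06-22 16:48:41 172.16.11.100 bsmith [1]PASS - 230 0
2004-06-22 16:48:50 172.16.11.100 bsmith [1]created Bob's+Document.doc 226 0
2004-06-22 16:49:02 172.16.11.100 bsmith [1]QUIT - 226 0
2004-06-22 17:02:11 203.0.113.7 mjones [2]USER mjones 331 0
2004-06-22 17:02:12 203.0.113.7 mjones [2]PASS - 530 1326
2004-06-22 17:02:15 203.0.113.7 mjones [3]USER mjones 331 0
2004-06-22 17:02:16 203.0.113.7 mjones [3]PASS - 530 1326
2004-06-22 17:02:19 203.0.113.7 mjones [4]USER mjones 331 0
2004-06-22 17:02:20 203.0.113.7 mjones [4]PASS - 530 1326
2004-06-22 17:10:00 172.16.11.101 anonymous [5]USER anonymous 331 0
2004-06-22 17:10:00 172.16.11.101 IEUser@ [5]PASS IEUser@ 230 0
2004-06-22 17:10:03 172.16.11.101 IEUser@ [5]sent /forms/W4.pdf 226 0
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field list can change mid-file
        elif line.startswith("#") or not line.strip():
            continue                          # other directives, blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def summarize(text, failed_logon_threshold=3):
    """Count 530 replies to PASS per (client, user) and list uploads per user."""
    failed = Counter()
    uploads = defaultdict(list)
    for e in parse_w3c(text):
        method = e["cs-method"].split("]", 1)[-1]   # strip the [n] session id
        if method == "PASS" and e["sc-status"] == "530":
            failed[(e["c-ip"], e["cs-username"])] += 1
        elif method == "created":
            uploads[e["cs-username"]].append(e["cs-uri-stem"])
    suspicious = {k: n for k, n in failed.items() if n >= failed_logon_threshold}
    return {"failed_logons": dict(failed), "uploads": dict(uploads),
            "suspicious": suspicious}
```

Pointing parse_w3c at a real exYYMMDD.log file works the same way, since the #Fields directive in the file drives the column names.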
Stopping and Starting FTP Sites
If an FTP site becomes unavailable you may need to restart it to get it working again, which you can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start. From the command line you can type net stop msftpsvc followed by net start msftpsvc, or use iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as any users currently connected to the site will be disconnected.
Implementing FTP User Isolation
Finally, let's conclude
by looking at how to implement the new FTP User Isolation feature of IIS in
Windows Server 2003. When an FTP site uses this feature, each user accessing the
site has an FTP home directory that is a subdirectory under the root directory
for the FTP site, and from the perspective of the user their FTP home directory
appears to be the top-level folder of the site. This means users are prevented
from viewing the files in other users' FTP home directories, which has the
advantage of providing security for each user's files.
Let's create a new FTP
site called Staff that makes use of this new feature, using C:\Staff Folders as
the root directory for the site and 172.16.11.212 for the site's IP address.
Start the FTP Site Creation Wizard as we did previously and step through it
until you reach the FTP User Isolation page and select the Isolate users option
on this page:
Continue with the wizard
and be sure to give users both Read and Write permission so they can upload and
download files.
Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones), who have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP home directories on your server, first create a subfolder named \TESTTWO beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the \Accounts folder. Your folder structure should now look like this:
C:\Staff Folders
    \TESTTWO
        \bsmith
        \mjones
To test FTP User Isolation let's put a file named Bob's Document.doc in the \bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop, open Internet Explorer and try to open ftp://172.16.11.212, which is the URL for the Staff FTP site we just created. When you do this an authentication dialog box appears, and if you're Bob then you can enter your username (using the DOMAIN\username form) and password like this:
When Bob clicks the Log
On button the contents of his FTP home directory are displayed:
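As an added example (not from the original article), this Python script encodes the home-directory mapping that the Isolate users option relies on and audits an FTP root against a list of expected logons. The article only shows the DOMAIN\username form; the LocalUser\username and LocalUser\Public conventions for local and anonymous logons are IIS 6's documented defaults for this mode. The audit reports home directories that are still missing (those users would be refused access) and directories under the root that belong to no expected account, which is worth checking because every directory present is reachable by the matching logon. The folder layout is built in a temporary directory so the example runs anywhere.

```python
"""Audit the home-directory layout an IIS 6 FTP site using Isolate users expects."""
import os
import tempfile


def home_dir(root, logon):
    """Map a logon to the isolated home IIS 6 resolves for it (documented defaults):
    DOMAIN\\user -> root\\DOMAIN\\user, bare local user -> root\\LocalUser\\user,
    anonymous -> root\\LocalUser\\Public."""
    if logon.lower() == "anonymous":
        return os.path.join(root, "LocalUser", "Public")
    domain, sep, user = logon.rpartition("\\")
    return os.path.join(root, domain if sep else "LocalUser", user)


def audit(root, expected_logons):
    """Return (missing, unexpected): expected homes that do not exist yet, and
    second-level directories under the root that map to no expected logon."""
    expected = {os.path.normcase(home_dir(root, logon)) for logon in expected_logons}
    missing = sorted(p for p in expected if not os.path.isdir(p))
    present = set()
    for domain in os.listdir(root):
        dpath = os.path.join(root, domain)
        if os.path.isdir(dpath):
            for user in os.listdir(dpath):
                present.add(os.path.normcase(os.path.join(dpath, user)))
    return missing, sorted(present - expected)


def demo():
    """Build a constructed copy of the Staff Folders layout and audit it.
    \\TESTTWO\\oldtemp is an extra folder nobody provisioned; ajones has no home yet."""
    root = tempfile.mkdtemp(prefix="StaffFolders_")
    for sub in (("TESTTWO", "bsmith"), ("TESTTWO", "mjones"), ("TESTTWO", "oldtemp")):
        os.makedirs(os.path.join(root, *sub))
    missing, unexpected = audit(
        root, ["TESTTWO\\bsmith", "TESTTWO\\mjones", "TESTTWO\\ajones"])
    rel = lambda paths: [os.path.relpath(p, root).replace("\\", "/") for p in paths]
    return rel(missing), rel(unexpected)


if __name__ == "__main__":
    print("missing homes:", demo()[0], "unexpected dirs:", demo()[1])
```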
Note that when you
create a new FTP site using FTP User Isolation, you can't convert it to an
ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly,
an ordinary FTP site can't be converted to one using FTP User Isolation.
We still need to explore one more option and that's the third option on the FTP User Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211. One way we can do this is by opening a command prompt and typing iisftp /delete "Help and Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again and select the third option mentioned above (we'll name this new site Management):
Click Next and enter an
administrator account in the domain, the password for this account, and the full
name of the domain:
Click Next and confirm
the password and complete the wizard in the usual way. You'll notice that you
weren't prompted to specify a root directory for the new FTP site. This is
because when you use this approach each user's FTP home directory is defined by
two environment variables: %ftproot% which defines the root directory and can be
anywhere including a UNC path to a network share on another machine such as
\\test220\docs, and %ftpdir% which can be set to %username% so that for example
Bob Smith's FTP home directory would be \\test220\docs\bsmith and this folder
would have to be created beforehand for him. You could set these environment
variables using a logon script and assign the script using Group Policy, but
that's beyond the scope of this present article.