Config.of FTP server in IIS

[ofelas 0]

Hi all, few questions;

 

1/ Can I configure separate root directories for each accessing client ?

 

2/ For FTP only access, should the clients be Users or Guests ?

 

3/ Any explanations of File/folder permissions & access rights for different users connected to my system would be great...FTP specific would be appreciated.

 

I've used Serv-U & G6; while they're easier for me to configure as far as user access goes, I kinda like the idea of using NTFS to lockdown security...

 

Thanks in advance,

 

Chip.

[clutch 1]

1. http://www.iisanswers.com/Top10FAQ/t10-FTPuersfolder.htm

 

2. The "Guest" account is a user account as well. It's just used as a default account when the user as no credentials. Now, if you mean "anonymous" connections, then you will be allowing for anyone to access your site/directories.

 

3. If you are familiar with NTFS permissions already, then you will be fine when setting up NTFS through FTP. IIS uses pass-thru authentication for directories when using either the WWW or FTP services (this includes the index server, but that's another topic). Just make sure that if someone is supposed to have write ability to a site/directory, to make sure that they not only have that permission in NTFS, but that it's setup in FTP as well. I tend to allow write access in the FTP properties for everything and cut access using NTFS.

[ofelas 0]

Hey, nice site for an newbie like me...OK then...here goes, I'm getting ready to wade through file/folder permissions, sharing,security, web sharing, etc. etc.

 

thanks, I'll keep bugging ya if I get stuck in the NTFS morass...

[ofelas 0]

Couple more things;

 

1/ I'd like to install the FTP server by itself; I don't really have to install the Web Server component as well, do I ?

 

2/ Installing the Web Server component in IIS install results in yet another tab under File/Folder properties-'Web Sharing'.

 

3/ I don't have to enable Web Sharing or even regular sharing, right ?

What I'm trying to do is set up different folders for different users who will ONLY access my system via FTP.

All the users are known/trusted, so I don't really need any anonymous logins.

Should I completely stop anonymous logins ?

 

Thanks...

[clutch 1]

Install the IIS suite, and then stop all the websites using the MMC snap-in for IIS. As far as I know, you will have to install both WWW and FTP functions to get FTP. In addition, I would disable anonymous login and assign ONLY the permissions needed to each folder being used on the FTP server. I have never used a web sharing tab, and I have setup quite a few sites over the last few years using this method. I just setup the virtual directory leaving r/w access open, setup the permissions on it in NTFS, and disable anonymous logons if not needed. I do the same thing with my web services as well. I make accounts in my domain for people using the FTP server as well. If you want a person to use a resource, then you are better off creating an account to manage that resource. I have several accounts on my home FTP server for friends, and they each have their own account, plus I have a domain group setup for them so I can assign group permissions to general folders. If I want someone in the group to have different access (like write rather than read-only) I add them seperately to the resource with the required permissions.

[ofelas 0]

Thanks, clutch;

 

I installed the entire suite, then, when I tried to access help via the FTP site/properties/help, i got a message saying "fsconfig.HLP" was not available; a search produced no results either. Any ideas ?

 

Next, your suggestion re. no anonymous users makes sense-the only people who access my ftp[ site are known, and have Guest accounts (under 'Other').

 

My directory structure is as follows-

 

1/ a main folder on a different partition

2/ a subfolder for each user

3/ two subfolders under each user subfolder-

a/ downloads

b/ uploads

 

A user (Guest) must ONLY read/list from subfolder (a) &

ONLY write to subfolder (.

Can I delete the "Eveyone" setting for the above folders

& subfolders, so only Administrators & System have

total access, while each user (Guest) has Read/Write for

only their specific subfolders ?

Hopefully that should prevent my evn going into the

Advanced tab under Security...?

 

 

4/ For my FTP site, one Virtual Directory per user (Guest)

mapped to their user subfolder (as explained above).

Read/Write/Log checked on each Virtual Directory.

 

5/ My FTP site's root folder is the default inetpub/ftproot

with Read/Log checked (it's completely empty, + I don't

want anyone to write to it)

 

6/ I plan to uncheck both 'Anonymous' boxes on my Site

Properties; what about the 'allow IIS secure

password/encryption/authentication' box ?

 

7/ Lastly,if I keep the lower 'anonymous' box checked under

FTP site properties, do I actually have to create

different Guests in Control Panel-Users & passwords,

or since I have different Virtual Directories with the

same names as the FTP users, they would all log on using

the FTP site's built-in Guest account ? None of my users

will be local/log in to my actual system, just via FTP.

 

I apologize for these long-winded questions...

 

Thanx,

Chip.

[clutch 1]

I am getting the impression that you are not familiar with administering a NT server a network. Basically, you can administer the FTP/WWW directories in the same manner as any other directory/share. When I stated "In addition, I would disable anonymous login and assign ONLY the permissions needed to each folder being used on the FTP server", I meant to can ANY and ALL extraneous permissions on the directories. That includes the "Everyone" container that was granted access to those directories. What I do is assign admin and remove everyone at the same time. You can also use CACLS.EXE (view the help files by typing CACLS /? at the command prompt for more info) and edit the ACLs (Access Control Lists-metadata attached to each file for permissions and properties usage) for total control over who can do what. In addition, please do not continue referring to users as "guests" if they have accounts. I am not sure what you mean by using that term. If a person has an account, then they should be in the "Domain Users" or "Users" groups depending on the model of network that you are using.

 

If you are not sure how to do what you are looking to do, I would suggest that you try a simpler setup procedure rather than all the repeated directories and subdirectories until you get familiar with the permissions structure of NT.

 

And as far as number 6 goes, I have no idea what you are talking about. Please submit a screenshot of this prompt, as I can't find anything on my server with that wording.

[clutch 1]

I see that you posted another question while I was responding. OK, how about you tell me what your experience with NT/2K is on a network, and we will see if there is some sort a parallel that I can draw on for you. You have to realize that when using NTFS permissions, your server will be vali[censored] against ITS OWN DOMAIN CREDENTIALS. There are NO other accounts that you can create "just" for IIS that will not be in the domain/workgroup accounts. If you want to use NTFS, then you have use IIS AND create those accounts in the domain/workgroup in question. That's it, bottom line. That is how NTFS credential validation works; it checks against the prevailing account databases (SAMs) to see if a person has the proper credentials to access a resource. This can be on a local PC/Server, all the way up to a multi-master domain with 2-way trusts. If you want to give someone access to something, you HAVE to give them an account. You also want to get rid of any unnecessary accounts (like that awful "everyone" container) to close up holes in your system.

[ofelas 0]

Yes, I have very limited experience in administering a network.

 

I'm basically trying to setup an FTP site for 6 clients to upload/download inventory databases.

 

Gotcha-I'll create 6 user accounts for them on my system.

When I created a test account, I selected "other-guests" under user groups. Should I have selected "restricted user" instead since they'll only be reading/writing, via FTP ?

 

I'm re-installing IIS to see if it installs the help file this time.The box I meant is one of those on the same view from FTP site/properties,where "allow only anonymous connections" & "allow anonymous.." are - it's directly below them.

 

Thanx.

 

* Just re-installed IIS - the Help files are all there now; the box I meant was "Allow IIS to control password".

[clutch 1]

"Allow IIS to control password" merely means that IIS sets the password for the default anonymous account. Remember when I stated that any resource HAD to have a valid account for access? Well, the "SERVERNAME-IISuser" account is an account in the workgroup/domain that IIS uses for anonymous connections. On a side note, all services will require credentials as well, whether it be the local "service" account or a seperate account that may require upgraded permissions.

 

Now, as far as group membership, I would suggest that you create another group dedicated to FTP (I use FTP Losers for mine ) to make it easier to narrow their permissions down to just the FTP directories.

 

OK, in the future I would also recommend that you put the FTP "root" directory somewhere other than the default one for various reasons (some exploits rely on the location being default).

 

BTW, what types of files are the databases anyway? Could you use ASP Pages to drive them?

[ofelas 0]

Thanx; looks like my safest bet is to leave the Default FTP site/settings alone, and create another FTP site to mess with the settings.....

 

Oh yeah, the databases are just regular Access databases with client info (billing, shipping, orders, etc.).