Solved

IIS 6.0 FTP Server Problem

Posted on 2004-10-05
Last Modified: 2008-02-01
I have a client who has set up an FTP server in IIS 6.0.  All seems well except the users can upload their websites to the root of the server!!

The client wants to be able to restrict access of users to their own folders and no further.

Are there any instructions on this or places to refer a client to?

Thanks,
Dale
Question by:dgore1

Accepted Solution

by:
Dave_Dietz earned 250 total points
ID: 12232443
Blatantly copied from the IIS Help files in IIS 6.0:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Isolating FTP Users
FTP user isolation is a solution for Internet service providers (ISPs) and Application service providers who want to offer their customers individual FTP directories for uploading files and Web content. FTP user isolation prevents users from viewing or overwriting other users' Web content by restricting users to their own directories. Users cannot navigate higher up the directory tree because the top-level directory appears as the root of the FTP service. Within their specific site, users have the ability to create, modify, or delete files and folders.

FTP user isolation is a site property, not a server property. It can be turned on or off for each FTP site.

FTP User Isolation Modes
FTP user isolation supports three isolation modes. Each mode enables different levels of isolation and authentication.

Isolation Mode / Description

Do not isolate users: This mode does not enable FTP user isolation. This mode is designed to work similarly to earlier versions of IIS. Because isolation is not enforced among different users logging on to your FTP server, this mode is ideal for a site that offers only download capabilities for shared content or for sites that do not require protection of data access between users.

Isolate users: This mode authenticates users against local or domain accounts before they can access the home directory that matches their user name. All user home directories are in a directory structure under a single FTP root directory where each user is placed and restricted to their home directory. Users are not permitted to navigate out of their home directory. If users need access to dedicated shared folders, you can also establish a virtual root. This mode does not authenticate against Active Directory directory service.
 Note: Server performance can degrade when this mode is used to create hundreds of home directories.

Isolate users using Active Directory: This mode authenticates user credentials against a corresponding Active Directory container, rather than searching the entire Active Directory, which requires large amounts of processing time. Specific FTP server instances can be dedicated to each customer to ensure data integrity and isolation. When a user's object is located within the Active Directory container, the FTPRoot and FTPDir properties are extracted to provide the full path to the user's home directory. If the FTP service can successfully access the path, the user is placed within the home directory, which represents the FTP root location. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the directory tree. The user is denied access if either the FTPRoot or FTPDir property do not exist, or, if these two together do not form a valid and accessible path.
 Note: This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema. To learn more about setting up an Active Directory server, see Windows Help.


Configuring FTP User Isolation with IIS Manager
When your FTP server is set to isolate users, all user home directories are located in a two-level directory structure in the FTP site directory (as configured on the FTP home directory property page). The FTP site directory can either reside on the local machine or on a network share.

 Important You must be a member of the Administrators group on the local computer to perform the following procedure (or procedures), or you must have been delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".

To create a new FTP site that does not isolate users

1. In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Click Next.
3. Provide the required information in the FTP Site Description and IP Address and Port Settings dialog boxes, and click Next.
4. In the FTP User Isolation dialog box, click Do not isolate users, and click Next.
5. Complete the remaining steps of the wizard.

To create a new FTP site that isolates users

1. In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Provide the required information in the FTP Site Description and IP Address and Port Settings dialog boxes, and click Next.
3. In the FTP User Isolation dialog box, click Isolate users, and click Next.
4. Complete the remaining steps of the wizard.
5. Right-click the new FTP site you created, and click Properties.
6. Click the Security Accounts tab. If the Allow anonymous connections check box is selected, in the User name and Password boxes, type a user name and password to use to authenticate anonymous users.
7. If anonymous access is allowed, create the subdirectories LocalUser and LocalUser\Public under the FTP site home directory.
8. If users of the local computer log in with their individual account user names (rather than as anonymous users), create the subdirectories LocalUser and LocalUser\username under the FTP site root directory for each user allowed to connect to this FTP site.
9. If users of different domains log on with their explicit domain\username credentials, create a subdirectory for each domain (by using the name of the domain) under the FTP site root directory. Under each domain directory, create a directory for each user. For example, to support access by user Sales\user1, create the Sales and Sales\user1 directories.

Configuring FTP User Isolation with Active Directory
When you set your FTP server to isolate users with Active Directory, each user's home directory can reside on an arbitrary network path. In this mode, you have the flexibility to distribute user home directories across multiple servers, volumes, and directories as is appropriate to the network configuration. You can also set the FTPRoot and FTPDir properties for a user to form a local path to the FTP server machine. This mode integrates Active Directory authentication when retrieving a user's home directory information. This integration enables you to use Active Directory Services Interfaces (ADSI) and scripting to manage the physical location of user home directories.

This mode is most appropriate for ISP deployments, where an array of front-end FTP servers all access an Active Directory to retrieve home directory information for users, and access an array of back-end file servers.

The Active Directory User object has been extended to include two properties: FTPRoot and FTPDir. These properties store the file server share and relative home directory for each user. The FTPRoot determines the Universal Naming Convention (UNC) file server share, while the FTPDir indicates the relative path on the share. Concatenating these two properties results in the full UNC path to the users' home directory, or to the FTP server.

These two properties correspond to the msIIS-FTPRoot and msIIS-FTPDir properties that were added to the Active Directory schema in the Windows Server 2003 family. They can also be set and modified using the iisftp.vbs command-line administration script. For more information on setting these properties using the iisftp.vbs command-line administration script, search for "iisftp.vbs" in Windows Help. You can also install the Admin Pack, available with Windows Server 2003 family Resource Kit, and modify these properties using the Active Directory snap-in.

Configuring user isolation by using Active Directory involves setting up the following corresponding services:

File servers: You can use file servers to create the shares and user directories for all users permitted to connect to the FTP service, including anonymous accounts. You should plan for expected disk space usage, storage management, network traffic, and other processes related to your server infrastructure.
Active Directory: This mode of user isolation requires the availability of an Active Directory server running on an operating system in the Windows Server 2003 family. The Windows Server 2003 family Active Directory schema is the first to contain the user object properties used by the FTP service. For more information about setting up an Active Directory server, see Windows Help. You should also configure the user object in Active Directory for each user (including anonymous accounts) by setting the FTPRoot and FTPDir properties to point to the home directories. Also note that frequently used information retrieved from Active Directory is cached on the FTP server. You can limit the maximum elapsed time before flushing the cache for the Active Directory properties corresponding to the anonymous user by using the registry parameter DsCacheRefreshSecs.
 Important To use FTP user isolation in Active Directory mode with Windows 2000 domain controllers, you need to extend the base user object in the Windows 2000 Active Directory schema to include the new FTP properties, msIIS-FTPRoot and msIIS-FTPDir. For more information on how to extend the base user object in the Windows 2000 Active Directory schema, see the Active Directory Programmer's Guide.

To create a new FTP site that isolates users with Active Directory

1. In IIS Manager, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Provide the required information in the FTP Site Description and IP Address and Port Settings dialog boxes, and click Next.
3. In the FTP User Isolation dialog box, click Isolate users using Active Directory, and click Next.
4. Complete the remaining steps of the wizard.
5. Right-click the new FTP site you created, and click Properties.
6. Click the Security Accounts tab. If the Allow anonymous connections check box is selected, in the User name and Password boxes, type a user name and password to use to authenticate anonymous users. This user should not be a local computer user, but rather a domain user with appropriate home directory configuration in the Active Directory object.
7. Type a default logon domain name. This domain name is given to users who do not specify their user domain when they log on. In other words, a user connecting with the user name "domain1\user1" is authenticated against domain1, while a user connecting as user2 is authenticated against the default logon domain. If a default domain is not set, and a user does not specify a domain name, access is denied for all but anonymous users.

Related Topics
For information on installing the FTP service, see FTP Site Setup.

--------------------------------------------------------------------------------

© 1997-2003 Microsoft Corporation. All rights reserved.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hope this helps.

Dave Dietz
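To make the directory rules in the "Isolate users" steps above concrete, here is an added Python example (not from the post or the IIS help text) that maps each logon name to the home directory the layout expects, lists accounts that still lack one so they can be created before isolation is switched on, and checks that a requested path cannot climb above a user's home. The site root, account names and paths are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Added example, not from the post or the IIS help text: models the two-level
# directory layout that IIS 6.0 "Isolate users" mode expects under the site root.

def isolated_home(root, logon):
    """Home directory isolation mode expects for a logon name.
    anonymous -> LocalUser/Public, user1 -> LocalUser/user1, Sales\\user1 -> Sales/user1
    """
    root = Path(root)
    if logon.lower() == "anonymous":
        return root / "LocalUser" / "Public"
    if "\\" in logon:                      # explicit domain\username logon
        domain, user = logon.split("\\", 1)
        return root / domain / user
    return root / "LocalUser" / logon      # local account


def create_layout(root, logons):
    """Create the directory for every planned logon (LocalUser, domains, Public)."""
    for logon in logons:
        isolated_home(root, logon).mkdir(parents=True, exist_ok=True)


def missing_homes(root, logons):
    """Logons with no matching directory yet: check this before enabling isolation."""
    return [logon for logon in logons if not isolated_home(root, logon).is_dir()]


def is_confined(root, logon, requested):
    """True if a client-requested path stays inside the user's own home.

    The home is the user's FTP root, so '..' segments cannot reach the site
    root that the question complained about.
    """
    home = isolated_home(root, logon).resolve()
    target = (home / requested.lstrip("/\\")).resolve()
    return target == home or home in target.parents


def demo():
    root = tempfile.mkdtemp()  # constructed sample site root
    create_layout(root, ["anonymous", "user1", "Sales\\user1"])
    return {
        "missing": missing_homes(root, ["user1", "user2", "Sales\\user1", "Sales\\user2"]),
        "root_upload_blocked": not is_confined(root, "user1", "../../index.htm"),
        "own_site_allowed": is_confined(root, "user1", "site/index.htm"),
    }
```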

Author Comment

by:dgore1
ID: 12254478
Dave,

Thanks!!!  This solved the problem completely!!!

Dale

Expert Comment

by:Dave_Dietz
ID: 12300550
Care to award some points?  :-)

Dave Dietz