Solved

IIS 6.0 FTP Server Problem

Posted on 2004-10-05
Last Modified: 2008-02-01
I have a client who has setup an FTP server in IIS 6.0.  All seems well except the users can upload their websites to the root of the server!!

The clients wants to be able to restrict access of users to their own folders and no further.

Are there any instructions on this or places to refer a client to?

Thanks,
Dale
Question by:dgore1

Accepted Solution

by:
Dave_Dietz earned 250 total points
ID: 12232443
Blatantly copied from the IIS Help files in IIS 6.0:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Isolating FTP Users
FTP user isolation is a solution for Internet service providers (ISPs) and Application service providers who want to offer their customers individual FTP directories for uploading files and Web content. FTP user isolation prevents users from viewing or overwriting other users' Web content by restricting users to their own directories. Users cannot navigate higher up the directory tree because the top-level directory appears as the root of the FTP service. Within their specific site, users have the ability to create, modify, or delete files and folders.

FTP user isolation is a site property, not a server property. It can be turned on or off for each FTP site.

FTP User Isolation Modes
FTP user isolation supports three isolation modes. Each mode enables different levels of isolation and authentication.

Isolation Mode / Description

Do not isolate users: This mode does not enable FTP user isolation. This mode is designed to work similarly to earlier versions of IIS. Because isolation is not enforced among different users logging on to your FTP server, this mode is ideal for a site that offers only download capabilities for shared content or for sites that do not require protection of data access between users.

Isolate users: This mode authenticates users against local or domain accounts before they can access the home directory that matches their user name. All user home directories are in a directory structure under a single FTP root directory where each user is placed and restricted to their home directory. Users are not permitted to navigate out of their home directory. If users need access to dedicated shared folders, you can also establish a virtual root. This mode does not authenticate against Active Directory directory service.
Note: Server performance can degrade when this mode is used to create hundreds of home directories.

Isolate users using Active Directory: This mode authenticates user credentials against a corresponding Active Directory container, rather than searching the entire Active Directory, which requires large amounts of processing time. Specific FTP server instances can be dedicated to each customer to ensure data integrity and isolation. When a user's object is located within the Active Directory container, the FTPRoot and FTPDir properties are extracted to provide the full path to the user's home directory. If the FTP service can successfully access the path, the user is placed within the home directory, which represents the FTP root location. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the directory tree. The user is denied access if either the FTPRoot or FTPDir property does not exist, or if these two together do not form a valid and accessible path.
Note: This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema. To learn more about setting up an Active Directory server, see Windows Help.

Configuring FTP User Isolation with IIS Manager
When your FTP server is set to isolate users, all user home directories are located in a two-level directory structure in the FTP site directory (as configured on the FTP home directory property page). The FTP site directory can either reside on the local machine or on a network share.

Important: You must be a member of the Administrators group on the local computer to perform the following procedure (or procedures), or you must have been delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".

To create a new FTP site that does not isolate users

1. In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Click Next.
3. Provide the required information in the FTP Site Description and IP Address and Port Settings dialog boxes, and click Next.
4. In the FTP User Isolation dialog box, click Do not isolate users, and click Next.
5. Complete the remaining steps of the wizard.

To create a new FTP site that isolates users

1. In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Provide the required information in the FTP Site Description and IP Address and Port Settings dialog boxes, and click Next.
3. In the FTP User Isolation dialog box, click Isolate users, and click Next.
4. Complete the remaining steps of the wizard.
5. Right-click the new FTP site you created, and click Properties.
6. Click the Security Accounts tab. If the Allow anonymous connections check box is selected, in the User name and Password boxes, type a user name and password to use to authenticate anonymous users.
7. If anonymous access is allowed, create the subdirectories LocalUser and LocalUser\Public under the FTP site home directory.
8. If users of the local computer log in with their individual account user names (rather than as anonymous users), create the subdirectories LocalUser and LocalUser\username under the FTP site root directory for each user allowed to connect to this FTP site.
9. If users of different domains log on with their explicit domain\username credentials, create a subdirectory for each domain (by using the name of the domain) under the FTP site root directory. Under each domain directory, create a directory for each user. For example, to support access by user Sales\user1, create the Sales and Sales\user1 directories.

Configuring FTP User Isolation with Active Directory
When you set your FTP server to isolate users with Active Directory, each user's home directory can reside on an arbitrary network path. In this mode, you have the flexibility to distribute user home directories across multiple servers, volumes, and directories as is appropriate to the network configuration. You can also set the FTPRoot and FTPDir properties for a user to form a local path to the FTP server machine. This mode integrates Active Directory authentication when retrieving a user's home directory information. This integration enables you to use Active Directory Services Interfaces (ADSI) and scripting to manage the physical location of user home directories.

This mode is most appropriate for ISP deployments, where an array of front-end FTP servers all access an Active Directory to retrieve home directory information for users, and access an array of back-end file servers.

The Active Directory User object has been extended to include two properties: FTPRoot and FTPDir. These properties store the file server share and relative home directory for each user. The FTPRoot determines the Universal Naming Convention (UNC) file server share, while the FTPDir indicates the relative path on the share. Concatenating these two properties results in the full UNC path to the users' home directory, or to the FTP server.

These two properties correspond to the msIIS-FTPRoot and msIIS-FTPDir properties that were added to the Active Directory schema in the Windows Server 2003 family. They can also be set and modified using the iisftp.vbs command-line administration script. For more information on using the iisftp.vbs command-line administration script to set these properties, search for "iisftp.vbs" in Windows Help. You can also install the Admin Pack, available with Windows Server 2003 family Resource Kit, and modify these properties using the Active Directory snap-in.

Configuring user isolation by using Active Directory involves setting up the following corresponding services:

File servers: You can use file servers to create the shares and user directories for all users permitted to connect to the FTP service, including anonymous accounts. You should plan for expected disk space usage, storage management, network traffic, and other processes related to your server infrastructure.
Active Directory: This mode of user isolation requires the availability of an Active Directory server running on an operating system in the Windows Server 2003 family. The Windows Server 2003 family Active Directory schema is the first to contain the user object properties used by the FTP service. For more information about setting up an Active Directory server, see Windows Help. You should also configure the user object in Active Directory for each user (including anonymous accounts) by setting the FTPRoot and FTPDir properties to point to the home directories. Also note that frequently used information retrieved from Active Directory is cached on the FTP server. You can limit the maximum elapsed time before flushing the cache for the Active Directory properties corresponding to the anonymous user by using the registry parameter DsCacheRefreshSecs.
Important: To use FTP user isolation in Active Directory mode with Windows 2000 domain controllers, you need to extend the base user object in the Windows 2000 Active Directory schema to include the new FTP properties, msIIS-FTPRoot and msIIS-FTPDir. For more information on how to extend the base user object in the Windows 2000 Active Directory schema, see the Active Directory Programmer's Guide.

To create a new FTP site that isolates users with Active Directory

1. In IIS Manager, right-click the FTP Sites folder, point to New, and click FTP Site.
2. Provide the required information in the FTP Site Description and IP Address and Port Settings dialog boxes, and click Next.
3. In the FTP User Isolation dialog box, click Isolate users using Active Directory, and click Next.
4. Complete the remaining steps of the wizard.
5. Right-click the new FTP site you created, and click Properties.
6. Click the Security Accounts tab. If the Allow anonymous connections check box is selected, in the User name and Password boxes, type a user name and password to use to authenticate anonymous users. This user should not be a local computer user, but rather a domain user with appropriate home directory configuration in the Active Directory object.
7. Type a default logon domain name. This domain name is given to users who do not specify their user domain when they log on. In other words, a user connecting with the user name "domain1\user1" is authenticated against domain1, while a user connecting as user2 is authenticated against the default logon domain. If a default domain is not set, and a user does not specify a domain name, access is denied for all but anonymous users.

Related Topics
For information on installing the FTP service, see FTP Site Setup.

--------------------------------------------------------------------------------

© 1997-2003 Microsoft Corporation. All rights reserved.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hope this helps.

Dave Dietz
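As an added example (not Dave's code and not from the IIS help text), a short Python script that maps FTP logon names to the directory layout the "Isolate users" mode described above expects, rejects names that could not be a plain [DOMAIN\]user component, and audits which accounts still lack a home directory (IIS refuses the logon when the directory is missing). The site root D:\FtpRoot and the account names are constructed for the example.

```python
from pathlib import PureWindowsPath

# Constructed example values (hypothetical): the FTP site home directory and
# the directories the administrator has already created under it.
SITE_ROOT = PureWindowsPath(r"D:\FtpRoot")
EXISTING_DIRS = [
    r"D:\FtpRoot\LocalUser\Public",   # anonymous users
    r"D:\FtpRoot\LocalUser\dale",     # local account 'dale'
    r"D:\FtpRoot\Sales\user1",        # domain account Sales\user1
]

def isolated_home(logon: str, anonymous: bool = False) -> PureWindowsPath:
    r"""Home directory that 'Isolate users' mode assigns to a logon name.

    anonymous    -> <root>\LocalUser\Public
    user1        -> <root>\LocalUser\user1   (local account)
    Sales\user1  -> <root>\Sales\user1       (domain account)
    Raises ValueError unless the name is exactly [DOMAIN\]user, so the
    result can never resolve to a location outside SITE_ROOT.
    """
    if anonymous:
        return SITE_ROOT / "LocalUser" / "Public"
    parts = logon.split("\\")
    if len(parts) == 1:
        parts = ["LocalUser", parts[0]]
    if len(parts) != 2:
        raise ValueError(f"malformed logon name: {logon!r}")
    for part in parts:
        # each component must be a plain directory name: no empty parts,
        # no '.' or '..', no forward slashes, no drive colons
        if not part or part in (".", "..") or "/" in part or ":" in part:
            raise ValueError(f"unsafe logon name: {logon!r}")
    return SITE_ROOT / parts[0] / parts[1]

def audit_homes(logons, existing_dirs=EXISTING_DIRS):
    """Map each logon to (home dir relative to the site root, directory exists?).

    A user whose directory was never created cannot log on at all.
    """
    existing = {PureWindowsPath(d) for d in existing_dirs}  # case-insensitive compare
    report = {}
    for logon in logons:
        home = isolated_home(logon)
        report[logon] = (str(home.relative_to(SITE_ROOT)), home in existing)
    return report

if __name__ == "__main__":
    for logon, (rel, ok) in audit_homes(["dale", r"Sales\user1", "bob"]).items():
        print(f"{logon:12} -> {rel:18} {'ok' if ok else 'MISSING: logon will be denied'}")
```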

Author Comment

by:dgore1
ID: 12254478
Dave,

Thanks!!!  This solved the problem completely!!!

Dale

Expert Comment

by:Dave_Dietz
ID: 12300550
Care to award some points?  :-)

Dave Dietz