Shroder

asked on

IIS: FTP Setup - Isolated (no AD) Users

I'm trying to get the isolated user (no AD) configuration for FTP to work, but I keep running into directory inaccessible.

Now I set up the home for the ftp site as: c:\inetpub\ftproot\ and then created localuser under that and the user under localuser.

That fixed the error, but I need to be able to have the user access their web folder, which is m:\web\users\website. I've tried adding a virtual directory, but the virtual directory is ignored when the user folder is under localuser and gets the inaccessible error when the user folder doesn't exist (so it appears that the virtual directory is being ignored completely).

I've tried multiple setups, but haven't had any luck. I'm wondering what the proper way to set this up is so that the root directory is the web directory (m:\web\users\website).
SOLUTION
Member_2_1968385
Shroder

ASKER

Sorry for the delay.

I think this is more of a case dealing with virtual directories being hidden. I haven't tried accessing the virtual directory yet though.

I keep thinking there must be a generic way to set this up for a server that is supposed to host both sites and allow the user to upload files to that website folder.

If there is not a generic way then hopefully I can work something out with my current setup.

So with my current setup my web directory (structure) is: m:\web\users\domain. While my ftp is c:\inetpub\ftproot\localuser\domain (from testing I found that would work).

Now I'm thinking... what if I put them in c:\inetpub\ftproot\localuser\domain (which works) if I could make the html folder a virtual directory that may work. But I'm not sure how I could link the html directory (still residing on the m drive) to the ftp directory.

I didn't want to move the web directory over to be in the same directory as the ftp (c drive) because I thought there was a security issue with serving the websites on the c drive.
There can be security issues if your web site is hosted on the C: drive, but the same also applies to hosting your FTP folders on the C: drive. When I inspect the IIS log files on my servers, I generally see more attempts to hack my FTP server than my web server.

Furthermore, relocating your root folders away from the default C:\inetpub folder is not enough on its own to make IIS secure. There are more important settings concerning user permissions and login authentication settings. Even when all of those are right, IIS security is still not 100% (but the same is true for other similar products).

You do not have to use C:\inetpub\ftproot as the root for all FTP folders. You could move it to another drive provided you also change the properties of your FTP site in IIS Manager to point to the right location. This is very similar to what you have already done for your web site to point to m:\web. Both FTP and Web can be told to use any folder as the home directory. Both will also support virtual directories, but it doesn't sound like virtual directories will be the magic solution to all your problems - in fact I think they will complicate your solution.

Can you clarify - do you have one server running both Web and FTP or have you got a server for each?
Shroder

ASKER

This is just one server running both ftp and the web server.

I need to get this set up ASAP, so I'm going to give a little information and my thoughts. Basically I'm looking for an ideal solution for what I've stated earlier.

I'll need to focus on cracking down on the other security issues later. For now I just need to find the best way to set up the ftp service. :) Thank you for the heads up on that.

The m:\web directory setup was by default with the dedicated server company I got the server from.

Now, backing up a step, I set up a new site (on the same server) that didn't use isolated users. I ran into some security problems though. I could access other users' folders. The only way I could deny access is if I set the permissions to deny read & execute, and read. The problem I had with this was that I couldn't view the folders as admin.

So even though non-isolated users gives me the functionality I want, it doesn't give me the security. So I assume that isolated users is the way I want to go.

Would the ideal setup be changing m:\web\users to m:\web\localuser and set m:\web as the ftp root? I didn't want to do that because I figured they (the dedicated server company) set up that directory structure for a reason.

If there is a better way please let me know.
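
An added example, not part of the original thread or any participant's post: one way to create the LocalUser\<username> home folders discussed above with allow-only NTFS permissions rather than Deny entries, so that each FTP user reaches only their own folder while administrators keep access. The root path, the account names and the optional web read account are assumptions; substitute your own.

```powershell
# Added example: paths and account names are constructed placeholders.
param(
    [string]$FtpRoot = 'D:\ftproot',       # assumed FTP site home directory
    [string[]]$Users = @('site1user'),     # assumed local Windows accounts
    [string]$WebReadAccount = ''           # optional: identity the web site runs as
)

function Invoke-Icacls {
    # Run icacls and stop on failure instead of silently leaving a weak ACL.
    param([string[]]$IcaclsArgs)
    & icacls.exe @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
}

# With local-user isolation the home folder is <root>\LocalUser\<login name>.
$localUserDir = Join-Path $FtpRoot 'LocalUser'
New-Item -ItemType Directory -Path $localUserDir -Force | Out-Null

foreach ($user in $Users) {
    $userHome = Join-Path $localUserDir $user
    New-Item -ItemType Directory -Path $userHome -Force | Out-Null

    # Remove inherited ACEs so broad grants on the parent do not reach this folder.
    Invoke-Icacls @($userHome, '/inheritance:r')

    # Allow-only ACEs. No Deny entries are used: a Deny on a group that also
    # contains administrators would lock the administrators out as well.
    $grants = @(
        'Administrators:(OI)(CI)F',
        'SYSTEM:(OI)(CI)F',
        "$($env:COMPUTERNAME)\$($user):(OI)(CI)M"
    )
    if ($WebReadAccount) {
        # The web site only needs to read and execute the uploaded content.
        $grants += "$($WebReadAccount):(OI)(CI)RX"
    }
    Invoke-Icacls (@($userHome, '/grant:r') + $grants)

    # Print the resulting ACL for review.
    & icacls.exe $userHome
}
```

Any account not listed in the grants has no access to the folder, which gives the per-user separation without touching Deny permissions.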
ASKER CERTIFIED SOLUTION
Shroder

ASKER

Some of that stuff I already have in place from other articles I've read. :) And I agree a full set of instructions is out of scope. All I'm really looking for is the norm in setting up an ftp service that allows users to access web user folders.

Thank you for pointing out adding the site folders under the user folder.

So I will try that out today, but I'm pretty sure that will work considering what I've already done. Now that I know how to do it I'm wondering if it is really that wise to give web users ftp access due to possible security problems with scripts.

So one last question, do you recommend not allowing users ftp access or is it not that big of a danger? The websites would need to be granted enough permissions to run asp scripts, but that is it.
I would say there are two different security issues:
1. Can you trust the "owners" of the web sites to not abuse the access that you can give them through FTP? Normally it is in their own interests to not break the web server because that would bring down their own web site. Also you can fairly easily identify who messed it up because they all log in under a different name and they should only be able to access their own sub-folders.
2. What are the risks of running public web sites hosted on your own server? To be honest I get the impression that you lack the experience to be very confident on this one and it would be painful to find that you left a huge security hole only when the hordes have already got through and trampled on everything. ...and be sure they will try.

A lot of web sites allow scripts to run, but that doesn't mean there is a security problem. The problem would only come if unauthorised people were able to load scripts onto your server or if some of the scripts that were loaded were flawed. Hosting your own web sites doesn't save you a fortune compared to using a hosted service and you don't have to worry about security when it's hosted on someone else's server. However, if you want to be able to run fancy ASP scripts with database access and all that stuff, then the hosted services get more expensive. You can also learn a lot from hosting your own - just be prepared for some painful mistakes, keep good backups and monitor the IIS logs.

You'll have to weigh up all the factors and draw your own conclusions.

Good luck.
Shroder

ASKER

There is a bit of a story behind why I need my own dedicated server. With my questions I'm trying to be open minded, which probably comes across as not being confident. I'm not going to try hosting hundreds of sites though; this is for something a little lower scale.
A majority of my experience lies in the Linux side of web services, so I'm just trying to find out what the norm is with IIS web services instead of trying to do it my own way.

Either way, thank you for your time.