IIS: FTP Setup - Isolated (no AD) Users

Posted on 2006-05-27
Last Modified: 2010-08-05
I'm trying to get the isolated user (no AD) configuration for FTP to work, but I keep running into directory inaccessible.

Now I set up the home for the ftp site as: c:\inetpub\ftproot\ and then created localuser under that and the user under localuser.

That fixed the error, but I need to be able to have the user access their web folder, which is m:\web\users\website. I've tried adding a virtual directory, but the virtual directory is ignored when the user folder is under localuser and gets the inaccessible error when the user folder doesn't exist (so it appears that the virtual directory is being ignored completely).

I've tried multiple setups, but haven't had any luck. I'm wondering what the proper way to set this up is so that the root directory is the web directory (m:\web\users\website).
Question by:Shroder
8 Comments
 
LVL 19

Assisted Solution

by:feptias
feptias earned 2000 total points
ID: 16779421
Assuming you are using IIS 6, virtual directories can be used with user isolation mode (non-AD). There are two possible issues:
1. FTP virtual directories in IIS 6 are hidden
2. You must have the correct access rights set on the real folder

To explain (1) a bit more:
Virtual directories do not appear in the list of files/folders below the user's root. You have to use the CD (change directory) command from your FTP client or specify the virtual directory's name as part of the FTP login. The name that you use is the one that is given as the "Alias" when you create the virtual directory. Your FTP users must know this name in advance - they cannot view a list of virtual directories using their FTP client.

Regarding access rights to the folder, I suggest that you start by testing a virtual directory that is hosted on the same server as the IIS service is running. Make sure the local user account has access permissions to that folder (the same local user that is used to login to the FTP site). Access to folders on other servers might be more complicated because, by definition, you are using local user accounts for your local user isolation mode.

There are two other options you could consider for linking your web directory to your FTP directory:
a) Change the home directory of the web site to point to the actual FTP folder of the user. For example, move all the web files to a folder below C:\inetpub\ftproot\localuser\username\website. This will require a network share on the FTP server to allow the web server to gain access.
b) Use some kind of file/folder replication software to synchronise changes between the FTP folder and the web site home directory folder. For example, you can use the file replication feature in Windows Server 2003 Distributed File System for this purpose. This method has the disadvantage that changes made via FTP may be delayed before they are seen on the web site.
0
 

Author Comment

by:Shroder
ID: 16794199
Sorry for the delay.

I think this is more of a case dealing with virtual directories being hidden. I haven't tried accessing the virtual directory yet though.

I keep thinking there must be a generic way to set this up for a server that is supposed to host both sites and allow the user to upload files to that website folder.

If there is not a generic way then hopefully I can work something out with my current setup.

So with my current setup my web directory (structure) is: m:\web\users\domain. While my ftp is c:\inetpub\ftproot\localuser\domain (from testing I found that would work).

Now I'm thinking... what if I put them in c:\inetpub\ftproot\localuser\domain (which works) if I could make the html folder a virtual directory that may work. But I'm not sure how I could link the html directory (still residing on the m drive) to the ftp directory.

I didn't want to move the web directory over to be in the same directory as the ftp (c drive) because I thought there was a security issue with serving the websites on the c drive.
0
 
LVL 19

Expert Comment

by:feptias
ID: 16796988
There can be security issues if your web site is hosted on the C: drive, but the same also applies to hosting your FTP folders on the C: drive. When I inspect the IIS log files on my servers, I generally see more attempts to hack my FTP server than my web server.

Furthermore, relocating your root folders away from the default C:\inetpub folder is not enough on its own to make IIS secure. There are more important settings concerning user permissions and login authentication settings. Even when all of those are right, IIS security is still not 100% (but the same is true for other similar products).

You do not have to use C:\inetpub\ftproot as the root for all FTP folders. You could move it to another drive provided you also change the properties of your FTP site in IIS Manager to point to the right location. This is very similar to what you have already done for your web site to point to m:\web. Both FTP and Web can be told to use any folder as the home directory. Both will also support virtual directories, but it doesn't sound like virtual directories will be the magic solution to all your problems - in fact I think they will complicate your solution.

Can you clarify - do you have one server running both Web and FTP or have you got a server for each?
0
 

Author Comment

by:Shroder
ID: 16798341
This is just one server running both ftp and the web server.

I need to get this set up asap, so I'm going to give a little information and my thoughts. Basically I'm looking for an ideal solution for what I've stated earlier.

I'll need to focus on cracking down on the other security issues later. For now I just need to find the best way to set up the ftp service. :) Thank you for the heads up on that.

The m:\web directory setup was by default with the dedicated server company I got the server from.

Now, backing up a step, I set up a new site (on the same server) that didn't use isolated users. I ran into some security problems though. I could access other users' folders. The only way I could deny access is if I set the permissions to deny read & execute, and read. The problem I had with this was that I couldn't view the folders as admin.

So even though non-isolated users gives me the functionality I want, it doesn't give me the security. So I assume that isolated users is the way I want to go.

Would the ideal setup be changing m:\web\users to m:\web\localuser and set m:\web as the ftp root? I didn't want to do that because I figured they (the dedicated server company) setup that directory structure for a reason.

If there is a better way please let me know.
0
 
LVL 19

Accepted Solution

by:feptias
feptias earned 2000 total points
ID: 16798645
If each user only has one web site, then the m:\web\localuser solution would be rather neat. Each user would have their own FTP folder immediately below m:\web\localuser and each web site could be pointed at the corresponding user's folder:
m:\web\localuser\user1
m:\web\localuser\user2
etc

However, if each user may have several web sites then it would be better to use:
m:\web\localuser\user1\website1
m:\web\localuser\user1\website2
m:\web\localuser\user2\website1
etc

In both cases I believe you would have to set the ftp root to m:\web (as you stated).
If two different users both need to access the same web site folder then neither of the above will work.

Regarding security on the web sites:
1. Check the tick boxes on the "Home Directory" tab of the web site properties in IIS Manager. There are 4 boxes together: Script source access, Read, Write and Directory browsing. It is usually sufficient on public web sites to just have the Read box ticked and none of the other three.
2. For the FTP site you have to allow read and write access (otherwise legitimate users would not be able to make changes to their web files). However, you can and should disable anonymous access if there is no need for it.
3. Further restrictions should be done using the folder permissions on the individual or parent folders. This is the best way to make your system secure, but a full set of instructions is way beyond the scope of this question.
4. Enable logging in both the Web and the FTP service and regularly check the log files to see if people are getting through your security.
5. Use a good firewall between your server and the Internet. Only allow the minimum access necessary for people to be able to use your services. If possible, restrict access to the FTP service based on the remote user's IP address (not always possible of course).
0
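One way to carry out the log check in point 4 of the answer above, as an added example that is not part of the original thread. It assumes the FTP site logs in W3C extended format with the time, c-ip, cs-method, cs-uri-stem and sc-status fields enabled; the log lines, addresses and user names are constructed, and `parse_w3c` and `audit_logins` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample in the W3C extended layout assumed for the IIS FTP log;
# addresses are from documentation ranges, user names are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:10:01 203.0.113.7 [11]USER administrator 331
02:10:02 203.0.113.7 [11]PASS - 530
02:10:03 203.0.113.7 [12]USER admin 331
02:10:04 203.0.113.7 [12]PASS - 530
02:10:05 203.0.113.7 [13]USER user1 331
02:10:06 203.0.113.7 [13]PASS - 530
02:10:07 203.0.113.7 [14]USER user1 331
02:10:08 203.0.113.7 [14]PASS - 230
09:30:00 198.51.100.20 [15]USER user2 331
09:30:01 198.51.100.20 [15]PASS - 230
09:30:05 198.51.100.20 [15]created /website1/index.asp 226
"""

def parse_w3c(text):
    """Yield one dict per entry, using the latest #Fields line as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def audit_logins(text, threshold=3):
    """Return (noisy, breached): IPs with >= threshold failed logins (530), and
    (ip, user) pairs where a login succeeded (230) after that many failures."""
    failures = defaultdict(int)
    session_user = {}  # (ip, session id) -> user name sent with USER
    breached = []
    for e in parse_w3c(text):
        session, _, verb = e["cs-method"].rpartition("]")
        key = (e["c-ip"], session)
        if verb == "USER":
            session_user[key] = e["cs-uri-stem"]
        elif verb == "PASS" and e["sc-status"] == "530":
            failures[e["c-ip"]] += 1
        elif verb == "PASS" and e["sc-status"] == "230":
            if failures[e["c-ip"]] >= threshold:
                breached.append((e["c-ip"], session_user.get(key, "?")))
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    return noisy, breached
```

An address that appears in `breached` is the case the answer warns about: repeated failed logins followed by a successful one, which warrants a password reset for that account and a review of what the session uploaded.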
 

Author Comment

by:Shroder
ID: 16799003
Some of that stuff I already have in place from other articles I've read. :) And I agree a full set of instructions is out of scope. All I'm really looking for is the norm in setting up a ftp service that allows users to access web user folders.

Thank you for pointing out adding the site folders under the user folder.

So I will try that out today, but I'm pretty sure that will work considering what I've already done. Now that I know how to do it I'm wondering if it is really that wise to give web users ftp access due to possible security problems with scripts.

So one last question, do you recommend not allowing users ftp access or is it not that big of a danger? The websites would need to be granted enough permissions to run asp scripts, but that is it.
0
 
LVL 19

Expert Comment

by:feptias
ID: 16799241
I would say there are two different security issues:
1. Can you trust the "owners" of the web sites to not abuse the access that you can give them through FTP? Normally it is in their own interests to not break the web server because that would bring down their own web site. Also you can fairly easily identify who messed it up because they all log in under a different name and they should only be able to access their own sub-folders.
2. What are the risks of running public web sites hosted on your own server? To be honest I get the impression that you lack the experience to be very confident on this one and it would be painful to find that you left a huge security hole only when the hordes have already got through and trampled on everything. ...and be sure they will try.

A lot of web sites allow scripts to run, but that doesn't mean there is a security problem. The problem would only come if unauthorised people were able to load scripts onto your server or if some of the scripts that were loaded were flawed. Hosting your own web sites doesn't save you a fortune compared to using a hosted service and you don't have to worry about security when it's hosted on someone else's server. However, if you want to be able to run fancy ASP scripts with database access and all that stuff, then the hosted services get more expensive. You can also learn a lot from hosting your own - just be prepared for some painful mistakes, keep good backups and monitor the IIS logs.

You'll have to weigh up all the factors and draw your own conclusions.

Good luck.
0
 

Author Comment

by:Shroder
ID: 16799347
There is a bit of a story behind why I need my own dedicated server. With my questions I'm trying to be open minded, which probably comes across as not being confident. I'm not going to try hosting hundreds of sites though; this is for something a little lower scale.
A majority of my experience lies in the linux side of web services, so I'm just trying to find out what the norm is with IIS web services instead of trying to do it my own way.

Either way, thank you for your time.
0

Question has a verified solution.