Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 564
  • Last Modified:

IIS/FTP 7.5 User Isolation

Weirdness.

We have IIS/FTP 7.5, Windows 2008 R2 SP1, current patches.  Site config: Actual FTP root unused.  All Virtual Directories are on other disk volumes, one for each customer.  They log in by appending the VD thus: ftp://ftp.redacted.com/VD.  This is a standalone server with no AD membership.  All FTP users are local Windows users.

Now one customer has a script that they can't modify and that can't traverse folders or append the VD.  So we tried to do one instance of User Isolation.  We only want this one user to be configured this way because we do not want to change the larger structure and disrupt all the other customers and their present login procedures for just this one customer.

We created a new disk volume like the others (this is a VM server) for the new customer as usual, and set the permissions.  We created the root folder with the user-named folder underneath and set the VDat the user folder (NOTE: we have also named the root folder after the user, and also "LocalUser" with and without a VD set there, and a LocalUser folder UNDER the root with its own VD entry and without, and with the user ID folder under that, with and without its own VD).  We already had Basic Authentication enabled for the whole FTP site and each VD.  We set Authorization specifically for admins and the user in all cases for the abovementioned VDs.

Now for the User Isolation settings: because we only want this one user affected, we can't choose User Name Physical Dir with disable global.  We have tried both User Name Physical with globals enabled and Do Not Isolate/Start in User Name directory.  We can get both to work (the former required that we move the target folder to the root where we do not want it).  The user ID in question can log on, and is directed to the folder we want. But something weird happens: when we test it and upload a file successfully (or copy a file into the folder manually on the server), the file sits for a bit and then disappears.  
We can't trace what is deleting the file or why.  Help!
0
AnonofIbid
Asked:
AnonofIbid
  • 4
  • 3
1 Solution
 
Paul MacDonaldDirector, Information SystemsCommented:
File system auditing should tell you what is causing the file to be deleted.  That or FTP logs.

As to isolating this user, why not set up a dedicated FTP server/site for that user.  Can't get much more isolated than a dedicated IP address...
0
 
AnonofIbidAuthor Commented:
Thanks Paulmacd.  We are trying to avoid that, it's on a restrictive DMZ subnet where IPs are at a premium.  

We discovered that the user itself is performing the deletes, but without any user intervention.  Other users similarly configured do not do this.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
That user's process is scripted, right?  It seems at least possible it's the script doing the damage.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
AnonofIbidAuthor Commented:
Hi,

We haven't yet turned this over to the user because of the issue.  So far all of our testing is manual, using IE, Windows Explorer, command-line ftp, and FileZilla.  I can certainly see in the logs that a DELE command is issued when the user sits connected to the FTP server.  But I do not know why this happens.  We have configured a couple of other users this way and it does not happen, whether it's on the same or different volumes.  I will have to ask my partner in this testing whether he has tried deleting and recreating the user; I know I haven't.
0
 
AnonofIbidAuthor Commented:
We solved the issue - it was a script from another user whose delete parameters were too broad and ended up including this directory.  Sorry for the braincramp.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Great!
0
 
AnonofIbidAuthor Commented:
Although it was not the specific user's script, another user (an admin of the specific area on the FTP site) had a script whose wildcard search ended up including this new folder, and was deleting.  This answer made us look into these possibilities.  Sometimes it's the simpler answer. :-)
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now