Ftp Creation

  • 8/8/2019 Ftp Creation

    In a previous article we saw that Internet Information Services 6 (IIS 6) is a powerful platform for building and hosting web sites for both the Internet and corporate intranets. IIS 6 is also equally useful for setting up FTP sites for either public or corporate use, and in this article we'll walk through the process of creating and configuring FTP sites using both the GUI (IIS Manager) and scripts included in Windows Server 2003. The specific tasks we'll walk through in this article are:

    - Creating an FTP Site
    - Controlling Access to an FTP Site
    - Configuring FTP Site Logging
    - Stopping and Starting FTP Sites
    - Implementing FTP User Isolation

    For sake of interest, we'll again explain these tasks in the context of a fictitious company called TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the Internet.

    Preliminary Steps

    As mentioned in the previous article, IIS is not installed by default during a standard installation of Windows Server 2003, and if you installed IIS using Manage Your Server as described in the previous article, this installs the WWW service but not the FTP service. So before we can create FTP sites we first have to install the FTP service on our IIS machine. To do this, we need to add an additional component to the Application Server role we assigned our machine when we used Manage Your Server to install IIS. Begin by opening Add or Remove Programs in Control Panel and selecting Add/Remove Windows Components. Then select the checkbox for Application Server:

    http://www.windowsnetworking.com/articles_tutorials/Web-Sites-Windows-2003.html

    Click Details and select the checkbox for Internet Information Services (IIS):

    Click Details and select the checkbox for File Transfer Protocol (FTP) Services.

    Click OK twice and then Next to install the FTP service. During installation you'll need to insert your Windows Server 2003 product CD or browse to a network distribution point where the Windows Server 2003 setup files are located. Click Finish when the wizard is done.

    Creating an FTP Site

    As with web sites, the simplest approach to identifying each FTP site on your machine is to assign each of them a separate IP address, so let's say that our server has three IP addresses (172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the Human Resources department, but before we do that let's first examine the Default FTP Site that was created when we installed the FTP service on our machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on Default FTP Site and select Properties:

    Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned. This means any IP address not specifically assigned to another FTP site on the machine opens the Default FTP Site instead, so right now opening either ftp://172.16.11.210, ftp://172.16.11.211 or ftp://172.16.11.212 in Internet Explorer will display the contents of the Default FTP Site.

    Let's assign the IP address 172.16.11.210 for the Human Resources FTP site and make D:\HR the folder where its content is located. To create the new FTP site, right-click on the FTP Sites node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a description for the site:

    Click Next and specify 172.16.11.210 as the IP address for the new site:

    Click Next and select Do not isolate users, since this will be a site that anyone (including guest users) will be free to access:

    Click Next and specify C:\HR as the location of the root directory for the site:

    Click Next and leave the access permissions set at Read only as this site will only be used for downloading forms for present and prospective employees:

    Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now be seen in IIS Manager under the FTP Sites node:

    To view the contents of this site, go to a Windows XP desktop on the same network and open the URL ftp://172.16.11.210 using Internet Explorer:

    Note in the status bar at the bottom of the IE window that you are connected as an anonymous user. To view all users currently connected to the Human Resources FTP site, right-click on the site in Internet Service Manager and select Properties, then on the FTP Site tab click the Current Sessions button to open the FTP User Sessions dialog:

    Note that anonymous users using IE are displayed as IEUser@ under Connected Users.

    Now let's create another FTP site using a script instead of the GUI. We'll create a site called Help and Support with root directory C:\Support and IP address 172.16.11.211:

    Here's the result of running the script:

    The script we used here is Iisftp.vbs, which, like Iisweb.vbs and Iisvdir.vbs (discussed in the previous article), is one of several IIS administration scripts available when you install IIS on Windows Server 2003. A full syntax for this script can be found here. Once you create a new FTP site using this script you can further configure the site using IIS Manager in the usual way.

    Note: At this point you could add structure to your FTP site by creating virtual directories, and this is done in the same way as was described in the previous article for working with web sites.

    Controlling Access to an FTP Site

    Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS Permissions, IIS permissions, IP address restrictions, and authentication method. NTFS permissions are always your first line of defense but we can't cover them in detail here. IIS permissions are specified on the Home Directory tab of your FTP site's properties sheet:

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/iisftp.asp

    Note that access permissions for FTP sites are much simpler (Read and Write only) than they are for web sites, and by default only Read permission is enabled, which allows users to download files from your FTP site. If you allow Write access, users will be able to upload files to the site as well. And of course access permissions and NTFS permissions combine the same way they do for web sites.

    Like web sites, IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, an IP address in a range of addresses, or a specific DNS name. These restrictions are configured on the Directory Security tab just as they are for web sites, and this was covered in the previous article so we won't discuss them further here.

    FTP sites also have fewer authentication options than web sites, as can be seen by selecting the Security Accounts tab:

    By default Allow anonymous connections is selected, and this is fine for public FTP sites on the Internet but for private FTP sites on a corporate intranet you may want to clear this checkbox to prevent anonymous access to your site. Clearing this box has the result that your FTP site uses Basic Authentication instead, and users who try to access the site are presented with an authentication dialog box:

    Note that Basic Authentication passes user credentials over the network in clear text so this means FTP sites are inherently insecure (they don't support Windows integrated authentication). So if you're going to deploy a private FTP site on your internal network make sure you close ports 20 and 21 on your firewall to block incoming FTP traffic from external users on the Internet.

    Configuring FTP Site Logging

    As with web sites, the default logging format for FTP sites is the W3C Extended Log File Format, and FTP site logs are stored in folders named

    %SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn

    where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the Microsoft Log Parser, part of the IIS 6.0 Resource Kit Tools, to analyze these FTP site logs.
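
    Because these sites fall back to clear-text Basic Authentication, failed and anonymous logons are the first things worth pulling out of the FTP logs. The following is an added example, not part of the original article: a small parser for W3C Extended entries that counts failed logons (reply 530) per client and lists clients with anonymous sessions. The #Fields set, the "[session]VERB" form of cs-method, the function names and every log line are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample; the #Fields set is an assumption about the site's logging configuration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Date: 2004-05-10 12:00:01
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
12:00:01 172.16.11.50 [1]USER anonymous 331 0
12:00:01 172.16.11.50 [1]PASS IEUser@ 230 0
12:03:40 172.16.11.77 [2]USER TESTTWO\\bsmith 331 0
12:03:41 172.16.11.77 [2]PASS - 530 1326
12:03:44 172.16.11.77 [3]USER TESTTWO\\bsmith 331 0
12:03:45 172.16.11.77 [3]PASS - 530 1326
12:03:49 172.16.11.77 [4]USER TESTTWO\\mjones 331 0
12:03:50 172.16.11.77 [4]PASS - 530 1326
12:05:12 172.16.11.60 [5]USER TESTTWO\\mjones 331 0
12:05:13 172.16.11.60 [5]PASS - 230 0
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed entries
                yield dict(zip(fields, values))

def logon_summary(text, threshold=3):
    """Return (failed logons per client IP, IPs at/over threshold, anonymous client IPs)."""
    last_user = {}                               # (c-ip, session id) -> name sent in USER
    failed, anonymous = Counter(), set()
    for e in parse_w3c(text):
        session, _, verb = e["cs-method"].partition("]")
        key = (e["c-ip"], session)
        if verb == "USER":
            last_user[key] = e["cs-uri-stem"].lower()
        elif verb == "PASS" and e["sc-status"] == "530":      # 530: not logged in
            failed[e["c-ip"]] += 1
        elif verb == "PASS" and e["sc-status"] == "230" and last_user.get(key) == "anonymous":
            anonymous.add(e["c-ip"])                          # 230: user logged in
    flagged = sorted(ip for ip, n in failed.items() if n >= threshold)
    return dict(failed), flagged, sorted(anonymous)

if __name__ == "__main__":
    print(logon_summary(SAMPLE_LOG))
```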

    Stopping and Starting FTP Sites

    If an FTP site becomes unavailable you may need to restart it to get it working again, which you can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start. From the command-line you can type net stop msftpsvc followed by net start msftpsvc or use iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as any users currently connected to the site will be disconnected.

    Implementing FTP User Isolation

    Finally, let's conclude by looking at how to implement the new FTP User Isolation feature of IIS in Windows Server 2003. When an FTP site uses this feature, each user accessing the site has an FTP home directory that is a subdirectory under the root directory for the FTP site, and from the perspective of the user their FTP home directory appears to be the top-level folder of the site. This means users are prevented from viewing the files in other users' FTP home directories, which has the advantage of providing security for each user's files.

    Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff Folders as the root directory for the site and 172.16.11.212 for the site's IP address. Start the FTP Site Creation Wizard as we did previously and step through it until you reach the FTP User Isolation page and select the Isolate users option on this page:

    http://www.microsoft.com/downloads/details.aspx?familyid=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en

    Continue with the wizard and be sure to give users both Read and Write permission so they can upload and download files.

    Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones) who have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP home directories on your server, first create a subfolder named \TESTTWO beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the \Accounts folder. Your folder structure should now look like this:

    C:\Staff Folders
        \TESTTWO
            \bsmith
            \mjones

    To test FTP User Isolation let's put a file named Bob's Document.doc in the \bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop and open Internet Explorer and try to open ftp://172.16.11.212, which is the URL for the Staff FTP site we just created. When you do this an authentication dialog box appears, and if you're Bob then you can enter your username (using the DOMAIN\username form) and password like this:

    When Bob clicks the Log On button the contents of his FTP home directory are displayed:

    Note that when you create a new FTP site using FTP User Isolation, you can't convert it to an ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly, an ordinary FTP site can't be converted to one using FTP User Isolation.
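
    The home-directory layout described above for the Isolate users option can be checked before users try to log on. The following is an added example, not part of the original article: a hypothetical audit that maps each login to its expected folder under the FTP root and reports missing folders and folders no listed login maps to. The LocalUser\<name> and LocalUser\Public mappings for local and anonymous accounts go beyond what the article shows and are assumptions here, as are the function names and the tree, which is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

def home_dir(root, login):
    """Map an FTP login to its expected home directory under the site root."""
    if login.lower() == "anonymous":
        return Path(root, "LocalUser", "Public")       # assumption: not shown in the article
    domain, sep, user = login.partition("\\")
    if not sep:                                         # no DOMAIN\ prefix: local account
        return Path(root, "LocalUser", login)           # assumption: not shown in the article
    # Reject names that would step outside <root>\<domain>\<user>.
    if not domain or not user or user in (".", "..") or any(c in "/\\:" for c in user):
        raise ValueError(f"malformed login: {login!r}")
    return Path(root, domain, user)                     # e.g. <root>\TESTTWO\bsmith

def audit(root, logins):
    """Return (missing home directories, directories that no listed login maps to)."""
    expected = {home_dir(root, name) for name in logins}
    present = {p for d in Path(root).iterdir() if d.is_dir()
               for p in d.iterdir() if p.is_dir()}
    rel = lambda paths: sorted(p.relative_to(root).as_posix() for p in paths)
    return rel(expected - present), rel(present - expected)

def demo():
    """Build a constructed folder tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("TESTTWO/bsmith", "TESTTWO/oldstaff"):
            Path(root, sub).mkdir(parents=True)
        return audit(root, ["TESTTWO\\bsmith", "TESTTWO\\mjones", "anonymous"])

if __name__ == "__main__":
    missing, unexpected = demo()
    print("missing home directories:", missing)
    print("directories with no matching login:", unexpected)
```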

    We still need to explore one more option and that's the third option on the FTP User Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211. One way we can do this is by opening a command prompt and typing iisftp /delete "Help and Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again and select the third option mentioned above (we'll name this new site Management):

    Click Next and enter an administrator account in the domain, the password for this account, and the full name of the domain:

    Click Next and confirm the password and complete the wizard in the usual way. You'll notice that you weren't prompted to specify a root directory for the new FTP site. This is because when you use this approach each user's FTP home directory is defined by two environment variables: %ftproot%, which defines the root directory and can be anywhere, including a UNC path to a network share on another machine such as \\test220\docs, and %ftpdir%, which can be set to %username% so that, for example, Bob Smith's FTP home directory would be \\test220\docs\bsmith, and this folder would have to be created beforehand for him. You could set these environment variables using a logon script and assign the script using Group Policy, but that's beyond the scope of this present article.

    Summary

    In this article I've explained how to create and configure FTP sites in various ways on IIS 6. With the