MS Windows IIS FTP-Part 1- Managing Users

Introduction

To be specific FTP is File Transfer Protocol and is around for over 30 years. FTP is the simplest and most secure way to exchange files over the Internet. Whether you know it or not, you most likely use FTP all the time. When downloading a file from the Internet you're actually transferring the file to your computer from another computer over the Internet. This is why the T (transfer) is in FTP. You may not know where the computer is that the file is coming from but you most likely know it's URL or Internet address.

An FTP address looks a lot like an HTTP, or Website, address except it uses the prefix ftp:// instead of http://.

Example Website address : http://www.ftpplanet.com/ Example FTP site address : ftp://ftp.ftpplanet.com/

Part 1: Managing multiple users with one IP Address

Assuming that we are somewhat familiar with using Microsoft IIS / FTP, a quick description for those coming in brand new is worth : For those running a version of Windows that includes IIS (Internet Information Services), you already have Microsoft FTP available to you. This is included in Windows NT/2000/2003/XP. Except for Windows NT, use the IIS snap-in found in Start -> Administrative Tools -> Internet Information Services. If you don't have that installed, it can be installed from Add/Remove Programs in the control panel. For some people using Windows XP you won't see Administrative Tools off your Start Menu. You can still find them in your control panel.

Let's start :

First Rule: If virtual directory has name as user then this is home directory

Simply this means that if user logs in as ‘user’ and there is a virtual directory named ‘user’ then this user will be placed in this virtual directory. Microsoft FTP, doesn't have an interface like many other full fledged servers, where you can add a user and point to a particular folder. Instead, it has a strange way of handling this. If the Virtual Directory name is exactly the John as a Windows Users, then the Virtual Directory will "catch" the user rather than the root FTP account.

Of course, if you have lots of IP addresses, you can assign one IP address per user and setup multiple sites and then rely on the NTFS permissions to grant or deny access to particular sites. (Note: Windows XP only allows 1 FTP site.) But, even if you do this, there may come a time when you want to use the same IP address for multiple users who will be destined for different locations. For those trying to run a web server with multiple sites and one IP address, you'll benefit the most from this rule. Let me start with an example:

Let's say you have this directory structure:

D:\myftp\site1.com D:\myftp\site2.com D:\myftp\site2.com\graphics

And you have 3 users.

  • Sam needs access to the root of site1.com
  • John needs access to the root of site2.com
  • Jack needs access to the graphics folder of site2.com

Let’s repeat it, because this is important. The trick with MS FTP is that if the Virtual Directory name is the John as a Windows Username, the user will be "caught" by the Virtual Directory and directed to the folder specified in the Virtual Directory.


Behind the scenes, the "Sam” Virtual Directory is pointing to D:\myftp\site1.com, John is pointing to D:\myftp\site2.com and Jack is pointing to D:\myftp\site2.com\graphics.

  • If you logged in as Sam, then the Sam virtualDir would "catch" it and you would be dropped into the D:\myftp\site1.com folder.
  • Same with Jack or John. They would be caught by their corresponding Virtual Directories.

Now, let's say you had another user called Jane. If you logged in as Jane then the settings on the "Default FTP Site" will handle her because there isn't a Virtual Directory to "catch" her and direct her elsewhere.

Second Rule: The ‘user’ needs List permissions to the root FTP site folder

Even if the Virtual Directory is pointing to a different location, the user that is logging in always needs List permissions to the folder specified in "Default FTP Site". It might seem strange, but even in IIS6, this is still the case.

So, each user must have read/write permissions, D:\myftp\site1.com needs read/write for Sam. D:\myftp\site2.com needs read/write for John. D:\myftp\site2.com\graphics needs read\write for Jack. This is the obvious part.

The none obvious consideration is if the path of "Default FTP Site" was D:\myftp then that folder needs "List" permissions for all 3 users. Otherwise they won't be able to log in at all.

Tip 1: Set the root FTP account to a dummy location if assigning multiple users

If the path of the "Default FTP Site" is D:\myftp then you have a fairly large security issue with this setup. If you log in as Sam for example, you'll have the option to move up a folder (..) (well, most FTP programs will give you that option). If you do, you'll be dropped into the folder of the "Default FTP Site” root. (d:\myftp). As I just mentioned, you are forced to give List permissions for all users which means that every user can view the names of all the sites. If you ever slip up and give too many permissions at the NTFS level your users can potentially access other people's sites.

Fortunately there is an easy solution. Just consider your Master FTP Site root a dummy location that isn't meant to be used for anything practical. Point it to d:\ftproot\dummyfolder or something like that. (I call mine 'endpoint'). Give List permissions to the Everyone group on that folder and make sure it's completely empty. Now, you've solved the security issue. If Sam connects with their FTP program and moves up a folder or does a chgdir to '\' he will dropped into d:\ftproot\dummyfolder which is completely empty. You'll never have to worry about users gaining access to d:\myftp which is a folder that you want to keep your users out of.

And, in all this, don't forget that every user that will be logging into your FTP account needs to have a Virtual Directory assigned or else they will immediately be placed into the dummyfolder location.

We've covered managing multiple users with a single IP address, required permissions for setting up FTP and given a tip on keeping users out of your confidential folders.

Did this tutorial help a little? How about buy me a cup of coffee?

Buy me a coffee at ko-fi.com

Please feel free to use the comments form below if you have any questions or need more explanation on anything. I recommend thoroughy testing on a production-like test system first before moving to production.