Mastering IIS FTP - Part 3 - The Doorway Folder Trick
In the previous two parts (Part 1 and Part 2) we learned how to leverage virtual directories and physical folders to offer a lot of control from IIS FTP. Now, what about when we want one site administrator to have access to more than one, but not all, of the directories in a site? How is this accomplished from within IIS FTP?
Objective: To create a customized login with access to some of the folders in a site.
Note: For the purpose of Part 3 and Part 4, I've decided to standardize on the word
"Folder" when referring to something at the disk level, and "Directory" when referring to something within IIS.
Let's view this visually so that it's easier to see where we are heading. Below is a picture of a fresh server build on Windows Server 2003 with the Default FTP Site.
I've changed the FTP root path to d:\domains which points to 7 sites that we'll pretend that I manage. You can see the site names below.
Now, in this illustration we have two different site administrators, Scott and Matt. Scott needs access to all 7 sites but Matt should only have access to microsoft.com and msn.com.
It is possible to do this using NTFS permissions at the disk level. We simply give the Scott user read and write to all the folders and Matt read and write to microsoft.com and msn.com. But, there are some disadvantages and security concerns using NTFS permissions alone.
What if an administrator on the server changes the permissions on one of the directories by mistake, not realizing that they have given Matt access to a site he isn't supposed to have access to?
Or, even more subtle, what if we create an 8th site that Matt isn't supposed to have permissions for? When the 8th site is created, it will inherit its permissions from d:\domains which needs to at least have "List" permissions for Matt so that he can log in. Now Matt has, at the very least, the ability to view all files and directories in the new directory, unless the administrator remembers to tighten the permissions every time. (Yes, for those brave souls out there willing to work with and maintain more unique settings, you can set NTFS permissions so newly created sub-folders don't inherit all permissions, but if you have more than one administrator on that server, it's too easy to mess up at some point in the future.) Maybe you trust yourself enough to always remember but I certainly don't want to leave this up to me and the other administrators on this server to always do this correctly.
Another disadvantage to doing it that way is that we might not want Matt to see all the folder names in the site, or maybe we just want things to be easy for Matt so he doesn't have to worry about a large list of sites or folders that he doesn't have access to anyway.
So, with that in mind, let's create an FTP account for Matt. We want one that only displays microsoft.com and msn.com in his FTP program.
It's actually quite simple really. The trick is to create what I'll call a
doorway folder. (Note: If you haven't read Part 1 and Part 2,
I encourage you to do that now because we'll utilize many rules and tips from there).
A doorway folder is simply a folder that will serve as the first step or the doorway for
a particular user. The trick is to create a set of "physical" folders and "virtual" directories
that will work together to display to Matt what we want him to see.
Create the users
Depending on your situation, you may have existing Windows users set up for Scott and Matt already.
But, in case this is a new account for a new user, be sure to create a user called Matt and
another called Scott. These can be Local users from within Local Users and Groups or Active
Directory users, depending on your environment.
Create the "physical" folders
Next we'll create a folder that holds the "physical", but empty, sub-folders matching the real
ones we want the user to have access to. This is simply so that the FTP client program displays the
two folders. Let's call the root folder FTProot and the subfolder Matt, although either of these folders
could be named anything.
Now, inside the Matt folder, create two empty folders named microsoft.com and msn.com. (See Part 2 if
you're not sure why.) The security permissions on the folders need to give Matt at least List permissions.
Don't forget that Matt will need read and write permissions to d:\domains\microsoft.com and d:\domains\msn.com and he will need list permissions to d:\ftproot\dummyfolder and list permissions to d:\ftproot\matt.
Create the "virtual" directories
Now we need to create the virtual directories that handle the redirecting.
First, before we forget, if you remember from Part 1, I recommend pointing the
root FTP directory to a dummy folder. So, let's create a folder in d:\ftproot
called dummyfolder. Point the FTP root folder to this.
Next, to handle the
Scott user, create a virtual directory called Scott that points to d:\domains.
Now, if Matt moves up a folder to the root folder, he won't have access to d:\domains.
Instead he will be placed in d:\ftproot\dummyfolder which is a dead end. See Part 1 for more on this.
Back to the virtual directories . . .
In IIS, create a virtual directory called Matt.
This should point to d:\ftproot\matt.
Off the Matt virtual directory, create 2 more virtual directories:
microsoft.com should point to d:\domains\microsoft.com
msn.com should point to d:\domains\msn.com
Spelling on these virtual directory names needs to be identical to the folders created in the second step above.
Don't forget to check read and write when creating the virtual directories if you want Matt to be able to read and write to the FTP account.
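One way to check the NTFS side of this layout after it is built, and again whenever a new site folder is added under d:\domains (an added example, not part of the original article). It assumes PowerShell 3.0 or later, an account whose user name is Matt, and it only looks at ACEs that name the account directly; group membership is not expanded.

```powershell
# Added audit example: paths and the allow-list come from the article,
# the account name and the report shape are assumptions.
$Account      = 'Matt'
$SitesRoot    = 'D:\domains'
$DoorwayRoot  = 'D:\ftproot\matt'
$AllowedSites = @('microsoft.com', 'msn.com')

function Get-AccountAce {
    param([string]$Path, [string]$Account)
    # Allow ACEs that name the account directly, e.g. SERVER\Matt or DOMAIN\Matt.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -split '\\')[-1] -eq $Account
    }
}

$findings = @()

# 1. Site folders outside the allow-list must carry no ACE for the account.
#    Inherited = True means the grant comes from the parent (the 8th-site case).
foreach ($dir in Get-ChildItem -LiteralPath $SitesRoot -Directory) {
    if ($AllowedSites -contains $dir.Name) { continue }
    foreach ($ace in Get-AccountAce -Path $dir.FullName -Account $Account) {
        $findings += [pscustomobject]@{
            Path      = $dir.FullName
            Issue     = 'Account has access to a site outside its allow-list'
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# 2. Each allowed site needs an identically named placeholder folder in the
#    doorway folder, otherwise the FTP client will not list it.
foreach ($site in $AllowedSites) {
    $placeholder = Join-Path $DoorwayRoot $site
    if (-not (Test-Path -LiteralPath $placeholder -PathType Container)) {
        $findings += [pscustomobject]@{
            Path      = $placeholder
            Issue     = 'Placeholder folder missing or misspelled'
            Rights    = $null
            Inherited = $null
        }
    }
}

$findings | Format-Table Path, Issue, Rights, Inherited -AutoSize
```

An empty result means neither check found a problem; it does not cover the virtual directory targets configured in IIS.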
That's it!! I told you it was easy. Let's test it now.
I'll use WS_FTP to log in as the Matt user. Here is what I see in the left column:
Likewise, when logging in as Scott, we see what he is supposed to see:
In this part we didn't bring anything new to the table but we've shown that yet again MS FTP has the ability to do more than what first meets the eye.