Mastering IIS FTP - Part 1 - Redirecting Users
Introduction
When choosing software to manage the server side of FTP, people often pass over
Microsoft's FTP program because they think it's too simple or that it doesn't do
what they want. I'm going to
attempt to reveal some of the hidden but powerful features that exist with
Microsoft's FTP program. Understanding just a couple basic concepts and
putting those concepts to good use will open up a new world of possibility.
I'm not trying to convert the many people who are using another FTP program, or to
say that Microsoft's is better. I don't work for Microsoft and I'm not being paid to
endorse their product. But for those that aren't happy with their current solution,
want to utilize Microsoft FTP better or are diving into this fresh, read on.
I'm assuming that you are somewhat familiar with using Microsoft IIS / FTP. The 10-second
description for those coming in brand new is: for those running a version of
Windows that includes IIS (Internet Information Services), you already have Microsoft
FTP available to you. This is included in Windows NT/2000/2003/XP. Except for Windows
NT, use the IIS snap-in found in Start -> Administrative Tools -> Internet Information
Services. If you don't have that installed, it can be installed from Add/Remove Programs
in the control panel. For some people using Windows XP you won't see Administrative Tools
off your Start Menu. You can still find them in your control panel. For those wondering
what FTP means, you've probably stumbled across the wrong article.
Let's get started
Rule #1: If (virdir name = user name) Then (path of virdir takes effect)
Now, what does that mean? Microsoft FTP, which I'll call MS FTP after this, doesn't have an
interface like most of us would expect, where you can add a user and point to a particular
folder. Instead, it has a strange way of handling this. If the Virtual Directory name is
exactly the same as a Windows user name, then the Virtual Directory will "catch" the user rather
than the root FTP account. Of course, if you have lots of IP addresses, you can assign one IP address per user, set up
multiple sites and then rely on the NTFS permissions to grant or deny access to particular sites.
(Note: Windows XP only allows 1 FTP site.) But, even if you do this, there may come a time when
you want to use the same IP address for multiple users who will be destined for different locations.
For those trying to run a web server with multiple sites and one IP address, you'll benefit the most
from this rule.
Let me start with an example:
Let's say you have this directory structure:
D:\domains\site1.com
D:\domains\site2.com
D:\domains\site2.com\graphics
And you have 3 users.
- Mike needs access to the root of site1.com
- Sue needs access to the root of site2.com
- Joe needs access to the graphics folder of site2.com
I'll repeat myself because I feel this is important. The trick with MS FTP is that if the Virtual
Directory name is the same as a Windows Username, the user will be "caught" by the Virtual Directory
and directed to the folder specified in the Virtual Directory.
Example in MS-FTP
Behind the scenes, the "Mike" Virtual Directory is pointing to D:\domains\site1.com, Sue is pointing
to D:\domains\site2.com and Joe is pointing to D:\domains\site2.com\graphics.
- If you logged in as Mike, then the Mike virdir would "catch" it and you would be dropped into the D:\domains\site1.com folder.
- Same with Joe or Sue. They would be caught by their corresponding Virtual Directories.
Now, let's say you had another user called Jane. If you logged in as Jane then the settings on the
"Default FTP Site" will handle her because there isn't a Virtual Directory to "catch" her and direct
her elsewhere.
Rule #2: The username used to log in needs List permissions to the root FTP site folder
Even if the Virtual Directory is pointing to a different location, the user that is logging in always
needs List permissions to the folder specified in "Default FTP Site". Yes, it seems strange, but
even in IIS6, this is still the case. So, each user needs read/write permissions on the folder their Virtual Directory points to: D:\domains\site1.com needs read/write for Mike,
D:\domains\site2.com needs read/write for Sue, and D:\domains\site2.com\graphics needs read/write for Joe.
This is the obvious part.
The non-obvious consideration is that if the path of "Default FTP Site" is D:\domains, then that folder needs
"List" permissions for all 3 users. Otherwise they won't be able to log in at all.
If the path of the "Default FTP Site" is D:\domains then you have a fairly large security issue with this
setup. If you log in as Mike, for example, you'll have the option to move up a folder (..) (well, most FTP
programs will give you that option). If you do, you'll be dropped into the root folder of the
"Default FTP Site" (D:\domains). As I just mentioned, you are forced to give List permissions to all users, which means
that every user can view the names of all the sites. If you ever slip up and give too many permissions at the NTFS level, your users can potentially access other people's sites.
Fortunately there is an easy solution. Just consider your Master FTP Site root a dummy location that
isn't meant to be used for anything practical. Point it to D:\ftproot\dummyfolder or something like
that. (I call mine 'deadend'.) Give List permissions to the Everyone group on that folder and make
sure it's completely empty. Now you've solved the security issue. If Mike connects with his FTP
program and moves up a folder or does a chgdir to '\', he will be dropped into D:\ftproot\dummyfolder,
which is completely empty. You'll never have to worry about users gaining access to D:\domains,
which is a folder you want to keep your users out of. And, in all this, don't forget that every user who will be logging into your FTP server needs
to have a Virtual Directory assigned, or else they will immediately be placed in the dummy folder location.
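To make Rules #1 and #2 concrete, here is an added Python model of them (my own illustration, not code from IIS or from this article). The virtual directories, the two candidate roots and the ACL table are constructed stand-ins that mirror the Mike/Sue/Joe example; the functions resolve where a login lands, refuse logins that lack List on the root, and list which other users' site names become visible when the root is D:\domains versus the empty 'deadend' root.

```python
from pathlib import PureWindowsPath

# Constructed config (not from the page): "Default FTP Site" root candidates
# and name -> path for each virtual directory, as in the article's example.
WEAK_ROOT = r"D:\domains"          # the setup the article warns about
SAFE_ROOT = r"D:\ftproot\deadend"  # the empty "dead end" root it recommends
VIRDIRS = {
    "Mike": r"D:\domains\site1.com",
    "Sue":  r"D:\domains\site2.com",
    "Joe":  r"D:\domains\site2.com\graphics",
}
# Constructed stand-in for NTFS ACLs: folder -> {principal: set of rights}.
ACL = {
    r"D:\domains":                    {"Everyone": {"list"}},
    r"D:\domains\site1.com":          {"Mike": {"list", "read", "write"}},
    r"D:\domains\site2.com":          {"Sue":  {"list", "read", "write"}},
    r"D:\domains\site2.com\graphics": {"Joe":  {"list", "read", "write"}},
    r"D:\ftproot\deadend":            {"Everyone": {"list"}},
}

def has_right(folder, user, right):
    """True if the user (directly or via Everyone) holds the right on the folder."""
    entries = ACL.get(folder, {})
    return right in entries.get(user, set()) or right in entries.get("Everyone", set())

def landing_folder(user, root):
    """Rule 2 then Rule 1: login needs List on the site root (else None);
    a virdir named after the user catches the session, otherwise root is used."""
    if not has_right(root, user, "list"):
        return None
    return VIRDIRS.get(user, root)

def exposed_sites(user, root):
    """Other users' site names visible after 'cd ..' / 'cd /' into the root:
    every top-level folder of root that holds a virdir, minus the user's own."""
    if landing_folder(user, root) is None:
        return []
    root_p = PureWindowsPath(root)
    top = {}
    for name, path in VIRDIRS.items():
        p = PureWindowsPath(path)
        if root_p in p.parents:
            top[name] = p.relative_to(root_p).parts[0]
    own = top.get(user)
    return sorted({t for n, t in top.items() if t != own})

if __name__ == "__main__":
    for user in ("Mike", "Sue", "Joe", "Jane"):
        for root in (WEAK_ROOT, SAFE_ROOT):
            print(user, root, landing_folder(user, root), exposed_sites(user, root))
```

Jane has no virtual directory, so she lands in whatever the root is; with the weak root she sees every site name, with the dead-end root she sees nothing.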
Summary
I've covered managing multiple users with a single IP address, required permissions for setting up
FTP and given a tip on keeping users out of your confidential folders. There is more to come.
In the following 3 weeks I plan to cover: IIS6 User Isolation; Managing Virtual Directories
(why can't I see the virtual directory that I created in my FTP program); and how to have a
logged in user only see and access some, but not all, of the subfolders in a folder.