Re: IIS Server w/FTP
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/09/02
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Mon, 9 Dec 2002 17:25:52 -0500
This should absolutely be possible, using a separate Windows account for
each user / server, NTFS file permissions set on each home directory [e.g.
set by using Windows explorer or the CACLS or XCACLS command], and the home
directory setting for each user in the IIS MMC.
See the following URLs for more information on this and just about any other
IIS question you may have:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q201771 and
http://www.iisfaq.com/default.asp?View=A127&P=14d
www.iisfaq.com
Note that according to this article, "When anonymous users view the FTP
site, they can only view the contents of the root folder. Although they will
see the names of the users' subfolders, however, they cannot examine their
contents." However, AFAIK it is possible to restrict access to view the
root folder by setting the default home directory to the user's subdirectory
and using the Advanced button in the NTFS permissions on the root folder to
remove or deny all permissions for the user to the root except for Traverse
Folder. Be sure to remove the checkmark so that the permissions set at the
root do not filter down to subdirectories, and be sure to leave enough
permissions so that the FTP server administrators are still able to access
the files. As you may know, the Deny permissions take precedence over Allow
permissions, so do not Deny the Everyone group or any group that contains
the server Administrators, or else the administrators will be denied access.
Do note that passwords for each user accessing the FTP server will be passed
in plain text under this method, and can be sniffed by someone running a
sniffer, whether or not there are switches on the network, thus possibly
permitting access to other folders. There are a few ways to get around
this, such as switching from IIS FTP to a third party FTP server AND CLIENT
that supports SSL / TLS on every FTP client workstation, or purchasing a third
party add-on, or using free OpenSSH or a commercial SSH client and server
solution instead of FTP for encrypted file copies. You can also restrict
FTP server access by IP address. Your security department can probably
recommend their preferred solution. More information on a few such
encryption options is available at:
http://securityadmin.info/faq.htm#11.22 or
http://www.networksimplicity.com or
http://www.wftpd.com
I agree with the security team that this is probably much better for
everyone involved.
Any offer of employment from the VA DIT is appreciated.
-- kind regards,
Karl Levinson, MCSE, CISSP, CCSA, CCNA (MVP)
Burke, VA, USA

"Richard" <rolsen@dit.state.va.us> wrote in message
news:080a01c29fc1$9eace270$8df82ecf@TK2MSFTNGXA02...
> We have a W2k server with FrontPage2002 extensions
> supporting approximately 80 IIS-5 web sites. Each site has
> a corresponding FTP site. Can we reduce the 80 FTP sites
> to 1 using virtual directories such that an authorized
> user (there is no anonymous FTP) can log in to the single
> FTP site and be taken directly to the file directory that
> supports their web site? And, importantly, the authorized
> user should not be able to see any directories other than
> their own. The need to reduce the 80 ports to 1 is a firm
> requirement from the security team. Any assistance is
> appreciated. Richard rolsen@dit.state.va.us.
>
>
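
The NTFS layout described in the reply above (traverse-only rights on the shared root that do not propagate, administrators kept in control, per-user rights on each home folder), as an added example that is not part of the original message. It uses PowerShell and the .NET ACL classes rather than the CACLS / XCACLS tools named in the message, and the root path, account names and folder naming are assumptions.

```powershell
# Added illustration, not from the original message. Constructed values:
# $FtpRoot, the account names (which must already exist) and the convention
# that each home folder is named after its account.
$FtpRoot  = 'D:\ftproot'
$FtpUsers = 'SERVER01\site01', 'SERVER01\site02'

function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    # Allow ACEs only: access is withheld by omission, never by Deny,
    # so no Deny entry can lock the administrators out.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit,
        ([System.Security.AccessControl.PropagationFlags]::None),
        ([System.Security.AccessControl.AccessControlType]::Allow)
}

# Root: cut off from its parent's ACL; administrators and SYSTEM inherit downwards.
New-Item -ItemType Directory -Path $FtpRoot -Force | Out-Null
$rootAcl = New-Object System.Security.AccessControl.DirectorySecurity
$rootAcl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rootAcl.AddAccessRule((New-AllowRule $id 'FullControl' 'ContainerInherit, ObjectInherit'))
}
foreach ($user in $FtpUsers) {
    # Traverse on the root only: InheritanceFlags 'None' keeps this ACE off subfolders.
    $rootAcl.AddAccessRule((New-AllowRule $user 'Traverse' 'None'))
}
Set-Acl -Path $FtpRoot -AclObject $rootAcl

# Home folders: inherit the administrator ACEs from the root, plus one explicit user ACE.
foreach ($user in $FtpUsers) {
    $dir = Join-Path $FtpRoot ($user.Split('\')[-1])
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.AddAccessRule((New-AllowRule $user 'Modify' 'ContainerInherit, ObjectInherit'))
    Set-Acl -Path $dir -AclObject $acl
}

# Review: each account should appear with Traverse on the root and Modify on its own folder only.
@($FtpRoot) + (Get-ChildItem $FtpRoot -Directory).FullName | ForEach-Object {
    $path = $_
    (Get-Acl $path).Access | Select-Object @{n='Path';e={$path}},
        IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
} | Format-Table -AutoSize
```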