Re: FTP control

From: Stephen Souza (
Date: 09/13/02

From: Stephen Souza <>
Date: 13 Sep 2002 15:26:24 -0500

"Dave Pechter" <> wrote in

> I would like to use NTFS security settings to control who
> has write access via FTP. The goal is that anonymous acess
> would be read-only, and a "superuser" would retain full
> rights.

I would suggest getting a third party FTP server, there are several
freeware and shareware ones that work very well. I use Bulltproof
FTP server and I am very happy with it. If you want to use MS FTP
server try this:

From: "chriske911" <>
Subject: Re: Win2k FTP service
Date: Tue, 27 Aug 2002 20:54:26 +0200
this is the article I used myself to create a group ("clients" for
example) with all the accounts who have to ftp over the internet,
if you set quota and these permissions for that group you can
create users who are only a member off this group,doing so they can
not log on locally or access anything else but their home directory
use simple passwords who are not used in the rest of your network

This article lists the proper Microsoft Windows NT File System
(NTFS) access permissions that are needed for an Internet
Information Server (IIS) Web site, an Internet Information Services
(IIS) Web site, or a File Transfer Protocol (FTP) site to work.

To properly access and manage IIS, the local System account and
local Administrators group need FULL CONTROL permissions to all
drives on the computer. These permissions can be added from a
command prompt. Type the following commands on each NTFS drive:
cd \ cacls * /T /E /C /P System:F Administrators:F
NOTE: Modifying permissions may take several minutes per drive,
depending on the amount of data on that drive. If the drive has no
files, you receive the following error message:

The System cannot find the file specified.
To configure the minimum required NTFS permissions for users who
access IIS, grant the following directory permissions to the
anonymous Internet user account (by default, this is the
IUSR_computer_name account) and any other
accounts or groups that need access to the Web server:

   Directory Permissions
   Content READ (RX)

   Winnt READ (RX)

   Winnt\System32 READ (RX)

   Winnt\System32\Inetsrv READ (RX)

   Program Files\Common Files READ (RX)
   (and all subdirectories)

NOTE: In IIS 3.0, Active Server Pages is an add-on product and is
located in its own folder. For this reason, IIS 3.0 installations
that are running ASP require READ (RX) permissions set on the Winnt
\System32\Inetsrv\Asp folder.

Content is defined as anything (such as Web pages, images, and
files) that someone can use the Web browser to access. By default,
the content folder for the World Wide Web Publishing Service is
\InetPub\Wwwroot, and the content folder for the FTP Service is

IIS requires both appropriate NTFS permissions and the appropriate
user rights to access the Web server. The following table lists the
authentication type and the corresponding user right that is
required to use the specified authentication type:

    Authentication Type Required User Right
    ------------------- -------------------
    Anonymous Log on locally (Password
    Anonymous Access this computer from the
(Password Synchronization enabled)
    Basic (Clear Text) Log on locally
    NT Challenge Response Access this computer from the
    Digest (IIS 5.0 only) Access this computer from the
    Integrated (IIS 5.0 only) Access this computer from the

For additional information about how to determine which
authentication types can be used by which browser and in which
environments, click the article number below to view the article in
the Microsoft Knowledge Base:

  Q229694 How to Use the IIS Security 'What If' Tool
For more information, see the "Security" topic in the Windows NT
4.0 Option Pack documentation. To view this topic, locate Microsoft
Internet Information Server, locate Server Administration, and then
locate Security.

For more information, see the "Security" topic in the Internet
Information Services 5.0 documentation. To view this topic, locate
Administration, locate Server Administration, and then locate

For additional information about troubleshooting permission issues
with IIS, click the article numbers below to view the articles in
the Microsoft Knowledge Base:

  Q271071 Minimum NTFS Permissions Required for IIS 5.0 to Work
  Q313075 How to Configure Web Server Permissions for Web Content
in IIS
  Q120929 How the System Account is Used in Windows
  Q148437 Default NTFS Permissions in Windows NT
  Q155253 Improper NTFS Permissions May Result in IIS Failure
  Q265161 FP: Errors Appear When You Attempt to Connect to Database
Results Page

For additional information about how to connect to a Microsoft
Access .mdb file from Active Server Pages (ASP), click the article
number below to view the article in the Microsoft Knowledge Base:
  Q251254 PRB: 'Disk or Network Error' or 'Unspecified Error'
Returned When Using Jet

Stephen Souza
remove #Niner from e-mail address

Relevant Pages

  • Re: Another type of access needed to save as and .htm in IIS 6?
    ... save a word doc AS a web page and updated the page. ... I had to reinstate their NTFS permissions. ... Didn't used to in IIS 5.0, ...
  • Re: IIS 5 looses authenticated user
    ... We are using NTFS Permissions. ... > are you using IIS authentication? ... > then authentication if any, then web permission, and finally ntfs ...
  • Re: Limit some users?
    ... authentication (they do not like running arbitrary binaries on their servers ... I suggest you only allow IIS to serve content from a NTFS partition. ... One way to do this would be to apply NTFS permissions on the web content. ...
  • Re: Limit some users?
    ... First step would be to use NTFS instead of FAT32. ... Here is more information on how to secure your IIS server: ... >:: course you would have to remove permissions such as Authenticated Users ...
  • Re: canNOT write to FTP (IIS 6)
    ... you guys are saying that this is now set up as an FTP ... else is controlled via NTFS permissions, ... permissions to the folders yet can write a file to them. ...