Recipe 12.26. Configuring FTP User Isolation

Problem

You want to create an FTP site that gives each user her own virtual root directory.

Solution

Using a graphical user interface

First, you need to create the appropriate folder structure using Windows Explorer:

  1. Create or choose a folder as the home directory for your new FTP site (e.g., C:\FtpHome).

  2. Create a subfolder beneath this home folder and give the subfolder a name identical to the NetBIOS name of your domain (e.g., MTIT for mtit.com).

  3. Now create sub-subfolders for each domain user and give each sub-subfolder a name identical to the Pre-Windows 2000 logon name of each user (e.g., bsmith for bsmith@mtit.com).

  4. Your folder tree should look something like this:

    \FtpHome
    \FtpHome\MTIT
    \FtpHome\MTIT\bsmith
    \FtpHome\MTIT\mjones

Now create a new FTP site that uses FTP User Isolation to map each user's account to their own FTP virtual root:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the server node in the console tree.

  3. Right-click on the FTP Sites node and select New → FTP Site, then click Next.

  4. Type a descriptive name for your site and click Next.

  5. Assign an IP address to your site and click Next.

  6. Select the option Isolate users and click Next.

  7. Specify the path to the home directory for your site and click Next.

  8. Give users both Read and Write access permissions, click Next, then Finish.

Using a command-line interface

First, create a folder structure as described above. Then use the following command to create a new FTP site named My FTP Site with root directory C:\FtpHome and IP address 172.16.12.50, and implement FTP user isolation:

> iisftp /create C:\FtpHome "My FTP Site" /i 172.16.12.50 /isolation Local

Using VBScript

    ' This code creates an FTP site.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ServerName>"   ' computer to connect to
    strSiteName = "<SiteName>"     ' FTP site description
    strRootDir = "<RootDirectory>" ' root directory for the FTP site
    strPort = "21"                 ' port for the FTP site
    ' The following parameters are optional
    ' strIP = "<IPAddress>"        ' IP address used for the site
    ' strHostHeader = "<HostName>" ' host header name for the site
    strSiteID = "<SiteID>"         ' site ID (default is to auto-generate)
    ' ------ END CONFIGURATION ---------
    set objIIS = GetObject("IIS://" & strComputer & "/msftpsvc")
    set objNewFtpServer = objIIS.Create("IIsFtpServer", strSiteID)
    objNewFtpServer.ServerComment = strSiteName
    objServerBindings = Array(0)
    objServerBindings(0) = strIP & ":" & strPort & ":" & strHostHeader
    objNewFtpServer.ServerBindings = objServerBindings

    objNewFtpServer.UserIsolationMode = 1  ' 0 = No isolation
                                           ' 1 = Isolation
                                           ' 2 = AD isolation
    objNewFtpServer.SetInfo

    ' Create the site's root virtual directory and point it at the home folder
    set objNewDir = objNewFtpServer.Create("IIsFtpVirtualDir", "ROOT")
    objNewDir.Path = strRootDir
    objNewDir.AccessRead = True
    objNewDir.SetInfo

    WScript.Echo "Successfully created ftp site " & objNewFtpServer.ServerComment

Discussion

IIS 6 supports three different isolation methods:


Do not isolate users

All users share the same FTP home directory (this is the default with earlier versions of IIS).


Isolate users

Each user has his own private FTP directory that appears to him to be the root directory of the FTP site. Users are authenticated either against Active Directory (in a Windows 2000 or Windows Server 2003 domain environment) or against a local SAM database (in a workgroup).


Isolate users using Active Directory

Each user has her own private FTP directory that appears to her to be the root directory of the FTP site. Users are authenticated against a specified container within Active Directory (requires either a Windows Server 2003 domain or extending of the Windows 2000 AD schema).

The solution described in this recipe is for the Isolate users approach. For information on how to programmatically use the Isolate users using Active Directory approach, see MS KB 555205 (FTP User Isolation Using Active Directory Using Visual C#).

The isolation level of an FTP site must be chosen when you create the site. You can't convert an ordinary FTP site into an isolated one or vice versa, at least according to Microsoft. However, if you create the necessary folder structure described in the first three steps above, you can then convert an ordinary FTP site into an isolated one by changing the UserIsolationMode metabase property for the site from 0 to 1.
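
One way to script that conversion with a pre-flight check, as an added example that is not from the book: it confirms that every user's folder from the first three steps exists before changing UserIsolationMode from 0 to 1. The site ID placeholder, the user list, and running the script on the FTP server itself (so the folder checks see the local disk) are assumptions.

```vbscript
Option Explicit
' ------ SCRIPT CONFIGURATION (placeholder values, adjust before use) ------
Const strComputer = "localhost"   ' run on the FTP server itself
Const strSiteID   = "<SiteID>"    ' numeric ID of the existing FTP site
Const strDomain   = "MTIT"        ' NetBIOS domain name, as in the recipe
Dim arrUsers : arrUsers = Array("bsmith", "mjones") ' pre-Windows 2000 logon names
' ------ END CONFIGURATION ---------

Dim objFSO, objSite, objRoot, strHome, strUser, strPath, intMissing
Set objFSO  = CreateObject("Scripting.FileSystemObject")
Set objSite = GetObject("IIS://" & strComputer & "/MSFTPSVC/" & strSiteID)
Set objRoot = GetObject("IIS://" & strComputer & "/MSFTPSVC/" & strSiteID & "/ROOT")

' Only convert a site that is currently not isolated (mode 0).
If objSite.UserIsolationMode <> 0 Then
    WScript.Echo "Site is already isolated (UserIsolationMode = " & _
                 objSite.UserIsolationMode & "); nothing to do."
    WScript.Quit 0
End If

' The site's home directory is the Path of its ROOT virtual directory.
' Expected layout: <home>\<domain>\<user>
strHome = objFSO.BuildPath(objRoot.Path, strDomain)
intMissing = 0
For Each strUser In arrUsers
    strPath = objFSO.BuildPath(strHome, strUser)
    If objFSO.FolderExists(strPath) Then
        WScript.Echo "OK       " & strPath
    Else
        WScript.Echo "MISSING  " & strPath
        intMissing = intMissing + 1
    End If
Next

' Refuse to switch modes while any user would be left without a folder.
If intMissing > 0 Then
    WScript.Echo intMissing & " folder(s) missing; UserIsolationMode left at 0."
    WScript.Quit 1
End If

objSite.UserIsolationMode = 1   ' 1 = Isolate users
objSite.SetInfo
WScript.Echo "UserIsolationMode set to 1 for site " & objSite.ServerComment
```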


See Also

MS KB 555018 (How To Set Up Isolated Ftp Site)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
