Using FTP User Isolation

I explained the new FTP User Isolation feature of IIS 6 earlier in this chapter, so let’s try it out here and see how it works. Create another new FTP site on your server. This time, when you get to the FTP User Isolation screen of the wizard, pause and examine the options presented (see Figure 9-9):

Figure 9-9: Enabling FTP User Isolation for a new FTP site

  • Do Not Isolate Users If you choose this option, you will create a traditional FTP site where all users have the same level of access to the root directory and all subdirectories under it. If you create individual subdirectories for each user under root (/), then users will be able to snoop around and examine the contents of each other’s directories. This option is fine if the site is a public one that is mainly used for downloading files, but it certainly won’t work in an ISP environment when users are uploading content to their websites using FTP!

  • Isolate Users This option means that users are first authenticated against local or domain accounts (depending on whether your FTP server is part of a workgroup or a domain) and then granted access to their home directories once successfully authenticated. Home directories for users must be directly beneath a folder called LocalUser that itself is directly beneath the root directory for the FTP site, and the name of each user’s home directory must match their associated username. Once this directory structure is in place, IIS enforces FTP user isolation, and each user will see their subdirectory as the root directory of the FTP server, with the result that they won’t be able to access each other’s home directories.

  • Isolate Users Using Active Directory This is essentially the same as the previous option except that domain accounts are authenticated against a container in Active Directory rather than Active Directory as a whole. This improves the performance of FTP User Isolation considerably when large numbers of home directories have been created for your FTP site.

    Tip 

    If you enable FTP User Isolation for an FTP site, you can allow all users to access a public directory in the site by creating a virtual directory for this purpose.

Let’s test this feature in a simple workgroup setting. First, create the following local user accounts on a stand-alone IIS machine using Local Users And Groups in Computer Management:

  • Bob Smith (username bsmith)

  • Ted Jones (username tjones)

  • Alice B. Toklas (username atoklas)

Now create the directory structure on your IIS machine as shown in Table 9-2.

Table 9-2: Directory Structure for Implementing FTP User Isolation

    Directory                        Description
    C:\ftpstuff                      Home directory for the FTP site on which FTP User Isolation is enabled.
    C:\ftpstuff\LocalUser            This directory must be created to contain the user directories.
    C:\ftpstuff\LocalUser\bsmith     Home directory for user Bob Smith; contains the file bob.txt.
    C:\ftpstuff\LocalUser\tjones     Home directory for user Ted Jones; contains the file ted.txt.
    C:\ftpstuff\LocalUser\atoklas    Home directory for user Alice B. Toklas; contains the file alice.txt.
    C:\ftpstuff\LocalUser\Public     Home directory for anonymous users; contains the file pub.txt.

In addition to the physical directories outlined in Table 9-2, create a virtual directory for your FTP site, giving it the alias /shared and mapping it to the folder C:\shared on the server (the folder contains a file named shared.txt).

If FTP User Isolation works, then

  • Bob should be able to access his home directory and /shared.

  • Ted should be able to access his home directory and /shared.

  • Alice should be able to access her home directory and /shared.

  • Anonymous users should be able to access the Public directory and /shared.
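To make the expectations above concrete, here is a small Python model of how an isolated session maps a user's virtual path onto the physical layout of Table 9-2. It is an added illustration, not IIS code; it assumes the /shared alias maps to C:\shared as described above, and it also models the non-isolated case from the "Do Not Isolate Users" option for contrast.

```python
import ntpath
import posixpath

# Constructed layout mirroring Table 9-2 (assumed values, not read from a live server).
FTP_ROOT = r"C:\ftpstuff"
VIRTUAL_DIRS = {"shared": r"C:\shared"}  # alias -> physical folder


def isolated_home(user):
    """Physical home an isolated IIS 6 FTP site gives `user`.
    Local accounts live under LocalUser\\<username>; anonymous logons land in
    LocalUser\\Public."""
    folder = "Public" if user.lower() == "anonymous" else user
    return ntpath.join(FTP_ROOT, "LocalUser", folder)


def resolve(user, cwd, target, isolated=True):
    """Model how the server answers `cd target` from virtual directory `cwd`.
    Returns (new_virtual_cwd, physical_path).  With isolation on, the virtual
    root "/" is the user's own home, so ".." above it simply stays at "/";
    with isolation off, "/" is the site root and ".." can reach other folders."""
    requested = target if target.startswith("/") else posixpath.join(cwd, target)
    parts = []
    for piece in requested.split("/"):
        if piece in ("", "."):
            continue
        if piece == "..":
            if parts:  # never pop above the root the session was given
                parts.pop()
            continue
        parts.append(piece)
    virtual = "/" + "/".join(parts)
    # A virtual directory alias at the top level maps onto its own folder.
    if parts and parts[0].lower() in VIRTUAL_DIRS:
        physical = ntpath.join(VIRTUAL_DIRS[parts[0].lower()], *parts[1:])
    else:
        base = isolated_home(user) if isolated else FTP_ROOT
        physical = ntpath.join(base, *parts)
    return virtual, physical


if __name__ == "__main__":
    # Bob's "cd .." from the session log: still his own home directory.
    print(resolve("bsmith", "/", ".."))
    print(resolve("bsmith", "/", "shared"))
    print(resolve("anonymous", "/", "."))
```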

I tested this in the following FTP session:

    C:\>ftp 172.16.11.210
    Connected to 172.16.11.210.
    220 Microsoft FTP Service
    User (172.16.11.210:(none)): bsmith
    331 Password required for bsmith.
    Password:
    230 User bsmith logged in.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    bob.txt
    226 Transfer complete.
    ftp: 9 bytes received in 0.00Seconds 9000.00Kbytes/sec.

Bob is obviously in his own home directory, so let’s see if he can move upward to the LocalUser directory to view the contents of other users’ home directories:

    ftp> cd ..
    250 CWD command successful.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    bob.txt
    226 Transfer complete.
    ftp: 9 bytes received in 0.00Seconds 9000.00Kbytes/sec.

It didn’t work. Bob is still in his home directory. Clearly, users’ home directories are isolated from each other on this FTP site. Bob should be able to change to the /shared virtual directory. Let’s see if he can do so:

    ftp> cd shared
    250 CWD command successful.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    shared.txt
    226 Transfer complete.
    ftp: 12 bytes received in 0.00Seconds 12000.00Kbytes/sec.

That worked. Let’s break out of Bob’s FTP session and start another session, this time for an anonymous user:

    ftp> !
    Microsoft Windows [Version 5.2.3678]
    (C) Copyright 1985-2002 Microsoft Corp.

    C:\>ftp 172.16.11.210
    Connected to 172.16.11.210.
    220 Microsoft FTP Service
    User (172.16.11.210:(none)): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 Anonymous user logged in.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    pub.txt
    226 Transfer complete.
    ftp: 9 bytes received in 0.00Seconds 9000.00Kbytes/sec.

As expected, anonymous users find themselves in the Public directory as their home directory. Further testing shows that anonymous users are restricted to this Public directory, except they can also access the /shared virtual directory.

Pretty cool!




IIS 6 Administration
ISBN: 0072194855
Year: 2003
Pages: 131
Authors: Mitch Tulloch
