Managing FTP Sites

The four levels of IIS administration that apply to the WWW Publishing Service also apply to the second core service of IIS, the FTP Publishing Service. Because administering servers, sites, directories, and files is similar between the two services, this section is condensed to avoid repetition.

FTP Service Master Properties

In addition to the general server-level tasks of connecting to an IIS server to administer its services, backing up and restoring a server configuration, and throttling total bandwidth used by all IIS operations on the machine, IIS also lets you globally configure the master properties for all existing FTP sites on your server and for all new ones you might create in the future.

To configure the FTP service master properties for a particular server, simply select the node in the IIS console tree that represents the server, click the Action button on the toolbar, and choose Properties from the drop-down menu to open the Properties dialog box for that server. (See Figure 29-3 in the Server-Level Administration section earlier in this chapter. We'll continue to use server ws1 as an example.) From this dialog box, select FTP Service from the Master Properties section and click Edit to open the FTP Service Master Properties dialog box for server ws1 (Figure 29-17).

Figure 29-17. The FTP Service Master Properties dialog box for server ws1.

This Properties dialog box has six tabs used for configuring the default global settings for existing FTP sites. All new FTP sites you create on the machine inherit these settings. Note that some of the settings at this level are unavailable because they can't be applied to all FTP sites but only to specific FTP sites. For example, the IP Address field in the FTP Site tab can't be globally configured, as it is specific to each FTP site.

Of the six tabs in this dialog box, only the Service tab is unique to the server-level FTP properties. This Service tab performs a function similar to the Service tab of the WWW Service Master Properties dialog box: it allows you to specify a single FTP site on your IIS 5 machine that can be managed using the ISM included in IIS 3 on Windows NT. The other five tabs are common to site-level FTP properties and are discussed next.

Configuring FTP Site Properties

The site-level properties for a particular FTP site are almost identical to those at the server level (Figure 29-17) except that the Service tab is absent. This section covers the various settings that you can configure using the Properties dialog box for a particular FTP site. Remember that site-level settings for a newly created FTP site are inherited from the server-level master properties previously specified, whereas modifying settings at the site level overrides similar settings configured at the server level. We'll use the properties of the Default FTP Site for this discussion.

The FTP Site Tab

Like the Web site properties used in site-level administration, the FTP site properties allow you to specify FTP site identities, configure connections, and enable logging. The connections and logging settings work the same way as those for Web site properties, so we won't say anything more about them here. However, we'll look at identification and current sessions.

Identification. Like Web sites, each FTP site hosted on an IIS machine must have a unique identity so FTP clients can connect to it to upload or download files. Unlike Web sites, however, FTP uses two (not three) parameters to define an FTP site: IP address and TCP port number.

The identity for an FTP site is specified in the FTP Site tab of the Properties dialog box for the particular FTP site under consideration. For FTP sites on the same machine to have unique identities, they must differ from each other in at least one of the two parameters. In other words, to host several different FTP sites on the same server, you could use one of the following methods:

  • Configure multiple IP addresses on the server's network card and select a different IP address for each FTP site, leaving each site's TCP port set to 21 (the default TCP port for FTP). Clients can then connect to a specific site by using either the site's IP address or its associated fully qualified DNS name (if either a DNS server is available on the network or a local hosts file is configured on the client). This method is preferred for public FTP sites because it is the easiest way for users to connect.
  • Configure only one IP address for the server's network card and use this IP address for every FTP site while assigning a different TCP port (above 1023) to each FTP site hosted on the machine. In this case, the user must know the TCP port of each site to connect to it. This method is sometimes used to hide private FTP sites from view (although FTP is inherently nonsecure anyway, as you shall soon see).

Current Sessions. The Current Sessions button in the FTP Site tab opens the FTP User Sessions dialog box for that site, which displays all users who are currently connected to the site, the IP addresses of their clients (or of your proxy server if they're behind your firewall), and the time elapsed since they connected (Figure 29-18). You can select any user to disconnect him or her from your site, or you can click Disconnect All to terminate all sessions on your site.

Figure 29-18. Displaying the current connections to the Default FTP Site on server ws1.

Figure 29-18 displays two anonymous users who are connected to the Default FTP Site, which is configured to allow anonymous access. The user IEUser@ accessed the site by opening the URL ftp://ftp.scribes.com in Internet Explorer 5, whereas the user mtulloch@scribes.com used the Windows command-line FTP utility and logged on with the user name anonymous, supplying the user's e-mail address mtulloch@scribes.com as the optional password. On the other hand, if users log on using basic authentication (described next), the FTP User Sessions dialog box shows their user names in the Connected Users column. (If they connect using Internet Explorer, this user name appears twice for some strange reason.)

The Security Accounts Tab

The Security Accounts tab of an FTP site's Properties dialog box functions similarly to the Directory Security tab of a Web site's Properties dialog box. FTP site operators have limited administration rights on the site, similar to those granted to Web site operators discussed previously. However, authentication control is much simpler for the FTP service (Figure 29-19). Whereas the WWW service supports four levels of authentication (anonymous, basic, digest, and integrated) plus the option of enabling SSL for encrypted transmission, FTP supports only the anonymous access and the basic authentication methods.

Figure 29-19. The Security Accounts tab for the Default FTP Site on server ws1.

Because you already know about anonymous access and basic authentication, you just need to learn how to configure FTP authentication settings using the Security Accounts tab, which at first glance appears a bit confusing. Two check boxes account for this confusion:

  • Allow Anonymous Connections
  • Allow Only Anonymous Connections

Table 29-1 shows how selecting and clearing these two check boxes produces different combinations of anonymous access and basic authentication. If you enable anonymous access, IIS needs a user account to make this work. By default, the IUSR_servername account is specified, but you can select another one if you like. (Make sure it has the right to log on locally to the server console, because this is necessary for basic authentication to work.) You can then either specify the password manually or allow IIS to synchronize the password with the one set in Windows.

Table 29-1. Combinations of anonymous and basic authentication for FTP

Allow Anonymous Connections | Allow Only Anonymous Connections | Result
Yes | Yes | Only anonymous access is enabled.
Yes | No | Both anonymous access and basic authentication are enabled, with anonymous access being attempted first.
No | N/A | Only basic authentication is enabled.

If you must enable basic authentication on your FTP site, only users who have the right to log on locally to the IIS server hosting the FTP site can be authenticated and connect to the site. Make sure you physically secure the server from misuse by these users if they are working in your organization.

Real World

FTP Security

FTP is viewed as less secure than HTTP because FTP supports only anonymous access and basic authentication (that is, unencrypted passwords). For instance, if you're running an internal FTP site within a company and are using basic authentication, any person with a network sniffer could potentially obtain a trace of an FTP session and determine a user's password. Furthermore, if you connect to an FTP site using Internet Explorer and are authenticated using basic authentication (after entering your credentials into the Login As box), your user name appears in the URL as something like ftp://mtulloch@ftp.scribes.com. So if you leave your machine, lock your console or people will know who logged on to the FTP site.
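To show what the unencrypted control channel exposes, the following added example (not from the book) audits client commands taken from a capture the administrator already holds and reports which logins used basic authentication, recording only the password length. The sample lines, client addresses, and function names are constructed for illustration.

```python
import re

# Constructed sample: client-to-server lines from three FTP control
# connections, mirroring the sessions the text describes. Not real traffic.
SAMPLE_CONTROL_LINES = [
    ("10.0.0.21", "USER anonymous"),
    ("10.0.0.21", "PASS IEUser@"),
    ("10.0.0.22", "USER anonymous"),
    ("10.0.0.22", "PASS mtulloch@scribes.com"),
    ("10.0.0.23", "USER mtulloch"),
    ("10.0.0.23", "PASS constructed-secret"),
    ("10.0.0.23", "RETR report.doc"),
]

COMMAND = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)

def audit_logins(lines):
    """Return one finding per login, flagging account passwords that
    crossed the wire unencrypted. Only the password length is kept."""
    pending = {}      # client IP -> user name awaiting its PASS
    findings = []
    for client, line in lines:
        m = COMMAND.match(line.strip())
        if not m:
            continue  # not part of a login exchange
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == "USER":
            pending[client] = arg
        elif client in pending:
            user = pending.pop(client)
            anonymous = user.lower() == "anonymous"
            findings.append({
                "client": client,
                "user": user,
                "method": "anonymous" if anonymous else "basic",
                "cleartext_account_password": not anonymous,
                "password_length": len(arg),
            })
    return findings

def exposed_accounts(findings):
    """Accounts whose password was sent in the clear (basic authentication)."""
    return sorted({f["user"] for f in findings
                   if f["cleartext_account_password"]})

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_CONTROL_LINES):
        print(finding)
```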

The Messages Tab

FTP sites typically have a welcome, exit, and maximum connections message that the server provides for users as appropriate. Specify the text of these messages in the Messages tab of an FTP site's Properties dialog box.

The Home Directory Tab

FTP has two possible choices for the location of the home directory mapped to the virtual root of the site. One is a local directory on one of the server's disks; the other is a UNC path to a network share located on a file server somewhere else on the network. (Credentials must be supplied to access this share.) Specify either of these in the Home Directory tab shown in Figure 29-20. Note that FTP sites can't be redirected to a URL like Web sites can (as shown previously in Figure 29-10).

Figure 29-20. The Home Directory tab for the Default FTP Site on server ws1.

Access Permissions. FTP permissions are simpler than WWW permissions:

  • Read: Selecting this check box allows users to read or download files stored in the home directory and allows users to list the contents of the directory.
  • Write: Selecting this check box allows users to upload files to the home directory.
  • Log Visits: Selecting this check box causes an entry to be added to the IIS log files whenever any file is downloaded from or uploaded to the home directory by a client. Note that Enable Logging must first be selected in the FTP Site tab before this feature works. Logging of the home directory is enabled by default.

Directory Listing Style. When a Web browser like Microsoft Internet Explorer accesses an FTP site, provided that Read access is enabled for the home directory, the user is presented with a directory listing showing the contents of the directory. This directory listing can be presented in either the original FTP style (UNIX style) or in standard Windows style (MS-DOS style). The same information is presented either way; it's just displayed differently.

If you're hosting a public FTP site on the Internet, select UNIX style for maximum compatibility with users running older FTP client software. Some clients might be unable to interpret MS-DOS style correctly.
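The following added example (not from the book) parses both listing styles into the same records, which shows that a client must recognize each layout separately to recover identical information. The sample listings are constructed, and the line layouts are the commonly seen forms of each style, assumed here rather than taken from the page.

```python
import re

# Constructed sample listings for the same two entries in each style.
UNIX_LISTING = """\
drwxrwxrwx   1 owner    group               0 Jan 15  2001 pub
-rwxrwxrwx   1 owner    group            1024 Jan 15  2001 read me.txt
"""
MSDOS_LISTING = """\
01-15-01  10:30AM       <DIR>          pub
01-15-01  10:30AM                 1024 read me.txt
"""

# UNIX style: type and permissions, link count, owner, group, size, date, name.
UNIX_LINE = re.compile(
    r"^(?P<type>[-dl])[-rwxsStT]{9}\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2}))\s(?P<name>.+)$")

# MS-DOS style: date, time, then either <DIR> or a size, then the name.
MSDOS_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2,4}\s+\d{1,2}:\d{2}[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d+))\s+(?P<name>.+)$")

def parse_listing(text):
    """Normalise either listing style to (name, is_dir, size) tuples."""
    entries = []
    for line in text.splitlines():
        m = UNIX_LINE.match(line)
        if m:
            entries.append((m["name"], m["type"] == "d", int(m["size"])))
            continue
        m = MSDOS_LINE.match(line)
        if m:
            is_dir = m["dir"] is not None
            size = 0 if is_dir else int(m["size"])
            entries.append((m["name"], is_dir, size))
            continue
        if line.strip():
            # A client that knows only one style ends up here for the other.
            raise ValueError(f"unrecognised listing line: {line!r}")
    return entries

if __name__ == "__main__":
    print(parse_listing(UNIX_LISTING))
    print(parse_listing(MSDOS_LISTING))
```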

The Directory Security Tab

As with Web sites, you can also control access to FTP sites according to the remote user's IP address or the DNS domain name to which the remote user belongs (discussed for Web sites earlier in the chapter).

Configuring FTP Directory Properties

In FTP directory-level administration (that is, in the administration of FTP virtual directories), Properties dialog boxes of virtual directories created within FTP sites have only the following two tabs:

  • Virtual Directory: You can configure the location of the content for the virtual directory and specify the access permissions.
  • Directory Security: You can specify IP address and domain name restrictions for the virtual directory.

Note that unlike Web sites, physical directories within an FTP site aren't displayed within the IIS console window. The FTP service in IIS requires no file-level administration because individual files within an FTP site aren't displayed in the console window either.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320
