Programmatically Administering the Security Accounts Property Sheet

The Security Accounts tab, shown in Figure 10.2, allows you to configure the site for anonymous access, and defines the operators allowed to modify the site configuration.

Figure 10.2. Default FTP Site Properties dialog box, Security Accounts tab.

Configuring Anonymous Connection

The ability to log on anonymously to a public FTP site allows external users to reach resources on the FTP server without having a previously established set of credentials. If anonymous access is enabled for the site, a user can gain access to the site with the username "anonymous." In such a configuration, the calling user is given access to every file that the configured anonymous account's access token allows.

If you choose not to use anonymous access, the user must present a valid Windows NT username and password to gain access to the site. Access within the file system is controlled by NTFS permissions, which integrates the Windows NT security model right into the FTP server and eliminates duplication of administrative efforts.

Despite the advantages of such a configuration, Microsoft does not recommend using any account other than the anonymous user, because the credentials are passed across the network in clear text, where anyone monitoring the network traffic can view them.

Warning

Despite Microsoft's warnings against using non-anonymous account credentials for users, the anonymous user account's username and password can be viewed in clear text through an ADSI query. In most cases this poses a greater risk to internal security than the threat of sniffer-based attacks; therefore, the anonymous user account should always have extremely limited permissions in the file system.


In the Allow Anonymous Connections frame, you can enable or disable anonymous access to the site, specify the account to be used for such access, deny all non-anonymous access, and enable anonymous user account password synchronization.

Allowing Anonymous Access for an FTP Site

To enable or disable the ability to use anonymous connections to an FTP site, set the appropriate Boolean value for the AllowAnonymous property. When set to True, the AllowAnonymous property enables users to access the site using the "anonymous" username. When set to False, only users with a valid Windows NT username and password (as well as the proper permissions for the resource) are allowed access.

Querying AllowAnonymous Using Visual Basic

To find out if an FTP site will allow anonymous connections to be established, use the following Visual Basic code:

    ' Bind to the FTP site in the Metabase and read its AllowAnonymous flag
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value   ' numeric site index; the default FTP site is 1
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Debug.Print Site.AllowAnonymous

Setting AllowAnonymous Using Visual Basic

To enable or disable the ability for users to establish anonymous connections to an FTP site, use the following Visual Basic code:

    ' Bind to the FTP site, change AllowAnonymous and write it back to the Metabase
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Site.AllowAnonymous = False    ' True enables the "anonymous" logon, False disables it
    Site.SetInfo                   ' nothing is saved until SetInfo is called

Specifying Anonymous User Credentials

If you enable anonymous access for the site, you must assign an account to be used to access the site. Although IIS creates an IUSR account, you can use any account you wish as long as the account has the proper NTFS permissions to traverse the file structure and to access files. In security-conscious environments, an account other than the well-known IUSR account should be used.

After you have decided upon an account to use for anonymous access, set the appropriate ACLs on each resource in the file system that will be accessed from the FTP site or virtual directory. You can then assign the account credentials to the AnonymousUsername and AnonymousUserPass properties. If you want to enable automatic password synchronization between the Metabase and the NT SAM, you can also set the AnonymousPasswordSync property to True.

Querying Anonymous User Credentials Using Visual Basic

To find the username and password for the account used to access the file system through an anonymous connection, use the following Visual Basic code:

    ' Read the anonymous account's credentials and the password-sync flag.
    ' Note that AnonymousUserPass is returned in clear text to any caller
    ' allowed to read the site's Metabase properties.
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Debug.Print Site.AnonymousUsername
    Debug.Print Site.AnonymousUserPass
    Debug.Print Site.AnonymousPasswordSync


Tip

Using the AnonymousPasswordSync property, you can determine whether the password will be synchronized between the Windows NT SAM and IIS.


Setting Anonymous User Credentials Using Visual Basic

To set a new set of credentials for use by anonymous connections, use the following Visual Basic code:

    ' Assign a new anonymous account to the FTP site and enable password
    ' synchronization between the Metabase and the NT SAM
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim AnonymousUserName As String
    Dim AnonymousUserPassword As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    AnonymousUserName = "Username_for_Anonymous_FTP_Access"
    AnonymousUserPassword = "Password_for_Anonymous_User_Account"
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Site.AnonymousUsername = AnonymousUserName
    Site.AnonymousUserPass = AnonymousUserPassword
    Site.AnonymousPasswordSync = True
    Site.SetInfo

Configuring Anonymous Only Access

If you have anonymous access enabled, but also happen to have the proper NTFS permissions to perform an action using your own credentials, you could use your own account to access the site. This would, however, expose your password to anyone monitoring the network.

To prevent this exposure, Microsoft implemented the AnonymousOnly property to force FTP site users to only use the "anonymous" user account even if they have access via alternative means. In this configuration, the threat of an account compromise is limited to just the anonymous user account; a privileged account cannot be compromised using a network sniffer.

To enable this setting for a site, you simply set the AnonymousOnly property value to True.

Querying AnonymousOnly Using Visual Basic

To query whether the site will allow non-anonymous connections, use the following Visual Basic code:

    ' Read whether the site accepts only the "anonymous" logon
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Debug.Print Site.AnonymousOnly

Setting AnonymousOnly Using Visual Basic

To enable only anonymous connections to a site, use the following Visual Basic code:

    ' Restrict the site to anonymous logons so no NT account password is sent in clear text
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Site.AnonymousOnly = True
    Site.SetInfo
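The AllowAnonymous, AnonymousUsername/AnonymousUserPass/AnonymousPasswordSync and AnonymousOnly sections above each read or set one property; the following Python script, added here as an example and not taken from the book, combines them into a single audit that reports the exposures the text describes (clear-text NT credentials when anonymous access is off or AnonymousOnly is off, the well-known IUSR account in use, password synchronization disabled). It assumes pywin32 is available when binding to a live site through the same IIS:// ADSI path the VB code uses; the audit logic itself accepts an offline snapshot, so it runs without an IIS server.

```python
"""Audit the anonymous-access configuration of an IIS FTP site.

Added example, not code from the book. It applies the book's guidance to the
four Metabase properties discussed above (AllowAnonymous, AnonymousOnly,
AnonymousUsername, AnonymousPasswordSync). The checks accept either a live
ADSI object (bound through pywin32, assumed to be installed on an IIS host)
or an offline snapshot, so they can be run and tested without IIS.
"""
from dataclasses import dataclass
from typing import Any, List


@dataclass
class FtpSiteSnapshot:
    """Offline copy of the properties an IIS FTP site object exposes via ADSI."""
    AllowAnonymous: bool
    AnonymousOnly: bool
    AnonymousUsername: str
    AnonymousPasswordSync: bool


def bind_ftp_site(server_name: str, site_index: int) -> Any:
    """Bind to IIS://<server>/MSFTPSVC/<index> with pywin32 (same ADSI path as the VB code).

    Assumes the IIS ADSI provider and pywin32 are present; the import is local so the
    audit logic below still loads on machines without them.
    """
    import win32com.client
    return win32com.client.GetObject(f"IIS://{server_name}/MSFTPSVC/{site_index}")


def audit_anonymous_settings(site: Any) -> List[str]:
    """Return findings derived from the site's anonymous-access properties.

    `site` may be the IADs object returned by bind_ftp_site (attribute access behaves
    like the VB code's Site.AllowAnonymous) or an FtpSiteSnapshot.
    """
    findings: List[str] = []
    allow_anon = bool(site.AllowAnonymous)
    anon_only = bool(site.AnonymousOnly)
    username = str(site.AnonymousUsername or "")
    pw_sync = bool(site.AnonymousPasswordSync)

    if not allow_anon:
        # Every logon now carries a Windows NT username and password across the
        # network in clear text, which is the exposure the text warns about.
        findings.append("AllowAnonymous is False: all users send NT credentials in clear text")
    elif not anon_only:
        # Anonymous logon is offered, but users may still present their own accounts,
        # so a privileged password can appear on the wire.
        findings.append("AnonymousOnly is False: users may still send privileged credentials")

    if allow_anon:
        # IIS names its built-in anonymous account IUSR_<machine>; the text recommends
        # a dedicated, less well-known account in security-conscious environments.
        account = username.split("\\")[-1].upper()
        if account.startswith("IUSR_"):
            findings.append(f"anonymous account '{username}' is the well-known IUSR account")
        if not pw_sync:
            # Without synchronization the Metabase copy of the password can diverge
            # from the SAM whenever the account password is changed.
            findings.append("AnonymousPasswordSync is False: Metabase password must be updated by hand")
    return findings


if __name__ == "__main__":
    # Constructed sample: anonymous allowed, mixed logons still permitted, IUSR in use.
    sample = FtpSiteSnapshot(AllowAnonymous=True, AnonymousOnly=False,
                             AnonymousUsername="IUSR_FTPSRV01", AnonymousPasswordSync=True)
    for finding in audit_anonymous_settings(sample):
        print(finding)
```

Against a real server, replace the constructed snapshot with `audit_anonymous_settings(bind_ftp_site("IIS_Server_Name", 1))`; the property names are the same ones the VB code reads, so the findings map directly back to the sections above.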

FTP Site Operators

By default, all local administrators can manage all properties in the IIS Metabase. You can define additional site operators by creating a new ACE in the ACL used to secure a site in the Metabase hierarchy.

Querying Operators Using Visual Basic

Use the following Visual Basic code to query the currently defined site operators:

    ' Walk the DACL of the site's Metabase security descriptor and print the
    ' trustees whose access mask matches one of the two operator masks
    Dim Site As IADs
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim SecurityDescriptor As Variant
    Dim DiscretionaryAcl As Variant
    Dim Item As Variant

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Set SecurityDescriptor = Site.AdminACL
    Set DiscretionaryAcl = SecurityDescriptor.DiscretionaryAcl
    For Each Item In DiscretionaryAcl
        If Item.AccessMask = 11 Or Item.AccessMask = 262315 Then
            Debug.Print Item.Trustee
        End If
    Next

Creating a New Operator ACE Using Visual Basic

Use the following Visual Basic code to create a new operator ACE in the ACL:

    ' Add an access-allowed ACE with the operator mask (11) for a new trustee
    ' and write the modified security descriptor back to the Metabase
    Dim Site As IADs
    Dim ACE As Variant
    Dim SecurityDescriptor As Variant
    Dim DiscretionaryACL As Variant
    Dim ServerName As String
    Dim SiteIndex As Long
    Dim NewOperator As String

    ServerName = "IIS_Server_Name"
    SiteIndex = Site_Index_Value
    NewOperator = "New_Operator_in_Format_Domain\Username"
    Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
    Set SecurityDescriptor = Site.AdminACL
    Set DiscretionaryACL = SecurityDescriptor.DiscretionaryACL
    Set ACE = CreateObject("AccessControlEntry")
    ACE.Trustee = NewOperator
    ACE.AccessMask = 11
    DiscretionaryACL.AddAce ACE
    SecurityDescriptor.DiscretionaryACL = DiscretionaryACL
    Site.AdminACL = SecurityDescriptor
    Site.SetInfo
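The operator query above recognizes operators only by the two raw masks 11 and 262315, and counts any ACE that carries them. The following Python script, added as an example and not taken from the book, decodes those masks into the named Metabase access rights so an AdminACL review shows what each operator can actually do, and it skips deny ACEs, which carry the same mask but remove rights. The MD_ACR_* bit values are the IIS SDK's Metabase access-right constants (iiscnfg.h); confirm them against the header shipped with your SDK. The live binding assumes pywin32 on an IIS host; the decoding runs offline on a constructed DACL.

```python
"""Decode IIS Metabase AdminACL access masks and list an FTP site's operators.

Added example, not the book's code. The book's query matches operators by the raw
masks 11 and 262315; here they are decoded into named MD_ACR_* rights (the IIS SDK
Metabase access-right constants from iiscnfg.h) and only access-allowed ACEs count.
The live path binds through pywin32 (assumed installed on the IIS host); decoding
and listing run offline.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Metabase access rights (MD_ACR_* values from iiscnfg.h).
MD_ACR_READ = 0x00000001
MD_ACR_WRITE = 0x00000002
MD_ACR_ENUM_KEYS = 0x00000008
MD_ACR_RESTRICTED_WRITE = 0x00000020
MD_ACR_UNSECURE_PROPS_READ = 0x00000080
MD_ACR_WRITE_DAC = 0x00040000

_ACR_NAMES = {
    MD_ACR_READ: "MD_ACR_READ",
    MD_ACR_WRITE: "MD_ACR_WRITE",
    MD_ACR_ENUM_KEYS: "MD_ACR_ENUM_KEYS",
    MD_ACR_RESTRICTED_WRITE: "MD_ACR_RESTRICTED_WRITE",
    MD_ACR_UNSECURE_PROPS_READ: "MD_ACR_UNSECURE_PROPS_READ",
    MD_ACR_WRITE_DAC: "MD_ACR_WRITE_DAC",
}
_KNOWN_BITS = sum(_ACR_NAMES)

# ADSI ACE types: 0 = access allowed, 1 = access denied.
ADS_ACETYPE_ACCESS_ALLOWED = 0

# The two masks the book's query treats as "site operator".
OPERATOR_MASKS = {11, 262315}


@dataclass
class AceSnapshot:
    """Offline stand-in for an ADSI AccessControlEntry (Trustee, AccessMask, AceType)."""
    Trustee: str
    AccessMask: int
    AceType: int = ADS_ACETYPE_ACCESS_ALLOWED


def decode_access_mask(mask: int) -> List[str]:
    """Return the MD_ACR_* names set in `mask`, lowest bit first, plus unknown bits as hex."""
    names = [name for bit, name in sorted(_ACR_NAMES.items()) if mask & bit]
    leftover = mask & ~_KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names


def list_operators(dacl: Iterable[Any]) -> Dict[str, List[str]]:
    """Map each operator trustee to its decoded rights.

    `dacl` is iterated the way the VB code's For Each iterates DiscretionaryAcl: a live
    ADSI collection or a list of AceSnapshot. Deny ACEs are skipped because a deny entry
    carrying an operator mask removes those rights rather than granting them.
    """
    operators: Dict[str, List[str]] = {}
    for ace in dacl:
        if int(ace.AceType) != ADS_ACETYPE_ACCESS_ALLOWED:
            continue
        mask = int(ace.AccessMask)
        if mask in OPERATOR_MASKS:
            operators[str(ace.Trustee)] = decode_access_mask(mask)
    return operators


def list_site_operators(server_name: str, site_index: int) -> Dict[str, List[str]]:
    """Bind to IIS://<server>/MSFTPSVC/<index> via pywin32 and list its operators (IIS host only)."""
    import win32com.client
    site = win32com.client.GetObject(f"IIS://{server_name}/MSFTPSVC/{site_index}")
    return list_operators(site.AdminACL.DiscretionaryAcl)


if __name__ == "__main__":
    # Constructed sample DACL: a plain operator, an operator who can also change the
    # ACL itself (WRITE_DAC), a deny entry with the operator mask, and a read-only ACE.
    sample_dacl = [
        AceSnapshot("CORP\\ftpops", 11),
        AceSnapshot("CORP\\ftpadmin", 262315),
        AceSnapshot("CORP\\contractor", 11, AceType=1),
        AceSnapshot("CORP\\auditor", MD_ACR_READ),
    ]
    for trustee, rights in list_operators(sample_dacl).items():
        print(trustee, "->", ", ".join(rights))
```

Decoding 262315 shows why it is worth distinguishing from 11: it includes MD_ACR_WRITE_DAC, so a trustee holding that mask can rewrite the AdminACL itself and grant operator rights to others, which is a point to check when reviewing who appears in the list.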

   
Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck