The Security Accounts tab, shown in Figure 10.2, allows you to configure the site for anonymous access, and defines the operators allowed to modify the site configuration.
The ability to log on anonymously to a public FTP site allows external users access to resources on the FTP server without having a previously established set of credentials. If anonymous access is enabled for the site, a user can gain access to the site with the username "anonymous." In such a configuration, the calling user is given access to every file that the defined anonymous account's access token permits.
If you choose not to use anonymous access, the user must present a valid Windows NT username and password to gain access to the site. Access within the file system is then controlled by NTFS permissions, which integrates the Windows NT security model directly into the FTP server and eliminates duplicated administrative effort.
Despite the advantages of such a configuration, Microsoft does not recommend using any account other than the anonymous user because the credentials will be passed across the network in clear text for anyone monitoring the network traffic to view.
Warning
Despite Microsoft's warnings against using non-anonymous account credentials for users, the anonymous user account's username and password can be viewed in clear text through an ADSI query. In most cases, this poses a greater risk to internal security than the threat of sniffer-based attacks; therefore, the anonymous user account should always maintain extremely limited permissions in the file system.
In the Allow Anonymous Connections frame, you can enable or disable anonymous access to the site, specify the account to be used for such access, deny all non-anonymous access, and enable anonymous user account password synchronization.
To enable or disable the ability to use anonymous connections to an FTP site, set the appropriate Boolean value for the AllowAnonymous property. When set to True, the AllowAnonymous property enables users to access the site using the "anonymous" username. When set to False, only users with a valid Windows NT username and password (as well as the proper permissions for the resource) are allowed access.
To find out if an FTP site will allow anonymous connections to be established, use the following Visual Basic code:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim ServerName As String
Dim SiteIndex As Long
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Debug.Print Site.AllowAnonymous
To enable or disable the ability for users to establish anonymous connections to an FTP site, use the following Visual Basic code:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim ServerName As String
Dim SiteIndex As Long
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Site.AllowAnonymous = False     ' True enables the "anonymous" logon
Site.SetInfo                    ' write the cached change back to the Metabase
If you enable anonymous access for the site, you must assign an account to be used to access the site. Although IIS creates an IUSR account, you can use any account you wish as long as the account has the proper NTFS permissions to traverse the file structure and to access files. In security-conscious environments, an account other than the well-known IUSR account should be used.
After you have decided upon an account to use for anonymous access, set the appropriate ACLs on each resource in the file system that will be accessed from the FTP site or virtual directory. You can then assign the account credentials to the AnonymousUsername and AnonymousUserPass properties. If you want to enable automatic password synchronization between the Metabase and the NT SAM, you can also set the AnonymousPasswordSync property to True.
To find the username and password for the account used to access the file system through an anonymous connection, use the following Visual Basic code:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim ServerName As String
Dim SiteIndex As Long
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Debug.Print Site.AnonymousUsername
Debug.Print Site.AnonymousUserPass      ' returned in clear text
Debug.Print Site.AnonymousPasswordSync
Tip
Using the AnonymousPasswordSync property, you can determine whether the password will be synchronized between the Windows NT SAM and IIS.
To set a new set of credentials for use by anonymous connections, use the following Visual Basic code:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim ServerName As String
Dim SiteIndex As Long
Dim AnonymousUserName As String
Dim AnonymousUserPassword As String
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
AnonymousUserName = "Username_for_Anonymous_FTP_Access"
AnonymousUserPassword = "Password_for_Anonymous_User_Account"
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Site.AnonymousUsername = AnonymousUserName
Site.AnonymousUserPass = AnonymousUserPassword
Site.AnonymousPasswordSync = True       ' keep the Metabase password in step with the SAM
Site.SetInfo
If you have anonymous access enabled, but also happen to have the proper NTFS permissions to perform an action using your own credentials, you could use your own account to access the site. This would, however, expose your password to anyone monitoring the network.
To prevent this exposure, Microsoft implemented the AnonymousOnly property to force FTP site users to only use the "anonymous" user account even if they have access via alternative means. In this configuration, the threat of an account compromise is limited to just the anonymous user account; a privileged account cannot be compromised using a network sniffer.
To enable this setting for a site, you simply set the AnonymousOnly property value to True.
To query whether the site will allow non-anonymous connections, use the following Visual Basic code:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim ServerName As String
Dim SiteIndex As Long
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Debug.Print Site.AnonymousOnly  ' False means named accounts may also log on
To enable only anonymous connections to a site, use the following Visual Basic code:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim ServerName As String
Dim SiteIndex As Long
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Site.AnonymousOnly = True       ' refuse logons with Windows NT credentials
Site.SetInfo
By default, all local administrators can manage all properties in the IIS Metabase. You can define additional site operators by creating a new ACE in the ACL used to secure a site in the Metabase hierarchy.
Use the following Visual Basic code to query the currently defined site operators:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim SecurityDescriptor As Object
Dim DiscretionaryAcl As Object
Dim Item As Object
Dim ServerName As String
Dim SiteIndex As Long
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Set SecurityDescriptor = Site.AdminAcl
Set DiscretionaryAcl = SecurityDescriptor.DiscretionaryAcl
' ACEs carrying either of these masks grant operator rights on the site
For Each Item In DiscretionaryAcl
    If Item.AccessMask = 11 Or Item.AccessMask = 262315 Then
        Debug.Print Item.Trustee
    End If
Next
Use the following Visual Basic code to create a new operator ACE in the ACL:
Dim Site As Object              ' late-bound so the MSFTPSVC properties resolve at run time
Dim SecurityDescriptor As Object
Dim DiscretionaryAcl As Object
Dim ACE As Object
Dim ServerName As String
Dim SiteIndex As Long
Dim NewOperator As String
ServerName = "IIS_Server_Name"
SiteIndex = Site_Index_Value    ' numeric instance of the FTP site
NewOperator = "New_Operator_in_Format_Domain\Username"
Set Site = GetObject("IIS://" & ServerName & "/MSFTPSVC/" & SiteIndex)
Set SecurityDescriptor = Site.AdminAcl
Set DiscretionaryAcl = SecurityDescriptor.DiscretionaryAcl
Set ACE = CreateObject("AccessControlEntry")
ACE.Trustee = NewOperator
ACE.AccessMask = 11             ' the operator rights mask used in the query above
DiscretionaryAcl.AddAce ACE
SecurityDescriptor.DiscretionaryAcl = DiscretionaryAcl
Site.AdminAcl = SecurityDescriptor
Site.SetInfo                    ' commit the new ACE to the Metabase
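The settings discussed above (AllowAnonymous, AnonymousOnly, AnonymousUsername, AnonymousPasswordSync) and the operator ACEs in the AdminACL are the kind of thing an administrator wants to review across many sites rather than one property at a time. The following is an added example, not code from the original text or from Microsoft: it audits a constructed snapshot of a site's Metabase properties offline, following the reasoning in the text, and decodes the two AccessMask values the text uses (11 and 262315) into named rights. The MD_ACR_* bit values are assumed from the IIS header iiscnfg.h and are not part of the text; the sample site, its trustees and account names are constructed.

```python
"""Offline audit of the MSFTPSVC anonymous-access and operator settings.

Added example: this is not code from the original text or from Microsoft.
It evaluates a constructed snapshot of the Metabase properties discussed
above instead of querying a live server through ADSI.
"""
from dataclasses import dataclass, replace

# Metabase access rights, assumed from the IIS header iiscnfg.h (not part of
# the original text). 11 decodes to READ|WRITE|ENUM_KEYS; 262315 (0x400AB)
# additionally carries RESTRICTED_WRITE, UNSECURE_PROPS_READ and WRITE_DAC.
MD_ACR = {
    "READ": 0x00000001,
    "WRITE": 0x00000002,
    "ENUM_KEYS": 0x00000008,
    "RESTRICTED_WRITE": 0x00000020,
    "UNSECURE_PROPS_READ": 0x00000080,
    "WRITE_DAC": 0x00040000,
}

# The two AccessMask values the text treats as operator ACEs.
OPERATOR_MASKS = {11, 262315}


@dataclass(frozen=True)
class Ace:
    trustee: str
    access_mask: int


@dataclass(frozen=True)
class FtpSite:
    server_name: str
    site_index: int
    allow_anonymous: bool
    anonymous_only: bool
    anonymous_username: str
    anonymous_password_sync: bool
    admin_acl: tuple  # Ace entries in DACL order


def decode_mask(mask: int) -> list:
    """Name the MD_ACR_* bits set in an AccessMask; unknown bits are kept as hex."""
    names = [name for name, bit in MD_ACR.items() if mask & bit]
    leftover = mask & ~sum(MD_ACR.values())
    if leftover:
        names.append(hex(leftover))
    return names


def operators(site: FtpSite) -> list:
    """Trustees the text's query loop would print as site operators."""
    return [ace.trustee for ace in site.admin_acl if ace.access_mask in OPERATOR_MASKS]


def audit(site: FtpSite) -> list:
    """Return one finding per weak setting, in the order the text discusses them."""
    findings = []
    if not site.allow_anonymous:
        findings.append("AllowAnonymous=False: every logon sends a Windows NT "
                        "username and password across the network in clear text")
    elif not site.anonymous_only:
        findings.append("AnonymousOnly=False: users with NTFS rights can still log "
                        "on with their own accounts and expose those passwords")
    if site.allow_anonymous and site.anonymous_username.upper().startswith("IUSR_"):
        findings.append(f"AnonymousUsername={site.anonymous_username}: the well-known "
                        "IUSR account is in use; a dedicated limited account is preferred")
    if site.allow_anonymous and not site.anonymous_password_sync:
        findings.append("AnonymousPasswordSync=False: AnonymousUserPass must be kept "
                        "in step with the SAM by hand")
    for ace in site.admin_acl:
        if ace.access_mask & MD_ACR["WRITE_DAC"]:
            rights = "|".join(decode_mask(ace.access_mask))
            findings.append(f"AdminACL: {ace.trustee} holds WRITE_DAC ({rights}) "
                            "and can add or remove operators")
    return findings


def hardened(site: FtpSite) -> FtpSite:
    """The corrected configuration the text recommends: anonymous logons only."""
    return replace(site, allow_anonymous=True, anonymous_only=True)


# Constructed snapshot of IIS://IIS_Server_Name/MSFTPSVC/1 (sample data only).
SAMPLE_SITE = FtpSite(
    server_name="IIS_Server_Name",
    site_index=1,
    allow_anonymous=True,
    anonymous_only=False,
    anonymous_username="IUSR_IIS_SERVER_NAME",
    anonymous_password_sync=True,
    admin_acl=(
        Ace("BUILTIN\\Administrators", 262315),
        Ace("CORP\\ftpops", 11),
        Ace("CORP\\webdev", 0x00000001),  # read-only ACE, not an operator
    ),
)

if __name__ == "__main__":
    print("Operators:", ", ".join(operators(SAMPLE_SITE)))
    for finding in audit(SAMPLE_SITE):
        print("-", finding)
```

The audit deliberately mirrors the text's own checks: it reports the clear-text exposure of named-account logons only when AnonymousOnly is off, and flags a trustee with WRITE_DAC separately from the plain operator mask because that right lets its holder change who the operators are.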