The following sections examine how FTP is used. You’ll learn how FTP file transfers work, how FTP servers are accessed, and how FTP sessions are established.
FTP is a client/server protocol used for transferring files. Using FTP, you can log on to an FTP server, browse a directory structure to locate a file, and download the file. FTP also enables you to upload files to an FTP server. The difference between a file upload and a file download is important. When you upload a file, you transfer a file from a client to a server. When you download a file, you transfer a file from a server to a client.
With the increasing popularity of Hypertext Transfer Protocol (HTTP), the use of FTP is decreasing. Although it’s true that HTTP has taken over some of the functions of FTP, FTP continues to have a place when you need a dedicated resource for transferring files that’s easy to use and to maintain. Like HTTP, FTP uses Transmission Control Protocol (TCP) as its transport protocol. Unlike HTTP, FTP is session-oriented. This means that FTP connections are persistent. When you connect to an FTP server, the connection remains open after you transfer files.
The maintenance of persistent connections requires system resources. A server with too many open connections quickly gets bogged down. Consequently, many FTP servers are configured to limit the number of open connections and to time out connections after a certain period of time. By default, Internet Information Services (IIS) FTP servers limit the number of connections to 100,000 and use a connection time-out of 120 seconds.
Because FTP is a client/server protocol, the successful transfer of files depends on several factors. A computer acting as a server must run FTP server software, such as IIS. A computer acting as a client must run FTP client software, such as Microsoft Internet Explorer or the command-line FTP utility built into Microsoft Windows Server 2003.
File transfers can be either American Standard Code of Information Interchange (ASCII) or binary. You can use ASCII file transfers when you’re working with text documents and want to preserve the end-of-line designators. You must use binary file transfers when you’re working with executables. You can use binary file transfers with other file types as well.
Most FTP clients and servers are configured to allow anonymous file transfers. In an anonymous file transfer, the server allows users to connect to the server and transfer files anonymously. As the name implies, anonymous file transfers are designed to allow anyone to connect to the server and transfer files. When you use Internet Explorer or another FTP client, anonymous transfers can be started automatically in most cases. For example, you could connect to the Microsoft FTP server by typing this Uniform Resource Locator (URL) into your browser’s Address field: ftp://ftp.microsoft.com/public/.
In this example, ftp:// designates the protocol as FTP, ftp.microsoft.com identifies the server to which you want to connect, and public is the name of a directory on the server. Behind the scenes, the FTP client fills in the necessary user name and password information. With an anonymous FTP connection, this means setting the user name to anonymous and the password to your e-mail address or an empty string. If the client is unable to fill in the necessary information automatically, you’ll be prompted for a user name and password. Enter anonymous as the user name and set the password to your e-mail address.
You can also configure FTP servers for restricted access. When you restrict access to a server, only authenticated users can gain access to the server. When users try to connect to the server, they’re prompted to authenticate themselves by typing a user name and password. The user name and password must be for an account that exists on the local computer or in the domain the computer is a member of. User name and password information can also be specified in the URL used to access the server. To do this, use this URL format: ftp://username:password@hostname:port/path_to_resource.
Here, ftp:// designates the protocol as FTP, username sets the account name, and password sets the account password. In this example, the user name is set to wrstanek and the password is set to mydingo123: ftp://wrstanek:mydingo123@ftp.microsoft.com/public/.
Security Alert
Don’t allow FTP passwords to become a back door into your server. FTP passwords encoded in URLs are passed to the server as plain text. The URL containing the password might also be saved in the history cache of the user’s browser. Anyone monitoring the network and anyone with access to the user’s computer might be able to gain unauthorized access to the FTP server. Help to safeguard the server and data by changing passwords periodically and by setting NTFS permissions that restrict user access to files and folders on the server. The FTP user isolation feature could also be useful to prevent security issues. See the section in this chapter entitled “FTP User Isolation for Busy Upload Sites” for more information.
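A practical check that follows from this alert is to look for ftp:// URLs carrying an embedded password (the ftp://username:password@hostname:port/path form above) in browser history exports or proxy logs, and to keep only a redacted copy. The following is an added example, not code from the book; the two history lines are constructed, and FTP_URL, check_ftp_url and scan_lines are names chosen here.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches an ftp:// URL up to the next whitespace or quote (assumed delimiter set)
FTP_URL = re.compile(r"ftp://[^\s\"'<>]+", re.IGNORECASE)

def check_ftp_url(url):
    """Return (host, username, has_password, redacted_url) for one ftp:// URL."""
    parts = urlsplit(url)
    has_password = parts.password is not None
    if parts.username is None:
        netloc = parts.hostname
    else:
        # keep the user name, replace the password, never log the real one
        netloc = parts.username + (":***" if has_password else "") + "@" + parts.hostname
    if parts.port is not None:
        netloc += ":%d" % parts.port
    redacted = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return parts.hostname, parts.username, has_password, redacted

def scan_lines(lines):
    """Report (line number, host, user, redacted URL) for every URL that embeds a password."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in FTP_URL.findall(line):
            host, user, has_pw, redacted = check_ftp_url(url)
            if has_pw:
                findings.append((n, host, user, redacted))
    return findings

# Constructed sample: two entries as they might appear in a browser history export
SAMPLE = [
    "2003-11-04 09:12 ftp://ftp.microsoft.com/public/",
    "2003-11-04 09:15 ftp://wrstanek:mydingo123@ftp.microsoft.com:21/public/",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE):
        print("line %d: password embedded for %s on %s -> %s" % finding)
```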
Being granted access to a server, either anonymously or through authentication, doesn’t mean a user can upload or download files. The specific actions available to the user depend on the security settings. As discussed in Chapter 7, “Enhancing Web Server Security,” security settings are set at two levels: Windows and IIS. Windows security settings are configured through user and group accounts, file and folder permissions, and group policy. IIS security settings are set through FTP server permissions, authentication, and Transmission Control Protocol/Internet Protocol (TCP/IP) access restrictions.
Once a user is granted access to a server, either anonymously or through authentication, a TCP connection is established, and this connection remains open until the user session is terminated or the server issues a time-out. The FTP client and the server establish this connection using a three-way handshake. This handshake involves two dedicated TCP ports on the FTP server and two dynamically assigned TCP ports on the client that are mapped to the dedicated server ports.
TCP/IP connections are also established using a three-way handshake. TCP/IP connections are established at the Network Layer (Layer 3) of the Open Systems Interconnection (OSI) model. FTP connections are established at the Application Layer (Layer 7).
The two ports used by FTP servers are ports 20 and 21, by default. Port 20 is used for sending and receiving FTP data and is open only when data is being transferred. Port 21 is used for sending and receiving FTP control information. Port 21 listens for clients that are trying to establish a connection. Once an FTP session is established with a client, the connection on port 21 remains open for the entire session.
If clients connecting through a firewall or proxy can connect to an FTP server but can’t retrieve data, it’s likely that the control port, port 21, was opened for FTP access, but not the data port. To resolve this, have your network administrator check the firewall or proxy settings, ensuring that clients are granted access on both the FTP control port and the FTP data port.
The two ports used by FTP clients are dynamically assigned and range from 1024 to 5000. When an FTP session is started, the client opens a control port that connects to port 21 on the server. This connection is used to manage the FTP session. The client doesn’t automatically connect to the data port on the server. This port connection is established only when data needs to be transferred between the client and server. When data needs to be transferred, the client opens a new data port and then connects to the server’s data port (port 20 by default). Once the file transfer is complete, the client releases the data port. The next time data needs to be transferred, the client opens a new data port, which typically isn’t the same as the last port number used for data transfers.
More Info
The dynamically assigned port numbers are outside the ranges normally reserved for other TCP and User Datagram Protocol (UDP) services. Because ports 0 to 1023 (the well-known ports) are reserved for those services, FTP uses ports ranging from 1024 to 5000 (a range limited by a Windows Registry setting, with a theoretical upper limit of 65,535). You can find a complete list of current TCP and UDP ports used for well-known services in %SystemRoot%\System32\Drivers\Etc\Services.
Now that you know how FTP servers and clients use ports, let’s look at how FTP sessions are established and then used in actual data transfers. The process of establishing and using an FTP session can be summarized as follows:
1. The FTP server listens for client requests on a dedicated control port. By default, the control port is 21.
2. When a user makes a request for resources on the FTP server, the client dynamically assigns a control port and then maps this control port to the server’s control port. For example, the client might assign port 1025 and map this to server port 21.
3. Once a connection has been established with the server, the client and server can communicate over the control port.
4. Before the client initiates a data transfer, the client must dynamically assign a data port and map this to the server’s data port, port 20. Each time a file is transferred, a new data port is opened by the client and then released. For example, port 1057 might be used for the first data transfer, port 1058 for the next data transfer, and so on.
5. The FTP session remains open until the session is terminated or the connection times out. The user or the server can terminate the session.
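To make the data-port mapping concrete, here is an added example (not code from the book) that runs the data-connection half of one active-mode transfer on localhost: the client opens a fresh, dynamically assigned data port, encodes it the way the FTP PORT command does (h1,h2,h3,h4,p1,p2), and the server connects back to it, sends the file and closes. It uses OS-assigned localhost ports rather than 20 and 21, and the control-channel exchange is represented only by a comment; encode_port, decode_port, server_send_file and active_mode_retr are names chosen here.

```python
import socket
import threading

def encode_port(host, port):
    """Build the argument of the FTP PORT command: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    return ",".join(host.split(".") + [str(port >> 8), str(port & 0xFF)])

def decode_port(arg):
    """Parse a PORT argument back into (host, port)."""
    f = arg.split(",")
    return ".".join(f[:4]), (int(f[4]) << 8) | int(f[5])

def server_send_file(port_arg, payload):
    """Server side of an active-mode transfer: after answering '200 PORT command successful'
    the server connects back to the client's advertised data port (from port 20 on a real server)."""
    host, port = decode_port(port_arg)
    with socket.create_connection((host, port)) as data:
        data.sendall(payload)          # closing the socket marks end of file

def active_mode_retr(payload=b"hello from the server\r\n"):
    """Client side: open a new data port, advertise it with PORT, accept the server's
    connection, read the whole file, then release the data port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))    # 0 = let the OS pick the ephemeral port
    listener.listen(1)
    data_port = listener.getsockname()[1]
    port_arg = encode_port("127.0.0.1", data_port)
    # Over the control connection the client would now send "PORT " + port_arg and
    # then "RETR <file>"; here the server thread simply reacts to the PORT argument.
    server = threading.Thread(target=server_send_file, args=(port_arg, payload))
    server.start()
    conn, _ = listener.accept()        # inbound connection from the server's data port
    received = b""
    while chunk := conn.recv(4096):
        received += chunk
    conn.close()
    listener.close()                   # data port released; the next RETR opens a new one
    server.join()
    return port_arg, data_port, received

if __name__ == "__main__":
    arg, port, data = active_mode_retr()
    print("PORT %s -> client data port %d, received %r" % (arg, port, data))
```

Because the data connection arrives inbound at the client's freshly chosen port, a firewall that admits only the outbound control connection to port 21 blocks every transfer while the logon itself still succeeds.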
A useful tool for monitoring FTP sessions on clients and servers is Netstat. Netstat is a command-line utility that displays the status of network connections. When you call Netstat, you should specify that you want to see connections that TCP is using and that you want to redisplay the statistics at a specific interval. In this example you tell Netstat to display connection statistics every 15 seconds:
netstat -p tcp 15
You can run Netstat on a client to monitor FTP activity. When the client establishes an FTP connection to the server, you’ll see output similar to the following:
Active Connections

  Proto  Local Address      Foreign Address    State
  TCP    engsvr01:ftp       engsvr01:1043      ESTABLISHED
  TCP    engsvr01:1043      engsvr01:ftp       ESTABLISHED
Here, the FTP connection is established on port 1043 and this port is mapped to the FTP control port. Whenever the client retrieves data from the server, a data port is mapped as well. After the data has been transferred, the data port enters the TIME_WAIT state. The port remains in the TIME_WAIT state until it times out and is closed. The control port continues to reflect the ESTABLISHED state as long as the connection is open. These port states are reflected in the following statements:
Active Connections

  Proto  Local Address      Foreign Address    State
  TCP    engsvr01:ftp-data  engsvr01:1045      TIME_WAIT
  TCP    engsvr01:ftp       engsvr01:1043      ESTABLISHED
  TCP    engsvr01:1043      engsvr01:ftp       ESTABLISHED
When the client closes the connection to the FTP server, the only TCP entry that remains is the client-to-server control port mapping. As shown in this example, the client-to-server control port mapping enters the TIME_WAIT state and remains in this state until the session times out:
Active Connections

  Proto  Local Address      Foreign Address    State
  TCP    engsvr01:1043      engsvr01:ftp       TIME_WAIT
Keep in mind that clients can establish multiple connections to a server. If this is the case for the client you’re monitoring, you’ll see multiple control and data ports in various states. To see the complete list of available Netstat command line options, type netstat -?.
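When you monitor a busy server this way, it helps to reduce the Netstat listing to counts of FTP control and data entries per state and the client-side control ports in use. The following is an added example, not code from the book, that parses the listing format shown above; the sample text is constructed from the chapter's second listing, and parse_netstat and ftp_summary are names chosen here.

```python
import re

# Constructed sample, laid out like the chapter's second Netstat listing
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    engsvr01:ftp-data      engsvr01:1045          TIME_WAIT
  TCP    engsvr01:ftp           engsvr01:1043          ESTABLISHED
  TCP    engsvr01:1043          engsvr01:ftp           ESTABLISHED
"""

# One connection row: proto, local host:port, foreign host:port, state (IPv4 names only)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Turn the text of 'netstat -p tcp' into a list of connection dictionaries."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                          # header and blank lines do not match
            proto, lhost, lport, fhost, fport, state = m.groups()
            rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                         "fhost": fhost, "fport": fport, "state": state})
    return rows

def ftp_summary(rows):
    """Count control ('ftp') and data ('ftp-data') entries per state, and list the
    client-side control ports that are mapped to the server's port 21."""
    counts = {"control": {}, "data": {}}
    client_ports = []
    for r in rows:
        if r["fport"] == "ftp":        # client-to-server control mapping
            role = "control"
            client_ports.append(r["lport"])
        elif r["lport"] == "ftp":      # the server's view of the same session
            role = "control"
        elif "ftp-data" in (r["lport"], r["fport"]):
            role = "data"
        else:
            continue                   # not FTP; ignore
        counts[role][r["state"]] = counts[role].get(r["state"], 0) + 1
    return counts, client_ports

if __name__ == "__main__":
    print(ftp_summary(parse_netstat(NETSTAT_SAMPLE)))
```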
Each FTP site deployed in your organization has a unique identity that it uses to receive and respond to requests. The identity includes the following:
A computer or Domain Name System (DNS) name
A port number
An IP address
The way these identifiers are combined to identify an FTP site depends on whether the host server is on a private or public network. On a private network, a computer called CorpFTP could have an IP address of 10.0.10.25. If so, you could access the FTP site on the server in one of these ways:
Using the Universal Naming Convention (UNC) path name: \\CorpFTP or \\10.0.10.25
Using a URL: ftp://CorpFTP/ or ftp://10.0.10.25/
Using a URL and port number: ftp://CorpFTP:21/ or ftp://10.0.10.25:21/
On a public network, a computer called MoonShot could be registered to use the DNS name ftp.microsoft.com and the IP address 207.46.230.210. If so, you could access the FTP site on the server in one of these ways:
Using a URL: ftp://ftp.microsoft.com/ or ftp://207.46.230.210/
Using a URL and port number: ftp://ftp.microsoft.com:21/ or ftp://207.46.230.210:21/
Using different combinations of IP addresses and port numbers, you can host multiple sites on a single computer. Hosting multiple sites on a single server has definite advantages. For example, rather than installing three different FTP servers, you could host ftp.microsoft.com, ftp.msn.com, and ftp.adatum.com on the same FTP server.
In some environments where FTP is used extensively for uploading files, you might want more control over where and how users can upload files. Instead of allowing users to upload files to a common directory, such as Upload, you might want users to have separate home directories where they can safely upload files without fear of overwriting each others’ files and without being able to see files uploaded by other users. In this case you’d install the FTP site in FTP user isolation.
Keep in mind that you can’t change the user isolation mode after the FTP site is installed.
IIS 6.0 supports two isolation modes for FTP users:
Standard: Isolates users by local and domain user account names. Here, users log on to the server root directory using their Windows account. When the logon is authenticated, they’re mapped transparently to their isolated user directory.
Active Directory–integrated: Authenticates user credentials using Active Directory service. Here, users log on to the server root directory and their Windows credentials are authenticated in Active Directory. If authenticated, the user’s FTPRoot and FTPDir environment variables are used to determine which isolated user directory is used.
The FTPRoot and FTPDir environment variables are important in determining how the isolated user directories are mapped. FTPRoot sets the base directory of the server file share to use, such as \\ZETA\FTP. FTPDir sets the actual home directory to use, such as WRSTANEK. Together, these two variables specify the full UNC path to the user’s isolated directory, such as \\ZETA\FTP\WRSTANEK. These variables can be set through individual user environment variable settings or through the Active Directory User object. Note that by setting FTPDir to %UserName%, the home directory value is set automatically on a user-by-user basis. Also, keep in mind that only User objects in Windows Server 2003 environments have the FTPRoot and FTPDir attributes included by default.
When user isolation is used, users see only the FTP root directory and don’t know they’re in a separate directory. With Active Directory–integrated mode, users are mapped through an arbitrary root directory to the directory specified by concatenating the values of FTPRoot and FTPDir. These values must be set for users to log on to the FTP site.
With the standard mode, you’ll need to create a directory structure for all users who will access the server. Two directories are at the base of this directory structure:
LocalUser: A top-level directory for all local user accounts configured on the server. If you enable user isolation and also want to permit anonymous access, you’ll need to create a directory named LocalUser and then create a directory named Public below it. Anonymous users will be transparently mapped to the LocalUser\Public directory.
Domain: A top-level directory for all domain users who access the server, where Domain is the pre–Windows 2000 domain name. For example, if the domain name is Adatum.com, you would create a directory called ADATUM under the FTP root directory.
After you create the LocalUser and Domain directories, you’ll need to create subdirectories for each user that will access the FTP site. Following this, if you were the administrator of Adatum.com and wanted to take advantage of the standard FTP user isolation feature and also allow anonymous access to the FTP server, your directory structure might look like this:
Here, the LocalUser\Public virtual directory enables anonymous access on the user-isolated FTP server and four users have been configured for isolated access to the server: JohnE, MikeJ, TomW, and WilliamS.
When working with FTP user isolation modes, it’s important to note that you can’t change the mode after you’ve created an FTP site. So if you create a site in one mode and later discover you should have used another mode, you’ll need to create a new site to use this mode.
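The two mapping rules described above can be checked before a site goes live. The following is an added example, not code from the book: standard_home applies the standard-mode rules (anonymous to LocalUser\Public, a local account to LocalUser\name, DOMAIN\name to DOMAIN\name), ad_home concatenates FTPRoot and FTPDir with %UserName% expanded, and the example treats a missing isolated directory as a failed logon. The directory tree in demo is constructed in a temporary folder, and which of the four users are local and which are domain accounts is an assumption made here.

```python
import os
import tempfile

def standard_home(ftp_root, logon):
    """Standard mode: map a logon name to its isolated directory under the FTP root."""
    if logon.lower() == "anonymous":
        rel = os.path.join("LocalUser", "Public")
    elif "\\" in logon:
        domain, user = logon.split("\\", 1)   # pre-Windows 2000 name, e.g. ADATUM\TomW
        rel = os.path.join(domain.upper(), user)
    else:
        rel = os.path.join("LocalUser", logon)
    return os.path.join(ftp_root, rel)

def ad_home(ftp_root_attr, ftp_dir_attr, username):
    """Active Directory-integrated mode: FTPRoot + FTPDir, expanding %UserName%.
    Returns None when either attribute is unset, since the logon then cannot be mapped."""
    if not ftp_root_attr or not ftp_dir_attr:
        return None
    ftp_dir = ftp_dir_attr.replace("%UserName%", username)
    return ftp_root_attr.rstrip("\\") + "\\" + ftp_dir

def can_log_on(ftp_root, logon):
    """Standard mode: the logon is usable only if the isolated directory exists."""
    return os.path.isdir(standard_home(ftp_root, logon))

def build_sample_tree(root, local_users, domain, domain_users):
    """Constructed layout: LocalUser\\Public plus one directory per user."""
    os.makedirs(os.path.join(root, "LocalUser", "Public"))
    for u in local_users:
        os.makedirs(os.path.join(root, "LocalUser", u))
    for u in domain_users:
        os.makedirs(os.path.join(root, domain, u))

def demo():
    """Assumed split: JohnE and MikeJ local accounts, TomW and WilliamS in ADATUM."""
    root = tempfile.mkdtemp()
    build_sample_tree(root, ["JohnE", "MikeJ"], "ADATUM", ["TomW", "WilliamS"])
    return {
        "anonymous": can_log_on(root, "anonymous"),
        "JohnE": can_log_on(root, "JohnE"),
        "ADATUM\\TomW": can_log_on(root, "ADATUM\\TomW"),
        "ADATUM\\JohnE": can_log_on(root, "ADATUM\\JohnE"),   # no such directory
    }

if __name__ == "__main__":
    print(demo())
    print(ad_home("\\\\ZETA\\FTP", "%UserName%", "WRSTANEK"))
```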
In previous versions of IIS, you could designate FTP site operators for each FTP site on your server. FTP site operators were a special group of users who had limited administrative privileges. IIS 6 eliminates the notion of both FTP and Web site operators. FTP and Web site operator accounts were rarely used and presented more of a security risk than was desired. Don’t worry; you can designate administrators with limited privileges in IIS 6 and Windows Server 2003. To do this, you delegate authority to a user who needs specific permissions or privileges.