|
You handle FTP server security much like Web server security. You manage security at two levels: Windows and IIS. At the operating system level, you create user accounts, configure access permissions for files and directories, and set policies. At the IIS level, you set content permissions, authentication controls, and user privileges.
Note | Most FTP server security tasks are identical to those for Web server security. This section focuses only on what’s different. For a complete discussion of IIS security, see Chapter 7. |
You manage anonymous access to FTP sites using a named account that has the appropriate permissions for the directories and files you make available for uploading and downloading files. By default, the anonymous access account is the Internet guest account (IUSR_ComputerName) discussed in Chapter 7.
When anonymous access is enabled, users don’t have to log on using a user name and password. IIS automatically logs the user on using the anonymous account information provided for the resource. If anonymous access isn’t allowed, the site is configured for named account access only. Unlike Web sites, you can manage anonymous access only at the global or site level. You can’t manage anonymous access at the directory or file level.
When the FTP site is configured to use the non-isolated or standard isolated modes, you can manage anonymous access for all FTP sites on a server by completing the following steps:
After accessing the computer node you want to work with in the IIS snap-in, right-click FTP Sites and then select Properties. This displays the FTP Sites Properties dialog box.
Select the Security Accounts tab in the Properties dialog box, as shown in Figure 9-6.
Figure 9-6: Use the Security Accounts tab to configure anonymous access.
To enable anonymous access, select Allow Anonymous Connections and complete the remaining steps in this procedure.
To disable anonymous access, clear Allow Anonymous Connections and skip the remaining steps in this procedure. With anonymous connections disabled, only authenticated users can access the server. You must configure local or domain accounts that can be used to access the sites on this server.
The User Name field specifies the account used for anonymous access to the resource. If you desire, type the account name you want to use instead of the existing account, or click Browse to display the Select User dialog box. As necessary, enter the password for the account in the Password field.
Allow Only Anonymous Connections prevents users from logging on to the server with user names and passwords. Select this option if you want only the anonymous user account to be available. If you want to allow users to log on to the server with named accounts, clear this option.
Click OK, and then, if you browsed for a user account, click OK again to save your settings. All FTP sites on the server inherit the changes automatically.
You can manage anonymous access for a specific FTP site by completing these steps:
In the IIS snap-in, right-click the FTP site you want to work with and then select Properties.
Select the Security Accounts tab.
To enable anonymous access, select Allow Anonymous Connections and complete the remaining steps in this procedure.
To disable anonymous access, clear Allow Anonymous Connections and skip the remaining steps in this procedure. With anonymous connections disabled, only authenticated users can access the site. You must configure local or domain accounts that can be used to access the site.
The User Name field specifies the account used for anonymous access to the resource. If you desire, type the account name you want to use instead of the existing account or click Browse to display the Select User dialog box. As necessary, enter the password for the account in the Password field.
Allow Only Anonymous Connections prevents users from logging on to the site with user names and passwords. Select this option if you want only the anonymous user account to be available. If you want to allow users to log on to the site with named accounts, clear this option.
Click OK.
Every folder and file used by IIS can have different access permissions. You set these access permissions at the Windows security level. Anytime you work with file and folder permissions on an FTP server, you should keep the following in mind:
Only administrators should have full control over folders and files. If users have full control, they’ll be able to create, rename, and delete resources.
Authenticated users should be assigned specific permissions based on the types of tasks they need to perform. Users who can download files should have Read permission on the appropriate folders and files. Users who can upload files should have Write permission on the appropriate folders (and Read permission if you want them to view folder contents).
The Users group should have limited permissions. Set Read permission on folders and files used with downloads. Set Write permission on folders used with uploads (and Read permission if you want users to view folder contents).
If the server is part of an Active Directory domain, the Internet Guest account is a member of the Domain Users group. Otherwise, the Internet Guest account is a member of the Guests group. This ensures that anonymous users can access the FTP site’s directories. To prevent anonymous users from gaining permissions they shouldn’t have, you can specifically deny permissions, such as Write. You could also deny advanced permissions, such as Delete and Delete Subfolders And Files.
Tip | If you modify the properties of the base directory for the Default FTP Site, you’ll need to clear the Allow Inheritable Permissions From Parent check box before you can set specific permissions on the directory. You can access this check box by clicking Advanced in the Security tab. |
FTP sites and directories have permissions in IIS in addition to the Windows security settings. These permissions are set the same for all users. This means you can’t set different permissions for different users at the IIS level. You can, however, create specific areas of your FTP site that are designed for these specific functions:
Download only
Upload only
Download and upload
You can set FTP permissions globally through the master properties or locally at the site or directory level. When you set FTP permissions in the master properties, you must also specify how these properties are inherited. If a site or directory has settings that conflict with permission changes you’ve made, you’re given the opportunity to override the site or directory permissions with the global permissions. Similarly, if you make site-level permission changes that conflict with existing permissions on a subdirectory, you’re given the opportunity to override the site or directory permissions with the local permissions. In both cases the changes are applied when you choose to override the existing permissions.
To set FTP permissions globally, complete the following steps:
After accessing the computer node you want to work with in the IIS snap-in, right-click FTP Sites and then select Properties. This displays the FTP Site Properties dialog box.
As shown in Figure 9-7, select the Home Directory tab and then use the fields in the FTP Site Directory frame to set the permissions that you want sites and directories on this computer to inherit. The available options are the following:
Read Allows users to read or download files stored in the directory
Write Allows users to upload files to the directory
Log Visits Used with server logging to log requests related for resource files
Figure 9-7: Use the FTP Sites Properties dialog box to configure FTP permissions.
Click Apply. Before applying permission changes, IIS checks the existing permissions in use for all FTP sites and directories within FTP sites. If a site or directory node uses a different value for a permission, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes, which should use the new permission value, and then click OK.
To set FTP permissions for a site or directory, complete the following steps:
In the IIS snap-in, right-click the site or directory.
Select the Home Directory, Directory, or Virtual Directory tab as appropriate. This displays the dialog box shown in Figure 9-8. Then use the following fields to set the permissions for the selected resource:
Read Allows users to read or download files stored in the directory
Write Allows users to upload files to the directory
Log Visits Used with server logging to log requests related for resource files
Figure 9-8: Use the site’s Properties dialog box to configure FTP permissions.
Click Apply. Before applying FTP permission changes, IIS checks the existing permissions in use for all subdirectories. If a subdirectory uses a different value for a permission, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes, which should use the new permission value, and then click OK.
By default, FTP resources are accessible to all IP addresses, computers, and domains, which presents a security risk that might allow your server to be misused. To control use of resources, you might want to grant or deny access by IP address, network identification, or domain. As with other FTP server settings, you can apply restrictions through the master FTP server properties or through the properties for individual sites, directories, and files.
Granting access allows a computer to make requests for resources but doesn’t necessarily allow users to work with resources. If you require authentication, users still need to authenticate themselves.
Denying access to resources prevents a computer from accessing those resources. Consequently, users of the computer can’t access the resources—even if they could have authenticated themselves with a username and password.
You can establish or remove restrictions globally through the master FTP Site Properties dialog box by completing the following steps:
After accessing the computer node you want to work with in the IIS snap-in, right-click FTP Sites and then select Properties. This displays the FTP Sites Properties dialog box.
Select the Directory Security tab, as shown in Figure 9-9.
Figure 9-9: You can grant or deny access by IP address, network identification, and domain.
Click Granted Access to grant access to specific computers and deny access to all others.
Click Denied Access to deny access to specific computers and grant access to all others.
Create the Access list. Click Add, and then, in the Grant Access Or Deny Access dialog box, specify Single Computer or Group Of Computers as follows:
For a Single Computer, type the IP address for the computer, such as 192.168.5.50.
For Groups Of Computers, type the Network ID, such as 192.168.6.0, and the Subnet Mask, such as 255.255.255.0.
If you want to remove an entry from the Access list, select the related entry and then click Remove.
Click Apply. Before applying changes, IIS checks the existing restrictions for all FTP sites and directories within FTP sites. If a site or directory node uses a different value, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes that should use the new setting and then click OK.
You can establish or remove restrictions at the site or directory level by completing these steps:
In the IIS snap-in, right-click the site or directory that you want to work with. This displays a Properties dialog box.
Select the Directory Security tab.
Click Granted Access to grant access to specific computers and deny access to all others.
Click Denied Access to deny access to specific computers and grant access to all others.
Create the Access list. Click Add and then, in the Grant Access Or Deny Access dialog box, specify Single Computer or Group Of Computers as follows:
For a Single Computer, type the IP address for the computer, such as 192.168.5.50.
For Groups Of Computers, type the Network ID, such as 192.168.6.0, and the Subnet Mask, such as 255.255.255.0.
If you want to remove an entry from the Access list, select the related entry and then click Remove.
Click Apply. Before applying changes, IIS checks the existing restrictions for all child nodes of the selected resource (if any). If a child node uses a different value, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes that should use the new setting and then click OK.
|