Managing the FTP Service on a Windows Server 2003


To manage the basic FTP server on a Windows 2000/2003 server, follow these steps:

  1. Click Start, All Programs (Programs on Windows 2000), Administrative Tools, Internet Information Services (IIS) Manager.

  2. The MMC console starts with the IIS snap-in. Expand the server you want to manage and then its FTP Sites folder.

  3. Right-click on the FTP site you want to manage (the Default FTP site in our example) and select Properties.

  4. The properties pages for the FTP server can then be used to configure the server (see Figure 61.8).

    Figure 61.8. You can configure the FTP server using these properties sheets.

    graphics/61fig08.jpg

The Default FTP Site Properties page appears in this figure with the first tab (FTP Site) selected. You can use the Description field to change this from the default to a more meaningful name. This is useful if you use the MMC to manage multiple FTP sites on the same server or on other servers. The IP Address field selects the address on which the FTP service listens for incoming requests; on a server with several addresses, bind the site to the one address that should be reachable rather than leaving it at All Unassigned. The TCP Port field sets the port used for the service; in this example, the standard port 21 is shown. Bear in mind that port 21 carries only the control connection: file transfers use separate data connections, so a firewall in front of the server must allow those as well.

Other fields on this tab are fairly self-explanatory: they let you set the maximum number of users that can be connected to the server simultaneously and the number of seconds after which an idle session is disconnected. At the bottom of this first property page, you can also enable logging for the service. Leave it enabled; the log is usually the only record of who connected and what they transferred. The Active Log Format drop-down menu enables you to choose from

  • Microsoft IIS Log File Format This is a standard ASCII text file format. If you use this format, the information that's stored in the log file is fixed.

  • W3C Extended Log File Format This also is an ASCII text file, but one that you can customize to select which fields to log. This is the default format for the IIS FTP server.

  • ODBC Logging This can be used to direct logging data to an ODBC-compliant database.

The Properties button to the right of this drop-down menu enables you to configure the log file further. For the Microsoft IIS log file format, there's not much to configure: the data written to the log file is a fixed set. You can use the Properties button to choose when a new log file is created (hourly, daily, weekly, or monthly), or set a maximum size to which the file can grow before a new file is started. Additionally, you can set the location of the log file. The default is %WinDir%\System32\LogFiles, where %WinDir% resolves to the Windows installation directory; each site writes into its own subfolder beneath it.

For the W3C extended log file format, you have many more options. In addition to being able to configure the same options about how or when a new log file is created and the location of the log file, this format has an additional tab labeled Advanced.

There are far too many data items to discuss in this chapter, but you need to be aware that you can create a customized log file that stores just the information you need. You might find that on an anonymous FTP server, you don't care much about what data is stored in the log file, whereas on a server that provides for a secure logon, you might want to collect extensive data about the users of your system. To find out the meaning of each of these logging options, click the Help button and a brief description of each item will be displayed.

Caution

When your FTP server requires a username and password, abuse is limited to whoever holds valid credentials, but remember that standard FTP sends the username and password in cleartext, so anyone who can sniff the path between client and server can capture them. When using anonymous FTP, be aware that a simple attack is to use the anonymous account to upload enough data to fill the allocated space so that other users cannot use the anonymous login. Grant anonymous users write access only to a directory set aside for uploads, and watch its size. For more information about this topic, see Chapter 46, "Basic Security Measures Every Network Administrator Needs to Know."
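As an added example that is not part of the original chapter, the Python script below parses log lines in the W3C Extended format described above and looks for the two abuse patterns this section warns about: repeated failed PASS commands against a named account, and an anonymous session uploading enough to fill the disk. The sample log is constructed for the example in the layout the FTP site writes (the #Fields directive names the columns, and IIS prefixes each FTP command in cs-method with the session number, as in "[1]USER"); the thresholds are assumptions you would tune for your own server.

```python
"""Parse IIS FTP W3C Extended log lines and flag two abuse patterns:
password guessing against named accounts and bulk anonymous uploads.

The #Fields directive names the columns, so the parser never assumes a
fixed column order (the reason W3C Extended logging is customizable)."""
import re
from collections import defaultdict

# Constructed sample log in the layout the FTP site writes when W3C Extended
# logging is enabled; these are not real records. IIS prefixes the FTP
# command with the session number, e.g. "[1]USER".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-10-15 08:00:01
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-bytes cs-bytes
2003-10-15 08:00:01 192.0.2.10 - [1]USER anonymous 331 0 0 0
2003-10-15 08:00:02 192.0.2.10 anonymous [1]PASS guest@example.org 230 0 0 0
2003-10-15 08:00:05 192.0.2.10 anonymous [1]created /incoming/a.bin 226 0 0 52428800
2003-10-15 08:00:09 192.0.2.10 anonymous [1]created /incoming/b.bin 226 0 0 52428800
2003-10-15 08:00:13 192.0.2.10 anonymous [1]created /incoming/c.bin 226 0 0 52428800
2003-10-15 08:01:00 198.51.100.7 - [2]USER administrator 331 0 0 0
2003-10-15 08:01:01 198.51.100.7 administrator [2]PASS - 530 1326 0 0
2003-10-15 08:01:02 198.51.100.7 administrator [2]PASS - 530 1326 0 0
2003-10-15 08:01:03 198.51.100.7 administrator [2]PASS - 530 1326 0 0
2003-10-15 08:01:04 198.51.100.7 administrator [2]PASS - 530 1326 0 0
2003-10-15 08:02:00 203.0.113.5 - [3]USER jsmith 331 0 0 0
2003-10-15 08:02:01 203.0.113.5 jsmith [3]PASS - 230 0 0 0
2003-10-15 08:02:07 203.0.113.5 jsmith [3]sent /pub/readme.txt 226 0 2048 0
"""

SESSION_PREFIX = re.compile(r'^\[\d+\]')   # strips the "[n]" session marker


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError('data line encountered before a #Fields directive')
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record: skip rather than misalign columns
        yield dict(zip(fields, values))


def analyze(text, max_failed_logins=3, max_anon_upload_bytes=100 * 1024 * 1024):
    """Return a sorted list of (kind, client_ip, value) alerts.
    Thresholds are assumptions for the example; tune them per server."""
    failed_logins = defaultdict(int)
    anon_upload = defaultdict(int)
    for rec in parse_w3c(text):
        command = SESSION_PREFIX.sub('', rec['cs-method']).upper()
        if command == 'PASS' and rec['sc-status'] == '530':   # 530 = not logged in
            failed_logins[rec['c-ip']] += 1
        # "created" marks a completed upload; cs-bytes is what the client sent
        if command == 'CREATED' and rec['cs-username'].lower() == 'anonymous':
            anon_upload[rec['c-ip']] += int(rec['cs-bytes'])
    alerts = []
    for ip, count in failed_logins.items():
        if count > max_failed_logins:
            alerts.append(('password-guessing', ip, count))
    for ip, total in anon_upload.items():
        if total > max_anon_upload_bytes:
            alerts.append(('anonymous-upload', ip, total))
    return sorted(alerts)


if __name__ == '__main__':
    for kind, ip, value in analyze(SAMPLE_LOG):
        print('%-18s %-15s %d' % (kind, ip, value))
```

Run against a real log directory, the same parser works unchanged as long as the #Fields line is present, which is why the W3C format is the better choice for a server where you care who logged in and what they moved.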

Other tabs on the FTP Site Properties page include

  • Security Accounts Use this tab to allow or disallow anonymous access to the FTP server. If you allow anonymous connections, you can also choose the Windows user account under which they run (by default the IUSR_computername account that IIS creates); the NTFS permissions of that account, together with the Home Directory settings, determine what anonymous users can read and write.

  • Messages This tab enables you to input text that's presented to the user when logging in to and upon exiting the service. You also can enter a message that will be displayed to users who try to log on to the server when the maximum number of user sessions has already been reached.

  • Home Directory This tab enables you to configure the home directory for this FTP service. You can select a directory that's local to the server or a directory that's offered as a file share from another computer. If you choose the file share option, you'll be prompted to enter the authentication information needed to connect to the file share. The default directory is c:\inetpub\ftproot. Here you can select whether the directory can be read, written to, or both; NTFS permissions on the directory still apply on top of these settings, and Write combined with anonymous access is what makes the disk-filling attack in the caution above possible. You also can enable logging of visits to this directory. Finally, this tab can be used to specify how directory listings are displayed to users. You can choose between the standard MS-DOS format and the standard Unix format.

  • Directory Security This tab is important because it enables you to decide which computers (by IP address or address range) are allowed to connect to the service. You can choose to allow all computers access and then specify particular computers to exclude, or you can choose to deny access to all computers and then add only those addresses you want to allow to use the service. The second approach is the safer default for a server that only known hosts should reach.

Note

When using the Directory Security tab to allow or deny access to the FTP service, remember that some computers connect through a proxy server. This is typical when the computer you want to grant access to is on the other side of a firewall. In that case, the firewall (acting as a proxy) sends connection requests from its own address instead of the client's actual address. If you allow (or deny) access based on that address, every computer behind the proxy is allowed (or denied) access along with it.

As you can see, the FTP service enables you to control who can access your server and to log each visit in detail. You can create additional FTP sites on the same computer. For example, if you have multiple network adapters or if you assign multiple IP addresses to the same adapter, you can create additional FTP sites on the same server. To add additional FTP sites on this server:

  1. Highlight the computer server's name in the left pane of the MMC console.

  2. Click on Action, select New, and then FTP Site.

  3. A wizard appears and prompts you through creating the site, enabling you to enter the necessary information, such as a description of the site, the IP address to use, and so on.

Of course, after you've created an additional site, you can further refine how it operates by using the properties pages for that site.

The Dynamic Host Configuration Protocol and BOOTP

Most Unix environments, which use TCP/IP for networking, use DHCP servers to provide network configuration information to clients on the network. DHCP is not a proprietary solution, but is based on standards that are defined in RFCs 2131 and 2132. Microsoft clients using TCP/IP can also use DHCP servers. Additionally, Windows 2000/2003 have a highly configurable DHCP server that supports the options provided for in the RFCs as well as a few that are specific to Microsoft clients.

Tip

A few other RFCs, some still at the proposed standard stage, also apply to DHCP. For more information, search the database at www.rfc-editor.org.

If you're bringing Windows-based client systems into an existing Unix environment, you need only set each Windows client to obtain its address automatically; a DHCP client finds the server by broadcasting, so you never configure the server's address on the client. In an existing Windows network, you might want to stick with the Microsoft DHCP server. Because DHCP is based on Internet standards, most of the implementations you find will work with clients of either operating system.

Bringing Unix clients into a network that uses Microsoft DHCP servers can cause even some seasoned Unix administrators to worry. DHCP servers have been around for quite a while on Unix networks, running on Unix servers, and Microsoft's DHCP server is a relatively new creature on the market. However, because Microsoft's DHCP server is built using the standards set forth in the relevant RFC documents, you should have no reason to worry. The graphical interface Microsoft's version offers makes it even easier to manage the server and should be considered an advantage over some other products.

The DHCP server that you can install on Windows NT 4.0 through Windows 2003 is a full-featured implementation that can be used to support clients no matter what their operating system. The configuration information that a DHCP server sends to clients is itself configurable through the use of DHCP options. Each option describes a parameter that can be configured for the client from information the DHCP server can provide.

For more information about how BOOTP and DHCP function and how they can greatly simplify network administration tasks, refer to Chapter 29, "BOOTP and Dynamic Host Configuration Protocol (DHCP)."


Microsoft's DHCP server supports the options defined in RFC 2132, "DHCP Options and BOOTP Vendor Extensions" (which replaced the earlier RFC 1533). In addition, it enables the administrator to define custom options when needed. This ability to create customized options makes the server flexible in a networking environment that consists of different client types. Additionally, it's possible to set up the Microsoft DHCP service to run on a Windows 2000/2003 cluster, and thus provide redundancy for the network without having to divide the address space into separate scopes and place each scope on a separate server.

Before there was DHCP, there was BOOTP, which functions in a manner similar to DHCP. The BOOTP protocol is mainly used by diskless workstations, usually in a Unix network, to request addressing configuration information and to download an operating system. Microsoft's DHCP server enables the administrator to create records in a BOOTP table that can be used to satisfy requests from this kind of client. When the DHCP server receives a BOOTP request from a client, it looks up the client in the table. If a record for that client is found, the server returns three pieces of information to the client:

  • Boot Image A generic filename for the boot file

  • File Name The path to the boot image on a TFTP (Trivial File Transfer Protocol) server

  • TFTP Server The server from which the client can download the boot file

The Microsoft DHCP server responds to BOOTP clients with the information they need to download a boot file from another server. Unlike a standard DHCP lease, a BOOTP client's address does not have to be renewed periodically as a regular DHCP client's does. Instead, a BOOTP client is managed like a client that has a reserved DHCP address. Additionally, the Windows 2000/2003 DHCP server can supply BOOTP clients with many other options, as provided for in the RFCs.
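The message format behind the discussion above, as an added example rather than code from the book or from Microsoft's server: the Python below encodes and decodes the fixed header that BOOTP and DHCP share, the DHCP option area (RFC 2132 TLVs behind the magic cookie), a DHCPDISCOVER/DHCPOFFER pair, and a plain BOOTP reply carrying the three items a BOOTP-table entry supplies (client address, TFTP server, boot file path). The MAC address, IP addresses and boot file path are made up for the example, and the option parser rejects a length byte that runs past the packet rather than reading beyond it.

```python
"""Encode and decode BOOTP/DHCP messages (RFC 951, RFC 2131, RFC 2132).

A DHCP message is a BOOTP message whose vendor area starts with the magic
cookie 99.130.83.99 and carries TLV options; a plain BOOTP message has no
cookie and no option 53, which is how the parser tells the two apart."""
import socket
import struct

HEADER = struct.Struct('!BBBBIHH4s4s4s4s16s64s128s')   # 236-byte fixed part
MAGIC_COOKIE = bytes([99, 130, 83, 99])                 # RFC 2132 section 2
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
# Option codes used below (RFC 2132)
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST, OPT_CLIENT_ID = 51, 53, 54, 55, 61
OPT_PAD, OPT_END = 0, 255


def encode_options(options):
    """options: list of (code, bytes). Returns cookie + TLVs + END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if len(value) > 255:
            raise ValueError('option %d too long' % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse TLV options into {code: bytes}; stops at END, skips PAD, and
    rejects an option whose declared length runs past the packet."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError('truncated option header for code %d' % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError('option %d claims %d bytes, packet too short' % (code, length))
        opts[code] = value
        i += 2 + length
    return opts


def build_message(op, xid, chaddr, yiaddr='0.0.0.0', siaddr='0.0.0.0',
                  sname=b'', file=b'', options=None, flags=0):
    """Build a BOOTP (options=None) or DHCP message with the given fields."""
    header = HEADER.pack(op, 1, len(chaddr), 0, xid, 0, flags,
                         socket.inet_aton('0.0.0.0'), socket.inet_aton(yiaddr),
                         socket.inet_aton(siaddr), socket.inet_aton('0.0.0.0'),
                         chaddr.ljust(16, b'\0'), sname.ljust(64, b'\0'),
                         file.ljust(128, b'\0'))
    if options is None:
        return header + bytes(64)        # BOOTP: 64-byte vendor area, no cookie
    return header + encode_options(options)


def parse_message(data):
    """Decode a message; message_type is None for a plain BOOTP packet."""
    if len(data) < HEADER.size:
        raise ValueError('packet shorter than BOOTP header')
    (op, _htype, hlen, _hops, xid, _secs, flags, _ciaddr, yiaddr, siaddr,
     _giaddr, chaddr, sname, file) = HEADER.unpack_from(data)
    msg = {'op': op, 'xid': xid, 'flags': flags, 'chaddr': chaddr[:hlen],
           'yiaddr': socket.inet_ntoa(yiaddr), 'siaddr': socket.inet_ntoa(siaddr),
           'sname': sname.split(b'\0', 1)[0].decode('ascii', 'replace'),
           'file': file.split(b'\0', 1)[0].decode('ascii', 'replace'),
           'options': {}, 'message_type': None}
    tail = data[HEADER.size:]
    if tail.startswith(MAGIC_COOKIE):
        msg['options'] = decode_options(tail[len(MAGIC_COOKIE):])
        mt = msg['options'].get(OPT_MSG_TYPE)
        msg['message_type'] = mt[0] if mt else None
    return msg


def build_discover(xid, mac):
    """DHCPDISCOVER asking for subnet mask, router and DNS server options."""
    opts = [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
            (OPT_CLIENT_ID, b'\x01' + mac),           # hardware type 1 = Ethernet
            (OPT_PARAM_LIST, bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS]))]
    return build_message(BOOTREQUEST, xid, mac, options=opts, flags=0x8000)


def build_offer(request, yiaddr, server_ip, mask, router, dns, lease_secs):
    """DHCPOFFER answering `request`, echoing its xid and hardware address."""
    req = parse_message(request)
    opts = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
            (OPT_SERVER_ID, socket.inet_aton(server_ip)),
            (OPT_LEASE, struct.pack('!I', lease_secs)),
            (OPT_SUBNET, socket.inet_aton(mask)),
            (OPT_ROUTER, socket.inet_aton(router)),
            (OPT_DNS, socket.inet_aton(dns))]
    return build_message(BOOTREPLY, req['xid'], req['chaddr'], yiaddr=yiaddr,
                         siaddr=server_ip, options=opts)


def build_bootp_reply(request, yiaddr, tftp_server, boot_file):
    """Plain BOOTP reply as a BOOTP-table entry produces it: fixed address,
    TFTP server and boot file path, and no lease for the client to renew."""
    req = parse_message(request)
    return build_message(BOOTREPLY, req['xid'], req['chaddr'], yiaddr=yiaddr,
                         siaddr=tftp_server, file=boot_file.encode('ascii'))


if __name__ == '__main__':
    mac = bytes.fromhex('0050561a2b3c')          # invented client MAC
    offer = parse_message(build_offer(build_discover(0x1234, mac), '192.0.2.50',
                                      '192.0.2.1', '255.255.255.0', '192.0.2.1',
                                      '192.0.2.2', 86400))
    print('DHCP offer:', offer['yiaddr'], 'message type', offer['message_type'])
    boot = parse_message(build_bootp_reply(build_message(BOOTREQUEST, 0x99, mac),
                                           '192.0.2.60', '192.0.2.3', '/boot/diskless.img'))
    print('BOOTP reply:', boot['yiaddr'], boot['siaddr'], boot['file'],
          'message type', boot['message_type'])
```

The bounds check in decode_options is the part worth copying: a DHCP server or relay that trusts the length byte of a client-supplied option reads past the datagram, and every DHCP implementation worth the name validates it the same way.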

DNS

DNS is the standard method used on the Internet to resolve friendly host names, which humans find easier to remember, to IP addresses (and, through reverse lookup, addresses back to names). Microsoft NT 4.0/2000/2003 provide a DNS server based on RFCs 1034 and 1035 that can be used by Microsoft clients and by any other client built to that standard, which of course includes most Unix and Linux clients. Additionally, with Windows 2000/2003, Microsoft's DNS server supports dynamic DNS, defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)." This enables clients to use DHCP to obtain an address, and then have that address automatically registered with the DNS server. This feature can be very useful if you have many mobile clients that move among different subnets, because manually updating a DNS server for every move would be a daunting task in a large network. Note, however, that a zone that accepts unsecured dynamic updates accepts them from any host that can reach the server, so one machine can overwrite another's record; for Active Directory-integrated zones, set dynamic updates to "secure only" so that only authenticated computers can register or change their own names.

Chapter 30 covers the implementation of DNS.
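To make concrete what a dynamic DNS registration is on the wire, the added Python example below (not code from the chapter) builds and decodes an RFC 2136 UPDATE message that replaces a host's A record, with an optional prerequisite so the server refuses to touch a name that already exists. The zone, host name and addresses are invented for the example. Nothing in such a packet authenticates the sender beyond its source IP address; that is what secure dynamic update adds on top, and why an unsecured zone lets any host rewrite any name.

```python
"""Build and decode an RFC 2136 DNS UPDATE message (opcode 5).

The update section below does two things: an RR of class ANY with TTL 0
and empty RDATA deletes every A record at the name (RFC 2136 2.5.2), and
an RR of class IN adds the new address (2.5.1). An optional prerequisite
of class NONE / type ANY asserts "name not in use" (2.4.3)."""
import socket
import struct

OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255


def encode_name(name):
    """Owner name in uncompressed wire format (length-prefixed labels)."""
    out = bytearray()
    for label in name.rstrip('.').split('.'):
        if not 0 < len(label) < 64:
            raise ValueError('bad label in %r' % name)
        out.append(len(label))
        out += label.encode('ascii')
    out.append(0)
    return bytes(out)


def decode_name(data, off):
    """Return (name, new_offset). Compression pointers are rejected rather
    than followed; the builder never emits them."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError('compressed name at offset %d' % (off - 1))
        labels.append(data[off:off + n].decode('ascii'))
        off += n
    return '.'.join(labels) + '.', off


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack('!HHIH', rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, host, new_ip, ttl=3600, require_absent=False):
    """UPDATE for `zone`: delete all A RRs at `host`, then add `new_ip`.
    With require_absent=True the server must refuse (YXDOMAIN) if `host`
    already exists, so a registration cannot silently replace another
    machine's record."""
    zone_section = encode_name(zone) + struct.pack('!HH', TYPE_SOA, CLASS_IN)
    prereqs = rr(host, TYPE_ANY, CLASS_NONE, 0, b'') if require_absent else b''
    updates = (rr(host, TYPE_A, CLASS_ANY, 0, b'') +
               rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(new_ip)))
    header = struct.pack('!HHHHHH', msg_id, OPCODE_UPDATE << 11,
                         1, 1 if require_absent else 0, 2, 0)
    return header + zone_section + prereqs + updates


def parse_update(data):
    """Decode the zone, prerequisite and update sections into a dict."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack_from('!HHHHHH', data)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError('not an UPDATE message')
    off = 12
    zone, off = decode_name(data, off)
    ztype, _zclass = struct.unpack_from('!HH', data, off)
    off += 4
    if zocount != 1 or ztype != TYPE_SOA:
        raise ValueError('UPDATE must carry exactly one SOA zone entry')
    result = {'id': msg_id, 'zone': zone, 'prereqs': [], 'updates': [], 'additional': adcount}
    for section, count in (('prereqs', prcount), ('updates', upcount)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from('!HHIH', data, off)
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            result[section].append((name, rtype, rclass, ttl, rdata))
    return result


def describe(update):
    """Human-readable view of what the update section would do."""
    lines = []
    for name, rtype, rclass, ttl, rdata in update['updates']:
        if rclass == CLASS_ANY and not rdata:
            lines.append('delete all type-%d RRs at %s' % (rtype, name))
        elif rclass == CLASS_IN and rtype == TYPE_A:
            lines.append('add %s A %s ttl %d' % (name, socket.inet_ntoa(rdata), ttl))
        else:
            lines.append('other change at %s' % name)
    return lines


if __name__ == '__main__':
    pkt = build_update(0x2a2a, 'example.com', 'laptop1.example.com', '192.0.2.77')
    for line in describe(parse_update(pkt)):
        print(line)
```

A Windows DHCP server registering clients on their behalf sends exactly this kind of message to the DNS server; the difference between an open zone and a "secure only" zone is whether the server demands a signature it can verify before applying it.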


If you already have a DNS server running on your network, you might wonder why you would want to use Microsoft's DNS server when you add clients that are not running Unix or Linux. The answer is simple: In addition to providing support for dynamic DNS, Microsoft's DNS server provides a WINS (Windows Internet Name Service) lookup feature that can further simplify network administration chores. WINS provides a service similar to DNS, but with an interesting twist: Microsoft's DNS server can query a WINS server when it cannot resolve a name or address from the information contained in its own database.

Although DNS is basically used to perform IP address/name translations, WINS was developed to provide name resolution services for NetBIOS names. When a WINS client computer boots, it registers its NetBIOS name(s) with the WINS server along with its current network address. Sounds a lot like dynamic DNS, doesn't it? If you incorporate DHCP into the network, you'll be relieved of having to keep track of IP addresses for Microsoft clients as well as maintaining an address space when clients move or new clients are added to the network. Enabling Microsoft clients to use the WINS service eliminates the manual task of administering a name server to keep track of additions or changes to the network.

If you plan to move your network toward using only Windows 2000/2003 and Windows XP, you probably won't need WINS any more. It's provided with Windows 2000/2003 mainly for backward compatibility with earlier Microsoft operating systems. You can run both WINS and DNS in the same network with Windows 2000/2003 and earlier systems. In a network that includes Unix, Linux, and Windows clients, you no longer need WINS if the Windows clients are all Windows 2000, Windows XP, or Windows Server 2003 (Windows 9x/Me clients still rely on NetBIOS name resolution). Before you retire WINS, confirm that no application or service on the network still depends on NetBIOS names; once none does, you can also disable NetBIOS over TCP/IP on the clients, which closes the NetBIOS ports to the network.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434