Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


February 02, 2001

IIS 101: Creating an FTP Server for Your Users


IIS 101

File servers are extremely handy when you want a central location in which your users can store all their important work. If all your users rely on a file server, the risk of people losing files on their desktops greatly diminishes. As your company grows and your users become more mobile, they will move to laptops and dial in to work. When users make this move, server access won’t be as easy as it was when the users were on your LAN. To give your users the remote access they need, you can use the FTP server built into IIS.

With IIS’s FTP server, users can log on to the FTP server, which then transfers them to their Personal folder. (This setup is similar to the home folder you set up in User Manager.) For my example, I use the RPG Consulting Company, a fictitious e-consulting startup company. The company has 45 employees and just opened a new remote office on the West Coast. To save money, the company opted for a Digital Subscriber Line (DSL) for the new office rather than a more costly private line or WAN connection. The existing Windows 2000 file server in the East Coast office has a hidden shared folder for every user. The users automatically map this folder during their network logon, so each network share appears as \\fileserver\username$ (the dollar sign—$—makes the share hidden on the network). All these shared folders are on the D drive beneath the Users folder. The folder names for each user must be the same as the users’ usernames. The D drive is formatted as an NTFS drive, and each user’s folder lets only that particular user access its contents.

Setting Up the FTP Server
When you installed Win2K on the file server, you automatically installed IIS 5.0. I recommend that you use the minimum number of required services. If you don’t need the SMTP, Network News Transfer Protocol (NNTP), or Indexing services, uninstall them. To begin configuring the FTP server, choose Start, Administrative Tools, Internet Services Manager. Right-click the FTP server, then select Properties. On the Default FTP Site Properties dialog box, which Figure 1 shows, click the FTP Site tab. Because RPG has only 45 employees, I recommend changing the maximum number of connections to 100. (If you set this number to 45, you might have to change it every time you add an employee; therefore, don’t set the limit too close to the employee count.)

I also recommend that you leave Logging on; if you have any breaches, you can use the log files to trace them. To add logging for the User Name (cs-username) and Host (cs-host), click Properties on the FTP Site tab, then click the Extended Properties tab, which Figure 2 shows. These options are available only when you’re using W3C Extended logging, which is the default for IIS.
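One way to use those log fields after the fact, as an added example that is not part of the original article: the Python below reads W3C Extended log lines, follows each #Fields directive, and lists client addresses with repeated 530 (logon failed) replies along with the usernames they tried. The sample log lines, their field order, and the function names are constructed for illustration; the last entry shows what is lost when cs-username is not logged.

```python
from collections import defaultdict

# Constructed sample of an FTP log in W3C Extended format (not from the article).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
14:03:11 192.0.2.10 jsmith [1]USER jsmith 331
14:03:12 192.0.2.10 jsmith [1]PASS - 230
14:05:40 198.51.100.7 administrator [2]USER administrator 331
14:05:41 198.51.100.7 administrator [2]PASS - 530
14:05:43 198.51.100.7 jsmith [3]USER jsmith 331
14:05:44 198.51.100.7 jsmith [3]PASS - 530
14:05:46 198.51.100.7 mjones [4]USER mjones 331
14:05:47 198.51.100.7 mjones [4]PASS - 530
#Fields: time c-ip cs-method sc-status
14:09:02 203.0.113.5 [5]PASS 530
"""

def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def failed_logins(lines, threshold=3):
    """Return {client IP: sorted usernames} for hosts with >= threshold 530 replies."""
    count = defaultdict(int)
    users = defaultdict(set)
    for entry in parse_w3c(lines):
        if entry.get("sc-status") != "530":
            continue
        ip = entry.get("c-ip", "-")
        count[ip] += 1
        name = entry.get("cs-username", "-")  # absent if the field was not enabled
        if name != "-":
            users[ip].add(name)
    return {ip: sorted(users[ip]) for ip, n in count.items() if n >= threshold}

if __name__ == "__main__":
    for ip, names in failed_logins(SAMPLE_LOG.splitlines()).items():
        print(ip, "failed logons for:", ", ".join(names) or "(username not logged)")
```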

On the Default FTP Site Properties dialog box, click the Security Accounts tab. Clear the Allow Anonymous Connections check box, which Figure 3 shows. Note that when you remove an Anonymous account, your FTP site isn’t necessarily completely safe. The system sends FTP usernames and passwords in clear-text format, and malicious intruders can easily sniff them. Seriously consider this vulnerability if the information stored in users’ personal directories is important.

The Messages tab has three simple input boxes—a welcome message, an exit message, and the error message users receive if the server has exceeded its maximum number of users. The message on the FTP welcome page can be information about RPG or perhaps a legal statement about unauthorized users.

On the Home Directory tab, you set your home directory, which is the location from which users access their folders. In RPG’s case, the home directory is the D drive. The Directory Listing Style on this tab defines file-date format. The default style is MS-DOS, which lists dates with a two-digit year format. The UNIX style displays the date in a four-digit year style, and no year is returned if the file date is the same as the current year.

The Directory Security tab lets you allow connections to the server only from certain individual computers or groups of computers. RPG could use these settings to provide IP addresses for computers in the West Coast office. However, because many employees aren’t in the office, the company will continue to allow connections from any host, relying on authentication as the only means of security.

Two important tasks remain. The first task is to ensure that you’re using your domain accounts rather than the local machine to authenticate users. If your file server is also a domain controller (DC), you can skip this step because the local users are the domain accounts. If your file server is only a member server, you need to configure IIS to use your Windows NT domain to authenticate. The "Resolution 4" section of the Microsoft article "Err Msg: 530 User <Username> Cannot Log In. Login Failed." (http://support.microsoft.com/support/kb/articles/q200/4/75.asp) provides information about configuring IIS.

The final and perhaps most complex task is correctly setting your NTFS permissions so that users will be able to access only their data and nothing they shouldn’t. The home directory (in my example, the root of the D drive) has the following NTFS settings:

  • Set the local System account and the Domain and Local Administrators accounts to Full Control permission.
  • Set the Users group to Read & Execute permission.

When you create new users, they automatically go into the Users group, which is a good way to generalize your user base without having to add all the users to a permissions page individually.

You can give the Users group extremely limited permissions to the root of the D drive. To set these permissions, click Advanced on the Security tab of the folder’s Properties dialog box. On the Access Control Settings for Folder dialog box, select the Users group, and click View/Edit, as Figure 4 shows. On the Permission Entry for Folder dialog box, which Figure 5 shows, select This folder only from the Apply onto drop-down list, then clear all check boxes except those allowing the following permissions:

  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions

Rolling Out the FTP Server
Testing is the most important part of this whole process. Create a few new accounts, and test this setup thoroughly. Ensure that users can access only their folders and no one else’s. Make sure they can’t write to folders they shouldn’t be able to. If everything works, roll the FTP server out to your users, and let them know that they can now access all their files on the road with ease.




Reader Comments
How do you compensate for multiple users trying to ftp to a default ftp site, many at the same time. Is there some setting that will allow several users to log in simultaneously?

Julie McGrath October 19, 2001


How do you set up CGI access on your FTP server?

Robert November 15, 2001


How do I link to my FTP server from my web page? Right now when someone clicks the link "ftp://server/folder" it gives them a file not found error, but once they hit Enter in the address bar, it takes them to the site. It's almost like IE doesn't know it's an FTP site until then.

Mark November 23, 2002


/me stabs Robert in the face...like a fox.

Anonymous User October 25, 2004


Hi,

I successfully made an FTP server on my PC. How am I going to create accounts for testing? I'm using WinXP Prof.
Thanks

dimes18 January 23, 2005


I have Windows 2000 Advanced Server and that system is not on a domain; there is a workgroup system in the whole network. I made a full FTP server and it's working fine. Now I want that when users log in through FTP they can access only their folders and not see others' folders (as I have one folder for each user with name). Can you help me in this regard? I also set permissions of that folder so only administrator and the user itself can access the folder and the Everyone option is denied, but it's not working. Please CC your reply at ch_shahid@hotmail.com

Anonymous User April 04, 2005





