Configuring your FTP site on IIS 5.0 is a snap

Editor's Note: Each month, this column discusses various aspects of the advanced administration of e-business sites. This month's column examines configuring FTP servers on IIS 5.0 and how you can easily leverage the power of Microsoft FTP Server on Win2K.

When you install Windows 2000 Server, Win2K Advanced Server, or Win2K Datacenter Server, IIS creates a default FTP site. As it can with Web servers, IIS can host several FTP servers on one Win2K server. One computer running Win2K Server and hosting multiple FTP sites simultaneously gives the appearance of being several computers. In addition, each FTP site can host more than one domain name. Because an FTP site mimics the appearance of an individual computer, the sites are sometimes called virtual FTP servers.

In this issue, I show you how to set up and configure an IIS FTP server and publish information to your FTP site. To execute the tools, tips, and tricks that I show you in this article, you need access to Win2K Server, Win2K AS, or Datacenter with IIS 5.0 installed.

Configuring the FTP Server
FTP is the protocol used to copy files to and from remote computer systems that use TCP/IP; it's also the transport mechanism that many (if not most) of the content-management solutions on the Internet use. This protocol lets you use FTP commands (or programs) to work with files (e.g., listing files) and directories on the remote system.

The default FTP server that IIS 5.0 installs is preconfigured and ready to go with Anonymous access immediately after installation. Just as Web servers use TCP port 80 by default, FTP servers use TCP port 21 to respond to requests. If your network has a name-resolution system (typically DNS), then visitors can type ftp:// followed by your site's DNS name in the address bar of their browsers or FTP clients to reach your site (e.g., If your network doesn't have a name-resolution system, visitors must type ftp:// and your server's numerical IP address. Command-line users can use standalone command-line FTP programs that are available on many platforms and OSs, including Windows.

Anonymous FTP access is an authentication mechanism identical to that of Anonymous authentication for the IIS 5.0 Web server. Because IIS 5.0 uses the IUSR_computername account to provide anonymous access, users can connect to your FTP server without having to provide usernames and passwords (with the exception of a username of Anonymous and an email address as a password). You can always specify a different account for anonymous access and restrict access to resources that use NTFS permissions. Note that even when you enable Basic authentication, Anonymous authentication always takes precedence, and the IIS 5.0 FTP server will use it first.

Let's sift through some common configuration items that you'll most likely establish on your FTP server. These items include setting informational messages that give users details about the site when they connect to it, limiting FTP site access, and designating write privileges.

Setting informational messages. Informational messages can take the form of a greeting message that welcomes users to the FTP site when they first log on and an exit message that users see when they log off. To set such messages, open the Microsoft Management Console (MMC) Internet Information Services snap-in, right-click Default FTP Site, then select Properties. Click the Messages tab, which Figure 1 shows, and type a Welcome message and an Exit message. You can also enter a Maximum Connections number to limit the number of connections to your FTP server. Now when users connect to your FTP site, they receive a welcome message, and when they log off, they see a good-bye message.

Limiting FTP site access. When you click the Security Accounts tab on the Default FTP Site Properties dialog box, you see that the Allow Anonymous check box is selected. Enabling this option lets users anonymously authenticate on your site. If you want to extend FTP access to domain users only, clear this check box and make sure user accounts exist for each person you want to authenticate.

Designating write privileges. On the Home Directory tab of the Default FTP Site Properties dialog box, which Figure 2 shows, you can see that by default, IIS doesn't extend write privileges to users of your FTP site. If you want to let users on your FTP site copy files to your site, you need to select the Write check box. Write privileges on multiple FTP sites on one server, combined with removing Anonymous authentication, are the heart and soul of many Web site content-management solutions for application service providers (ASPs) and ISPs.

One of the main drawbacks of using FTP as a content-management solution in secured sites is that you lose file permissions (e.g., ACLs) and attributes in the transfer. For example, if you secure a Web page by applying ACLs to it while the page is on your development or staging server, then use FTP to copy that file to a production server, you lose the file permissions in the process. Content Replication System (CRS), which shipped with Microsoft Site Server 3.0 and now ships in Microsoft Application Center 2000, overcomes the problem by retaining file permissions and attributes when you copy files. CRS employs a file-transfer mechanism similar to FTP, but because CRS has superior capabilities, Microsoft uses it extensively internally for content management.

FTP Tips and Tricks
You can make your FTP site more feature-rich than most FTP sites on the Internet. To do so, try these three tips when you configure your site. (I found the last two tips in the Microsoft Developer Network—MSDN—Library.)

Tip 1: Add Custom Messages
The FTP service supports annotating a directory with custom messages when a user navigates to that folder. This annotation text resides in a special text file called ~ftpsvc~.ckm, which you create in the directory you want to annotate. If this file exists in the target directory when an FTP user navigates to it (a Change Directory Certified Web Developer—CWD—FTP operation), the FTP service responds by displaying the contents of this file. By default, the FTP service is configured not to send annotation text. If you choose to add a custom message, you need to also create the annotation file. I recommend that you make the annotation file a hidden file so that it doesn't appear on a directory listing.

The FTP service maintains many of its parameters in the Win2K registry. To turn on annotation text on your FTP server, use regedit to add the AnnotateDirectories parameter with a value of 1. Drill down to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters registry subkey. Right-click Parameters, select New, then select DWORD Value to add a REG_DWORD value for AnnotateDirectories. Name the REG_DWORD value AnnotateDirectories, then double-click it to show its properties. Change the Value Data field from 0 to 1. After you complete these steps, your registry subkeys for FTP parameters will look like the example that Figure 3 shows.

Next, create a folder on your FTP site (the default folder is \inetpub\ftproot—I called my folder \timh). Use Notepad to create the ~ftpsvc~.ckm file in that folder. On my Win2K server, the absolute path to this file is C:\inetpub\ftproot\timh\~ftpsvc~.ckm. Type a message for the contents of the file, and save it. I entered the text Hello and welcome to this special folder on my FTP site! as the contents of my file.

Now, use any FTP client to connect to your site. To use the command-line-based FTP client, follow these steps:

  1. Open a command prompt, and type
  2. FTP localhost
  3. Log on as Anonymous, then type your email address as a password.

  4. Type
  5. CD for change directory to the folder you created that contains the annotation text file. (In my case, I typed CD timh.)

The custom annotation text appears in a format similar to that in Figure 4.

Tip 2: Create User Directories
If you want to automatically place authenticated users in their own FTP directories when they log on, you can create a virtual FTP directory with the same name as the user. To create this directory, right-click your FTP server within the Internet Information Services snap-in, then select New, Virtual Directory. Click Next to start the Virtual Directory Creation Wizard. Enter the virtual directory alias, then click Next. (When I created user directories, I chose timh as the virtual directory alias.) Create a folder for your users. (I used the folder C:\inetpub\ftproot\timh that I created in the first tip.) Browse to the folder that you created, and click Next. Select read and write permissions, then click Next. Click Finish.

Now, connect to your FTP server with an FTP client as I described in Tip 1, but this time log on as a domain user instead of as Anonymous. I have a user named timh on my domain, and I used that name to authenticate. In the example that Figure 5 shows, the system automatically placed me in the \timh directory upon authentication, and I received the annotated directory message that I configured in Tip 1.

Tip 3: Limit Access
You can lock anonymous users into an FTP directory so that they can't browse outside it and still enable an authenticated user (who isn't using Microsoft FrontPage) to upload files to the same directory. To limit access, follow these steps:

  1. In Windows Explorer, place the FTP directory under the \wwwroot directory.
  2. In the Internet Information Services snap-in, point the FTP server to the FTP directory.
  3. From the Internet Information Services snap-in, create a second FTP server under the first one and give it the same name as the username of the client who wants to upload files.
  4. Point the second FTP server to the FTP directory (the same one as in Step 2).
  5. In Windows Explorer, set the NTFS permissions on the FTP directory to give Anonymous FTP User Full Control on the FTP directory and deny all permissions on the root directory.

After logon, the system places the authenticated user in the virtual FTP site that has the same name. The user has full control over directory content and can upload files. Anonymous users who log on will be able to read the files, but they'll have no control over the files and can't browse outside the virtual FTP directory.

Hosting Multiple FTP Sites on Your Server
Each FTP site has a unique, three-part identity that it uses to receive and respond to requests. That identity consists of

  • A TCP port number
  • An IP address
  • A host header name

When you add a new permutation of any of these three identifiers, you can host multiple FTP sites on one Win2K server. This process is identical to the process by which you set up multiple Web sites on IIS. (For more information about multiple sites on IIS, see Brett Hill, "Multiple Web Sites with IIS 5.0 and IIS 4.0,", InstantDoc ID 9163; and Marnie Hutcheson, "Using Host Headers to Set Up a Multihomed Server," October 1999.)

Administering FTP Sites
Performing administrative tasks on the computer that's running IIS is sometimes inconvenient, so IIS has two remote-administration options. If you connect to your server over the Internet or through a proxy server, you can use the browser-based Internet Services Manager (HTML) to change properties on your site. If you're on an intranet, you can use ISM (HTML) or the Internet Information Services snap-in.

FTP on IIS Is Easy
Configuring an IIS FTP server is a breeze. You don't even have to install and set up an FTP server because IIS installation completes that step for you. With the configuration tips and tricks I've shown you, you can make your FTP site more feature-rich than many FTP sites on the Internet.

Next month, I switch gears to Application Center. I take an in-depth look at Application Center's content-deployment system, which automatically deploys new content to every Web server in the Application Center cluster. Application Center uses CRS, which is a faster, more efficient file-transfer mechanism than FTP and retains permissions when transferring files.