
Creating and Configuring FTP Sites in Windows Server 2003


Begin by opening Add or Remove Programs in Control Panel and selecting
Add/Remove Windows Components. Then select the checkbox for Application Server:

Click Details and select the checkbox for Internet Information Services (IIS):

ERMIYAS W.
1
Click Details and select the checkbox for File Transfer Protocol (FTP) Services.

Click OK twice and then Next to install the FTP service.

Creating an FTP Site


As with web sites, the simplest approach to identifying each FTP site on your machine is
to assign each of them a separate IP address, so let's say that our server has three IP
addresses (172.16.11.210, 172.16.11.211 and
172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the
Human Resources department, but before we do that let's first
examine the Default FTP Site that was created when we installed the FTP service on our
machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console
tree, and right-click on Default FTP Site and select
Properties:

Just like the Default Web Site, the IP address for the Default FTP Site is set to All
Unassigned. This means any IP address not specifically assigned to another FTP site on
the machine opens the Default FTP Site instead, so right now opening either
ftp://172.16.11.210, ftp://172.16.11.211 or ftp://172.16.11.212 in Internet Explorer will
display the contents of the Default FTP Site.

Let's assign the IP address 172.16.11.210 for the Human Resources FTP site and make
C:\HR the folder where its content is located. To create the new FTP site, right-click on
the FTP Sites node and select New then FTP Site. This starts the FTP Site Creation
Wizard. Click Next and type a description for the site:

Click Next and specify 172.16.11.210 as the IP address for the new site:

Click Next and select Do not isolate users, since this will be a site that anyone
(including guest users) will be free to access:

Click Next and specify C:\HR as the location of the root directory for the site:

Click Next and leave the access permissions set at Read only as this site will only be
used for downloading forms for present and prospective employees:

Click Next and then Finish to complete the wizard. The new Human Resources FTP
site can now be seen in IIS Manager under the FTP Sites node:

To view the contents of this site, go to a Windows XP desktop on the same network
and open the URL ftp://172.16.11.210 using Internet Explorer:

Note in the status bar at the bottom of the IE window that you are connected as an
anonymous user. To view all users currently connected to the Human Resources FTP
site, right-click on the site in IIS Manager and select Properties, then on the
FTP Site tab click the Current Sessions button to open the FTP User Sessions dialog:

Note that anonymous users using IE are displayed as IEUser@ under
Connected Users.

Now let's create another FTP site using a script instead of the GUI. We'll create a site
called Help and Support with root directory C:\Support and IP address 172.16.11.211:

Here's the result of running the script:

Controlling Access to an FTP Site


Just like for web sites, there are four ways you can control access to FTP sites on IIS:
NTFS Permissions, IIS permissions, IP address restrictions, and authentication
method. NTFS permissions are always your first line of
defense but we can't cover them in detail here. IIS permissions are specified on the
Home Directory tab of your FTP site's properties sheet:

Note that access permissions for FTP sites are much simpler (Read and Write only) than
they are for web sites, and by default only Read permission is enabled, which allows
users to download files from your FTP site. If you allow Write access, users will be able
to upload files to the site as well.

Like web sites, IP address restrictions can be used to allow or deny access to your site
by clients that have a specific IP address, an IP address in a range
of addresses, or a specific DNS name. These restrictions are configured on the
Directory Security tab just as they are for web sites. FTP sites also have fewer
authentication options than web sites, as can be seen by selecting the Security
Accounts tab:

By default Allow anonymous connections is selected, and this is fine for public FTP sites
on the Internet but for private FTP sites on a corporate intranet you may want to clear
this checkbox to prevent anonymous access to your site. Clearing this box has the result
that your FTP site uses Basic Authentication instead, and users who try to access the site
are presented with an authentication dialog box:

Note that Basic Authentication passes user credentials over the network in clear text,
which means FTP sites are inherently insecure (they don't support Windows integrated
authentication).

So if you're going to deploy a private FTP site on your internal network make sure you
close ports 20 and 21 on your firewall to block incoming FTP traffic from external users
on the Internet.
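The cleartext exposure described above can be confirmed from a packet capture. The following is an added example, not part of the original article: it scans a reassembled FTP control-channel transcript for readable PASS commands and reports which named accounts had a working password cross the network. The transcript, its server reply texts and the password are constructed sample data, and the function names are hypothetical.

```python
import re
# Constructed transcript of one FTP control connection (TCP port 21) as a packet
# capture shows it: "C:" client, "S:" server. The password is made up.
SAMPLE_CAPTURE = """\
S: 220 Microsoft FTP Service
C: USER anonymous
S: 331 Anonymous access allowed, send identity (e-mail name) as password.
C: PASS IEUser@
S: 230 Anonymous user logged in.
C: USER TESTTWO\\bsmith
S: 331 Password required for TESTTWO\\bsmith.
C: PASS wrong-guess
S: 530 User TESTTWO\\bsmith cannot log in.
C: USER TESTTWO\\bsmith
S: 331 Password required for TESTTWO\\bsmith.
C: PASS Example-Passw0rd
S: 230 User TESTTWO\\bsmith logged in.
"""

COMMAND = re.compile(r"^C:\s*([A-Za-z]+)\s*(.*)$")
REPLY = re.compile(r"^S:\s*(\d{3})\b")
ANONYMOUS_NAMES = {"anonymous", "ftp"}


def find_exposed_logins(capture):
    """One finding per PASS command readable in the capture (length only, never the secret)."""
    findings, user, pending = [], "", None
    for line in capture.splitlines():
        cmd = COMMAND.match(line)
        if cmd:
            verb, arg = cmd.group(1).upper(), cmd.group(2).strip()
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                pending = {"user": user, "anonymous": user.lower() in ANONYMOUS_NAMES,
                           "password_length": len(arg), "accepted": None}
                findings.append(pending)
            continue
        reply = REPLY.match(line)
        if reply and pending is not None:
            pending["accepted"] = reply.group(1) == "230"  # 530 means rejected
            pending = None
    return findings


def accounts_at_risk(capture):
    """Named accounts whose working password crossed the network unencrypted."""
    return sorted({f["user"] for f in find_exposed_logins(capture)
                   if f["accepted"] and not f["anonymous"]})
```

Any account this returns should have its password changed, since anyone on the network path could have read it.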

Stopping and Starting FTP Sites


If an FTP site becomes unavailable you may need to restart it to get it working
again, which you can do using IIS Manager by right-clicking on the FTP site and
selecting Stop and then Start. From the command-line you can type net stop msftpsvc
followed by net start msftpsvc or use iisreset to restart all IIS services. Remember that
restarting an FTP site is a last resort as any users currently connected to the site will be
disconnected.

Implementing FTP User Isolation


Finally, let's conclude by looking at how to implement the new FTP User Isolation
feature of IIS in Windows Server 2003. When an FTP site uses this feature, each user
accessing the site has an FTP home directory that is a subdirectory under the root
directory for the FTP site, and from the
perspective of the user their FTP home directory appears to be the top-level folder of the
site. This means users are prevented from viewing the files in other users' FTP home
directories, which has the advantage of providing security for each user's files.

Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff
Folders as the root directory for the site and 172.16.11.212 for the site's IP address.
Start the FTP Site Creation Wizard as we did previously and step through it until
you reach the FTP User Isolation page and select the Isolate users option on this page:

Continue with the wizard and be sure to give users both Read and Write permission
so they can upload and download files.

Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones), who
have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these
users FTP home directories on your server, first create a subfolder named \TESTTWO
beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and
\mjones beneath the \TESTTWO folder. Your folder structure should now look like this:

C:\Staff Folders
    \TESTTWO
        \bsmith
        \mjones
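
The following added example, which is not from the original article, maps login names to the home directories this layout expects and audits a folder listing against them. It goes beyond the domain-account case in the text: in IIS 6.0 "Isolate users" mode, local accounts use \LocalUser\username and anonymous users use \LocalUser\Public. The function names, the folder listing and the jdoe folder are constructed for the example.

```python
import ntpath

ANONYMOUS_NAMES = {"anonymous", "ftp"}
FORBIDDEN = set('\\/:*?"<>|')


def home_directory(ftp_root, login):
    """Map an FTP login name to its home directory under 'Isolate users'."""
    if login.lower() in ANONYMOUS_NAMES:
        parts = ("LocalUser", "Public")
    elif "\\" in login:
        parts = tuple(login.split("\\", 1))      # DOMAIN\username
    else:
        parts = ("LocalUser", login)             # local account on the server
    for part in parts:
        # A name that is empty, dotted or contains a separator could point
        # outside the intended folder, so refuse it rather than build a path.
        if part.strip(". ") == "" or FORBIDDEN & set(part):
            raise ValueError("unsafe login name: %r" % login)
    return ntpath.join(ftp_root, *parts)


def audit_homes(ftp_root, logins, existing_dirs):
    """Compare expected home directories with the folders actually present.

    Returns (missing, unexpected): logins with no home folder, and second-level
    folders under the root that belong to none of the listed logins.
    """
    present = {ntpath.normcase(d) for d in existing_dirs}
    expected = {ntpath.normcase(home_directory(ftp_root, l)): l for l in logins}
    missing = sorted(l for path, l in expected.items() if path not in present)
    root = ntpath.normcase(ftp_root)
    unexpected = sorted(
        d for d in existing_dirs
        if ntpath.normcase(ntpath.dirname(ntpath.dirname(d))) == root
        and ntpath.normcase(d) not in expected
    )
    return missing, unexpected


# Constructed listing of the Staff site's root; "jdoe" is a made-up stale folder.
STAFF_ROOT = r"C:\Staff Folders"
STAFF_DIRS = [
    r"C:\Staff Folders\TESTTWO",
    r"C:\Staff Folders\TESTTWO\bsmith",
    r"C:\Staff Folders\TESTTWO\jdoe",
]
```

With the listing above, auditing the logins TESTTWO\bsmith and TESTTWO\mjones reports mjones as missing a home folder and the jdoe folder as belonging to no listed account.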

To test FTP User Isolation let's put a file named Bob's Document.doc in the
\bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a
Windows XP desktop and open Internet Explorer and try to open ftp://172.16.11.212,
which is the URL for the Staff FTP site we just created.

When you do this an authentication dialog box appears, and if you're Bob then you can
enter your username (using the DOMAIN\username form) and password like this:

When Bob clicks the Log On button the contents of his FTP home directory are
displayed:

Note that when you create a new FTP site using FTP User Isolation, you can't
convert it to an ordinary FTP site (one that doesn't have FTP User Isolation enabled).
Similarly, an ordinary FTP site can't be converted to one using FTP User Isolation.

We still need to explore one more option and that's the third option on the FTP User
Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active
Directory. Since we've run out of IP addresses let's first delete the Help and Support FTP
site to free up 172.16.11.211. One way we can do this is by opening a command prompt
and typing iisftp /delete "Help and Support" using the iisftp.vbs command script. Then
start the FTP Site
Creation Wizard again and select the third option mentioned above (we'll name this new
site Management):

Click Next and enter an administrator account in the domain, the password for this
account, and the full name of the domain:

Click Next and confirm the password and complete the wizard in the usual way. You'll
notice that you weren't prompted to specify a root directory for the new FTP site.
This is because when you use this approach each user's FTP home directory is
defined by two environment variables. %ftproot% defines the root directory
and can be anywhere, including a UNC path to a network share on another machine
such as \\test220\docs. %ftpdir% can be set to %username%, so that for example
Bob Smith's FTP home directory would be \\test220\docs\bsmith; this folder would
have to be created beforehand for him. You could set these environment variables
using a logon script and assign the script using Group Policy, but that's beyond the
scope of this article.
