Mastering IIS FTP
- Managing multiple users with one IP Address
- Virtual Directories/Physical Directories
- The Doorway Folder Trick
Managing multiple users with one IP Address
In choosing which software to use for managing the server side of FTP, people often don't use Microsoft's FTP program because they think it's too simple or that it doesn't do what they want. I'm going to reveal some of the hidden but powerful features that exist in Microsoft's FTP server. Understanding a couple of basic concepts and putting them to good use opens up a new world of possibility.
I'm not trying to convert the many people that are using another FTP program or try to say that Microsoft's is better. I don't work for Microsoft and I'm not being paid to endorse their product. But for those that aren't happy with their current solution, want to utilize Microsoft FTP better or are diving into this fresh, read on.
I'm assuming that you are somewhat familiar with Microsoft IIS / FTP. The 10-second description for those coming in brand new: if you run a version of Windows that includes IIS (Internet Information Services), you already have Microsoft FTP available to you. This includes Windows NT/2000/2003/XP. Except on Windows NT, use the IIS snap-in found in Start -> Administrative Tools -> Internet Information Services. If it isn't installed, it can be installed from Add/Remove Programs in the Control Panel. Some Windows XP users won't see Administrative Tools on the Start Menu; it's still there in the Control Panel. For those wondering what FTP means, you've probably stumbled across the wrong article.
Let's get started:
Rule #1: If (virdir name = user name) Then (path of virdir takes effect)
Now, what does that mean? Microsoft FTP, which I'll call MS FTP from here on, doesn't have the interface most of us would expect, where you add a user and point it at a particular folder. Instead, it handles this in a strange way: if a Virtual Directory's name is exactly the same as a Windows user name, then that Virtual Directory will "catch" the user rather than the root FTP site.
Of course, if you have lots of IP addresses, you can assign one IP address per user, set up multiple sites and then rely on NTFS permissions to grant or deny access to particular sites. (Note: Windows XP only allows 1 FTP site.) But even if you do this, there may come a time when you want to use the same IP address for multiple users who are destined for different locations. Those trying to run a web server with multiple sites on one IP address will benefit the most from this rule. Let me start with an example:
Let's say you have this directory structure:
D:\domains\site1.com
D:\domains\site2.com
D:\domains\site2.com\graphics
And you have 3 users.
- Mike needs access to the root of site1.com
- Sue needs access to the root of site2.com
- Joe needs access to the graphics folder of site2.com
I'll repeat myself because I feel this is important. The trick with MS FTP is that if the Virtual Directory name is the same as a Windows Username, the user will be "caught" by the Virtual Directory and directed to the folder specified in the Virtual Directory.
Example in MS-FTP
Behind the scenes, the “Mike” Virtual Directory is pointing to D:\domains\site1.com, Sue is pointing to D:\domains\site2.com and Joe is pointing to D:\domains\site2.com\graphics.
- If you logged in as Mike, then the Mike virdir would "catch" it and you would be dropped into the D:\domains\site1.com folder.
- Same with Joe or Sue. They would be caught by their corresponding Virtual Directories.
Now, let's say you had another user called Jane. If you logged in as Jane, then the settings on the "Default FTP Site" will handle her, because there isn't a Virtual Directory to "catch" her and direct her elsewhere.
Rule #2: The username used to log in needs List permissions to the root FTP site folder
Even if the Virtual Directory points to a different location, the user logging in always needs List permission on the folder specified for the "Default FTP Site". Yes, it seems strange, but even in IIS 6 this is still the case.
So each user needs read/write permissions on their own folder: D:\domains\site1.com needs read/write for Matt, D:\domains\site2.com needs read/write for Sue, and D:\domains\site2.com\graphics needs read/write for Joe. This is the obvious part.
The non-obvious consideration is that if the path of the "Default FTP Site" is D:\domains, then that folder needs "List" permissions for all 3 users. Otherwise they won't be able to log in at all.
Tip #1: Set the root FTP account to a dummy location if assigning multiple users
If the path of the "Default FTP Site" is D:\domains, then you have a fairly large security issue with this setup. If you log in as Mike, for example, you'll have the option to move up a folder (..) (well, most FTP programs will give you that option). If you do, you'll be dropped into the root of the "Default FTP Site" (D:\domains). As I just mentioned, you are forced to give List permissions to all users, which means that every user can view the names of all the sites. If you ever slip up and give too many permissions at the NTFS level, your users can potentially access other people's sites.
Fortunately there is an easy solution. Treat your master FTP site root as a dummy location that isn't meant to be used for anything practical. Point it to D:\ftproot\dummyfolder or something like that (I call mine 'deadend'). Give List permissions to the Everyone group on that folder and make sure it's completely empty. Now you've solved the security issue. If Mike connects with his FTP program and moves up a folder or changes directory to '\', he will be dropped into D:\ftproot\dummyfolder, which is completely empty. You'll never have to worry about users gaining access to D:\domains, a folder you want to keep your users out of.
And in all this, don't forget that every user who will log into your FTP site needs a Virtual Directory assigned, or else they will immediately be placed in the dummy folder location.
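Rule #1, Rule #2 and Tip #1 carried out as one PowerShell script against the IIS 6 metabase. This is an added example, not the article's own code and not a Microsoft-supplied script. It assumes PowerShell running as an administrator on the IIS machine (so the IIS ADSI provider is available), that metabase instance 1 is the "Default FTP Site", the folder layout from the article, and that Mike, Sue and Joe already exist as local accounts; the dead-end folder name and the helper name Grant-NtfsRight are this example's own choices.

```powershell
# Added example: configure the article's three users on IIS 6 FTP.
# Assumptions: administrator PowerShell on the IIS box, instance 1 = "Default FTP Site",
# Mike/Sue/Joe are local accounts (use DOMAIN\name for domain accounts).

$siteRoot = 'D:\ftproot\deadend'          # Tip #1: an empty folder nobody is meant to use
$users = @{
    'Mike' = 'D:\domains\site1.com'
    'Sue'  = 'D:\domains\site2.com'
    'Joe'  = 'D:\domains\site2.com\graphics'
}

function Grant-NtfsRight {
    # Add an Allow ACE for $Account on $Path; $Inherit = $true propagates it to the subtree.
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [bool]$Inherit = $true
    )
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, $flags, 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Tip #1: make the site root a dead end. It stays empty, so the List right it must carry
# (Rule #2) reveals nothing about which sites live on the server.
New-Item -ItemType Directory -Path $siteRoot -Force | Out-Null
$ftp = [ADSI]'IIS://localhost/MSFTPSVC/1/ROOT'   # IIS ADSI provider; instance 1 assumed
$ftp.Put('Path', $siteRoot)
$ftp.SetInfo()
# Rule #2: everyone who logs in needs List on the site root, or the login fails outright.
Grant-NtfsRight -Path $siteRoot -Account 'Everyone' -Rights 'ListDirectory' -Inherit $false

foreach ($name in $users.Keys) {
    $target = $users[$name]
    # Rule #1: a virtual directory whose name equals the account name "catches" that login
    # and drops the user into $target instead of the site root.
    $vd = $ftp.Children | Where-Object { $_.Name -eq $name }
    if (-not $vd) { $vd = $ftp.Create('IIsFtpVirtualDir', $name) }
    $vd.Put('Path', $target)
    $vd.Put('AccessRead', $true)
    $vd.Put('AccessWrite', $true)
    $vd.SetInfo()
    # NTFS: read/write (Modify) on the user's own folder only; nothing is granted on D:\domains.
    Grant-NtfsRight -Path $target -Account $name -Rights 'Modify'
}
```

Note that because D:\domains\site2.com\graphics sits inside Sue's folder, the inherited Modify right Sue gets on site2.com covers Joe's area as well; that follows from the article's layout, not from the script.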
I've covered managing multiple users with a single IP address, required permissions for setting up FTP and given a tip on keeping users out of your confidential folders. There is more to come. I plan to cover: IIS6 User Isolation; Managing Virtual Directories (why can't I see the virtual directory that I created in my FTP program); and how to have a logged in user only see and access some, but not all, of the subfolders in a folder.
Great article. Look forward to user isolation. I actually pointed to your article from my own blog. Thanks again.
Excellent how-to, thanks!
Regards
Matt
One question though (please note that I am a complete newbie at this): why does my server's performance drop (significantly!) every time a user uploads / downloads any item? On larger downloads this actually causes some of my sites to drop completely.
Obviously this must have something to do with the priorities on the server, but how do I adjust these priorities if indeed that is where the problem lies?
Nice! Cheers for those extra tips, Eric
I've been using these techniques since NT 4.0's Option Pack. People just don't know how powerful the built-in stuff is. And now with quota management and AD, it can be very powerful in an ISP hosted environment (it's what I use).
Another tip: You can create sub-Virtual directories, but they must be from within the FTP's VDs. I often create Unix-like links for users to get into certain directories of my domains. For example, say we have a domain called "domain.com". On my server, that would be:
E:\Users\eric.duncan\domain.com\www\default.aspx
Say I want to give Jim Bob access to this domain, but not to all of the domains under my username. But there's a problem, the user already has access to their own directory:
E:\Users\jim.bob\
This user accesses their account via the IIS FTP service's virtual directory called "jim.bob":
FTP Sites
-- Public FTP
------ jim.bob (which points to the user's Home directory above)
What I do is create an empty directory (described in this article) named the domain + lnk, but this directory is in the user's normal Home directory:
E:\Users\jim.bob\domain.com.lnk
And then create a sub-virtual directory, named the same under the user:
FTP Sites
-- Public FTP
------ jim.bob
---------- domain.com.lnk
Now when the user logs in, they will see their home directory, with a new directory named domain.com.lnk. Changing directories to this location forces the FTP's virtual directory to change its location to my directory:
E:\Users\eric.duncan\domain.com\www\
Just remember to give jim.bob access to that directory, else he will get an Access Denied.
Oh, that was another tip: To set permissions, do it at the physical-directory level (as I've done above). Mix it all with quotas, and there isn't a reason for me to use anything else.
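An audit script for the finished configuration, covering Rule #2 and Tip #1 from the article and the nested "link" virtual directories described in the comment above. This is an added example, not code from the article, from Eric, or from Microsoft. It assumes administrator PowerShell on an IIS 6 machine, that metabase instance 1 is the "Default FTP Site", and that every top-level virtual directory is named after an account (Rule #1); the function names Get-FtpVdirTree, Test-AllowAce and Invoke-FtpVdirAudit and the finding messages are this example's own.

```powershell
# Added example: walk the FTP virtual-directory tree and report configuration findings.
# Assumptions: administrator PowerShell on the IIS box, instance 1 = "Default FTP Site",
# top-level vdir names are account names. Only direct ACEs and "Everyone" are examined;
# group membership and generic-rights masks are not resolved, so treat results as a
# first pass, not an effective-permissions calculation.

function Get-FtpVdirTree {
    # Emit one object per virtual directory, recursing into nested vdirs
    # (the domain.com.lnk style links live one level down).
    param([System.DirectoryServices.DirectoryEntry]$Node, [string]$Prefix = '')
    foreach ($child in $Node.Children) {
        if ($child.SchemaClassName -ne 'IIsFtpVirtualDir') { continue }
        $name = "$Prefix/$($child.Name)"
        New-Object PSObject -Property @{
            VDir = $name
            Path = [string]$child.Properties['Path'].Value
        }
        Get-FtpVdirTree -Node $child -Prefix $name
    }
}

function Test-AllowAce {
    # True if the ACL on $Path has an Allow ACE for $Account (or Everyone) that includes $Right.
    param([string]$Path, [string]$Account, [System.Security.AccessControl.FileSystemRights]$Right)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -eq 'Everyone' -or $id -like "*\$Account") {
            if (($ace.FileSystemRights -band $Right) -eq $Right) { return $true }
        }
    }
    return $false
}

function Invoke-FtpVdirAudit {
    param([string]$SitePath = 'IIS://localhost/MSFTPSVC/1/ROOT')
    $ftp = [ADSI]$SitePath
    $siteRoot = [string]$ftp.Properties['Path'].Value
    $vdirs = @(Get-FtpVdirTree -Node $ftp)
    $top = @($vdirs | Where-Object { ($_.VDir -split '/').Count -eq 2 })
    $findings = @()

    # Tip #1: the site root should be a dead end with nothing to list.
    if ((Get-ChildItem -Path $siteRoot -Force | Measure-Object).Count -gt 0) {
        $findings += "Site root $siteRoot is not empty; every FTP user can list it."
    }
    foreach ($v in $top) {
        $user = $v.VDir.TrimStart('/')
        # Rule #2: without List on the site root the login fails outright.
        if (-not (Test-AllowAce -Path $siteRoot -Account $user -Right 'ListDirectory')) {
            $findings += "$user has no List ACE on site root $siteRoot (login will fail)."
        }
        # Cross-site check: an account should have nothing on another user's folder unless
        # that folder lies inside its own tree (Joe's graphics folder under site2.com).
        foreach ($other in $top) {
            if ($other.VDir -eq $v.VDir) { continue }
            $inside = $other.Path.TrimEnd('\') -like ($v.Path.TrimEnd('\') + '\*')
            if (-not $inside -and (Test-AllowAce -Path $other.Path -Account $user -Right 'ReadData')) {
                $findings += "$user (directly or via Everyone) can read $($other.Path), the folder of vdir $($other.VDir)."
            }
        }
    }
    # Nested link vdirs: list them so the target directories get the same review.
    foreach ($n in ($vdirs | Where-Object { ($_.VDir -split '/').Count -gt 2 })) {
        $findings += "Nested vdir $($n.VDir) redirects into $($n.Path); confirm the owning account has only the intended rights there."
    }
    $findings
}

Invoke-FtpVdirAudit
```

Run it after any change to the virtual directories or NTFS ACLs; an empty result means the root is empty, every vdir account can list the root, and no account holds a direct or Everyone-based read ACE on another user's site folder.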