Managing FTP User Security
Users can upload and download sensitive data through FTP servers, and you can
choose from several methods to control which individuals have access to
specific content. In this section, you will learn about authentication,
authorization, and user isolation settings.
Configuring Authentication Options
You can use Authentication settings for an FTP site to determine how users
can access the content stored on the site. There are several built-in
methods for managing authentication. To configure these settings in IIS
Manager, select the FTP site object, and then double-click FTP
Authentication in Features View. Figure 20
shows an example of authentication options. You can enable or disable
various authentication options, using the Actions pane. The Edit
command in the Actions pane enables you to specify additional details
for the selected authentication method.
Anonymous Authentication allows all users that connect to the site to access
content regardless of the credentials they provide. Use this option
when you plan to make the content available to all visitors to the FTP
site or when you are using other security methods to restrict access to
the site. When an FTP user makes a request to read or write data,
Anonymous Authentication will use a specified user account to validate
permissions. The default setting is to use the built-in IUSR account
for this purpose. You can assign a specific Windows account by clicking
the Edit command in the Actions pane. You can then provide a specific
user identity for use by Anonymous Authentication. (See Figure 21.)
Basic Authentication requires visitors to the Web site to provide credentials
for a valid Windows user account. The account can be a local Windows
username and password or can belong to an Active Directory domain if
the server is a member of a domain. It is important to remember that,
by default, credentials sent to the FTP server are sent in clear text.
This can present a security risk, especially for FTP connections that
are made over the Internet. You will use Basic Authentication primarily when you want to restrict FTP-based access to content based on user credentials.
You can also choose from two other authentication methods by selecting the
Custom Providers command in the Actions pane. IIS Manager
Authentication (IISManagerAuth) configures the Web site to accept
credentials for an IIS Manager User. This method is useful when you
want to restrict access to the FTP site to specific users who do not
have Windows accounts on the local FTP server. The IIS Management role
service must be installed and enabled before you can use this
authentication method. For more information about creating and managing
IIS Manager Users. Like Basic Authentication credentials,
the username and password information is sent in clear text between the
FTP client and the FTP server.
ASP.NET Authentication (AspNetAuth) relies on the .NET user management
framework for authentication. It is useful when you have created an
ASP.NET Web site that validates user credentials. It is common for Web
applications to use credentials data stored in a database to validate
access and permissions to the site.
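The authentication methods described above are stored per site under ftpServer/security in applicationHost.config. The following Python audit is an added example, not part of the original text: it reports which methods each FTP site enables, which account anonymous access runs as, and whether username and password logins are accepted without SSL being required. The config fragment, site names and the svc-ftp account are constructed, and the ssl controlChannelPolicy attribute is an IIS setting this page does not cover.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of applicationHost.config (site names are made up).
SAMPLE = """<configuration><system.applicationHost><sites>
 <site name="ftp-public"><ftpServer><security>
  <ssl controlChannelPolicy="SslAllow" />
  <authentication><anonymousAuthentication enabled="true" userName="svc-ftp" />
   <basicAuthentication enabled="false" /></authentication></security></ftpServer></site>
 <site name="ftp-partners"><ftpServer><security>
  <ssl controlChannelPolicy="SslAllow" />
  <authentication><basicAuthentication enabled="true" />
   <customAuthentication><providers>
    <add name="IisManagerAuth" enabled="true" />
    <add name="AspNetAuth" enabled="false" />
   </providers></customAuthentication></authentication></security></ftpServer></site>
 <site name="ftp-staff"><ftpServer><security>
  <ssl controlChannelPolicy="SslRequire" />
  <authentication><basicAuthentication enabled="true" /></authentication></security></ftpServer></site>
</sites></system.applicationHost></configuration>"""

# Assumption (not covered on this page): these policy values force SSL before login.
PROTECTED = {"SslRequire", "SslRequireCredentialsOnly"}

def on(elem):
    return elem is not None and elem.get("enabled", "false").lower() == "true"

def audit_ftp_sites(xml_text):
    """Return one dict per FTP site: enabled methods and review findings."""
    report = []
    for site in ET.fromstring(xml_text).iter("site"):
        auth = site.find("ftpServer/security/authentication")
        if auth is None:
            continue  # site has no FTP authentication section
        policy = next((s.get("controlChannelPolicy") for s in site.iter("ssl")), None)
        anon = auth.find("anonymousAuthentication")
        # Basic, IisManagerAuth and AspNetAuth all take a username and password.
        creds = ["Basic"] if on(auth.find("basicAuthentication")) else []
        creds += [p.get("name") for p in auth.iter("add") if on(p)]
        findings = []
        if on(anon) and anon.get("userName", "IUSR") != "IUSR":
            findings.append("anonymous access runs as " + anon.get("userName"))
        if creds and policy is None:
            findings.append("SSL policy not set here; check the effective value")
        elif creds and policy not in PROTECTED:
            findings.append("clear-text credentials: " + ", ".join(creds))
        report.append({"site": site.get("name"), "anonymous": on(anon),
                       "credential_methods": creds, "findings": findings})
    return report

print(*audit_ftp_sites(SAMPLE), sep="\n")
```

To run it against a real server, pass the text of a copy of that server's applicationHost.config instead of SAMPLE.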