Defining FTP Authorization Rules
You can use FTP Authorization rules to determine which users have access to specific content within the FTP site. Authorization rules can be defined at the level of the FTP site or for specific logical or virtual folders. These capabilities provide you with the flexibility to implement granular authorization rules based on the type of content that should be available to users. There are two types of authorization rules: Allow Rules and Deny Rules. By default, a new FTP site will not have any predefined authorization rules. You can use the commands in the Actions pane to create new rules. Figure 22 shows the available options when creating a new rule.
Allow and Deny rules can apply to the following types of users:
After you select to which users or groups the rule will apply, you can select whether the user will have read, write, or read and write permissions.
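The same Allow and Deny rules can be created from a script rather than from the Actions pane. The following is an added example, not code from the original text; it assumes the IIS WebAdministration module is available, that the FTP authorization section is located at `/system.ftpServer/security/authorization` in applicationHost.config, and that a site named "Contoso FTP" with an "Uploads" folder exists (both names are constructed). The IIS convention of `*` for all users and `?` for anonymous users is used for the `users` attribute.

```powershell
# Added example: define FTP authorization rules with the WebAdministration
# module instead of IIS Manager. Site and folder names below are constructed.
Import-Module WebAdministration

$site   = 'Contoso FTP'                                 # constructed site name
$filter = '/system.ftpServer/security/authorization'    # FTP authorization section

# Helper: add one Allow or Deny rule for a user or role. -Location scopes the
# rule to the whole site or to a folder beneath it (e.g. 'Contoso FTP/Uploads').
function Add-FtpAuthRule {
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny')][string]$AccessType,
        [string]$Users = '',
        [string]$Roles = '',
        [Parameter(Mandatory)][string]$Permissions,   # 'Read', 'Write' or 'Read, Write'
        [string]$Location = $site
    )
    Add-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $Location -Value @{
        accessType  = $AccessType
        users       = $Users
        roles       = $Roles
        permissions = $Permissions
    }
}

# Site-wide rules: Administrators may read and write, everyone else read only.
Add-FtpAuthRule -AccessType Allow -Roles 'Administrators' -Permissions 'Read, Write'
Add-FtpAuthRule -AccessType Allow -Users '*' -Permissions 'Read'

# Folder-level Deny rule: anonymous users ('?') get no access to Uploads even
# though the site-wide Allow rule grants everyone read access. Deny rules are
# evaluated ahead of Allow rules, which is what makes the folder exception work.
Add-FtpAuthRule -AccessType Deny -Users '?' -Permissions 'Read, Write' -Location "$site/Uploads"

# Review the rules now in effect for the site and for the folder.
foreach ($scope in @($site, "$site/Uploads")) {
    Write-Host "Rules for $scope"
    Get-WebConfiguration -Filter "$filter/add" -PSPath 'IIS:\' -Location $scope |
        Format-Table accessType, users, roles, permissions -AutoSize
}
```

Because a new FTP site ships with no authorization rules, the first Allow rule you add is what opens the site; until then every logon is refused, which is a useful check that the rules you script are the ones actually being read.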
Configuring FTP User Isolation Options
When you are managing access permissions and settings for an FTP server, a common requirement is to provide individual users with their own folders and directories. Users should be able to upload and download files from their own folders but should be prevented from accessing those that belong to other users. The FTP User Isolation feature enables you to configure these settings. To modify the settings, select an FTP site in IIS Manager, and then open the FTP User Isolation feature. (See Figure 23.)
The default selection for user isolation settings is FTP Root Directory. This option configures the server to start users in the FTP root directory, as you defined when you created the FTP site. This setting is most appropriate when you want all users to be able to access the same content. You can then use authorization rules to define permissions further on specific folders.
The User Name Directory option specifies that every user will have his or her own starting folder based on the username that was provided. If the user-specific folder name does not exist, the user will be placed in the root directory of the FTP site. Remember that this default folder setting is not designed as a security mechanism (at least when used by itself). If your FTP site is configured to allow anonymous authentication, you can create a folder called Default for these users.
The remaining three options enable isolation for FTP users. You can use them to restrict access to specific folders within the FTP site. The User Name Directory (Disable Global Virtual Directories) option will place users within a designated home directory based on the user account that was used for logon. The user will be unable to navigate to the parent folder and, therefore, will be prevented from accessing other folders. The user will not be able to see any global virtual directories defined for the FTP site. You can enable users to access these directories by choosing the User Name Physical Directory (Enable Global Virtual Directories) option.
To support FTP user isolation settings, you will need to create the appropriate folder structure for your users. The folder location for each user can be a physical or virtual directory on the server. The path to the folder is based on several variables:
FTPRoot: The root folder for the FTP site.
UserName: The name of the authenticated user as provided by the client during the logon process.
UserDomain: The name of the Windows domain used to validate credentials. This will be the name of the local FTP server or, if the server is a member of a domain, the name of the Active Directory domain.
The specific folder path you create is based on the authentication settings for the site and the type of user who is attempting to access the content. Table 7-1 provides a list of the default locations for each type of user account.
Table 1. Default FTP Folder Locations For User Accounts

| FTP User Account Type | Home Directory Folder Location |
|---|---|
| Anonymous Users | %FTPRoot%\LocalUser\Public |
| Local Windows Accounts | %FTPRoot%\LocalUser\%UserName% |
| Domain Windows Accounts | %FTPRoot%\%UserDomain%\%UserName% |
| IIS Manager or ASP.NET User Accounts | %FTPRoot%\LocalUser\%UserName% |
The final FTP user isolation option is FTP Home Directory Configured In Active Directory. You can use this method to define users’ FTP folders within Active Directory, using the FTPRoot and FTPDir variables. These properties exist in Active Directory domains that are running Windows Server 2003 or later. (You can add the properties manually for Windows 2000 Server–based domains.) The Set button enables you to specify the credentials that will be used to connect to Active Directory. When a user logs on to the FTP Server, the FTP server will attempt to obtain these properties for the user. If the properties exist and the folder path is valid, the user will be placed in that folder. Otherwise, the user will be prevented from accessing the server.
Note: Creating user accounts by scripting
Creating individual folders for many user accounts at a time can seem like a time-consuming and tedious task at first. Fortunately, this is an ideal job for scripting. You can obtain a list of user accounts by using a variety of methods, including VBScript and Microsoft Windows PowerShell. You can then use this information to execute commands that create the necessary folders. For more information about scripting, visit the Microsoft TechNet Script Center at http://www.microsoft.com/technet/scriptcenter.
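The folder layout from Table 1 and the scripting approach described in the note above can be combined into one script. The following is an added example, not code from the original text or from Microsoft: it builds the home folder path for each account type, creates the folders that are missing, and then reports any account that still has no folder, since under the User Name Directory option such a user is silently placed in the FTP root rather than in a folder of his or her own. The FTP root path (D:\FtpRoot), the domain name (CONTOSO) and the account list are all constructed; in production the list would come from Get-LocalUser, Get-ADUser, or the IIS Manager user store.

```powershell
# Added example: create the per-user home folders that FTP User Isolation
# expects, then verify that every account has one. All values are constructed.
$FtpRoot    = 'D:\FtpRoot'   # %FTPRoot% as defined when the FTP site was created
$UserDomain = 'CONTOSO'      # %UserDomain% for domain accounts (server name if standalone)

# Constructed inventory of accounts and how each one authenticates.
$accounts = @(
    @{ Name = 'Public';   Type = 'Anonymous' }    # anonymous users share LocalUser\Public
    @{ Name = 'svc_drop'; Type = 'Local' }        # local Windows account
    @{ Name = 'jsmith';   Type = 'Domain' }       # CONTOSO\jsmith
    @{ Name = 'ftpuser1'; Type = 'IISManager' }   # IIS Manager or ASP.NET user
)

# Map each account type to its default location from Table 1.
function Get-FtpHomePath {
    param([string]$Name, [string]$Type)
    switch ($Type) {
        'Anonymous'  { Join-Path $FtpRoot 'LocalUser\Public' }
        'Local'      { Join-Path $FtpRoot "LocalUser\$Name" }
        'IISManager' { Join-Path $FtpRoot "LocalUser\$Name" }
        'Domain'     { Join-Path $FtpRoot "$UserDomain\$Name" }
        default      { throw "Unknown account type '$Type' for account '$Name'" }
    }
}

# Create every missing folder. -Force lets New-Item create the intermediate
# LocalUser and domain folders and leaves existing folders untouched.
foreach ($a in $accounts) {
    $path = Get-FtpHomePath -Name $a.Name -Type $a.Type
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        Write-Host "Created $path"
    }
}

# Verification pass: any account without a folder would not get its own
# starting directory, so list them rather than assume the loop succeeded.
$missing = $accounts | Where-Object {
    -not (Test-Path -LiteralPath (Get-FtpHomePath -Name $_.Name -Type $_.Type))
}
if ($missing) {
    $missing | ForEach-Object { Write-Warning "No home folder for $($_.Type) account '$($_.Name)'" }
} else {
    Write-Host 'Every account has a home folder under the FTP root.'
}
```

Run the script once after the FTP site is created and again whenever accounts are added; the verification pass at the end is the part worth keeping in a scheduled job, because a user who logs on without a home folder does not generate an error, only an unexpected starting directory.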
Configuring IIS Manager Permissions
In many environments, it is common to have multiple administrators who must be able to connect to and administer FTP sites and their contents. For example, a Web and FTP hosting provider might have separate administrators for each FTP site. You can allow other users to access the site by using the IIS Manager Permissions feature. The Allow User command enables you to add a new user who is defined within IIS Manager or who is based on a Windows account. Authorized users can then use IIS Manager on their computers to connect to an FTP 7 server.