Microsoft IIS 6.0Administrator's Consultant

You handle FTP server security much like Web server security. You manage security at two levels: Windows and IIS. At the operating system level, you create user accounts, configure access permissions for files and directories, and set policies. At the IIS level, you set content permissions, authentication controls, and user privileges.

Note

Most FTP server security tasks are identical to those for Web server security. This section focuses only on what’s different. For a complete discussion of IIS security, see Chapter 7.

Managing Anonymous Connections

You manage anonymous access to FTP sites using a named account that has the appropriate permissions for the directories and files you make available for uploading and downloading files. By default, the anonymous access account is the Internet guest account (IUSR_ComputerName) discussed in Chapter 7.

When anonymous access is enabled, users don’t have to log on using a user name and password. IIS automatically logs the user on using the anonymous account information provided for the resource. If anonymous access isn’t allowed, the site is configured for named account access only. Unlike Web sites, you can manage anonymous access only at the global or site level. You can’t manage anonymous access at the directory or file level.

Setting Anonymous Access Globally

When the FTP site is configured to use the non-isolated or standard isolated modes, you can manage anonymous access for all FTP sites on a server by completing the following steps:

  1. After accessing the computer node you want to work with in the IIS snap-in, right-click FTP Sites and then select Properties. This displays the FTP Sites Properties dialog box.

  2. Select the Security Accounts tab in the Properties dialog box, as shown in Figure 9-6.

    Figure 9-6: Use the Security Accounts tab to configure anonymous access.

  3. To enable anonymous access, select Allow Anonymous Connections and complete the remaining steps in this procedure.

  4. To disable anonymous access, clear Allow Anonymous Connections and skip the remaining steps in this procedure. With anonymous connections disabled, only authenticated users can access the server. You must configure local or domain accounts that can be used to access the sites on this server.

  5. The User Name field specifies the account used for anonymous access to the resource. If you desire, type the account name you want to use instead of the existing account, or click Browse to display the Select User dialog box. As necessary, enter the password for the account in the Password field.

  6. Allow Only Anonymous Connections prevents users from logging on to the server with user names and passwords. Select this option if you want only the anonymous user account to be available. If you want to allow users to log on to the server with named accounts, clear this option.

  7. Click OK, and then, if you browsed for a user account, click OK again to save your settings. All FTP sites on the server inherit the changes automatically.

Setting Anonymous Access Locally

You can manage anonymous access for a specific FTP site by completing these steps:

  1. In the IIS snap-in, right-click the FTP site you want to work with and then select Properties.

  2. Select the Security Accounts tab.

  3. To enable anonymous access, select Allow Anonymous Connections and complete the remaining steps in this procedure.

  4. To disable anonymous access, clear Allow Anonymous Connections and skip the remaining steps in this procedure. With anonymous connections disabled, only authenticated users can access the site. You must configure local or domain accounts that can be used to access the site.

  5. The User Name field specifies the account used for anonymous access to the resource. If you desire, type the account name you want to use instead of the existing account or click Browse to display the Select User dialog box. As necessary, enter the password for the account in the Password field.

  6. Allow Only Anonymous Connections prevents users from logging on to the site with user names and passwords. Select this option if you want only the anonymous user account to be available. If you want to allow users to log on to the site with named accounts, clear this option.

  7. Click OK.

Configuring Windows Permissions on FTP Servers

Every folder and file used by IIS can have different access permissions. You set these access permissions at the Windows security level. Anytime you work with file and folder permissions on an FTP server, you should keep the following in mind:

Configuring FTP Server Permissions

FTP sites and directories have permissions in IIS in addition to the Windows security settings. These permissions are set the same for all users. This means you can’t set different permissions for different users at the IIS level. You can, however, create specific areas of your FTP site that are designed for these specific functions:

You can set FTP permissions globally through the master properties or locally at the site or directory level. When you set FTP permissions in the master properties, you must also specify how these properties are inherited. If a site or directory has settings that conflict with permission changes you’ve made, you’re given the opportunity to override the site or directory permissions with the global permissions. Similarly, if you make site-level permission changes that conflict with existing permissions on a subdirectory, you’re given the opportunity to override the site or directory permissions with the local permissions. In both cases the changes are applied when you choose to override the existing permissions.

Setting FTP Permissions Globally

To set FTP permissions globally, complete the following steps:

  1. After accessing the computer node you want to work with in the IIS snap-in, right-click FTP Sites and then select Properties. This displays the FTP Site Properties dialog box.

  2. As shown in Figure 9-7, select the Home Directory tab and then use the fields in the FTP Site Directory frame to set the permissions that you want sites and directories on this computer to inherit. The available options are the following:

    • Read Allows users to read or download files stored in the directory

    • Write Allows users to upload files to the directory

    • Log Visits Used with server logging to log requests related for resource files

      Figure 9-7: Use the FTP Sites Properties dialog box to configure FTP permissions.

  3. Click Apply. Before applying permission changes, IIS checks the existing permissions in use for all FTP sites and directories within FTP sites. If a site or directory node uses a different value for a permission, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes, which should use the new permission value, and then click OK.

Setting FTP Permissions Locally

To set FTP permissions for a site or directory, complete the following steps:

  1. In the IIS snap-in, right-click the site or directory.

  2. Select the Home Directory, Directory, or Virtual Directory tab as appropriate. This displays the dialog box shown in Figure 9-8. Then use the following fields to set the permissions for the selected resource:

    • Read Allows users to read or download files stored in the directory

    • Write Allows users to upload files to the directory

    • Log Visits Used with server logging to log requests related for resource files

      Figure 9-8: Use the site’s Properties dialog box to configure FTP permissions.

  3. Click Apply. Before applying FTP permission changes, IIS checks the existing permissions in use for all subdirectories. If a subdirectory uses a different value for a permission, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes, which should use the new permission value, and then click OK.

Configuring IP Address and Domain Name Restrictions

By default, FTP resources are accessible to all IP addresses, computers, and domains, which presents a security risk that might allow your server to be misused. To control use of resources, you might want to grant or deny access by IP address, network identification, or domain. As with other FTP server settings, you can apply restrictions through the master FTP server properties or through the properties for individual sites, directories, and files.

You can establish or remove restrictions globally through the master FTP Site Properties dialog box by completing the following steps:

  1. After accessing the computer node you want to work with in the IIS snap-in, right-click FTP Sites and then select Properties. This displays the FTP Sites Properties dialog box.

  2. Select the Directory Security tab, as shown in Figure 9-9.

    Figure 9-9: You can grant or deny access by IP address, network identification, and domain.

  3. Click Granted Access to grant access to specific computers and deny access to all others.

  4. Click Denied Access to deny access to specific computers and grant access to all others.

  5. Create the Access list. Click Add, and then, in the Grant Access Or Deny Access dialog box, specify Single Computer or Group Of Computers as follows:

    • For a Single Computer, type the IP address for the computer, such as 192.168.5.50.

    • For Groups Of Computers, type the Network ID, such as 192.168.6.0, and the Subnet Mask, such as 255.255.255.0.

  6. If you want to remove an entry from the Access list, select the related entry and then click Remove.

  7. Click Apply. Before applying changes, IIS checks the existing restrictions for all FTP sites and directories within FTP sites. If a site or directory node uses a different value, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes that should use the new setting and then click OK.

You can establish or remove restrictions at the site or directory level by completing these steps:

  1. In the IIS snap-in, right-click the site or directory that you want to work with. This displays a Properties dialog box.

  2. Select the Directory Security tab.

  3. Click Granted Access to grant access to specific computers and deny access to all others.

  4. Click Denied Access to deny access to specific computers and grant access to all others.

  5. Create the Access list. Click Add and then, in the Grant Access Or Deny Access dialog box, specify Single Computer or Group Of Computers as follows:

    • For a Single Computer, type the IP address for the computer, such as 192.168.5.50.

    • For Groups Of Computers, type the Network ID, such as 192.168.6.0, and the Subnet Mask, such as 255.255.255.0.

  6. If you want to remove an entry from the Access list, select the related entry and then click Remove.

  7. Click Apply. Before applying changes, IIS checks the existing restrictions for all child nodes of the selected resource (if any). If a child node uses a different value, the Inheritance Overrides dialog box is displayed. Use this dialog box to select the site and directory nodes that should use the new setting and then click OK.

Категории