Creating and Configuring FTP Sites in Windows Server 2003

8/2/2019 Creating and Configuring FTP Sites in Windows Server 2003

1/26

Tweet

0 0 5

Creating and Configuring FTP Sites in Windows Server 2003

In this article we'll walk you through the steps of creating FTP sites in Windows Server 2003 using both Internet Services Manager and scripts. The tutorialwill also will explain how to perform common administration tasks involving FTP sites and also how to implement FTP User Isolation, a new feature of

Windows Server 2003 enables users to have their own separate FTP home directories.

Published: Aug 11, 2004

Updated: Aug 11, 2004

Section: Articles & Tutorials :: Windows 2003

Author: Mitch Tulloch

Rating: 4.1/5 - 1349 Votes

In a previous article we saw that Internet Information Services 6 (IIS 6) is a powerful platform for building and hosting web sites for both the Internet and corporate intranets. IIS 6 is also

equally useful for setting up FTP sites for either public or corporate use, and in this article we''ll walk through the process of creating and configuring FTP sites using both the GUI (IIS

Manager) and scripts included in Windows Server 2003. The specific tasks we''l l walk through in this article are:

Creating an FTP SiteControlling Access to an FTP Site

Configuring FTP Site LoggingStopping and Starting FTP Sites

Implementing FTP User Isolation

For sake of interest, we''ll again explain these tasks in the context of a fictitious company called TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the

Internet.

1Like

Creating and Configuring FTP Sites in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/creating-configuring-ftp.html?printversion

1 of 26 3/31/2012 3:23 PM


2/26

1 of 26 3/31/2012 3:23 PM


3/26

Click Details and select the checkbox for File Transfer Protocol ( FTP) Services.


3 of 26 3/31/2012 3:23 PM


4/26

Click OK twice and then Next to install the FTP service. During installation you''ll need to insert your Windows Server 2003 product CD or browse to a network distribution point where theWindows Server 2003 setup files are l ocated. Click Finish when the wizard is done.

Creating an FTP Site

As with web sites, the simplest approach to identifying each FTP site on your machine is to assign each of them a separate IP address, so let''s say that our server has three IP addresses

(172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the Human Resources department, but before we do that let''s first examinethe Default FTP Site that was created when we installed the FTP service on our machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on

Default FTP Site and selec t Properties:


4 of 26 3/31/2012 3:23 PMC i d C fi i FTP Si i Wi d S 2003 h // i d ki / i l i l / i fi i f h l? i i


5/26

Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned. This means any IP address not specifically assigned to another FTP site on the machine opens the

Default FTP Site instead, so right now opening either ftp://172.16.11.210, ftp://172.16.11.211 or ftp://172.16.11.212 in Internet Explorer w ill di splay the contents of the Default FTP Site.

Let''s assign the IP address 172.16.11.210 for the Human Resources FTP site and make D:\HR the folder where its content is located. To create the new FTP site, right-click on the FTP Sites

node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a description for the site:


of 26 3/31/2012 3:23 PMC ti d C fi i FTP Sit i Wi d S 2003 htt // i d t ki / ti l t t i l / ti fi i ft ht l? i t i


6/26

Click Next and specify 172.16.11.210 as the IP address for the new site:


6 of 26 3/31/2012 3:23 PMC ti d C fi i FTP Sit i Wi d S 2003 htt // i d t ki / ti l t t i l / ti fi i ft ht l? i t i


7/26

Click Next and select Do not isolate users, since this wi ll be a site that anyone (including guest users) will be free to access:


7 of 26 3/31/2012 3:23 PM Creating and Configuring FTP Sites in Windows Server 2003 http://www windowsnetworking com/articles tutorials/creating configuring ftp html?printversion


8/26

Click Next and specify C:\HR as the location of the root directory for the site:




9/26

Click Next and leave the access permissions set at Read only as this site will only be used for downloading forms for present and prospective employees:




10/26

Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now be seen in IIS Manager under the FTP Sites node:


10 of 26 3/31/2012 3:23 PM Creating and Configuring FTP Sites in Windows Server 2003 http://www windowsnetworking com/articles tutorials/creating-configuring-ftp html?printversion


11/26

To view the contents of this site, go to a Windows XP desktop on the same network and open the URL ftp://172.16.11.210 using Internet Explorer:


11 of 26 3/31/2012 3:23 PM Creating and Configuring FTP Sites in Windows Server 2003 http://www windowsnetworking com/articles tutorials/creating-configuring-ftp html?printversion


12/26

Note in the status bar at the bottom of the IE window that you are connected as an anonymous user. To view all users currently connected to the Human Resources FTP site, right-click on the

site in Internet Service Manager and select Properties, then on the FTP Site tab click the Current Sessions button to open the FTP User Sessions dialog:

Creating and Configuring FTP Sites in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/creating configuring ftp.html?printversion

12 f 26 3/31/2012 3 23 PM Creating and Configuring FTP Sites in Windows Server 2003 http://www windowsnetworking com/articles tutorials/creating-configuring-ftp html?printversion


13/26

Note that anonymous users using IE are displayed as IEUser@ under Connected Users.

Now let''s create another FTP site using a script instead of the GUI. We''ll create a site called Help and Support with root directory C:\Support and IP address 172.16.11.211:

Here's the result of running the script:


13 f 26 3/31/2012 3 23 PM Creating and Configuring FTP Sites in Windows Server 2003 http://www.windowsnetworking.com/articles tutorials/creating-configuring-ftp.html?printversion


14/26

The script we used here is Iisftp.vbs, which like Iisweb.vbs and Iisvdir.vbs which we discussed in the previous article is one of several IIS administration scripts available when you installIIS on Windows Server 2003. A full syntax for this script can be foundhere. Once you create a new FTP site using this script you can further configure the site using IIS Manager in the usual

way.

Note: At this point you could add structure to your FTP site by creating virtual directories, and this is done in the same way as was described in theprevious article for working with websites.

Controlling Access to an FTP Site

Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS Permissions, IIS permissions, IP address restrictions, and authentication method. NTFSpermissions are always your first line of defense but we can't cover them in detail here. IIS permissions are specified on the Home Directory tab of your FTP site's properties sheet:




15/26

Note that access permissions for FTP sites are much simpler (Read and Write only) than they are for web sites, and by default only Read permission is enabled, which allows users to

download files from your FTP site. If you allow Write access, users will be able to upload files to the site as well. And of course access permissions and NTFS permissions combine the sameway they do for web sites.

Like web sites, IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, an IP address in a range of addresses, or a speci fic DNSname. These restrictions are configured on the Directory Security tab just as they are for web sites, and this was covered in theprevious article so we won't discuss them further here.

FTP sites also have fewer authentication options than web sites, as can be seen by selecting the Security Accounts tab:




16/26

By default Allow anonymous connections is selected, and this is fine for public FTP sites on the Internet but for private FTP sites on a corporate intranet you may want to clear this checkbox to

prevent anonymous access to your site. Clearing this box has the result that your FTP site uses Basic Authentication instead, and users who try to access the site are presented with anauthentication dialog box:

g g g p g _ g g g p p

16 f 26 3/31/2012 3 23 PM Creating and Configuring FTP Sites in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/creating-configuring-ftp.html?printversion


17/26

Note that Basic Authentication passes user credentials over the network in clear text so this means FTP sites are inherently insecure (they don't support Windows integrated authentication). Soif you're going to deploy a private FTP site on your internal network make sure you close ports 20 and 21 on your firewall to block incoming FTP traffic from external users on the Internet.

Configuring FTP Site Logging

As with web sites, the default logging format for FTP sites is the W3C Extended Log File Format, and FTP site logs are stored in folders named

%SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn

where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the Microsoft Log Parser, part of theIIS 6.0 Resource Kit Tools, to analyze these FTP site logs.

Stopping and Starting FTP SitesIf an FTP site becomes unavailable you may need to restart it to get it working again, which you can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start.

From the command-line you can type net stop msftpsvc followed by net start msftpsvc or use iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as any

users currently connected to the site will be disconnected.

Implementing FTP User Isolation

Finally, let's conclude by looking at how to implement the new FTP User Isolation feature of IIS in Windows Server 2003. When an FTP site uses this feature, each user accessing the site has

g g g p g _ g g g p p



18/26

an FTP home directory that is a subdirectory under the root directory for the FTP site, and from the perspective of the user their FTP home directory appears to be the top-level folder of the

site. This means users are prevented from viewing the files in other users' FTP home directories, which has the advantage of providing security for each user's files.

Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff Folders as the root directory for the site and 172.16.11.212 for the site's IP address. Start the FTP SiteCreation Wizard as we did previously and step through it until you reach the FTP User Isolation page and select the Isolate users option on this page:

Continue with the wizard and be sure to give users both Read and Write permission so they can upload and download files.

Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones) who have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP home

directories on your server, first create a subfolder named \TESTTWO beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the \Accounts

folder. Your folder structure should now look like this:

C:\Staff Folders

\TESTTWO

\bsmith\mjones

To test FTP User Isolation let's put a file name Bob's Document.doc in the \bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop and open

Internet Explorer and try to open ftp://172.16.11.212, which is the URL for the Staff FTP site we just created. When you do this an authentication dialog box appears, and if you're Bob then youcan enter your username (using the DOMAIN\username form) and password like this:

g g g p g g g g p p



19/26

When Bob clicks the Log On button the contents of his FTP home directory are displayed:

g g g p g g g g p p



20/26

Note that when you create a new FTP site using FTP User Isolation, you can't convert it to an ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly, an ordinary FTP

site can't be converted to one using FTP User Isolation.

We still need to explore one more option and that's the third option on the FTP User Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've

run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211. One way we can do this is by opening a command prompt and typingiisftp /delete "Help and

Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again and select the third option mentioned above (we'll name this new site Management):

0 of 26 3/31/2012 3:23 PM



21/26

Click Next and enter an administrator account in the domain, the password for this account, and the full name of the domain:

1 of 26 3/31/2012 3:23 PM



22/26

Click Next and confirm the password and complete the wizard in the usual way. You'll notice that you weren't prompted to specify a root directory for the new FTP site. This is because when

you use this approach each user's FTP home directory is defined by two environment variables: %ftproot% which defines the root directory and can be anywhere including a UNC path to a

network share on another machine such as \\test220\docs, and %ftpdir% which can be set to %username% so that for example Bob Smith's FTP home directory would be \\test220\docs\bsmithand this folder would have to be created beforehand for him. You could set these environment variables using a logon script and assign the script using Group Policy, but that's beyond the scope

of this present article.

Summary

advertisement

2 of 26 3/31/2012 3:23 PM



23/26

Tweet 0 0 5

In this article I've explained how to create and configure FTP sites in various ways on IIS 6. With the exception of FTP User Isolation, everything we've covered here also applies to IIS 5 on

Windows 2000. If you want to learn more about IIS 6 and its capabilities, see my bookIIS 6 Administration (Osborne/McGraw-Hill).

1Like

3 of 26 3/31/2012 3:23 PM



24/26

Add a comment...

Tesfaye Assefa Moj at System and Network Administrator

Good

Reply Like 19 March at 23:371

Kaleab Negash REPI

teacher you start distance learning.


Matt Fauzy Kuala Lumpur, Malaysia

great article for beginner=)


Teh O Lai SMK Darul Ehsan Selayang Baru

zamn bt final network.


Rajesh Tomer Works at Central Government of India

it is was very good and please tell me about more user to transfer many file to users


Chipie Charles Chioko

This is a great article....quite straight forward.

Reply Like 31 January at 00:001

I nnocent Patrick Mapwetekere Employee Benefits Consultant at NBC MalawiLimited

axa. tanditumizire dreamweaver. software. tifuna ti designe zimenezi.

Reply Like 2 February at 00:28

Kagiso Kubs Kubeka Mageza at Business Connexion

thanks


4 of 26 3/31/2012 3:23 PM



25/26

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP)

status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has written or contributed to

two dozen books and is lead author of the bestsellingWindows 7 Resource Kit from Microsoft Press.

Mitch is based in Winnipeg, Canada, and you can find more information about his books at his websitewww.mtit.comYou can also keep up with Mitchs writing and

speaking activities by friending him on Facebookand/or following him on Twitter.

Click here for Mitch Tulloch's section.

Latest articles by Mitch Tulloch

Trench Tales (Par t 1) - Hardware Troubleshooting

Office 2010 Security (Part 3) - Information Control

Office 2010 Security (Part 2) - Threat Mitigation (Continued)Product Review: Centrify DirectAudit for Windows

Office 2010 Security (Part 1) - Threat Mitigation

Internet monitoring, Web security and Internet Access Control - All in one!Boost employee productivity by monitoring, controlling and reporting on employee internet access. Protect users and company network against malware infection through web browsingand downloads, as well as phishing scams.

ManageEngine OpManager - The Complete Network Monitoring SoftwareMonitor WAN infrastructure, LAN, Servers, Switches, Routers, Services, Apps, CPU, Memory, AD, URL, Logs, Printers. Satisfies your entire Network infrastructure Management

needs.

ManageEngine ServiceDesk Plus - The Out-of-the-box ITIL Ready HelpDesk SoftwareGet an out-of-the-box, flexible helpdesk with integrated asset management and ITIL features, used by more than 10000 IT managers in 23 different languages

Get a free Windows SIP Server / IP PBXIP Telefonanlage, VOIP Telefooncentrale, Centralino Telefonico IP, PABX-IP, Centralita Telefonica VOIP, Centrala Telefoniczna, Telefonni system, IP telefonvaxel, Central Telefonica

IP, VOIP Telefonsentral, IP telefonanlaeg, IP Puhelinvaihde, Telefon Sistemi, IP PBX (Russian), IP PBX (Greek), IP PBX (Japanese), IP PBX (Korean), IP PBX (Simplified Chinese),IP PBX (Traditional Chinese), IP PBX (Arabic)

Get Spiceworks IT Management & Help Desk Software & Request Price Quotes - All Free!Download Spiceworks IT management software to make your IT day easier! In addition to network monitoring, help desk functionality, UPS management software, & IT community

access, Spiceworks now offers a free multi-vendor request for quote service. And it's still 100% free! Get it today!

Receive all the latest articles by email!

5 of 26 3/31/2012 3:23 PM



26/26

Receive Real-Time & Monthly WindowsNetworking.com article updates in your mailbox. Enter your email below!

Click for Real-Time sample & Monthly sample

Become a WindowsNetworking.com member!

Discuss your network issues with thousands of other network administrators. Click here to join!

About Us : Email us : Product Submission Form : Advertising Information

WindowsNetworking.com is in no way affiliated with Microsoft Corp. *Links are sponsored by advertisers.

Copyright 2012 TechGenix Ltd. All rights reserved. Please read ourPrivacy Policy andTerms & Conditi ons.

Documents

Creating and Configuring FTP Sites in Windows Server 2003