Windows Server 2003 FTP Query

Fizman

Our server in work operates on Windows Server 2003. We have an FTP site/server set up so that when we are off site, we can log on an download/upload files etc. We also have several other people working for us around the country who have access to this FTP server.

We could have 20+ folders on this server at any one time, and whoever logs on, currently has access to all data. My boss however, wants to limit the access some users have, to just one folder for example.

E.g. Mark works from Galway, and has a 'Mark' folder on the FTP at the minute. Is it possible to limit Marks access to just this folder? I have had a quick look over lunch on the MS website, and saw that there is an FTP User Isolation feature. Would this be the way to go? I have personally had little or no experience in MS Server in the past.

Any info appreciated!

seamus

It's not even so much about isolation. Much like any FTP server, you can specify who has logon rights to the FTP Server and then you specify a base (home) directory for that user when they log in. The user then can only navigate within that directory tree.

Sorry, haven't got much more info than that as I don't have access to Win FTP server right here. You manage the FTP server through the IIS admin tool.

Fizman

Thanks. I'll have a look through the IIS options later on to see if it is an obvious option. If not i'll look deeper into the MS FTP pages.

Fizman

Ok so I set up a few user accounts in Active Directory, and set their profile/root path to specific folders on our FTP site. The whole thing works a charm when viewed through Windows Explorer, with the user only seeing the files which are in their own folder. Internet Explorer is a different story altogether though.

When IE is fired up and the FTP address is entered, the user is then asked for their username and password. When these are entered, our entire root directory appears in list form, in full view to the user whose root I had set to their own folder on our site. Logged in as one of these new users, I was able to download some content that would not be located in their folder (i.e. its in our root and they should not have access to it). However, when I click on 'Page' and select 'View FTP in Windows Explorer', only their own data from their own folder appears.

Any ideas what the problem might be?? Is there further security required to have our directory locked when viewed in IE?

Any help appreciated as I am looking to get these accounts up and running as soon as possible!

moridin

You could actually change the filesystem access to these files so that the user can only read and/or write to specific areas. When someone logs into a machine via FTP using a windows login account they get the same access they would to files as a user of that machine.

Just because you set someone's home folder to say c:\ftproot\jim doesn't mean that he can't change back up to the ftproot if he wants to, it just sets his home folder, i.e. the folder he sees when he logs in with that account.

What happens when you use a proper FTP client, like commandline FTP or Filezilla?

It sounds to me like you need to tighten up your NTFS file permissions and put these "external" users in a group where they don't get access to view the full contents of the ftproot

seamus

moridin wrote: »

It sounds to me like you need to tighten up your NTFS file permissions and put these "external" users in a group where they don't get access to view the full contents of the ftproot

Yep, that would be my thinking.

The ideal situation would be a distinct folder where all FTP Files are uploaded. Then you remove the user's access to the root folder (and below), and provide them with a folder in the FTP root which they have access to.

If you're doing your testing on a domain machine from within the domain, IE may also be just acting clever and compiling the information based on NFS shares and the like.