How to Setup User Authentication in FTP 7 on IIS 7.0
As I wrote in the article on installing FTP 7 on IIS 7.0, Microsoft completely rewrote the FTP service code for Server 2008. Included in this update were a number of ways to secure your FTP server against intrusion. One of the easiest ways to secure your FTP site is to have users authenticate instead of allowing anonymous access, and that’s what we’ll look at today.
For this article I will assume that you already have Server 2008, IIS 7, and FTP installed and ready to go. Now let’s secure your FTP servers.
User Authentication in FTP 7 on IIS 7
In our first article on FTP, I showed you how to install and then configure an anonymous public site. This allowed anyone to get the files located in those directories.
While this is great for a certain type of site, if you require greater security you can setup authentication for your FTP site. We are going to look at two types of user authentication, one using Windows users and another using IIS Manager authentications.
Windows Users FTP Authentication
This type of user authentication allows the FTP site to use the local Server user accounts/groups for access to the FTP site.
This example assumes you already have a user created for this purpose and given the account access to the FTP directory; we are using the account FTPUser.
1. Start by opening IIS Manager
2. Right click on Sites, and then click on Add FTP Site …
3. Fill in the site name and path to the directory that will hold the files. We are usingWindowsFTPuser.com and C:\inetpub\privateftp for our example. Click Next when done.
4. Choose an IP for this FTP site to use, and change the radio button to Allow SSL. Leave the rest of the setting alone for now.
5. In this window we will specify what users are allowed access and Read/Write permissions will be assigned to those users.
Check the box next to Basic, set the dropdown to Specified users, under that type in the user name (in our case FTPUser), and check Read & Write. Click Next after you enter all the information.
6. That ends the FTP site wizard, if you want to add or remove users after the initial setup, in the IIS Manager click on the site you want to manage and then click on FTP Authorization Rules.
7. In this pane you can select to Add Allow Rule …, Add Deny Rule …, and Remove. This allows you to manage access to your ftp site through basic Windows authorization.
With this configuration only those users assigned to the FTP site will be allowed access. Please note that you can also use Group permissions the same way.
IIS Manager Authentication
For a long time compared to *nix implementations of FTP, Windows was sorely lacking. One of the biggest hurdles was the fact that if you had site managers who wanted to give access to certain users there would have to be a corresponding account setup for them on the local server. Not the best situation from a security or administration standpoint.
With the release of FTP 7 and IIS 7 this has been corrected by the use of IIS 7 Management Service. In this example, I’m going to setup the service and apply the users to the domain we setup earlier.
1. We have to grant special permissions to the Network Service to be able to use this Service so open up a command prompt.
2. Type the following:
CACLS “%SystemDrive%\Windows\System32\inetsrv\config” /G “Network Service”:R /ECACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config” /G “Network Service”:R /ECACLS “%SystemDrive%\Windows\System32\inetsrv\config\redirection.config” /G “Network Service”:R /E
Now we have to give rights to the Network Service to the root FTP folder, in our instance this is C:\inetpub\privateftp. When you run this command replace the directory with your own.
3. Open Command Prompt
4. Type the following:
CACLS “%SystemDrive%\inetpub\privateftp” /G “Network Service”:C /T /E
Next we need to install the IIS 7.0 management service on the server.
5. Open Server Manager
6. Open the Roles, find the Web Server (IIS) role, and click on Add Role Services.
7. In the Select Role Services window scroll down till you find Management Service, if it is unchecked then place a check mark next to it and click Next.
If there are any required features that also need to be installed you will be prompted to install those also.
8. Next you will have a summary screen of everything that is going to be installed, click Install to start the process.
9. The next window will show you the progress of the installation process.
10. Installation Results window will appear when the installation is finished, click on Close when done.
11. Open IIS Manager
Select the server in IIS Manager; in our case, TSTEST, and scroll down in the center pane toManagement Service and click on it.
12. In the Management Service pane, look for the Identity Credentials box and select Windows credentials or IIS Manager credentials, then click Apply.
13. In the connections pane select the server you are working on, and double click on IIS Manager Users.
14. Click on Add User … in the Actions pane.
15. Now you will create a user account that can be used, in our case I am going to add Gomerand enter a password for that user.
16. You will now see that the user is created and you can do some limited administration in this panel for those users, including Disable User and Change Password.
17. Now click the site you want to configure to use IIS 7 Manager Authentication in the connections pane, choose FTP Authentication in the center pane
18. Click on Custom Providers in the action pane.
19. In the Custom Providers dialog window place a check next to IisManagerAuth, then click Ok.
20. Now let’s add the user we created earlier by selecting the FTP site in the connections pane and then select IIS Manager Permissions in the center panel.
21. Click on Allow User … in the Actions pane
22. The Allow User … dialog box now shows both types of users, Windows & IIS Manager. In our case we are going to click the Select … button.
23. In the Users dialog select the user, (Gomer in our case) and click OK.
24. Click Ok to continue and add the user to IIS Manager Permissions.
25. Now we have to add an authorization rule, so let’s choose the site again in the connection pane, then FTP Authorization Rules, in the central pane.
26. Select Add Allow Rule … in the actions pane.
27. The Add Allow Authorization Rule dialog box is next, so select Specified users and type the users’ names in, separated by commas. Place a check next to either or both Read/Writepermissions, and click OK.
We have now setup this site to use both types of users Windows and IIS Manager Users. You can use these in conjunction with each other or completely independent of the other — all depending on the needs of your organization.