PART-3
Introduction
In the previous article in this series, I showed you how to get the IIS 7.0 version of the FTP service. In this article, I will show you how to add SSL encryption to your FTP site.
Acquiring an SSL Certificate
Before your FTP server will be able to provide SSL encryption, you will need an X.509 certificate. You can either purchase the certificate from a commercial certificate authority such as VeriSign or Thawte, or you can use an in house certificate authority to issue the certificate.
For the purposes of this article, I am going to assume that you have a Windows 2008 server that is configured to act as an enterprise certificate authority. I will show you how to issue a certificate request and download the necessary certificate in the next section. If you are getting the SSL certificate from a commercial certificate authority, then you can skip the next section.
Requesting the Certificate
In order to use SSL encryption, we need to issue a request to our Enterprise Certificate Authority. For the purpose of this article, I am going to assume that your FTP server is a member of the same Active Directory forest as your Enterprise Certificate Authority.
To request the necessary certificate, open Internet Explorer, and enter the URL that is associated with your Enterprise Certificate Authority. By default, the URL is https://<server name>/CertSrv. When entering this URL, you will usually have to enter your Enterprise Certificate Authority's fully qualified domain name rather than just entering the server's NetBIOS name.
Once you enter the Enterprise Certificate Authority's URL, log into the Active Directory Certificate Services Web site as a domain administrator (if necessary). After doing so, click on the Request a Certificate link. You should now see a screen asking you if you would like to request a user certificate, or if you would like to submit an advanced certificate request. Click on the Advanced Certificate Request option.
The following screen gives you a choice of issuing a request directly to the certificate authority or of uploading a certificate request file that is encoded in Base-64 or in PKCS #10 format. Click on the Create and Submit a Request to This CA link.
At this point, you may be prompted to install an ActiveX control. If that happens, go ahead and install the control and allow it to run.
You should now be at the main Advanced Certificate Request screen. Select the Web Server option from the Certificate Template drop down list. You must now enter some basic identification information that can be included within your certificate. This includes things such as your name, E-mail address, mailing address, and phone number.
In the Key Options section, choose the option to Create a New Key Set. You should also verify that the Cryptographic Service Provider (CSP) is set to Microsoft RSA SChannel Cryptographic Provider, and that the Key Size is set to 1024, as shown in Figure A.
Figure A: You must make sure that the Cryptographic Service Provider (CSP) is set to Microsoft RSA SChannel Cryptographic Provider, and that the Key Size is set to 1024
Now, scroll down to the bottom of the interface, and click the Submit button. You should see a warning message telling you that the Web site is trying to generate a certificate request. Click Yes to allow the request to go through. When the process completes, you should see a message telling you that a certificate was issued to you, and asking you if you want to install it. Go ahead and click the Install This Certificate link. Once again, you will see a warning message telling you that the Web site is attempting to install a certificate. Click Yes to allow the operation.
You should see a message telling you that the certificate was installed successfully, but we need to make sure. To do so, enter the MMC command at the Run prompt on your FTP server. When you do, Windows will open an empty instance of the Microsoft Management Console. At this point, you must choose the Add / Remove Snap-In command from the console’s File menu. This will cause Windows to display the Add or Remove Snap-ins dialog box.
Choose the Certificates option from the list of available snap-ins, and click the Add button. You will now be asked if the console should be used to manage certificates for your user account, a service account, or the computer account. Choose the Computer Account option, and click the Next button.
The following screen will ask you if you want to manage certificates for the local computer, or if you want to manage certificates for another computer on the network. Make sure that the Local Computer option is selected, and then click the Finish button, followed by the OK button.
The console should now load the Certificates snap-in. You must now navigate through the console tree to Console Root | Certificates (Local Computer) | Personal | Certificates. When you select the Certificates container, the Details pane should show you the certificate that has been issued.
Enabling SSL for the FTP Server
Now that we have an SSL certificate, we can enable SSL encryption for our FTP server. To do so, open the Internet Information Services (IIS) Manager. Navigate through the console tree to <your server> | Sites | <your FTP site>. With your FTP site selected, double click on the FTP SSL Settings icon, located in the Details pane.
The console should now display the FTP SSL Settings page. Select your SSL certificate from the SSL Certificate drop down list, as shown in Figure B. You then have the option of either allowing SSL connections or of requiring SSL connections. You can also choose to use 128-bit encryption for stronger security. Click the Apply button to save your changes.
Figure B: Select your certificate from the SSL Certificates drop down list.
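The same two steps done from PowerShell, as an added example that is not part of the original article: first the check the MMC walk-through performs (is the issued certificate really in the computer's Personal store, with its private key, and valid for server authentication), then the binding the FTP SSL Settings page applies. The site name and certificate subject are placeholders, and the IIS WebAdministration cmdlets are assumed to be available (a snap-in on Windows Server 2008, a module on later versions); run it elevated on the FTP server.

```powershell
# Added example, not from the article. Placeholders: site name and certificate subject.
if (Get-Module -ListAvailable WebAdministration) { Import-Module WebAdministration } else { Add-PSSnapin WebAdministration }

$siteName    = 'MyFtpSite'            # placeholder
$subjectName = 'CN=ftp.example.com'   # placeholder: the name you entered on the request form

# 1. Locate the certificate the MMC step shows under Personal | Certificates.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU, as issued by the Web Server template
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subjectName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subjectName in LocalMachine\My" }

# 2. Checks worth making before binding: private key present (the request was completed on
#    this machine), not expired, and carrying the Server Authentication EKU.
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key on this machine' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    throw 'Certificate lacks the Server Authentication EKU'
}
# The request form in the article used a 1024-bit key; report the size so it can be reviewed.
$keySize = $cert.PublicKey.Key.KeySize
Write-Host "Using $($cert.Thumbprint) ($keySize-bit key, expires $($cert.NotAfter))"

# 3. Bind the certificate and require SSL on both the control and data channels.
#    This is the 'Require SSL connections' choice on the FTP SSL Settings page;
#    'SslAllow' corresponds to 'Allow SSL connections'.
$sitePath = "IIS:\Sites\$siteName"
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertStoreName  -Value 'My'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslRequire'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.ssl128               -Value $true   # 'Use 128-bit encryption'

# 4. Read the settings back to confirm what was applied.
Get-ItemProperty $sitePath -Name ftpServer.security.ssl | Format-List
```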
To Use SSL or Not to Use SSL?
At first, having the option to use SSL for your FTP site probably sounds like a no-brainer. After all, encryption is a good thing, right? Not necessarily.
One of the drawbacks to using SSL encryption is that the encryption process increases the CPU’s workload. The extra workload is probably worth it if you are transmitting sensitive information back and forth, or if the FTP site is only used occasionally. If you anticipate the FTP site being heavily used though, then it is a good idea to do some testing to make sure that the encryption process is not going to cause performance problems for the server.
I recommend monitoring the Performance Monitor's Processor\% Processor Time counter both before and after SSL encryption is enabled. Spikes in CPU activity are normal, but the average utilization should remain below 80%. Otherwise, it means that the CPU is having trouble keeping up with the demands that are being made of it.
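A way to capture that before-and-after comparison without watching the graph, as an added example that is not from the article: it samples the same counter for a few minutes and reports the average and the peak separately, since the article's rule is about the average, not the spikes. It assumes PowerShell 2.0 or later for Get-Counter; the 80% threshold is the article's.

```powershell
# Added example, not from the article. Samples \Processor(_Total)\% Processor Time
# and reports average and peak so a pre-SSL baseline can be compared with a post-SSL run.
function Measure-CpuLoad {
    param(
        [int]$IntervalSeconds  = 5,
        [int]$Samples          = 60,    # 60 samples x 5 s = 5 minutes of observation
        [double]$ThresholdPercent = 80  # the article's ceiling for average utilization
    )
    $counter = '\Processor(_Total)\% Processor Time'
    $values  = Get-Counter -Counter $counter -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples[0].CookedValue }
    $stats = $values | Measure-Object -Average -Maximum
    New-Object PSObject -Property @{
        AveragePercent = [math]::Round($stats.Average, 1)
        PeakPercent    = [math]::Round($stats.Maximum, 1)   # spikes here are normal
        OverThreshold  = ($stats.Average -ge $ThresholdPercent)
    }
}

# Run once before enabling SSL, then again while the site carries a representative
# transfer load with SSL required, and compare the two objects.
$baseline = Measure-CpuLoad
$baseline | Format-List
if ($baseline.OverThreshold) { Write-Warning 'Average CPU already at or above 80% before SSL; expect trouble' }
```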
Conclusion
Having the ability to encrypt your FTP site is nice, but it is not everything. Without proper security it is still possible for someone to log onto your FTP site anonymously, even if SSL encryption is enabled. In Part 4, I will conclude the series by discussing authorization for FTP sites.
PART-4
Introduction
So far in this series, I have shown you how to create an FTP site that users can access over a secure SSL session. SSL encryption is not everything though. Without the proper authorization mechanisms in place, it is still possible for anonymous users to access your FTP site. In this article, I want to conclude the series by talking about authorization as it applies to FTP sites in IIS 7.0.
Authentication
You cannot really perform any type of authorization unless you are also performing authentication.
Open the Internet Information Services (IIS) Manager, and navigate through the console tree to <your server> | Sites | <your FTP site>. Next, double click on the FTP Authentication icon, located in the console's middle pane. As you can see in Figure A, you have a choice of enabling either Anonymous Authentication or Basic Authentication. For our purposes, we need to enable Basic Authentication. Therefore, right click on the Basic Authentication option, and then select the Enable option from the shortcut menu.
Figure A: You must enable Basic Authentication
Authorization
Authentication establishes the user’s identity, but now we need to take some steps to determine whether or not the user is going to be allowed to access the FTP site. If the user is allowed to access the site, then authorization dictates whether or not the user is allowed to perform the action that they are attempting.
There are a couple of different forms of authorization that are supported for FTP sites. You can perform authorization by domain and IP address or by user and group name.
Address and Domain Name Restrictions
Address and domain name restrictions are usually used when users access the site anonymously, but can be used in conjunction with basic authentication to provide an extra degree of security. Adding a domain or IP address restriction is really easy to do. With your FTP site selected, double click on the FTP IPv4 Address and Domain Restrictions icon, located in the center column.
When the console switches to Features View, right click on an empty area in the center pane, and then choose either the Add Allow Entry or the Add Deny Entry option from the shortcut menu. Both options work in the same way, but one will grant access to the specified address or domain, while the other will block access.
When prompted, simply enter either the IP address or the domain name that you wish to base the rule on. As you can see in Figure B, you have the option of specifying either a single IP address, or an entire IP address range.
Figure B: You can create an authorization rule based on IP addresses or domain names
As you look at the figure above, you might notice that there is no field to specify a domain name. The reason for this is that domain name restriction rules place a huge burden on the server because each connection requires a reverse DNS lookup in order to determine the domain name that is associated with the IP address. Therefore, Microsoft hides the domain name option by default.
If you want to enable domain name rules, then right click in an empty area of the Features View pane, and then choose the Edit Feature Settings command from the shortcut menu. Doing so will cause Windows to display a dialog box that allows you to set the default behavior for unspecified connections to either Allow or to Deny. Besides controlling the FTP server’s default behavior though, the dialog box also contains a check box that you can use to enable domain name restrictions, as shown in Figure C.
Figure C: You can use the Edit IPv4 Addresses and Domain Restriction Settings dialog box to enable domain name restrictions
FTP Authorization Rules
Normally, if you are going to be performing basic authentication on FTP connections, you will use FTP authorization rules to control who is able to do what. You can access the FTP authorization rules by selecting your FTP site in the IIS Manager console, and then double clicking on the FTP Authorization Rules icon, found in the console’s middle pane.
Once the console switches to Features view, you can create an FTP Authorization Rule by right clicking in an empty area of the console’s middle pane, and then choosing either the Add Allow Rule or the Add Deny Rule command from the shortcut menu.
Setting up a rule is pretty simple. If you look at Figure D, you can see that a rule basically just consists of a user or a group to whom the rule will apply, and a permission. For example, a rule can be applied to All Users, All Anonymous Users, Specified User Groups (such as Admins, Users, or Guests), or to specific users.
Figure D: You must specify a user or a group of users, and then specify a permission
Even though the console will allow you to do so, I recommend that you never apply rules to individual users. Otherwise, managing permissions could turn into a logistical nightmare. You are always better off either specifying a group or using one of the other available options.
Setting a permission could not be any easier. All you have to do is select the Read check box, the Write check box, or both. One thing that you must keep in mind though, is that these are IIS level permissions. There will almost always also be NTFS permissions that apply to the folder that the FTP site is using. You must ensure that the NTFS permissions are adequate to allow the specified users to access the FTP site, or else the permissions that you set through IIS won't matter.
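The authentication, address restriction and authorization rule steps above applied from PowerShell, together with the NTFS check the last paragraph calls for, as an added example that is not from the article. The site name, domain group, and allowed subnet are placeholders, and the IIS WebAdministration cmdlets are assumed to be loaded (a snap-in on Windows Server 2008, a module on later versions); run it elevated on the FTP server.

```powershell
# Added example, not from the article. Placeholders: site name, domain group, allowed subnet.
if (Get-Module -ListAvailable WebAdministration) { Import-Module WebAdministration } else { Add-PSSnapin WebAdministration }

$siteName = 'MyFtpSite'                     # placeholder
$sitePath = "IIS:\Sites\$siteName"
$ftpGroup = 'CONTOSO\FtpUsers'              # placeholder group; the article advises groups over individual users
$allowNet = @{ ipAddress = '192.0.2.0'; subnetMask = '255.255.255.0'; allowed = 'true' }  # documentation range

# 1. Authentication: Basic on, Anonymous off. Authorization is meaningless without it.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# 2. IPv4 address restrictions: deny unlisted addresses, allow one subnet, and leave the
#    reverse-DNS (domain name) option off for the reason the article gives.
$ipFilter = 'system.ftpServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $ipFilter -Name allowUnlisted    -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $ipFilter -Name enableReverseDns -Value $false
Add-WebConfiguration         -PSPath 'IIS:\' -Location $siteName -Filter $ipFilter -Value $allowNet

# 3. FTP authorization rule: one group, Read and Write. Omit Read to prevent directory listings.
$authFilter = 'system.ftpServer/security/authorization'
Add-WebConfiguration -PSPath 'IIS:\' -Location $siteName -Filter $authFilter `
    -Value @{ accessType = 'Allow'; roles = $ftpGroup; permissions = 'Read, Write' }

# 4. NTFS check: the IIS rule grants nothing the file system does not also allow.
$contentPath = [Environment]::ExpandEnvironmentVariables((Get-Item $sitePath).physicalPath)
$ntfs = (Get-Acl $contentPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $ftpGroup -and $_.AccessControlType -eq 'Allow'
}
if (-not $ntfs) {
    Write-Warning "$ftpGroup has no NTFS allow entry on $contentPath; the IIS Read/Write rule will not be effective"
} else {
    $ntfs | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}
```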
Directory Browsing
Although it seems a little strange (at least to me it does), you cannot use authorization rules to control directory browsing. For that you will have to select your FTP site in the IIS Manager console, and then double click on the FTP Directory Browsing icon located in the console's middle column.
As you can see in Figure E, you can display the directory listing in either MS-DOS style, or in UNIX style. There is not an option to disable directory browsing though. If you want to disable directory browsing, then make sure that you do not assign users the Read permission when you create an authorization rule.
Figure E: You can customize directory browsing for the FTP site to make the server look like a DOS (Windows) server or a UNIX server
In addition to controlling the directory style, you also have the option of displaying virtual directories, the number of available bytes in the directory, and four digit years, all by selecting the corresponding check boxes.
Conclusion
As you can see, setting up an FTP site in IIS 7.0 is pretty straightforward. The main things that you need to remember are that SSL encryption does not take the place of authentication and authorization, and that the permissions that you set through the IIS console do not override NTFS permissions.