
Topic: Configuring IIS To Host an FTP Site

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanks received
    2513
    Thanks given
    272

    Configuring IIS To Host an FTP Site

    Code:
    http://www.windowsnetworking.com/articles_tutorials/Configuring-IIS-Host-FTP-Site-Part1.html

    PART-1



    Introduction

    It is easy to think of IIS as just being an application for hosting Websites, but IIS can also be configured to act as an FTP server that allows users to upload and / or download files. An IIS FTP site can be bound to a Web site or it can be a standalone site. In either case, IIS offers you a great deal of flexibility in setting up an FTP site. In this article series, I will show you how to install the necessary services, and how to provision your IIS server. I will also show you some variations of these techniques that you can use to adapt your FTP site to specific types of situations.
    Why Use FTP?

    FTP (File Transfer Protocol) is far from being the only game in town when it comes to file transfers, so you may be wondering why I am bothering to write about FTP as opposed to some other type of file transfer mechanism. After all, the FTP protocol has been around since 1971, and is a bit dated to say the least.
    I am not going to try to tell you that FTP is the be all – end all when it comes to file transfer protocols. There are certainly file transfer methods that are more efficient. Even so, there are a couple of different reasons why I chose to write about FTP. For starters, FTP is universal. Everybody knows what FTP is, and it works on pretty much every operating system.
    FTP completely masks the complexities of interacting with various operating systems and file systems. It doesn’t matter if a user is using Linux, Windows 95, Windows Vista, or something really obscure. As long as their operating system is FTP aware, they can transfer files to or from an IIS server that is running on Windows Server 2008.
    The other reason why I wanted to write about FTP is because the FTP services are included with IIS. You do not have to develop or purchase any additional software. Simply install the necessary components, adjust a few configuration settings, and you are in business.
    Installing an FTP Server

    Windows Server 2008 gives you two different options for installing an FTP Server. One option is that you can install the FTP server through the GUI. The other option is to configure the server to operate as a server core installation. As you might have heard, server core deployments are entirely command line driven, but are arguably more secure than their GUI counterparts because fewer Windows components are installed. In the interest of reducing complexity, I am going to focus my discussion on performing a traditional, GUI based installation.
    With that said, begin the process by opening the Server Manager and scrolling through the pane on the right to the Roles Summary section. Next, click the Add Roles link that’s located within this section. When you do, Windows will launch the Add Roles Wizard.
    Click Next to bypass the wizard’s Welcome screen, and you will be taken to the Select Server Roles screen. Select the check box corresponding to the Web Server (IIS) role, and click Next. You will now be taken to the wizard’s Select Role Services screen. This screen lists the various IIS related components that you can install. Since many of the services required by an FTP server are selected by default, go ahead and click Next to accept the default values. You will now be taken to a confirmation screen that lists the choices that you have made. Take a moment to review the components that will be installed, and then click the Install button. When the installation process completes, verify that the installation was successful, and then click the Close button.
    Now, open the Server Manager and navigate through the console tree to Server Manager | Roles | Web Server (IIS). Upon selecting the Web Server (IIS) container, scroll through the pane on the right until you locate the Role Services section. As you examine the entries in this section, you will notice that the FTP Publishing Service and its subcomponents are not installed.
    You can install these components by clicking the Add Role Service link. Upon doing so, Windows will open a dialog box that prompts you to select the role services that you want to install. Select the check box corresponding to the FTP Publishing Service. Upon doing so, the underlying FTP Server service and the FTP Management Console check boxes will also be selected. Leave these items selected.
    Click Next, and Windows will display a summary screen that shows you which role services you are about to install. Assuming that your choices appear to be correct, go ahead and click the Install button. Windows will now install the selected role services. When the installation process completes, take a moment to verify that the installation was successful, and then click the Close button. I also recommend going back to the Server Manager and taking another look at the Role Services for the Web Server (IIS) role. You should be able to verify that the FTP Publishing Service, the FTP Server, and the FTP Management Console are all installed.
    Securing Your FTP Server

    Now that the necessary role services are installed, it is probably a good idea to secure your FTP server. One of the primary techniques used to secure an FTP session is to encrypt the session using SSL. Keep in mind that SSL encryption is not mandatory though. In some cases uploading or downloading unencrypted files is not a big deal. For example, I downloaded a new Microsoft Word template from one of my publishers via FTP last week. The transmission wasn’t encrypted, but it really did not matter because it was just a document template. In any case, it is a good idea to at least give your users the option of encrypting the session if they want to.
    SSL encryption is based on the use of digital certificates. The certificate is not just used as the basis for encryption, it also serves as a mechanism to positively identify your server. There are actually three different options available to you in regard to using a certificate. You can purchase a certificate from a commercial certificate authority, you can generate your own certificate from a Windows Server that is configured to act as an Enterprise Certificate Authority, or you can configure your FTP server to generate a self signed certificate.
    When you are trying to decide which method to use, remember that the client computer has to trust the certificate that the server is using. Windows clients automatically trust certificates from the major commercial certificate providers. They will usually also automatically trust an Enterprise Certificate Authority, so long as the client machine is a domain member. A client will never automatically trust a self signed certificate.
    Conclusion

    As you can see, certificate trust is a major issue when it comes to providing SSL encryption. In Part 2, I will continue the discussion by showing you how to configure a client to trust an otherwise untrusted certificate. I will also show you how to enable SSL encryption for your FTP server.


    PART-2



    Introduction

    In my previous article in this series, I showed you how to install the FTP role services, and I began talking about SSL encryption for FTP. Although SSL encryption is certainly not a requirement for using FTP, it is a good idea to at least give your users the option of encrypting their FTP sessions, because you never know when they will need to transfer a sensitive document. Over the next two articles, I will show you how to add SSL security to your FTP server.
    The New Version

    If you look at your server’s Administrative Tools menu, you will notice that it contains a link for the Internet Information Services (IIS) Manager, and another link for the Internet Information Services (IIS) 6.0 Manager, as shown in Figure A. There is actually a really good reason for this.

    Figure A: Windows Server 2008 includes two separate IIS management tools
    When Microsoft created Windows Server 2008, one of their goals was to completely revamp the FTP server in an effort to modernize it. However, the new code was not completed in time for the Windows Server 2008 release. Since Microsoft did not want to release Windows Server 2008 with no FTP support, they ended up porting the IIS 6.0 version of the FTP services from Windows Server 2003 into Windows Server 2008.
    If you choose the Internet Information Services (IIS) 6.0 option from the Administrative Tools menu, you will see the console shown in Figure B. This is essentially just a watered down version of the IIS Management Console that was included for the sole purpose of managing the FTP services. If you right click on the Default FTP Site, and choose the Properties command from the resulting shortcut menu, Windows will display the FTP site’s properties sheet. A quick look at the properties sheet’s various tabs will show you that there simply isn’t an option for encrypting FTP sessions.

    Figure B: The Internet Information Services (IIS) 6.0 manager is a leftover from Windows Server 2003
    The good news is that you are not stuck using the legacy FTP server. Microsoft went on to complete their new FTP server, and released it as an out of band add-on. This means that it is not technically a part of the operating system, but is an add-on that is designed to work with the operating system.
    I once asked someone in Redmond if the new version of the FTP server would be integrated into Windows Server 2008 when the next service pack was released. I was told that the FTP server was going to remain an out of band add-on, because doing so allowed the IIS team to modify it whenever they wanted without having to deal with all of the politics associated with modifying an operating system component.
    Since the new FTP server is far superior to the one that ships with the operating system, let us go ahead and uninstall the IIS 6.0 version, and then we will download and install the new version.
    Removing the IIS 6.0 FTP Server

    Even though we just installed the IIS 6.0 version of the FTP services, let us go ahead and remove it. I only wanted to install it as a way of showing you the difference between what was included in Windows Server 2008, and what you got with the out of band release.
    To remove the previous version of the FTP services, open the Server Manager, and select the Roles container from the console tree. Scroll down until the console lists all of the role services that are installed, and click the Remove Role Services link. When you do, Windows will open the Remove Role Services Wizard. Deselect the FTP Publishing Service check box, and click Next, followed by Remove and Close.
    Installing the IIS 7 FTP Server

    The first thing that you will have to do is to download the Microsoft FTP Services for IIS 7.0. The actual download link that you will use varies depending on whether you are running the 32-bit or the 64-bit version of Windows Server 2008. If you are running the 32-bit version, you can download the FTP services here. If you are running the 64-bit version of Windows Server 2008, then you will want to download the FTP services here.
    Save the file that you have downloaded to an empty folder on your server’s hard drive. Next, double click on the file that you have downloaded, and click the Run button when prompted by Windows. Windows will now launch the Microsoft FTP Services for IIS 7.0 installation wizard.
    Click Next to bypass the wizard’s Welcome screen. The wizard will now display the End User License Agreement. Accept the license agreement, and click Next. At this point, you will see a screen that is similar to the one shown in Figure C, asking you which of the individual FTP services components you would like to install. For our purposes, make sure that all of the components are set to be installed, and click Next.

    Figure C: Make sure that all of the FTP components are going to be installed
    You should now see a message telling you that Windows is ready to install the FTP services. Click the Install button to initiate the installation process. When the installation process completes, click Finish.
    Accessing the FTP Server

    Now that our quick and painless installation process is complete, let us open the IIS 7.0 management console. To do so, select the Internet Information Services (IIS) Manager option from the Administrative Tools menu. When the Internet Information Services (IIS) Manager console opens, select the container from the console tree that bears the name of your server. As you can see in Figure D, some FTP management tools have been added to the server.

    Figure D: The Internet Information Services (IIS) Manager console now supports FTP
    Now scroll through the console tree to <your server> | Sites. Right click on the Default Web Site container, and choose the Add FTP Site option from the shortcut menu. You will now be prompted to enter a name for the FTP site, and a physical path that you want to link the site to. Go ahead and do that, as shown in Figure E, and then click Next.

    Figure E: Enter the name of the site and the site’s physical path
    On the following screen, select the Allow SSL option, and click Next. Click Finish, and IIS will create a bare bones FTP site. We will configure and secure this site in Part 3.
    Conclusion

    As you can see, the IIS 7.0 version of the FTP services offers a lot more options than the IIS 6.0 version does. In the next article in the series, I will show you how to apply SSL encryption to an FTP server. In the meantime though, I would strongly recommend that you take the time to check for any updates to the FTP services that might have been released since the time that Microsoft first made the services available.





  2. #2
    PART-3

    Introduction

    In the previous article in this series, I showed you how you could get the IIS 7.0 version of the FTP services. In this article, I will show you how to add SSL encryption to your FTP site.
    Acquiring an SSL Certificate

    Before your FTP server will be able to provide SSL encryption, you will need an X.509 certificate. You can either purchase the certificate from a commercial certificate authority such as VeriSign or Thawte, or you can use an in house certificate authority to issue the certificate.
    For the purposes of this article, I am going to assume that you have a Windows 2008 server that is configured to act as an enterprise certificate authority. I will show you how to issue a certificate request and download the necessary certificate in the next section. If you are getting the SSL certificate from a commercial certificate authority, then you can skip the next section.
    Acquiring an SSL Certificate

    In order to use SSL encryption, we need to issue a request to our Enterprise Certificate Authority. For the purpose of this article, I am going to assume that your FTP server is a member of the same Active Directory forest as your Enterprise Certificate Authority.
    To request the necessary certificate, open Internet Explorer, and enter the URL that is associated with your Enterprise Certificate Authority. By default, the URL is https://<server name>/CertSrv. When entering this URL, you will usually have to enter your Enterprise Certificate Authority’s fully qualified domain name rather than just entering the server’s NetBIOS name.
    Once you enter the Enterprise Certificate Authority’s URL, log into the Active Directory Certificate Services Web site as a domain administrator (if necessary). After doing so, click on the Request a Certificate link. You should now see a screen asking you if you would like to request a user certificate, or if you would like to submit an advanced certificate request. Click on the Advanced Certificate Request option.
    The following screen gives you a choice of issuing a request directly to the certificate authority or of uploading a certificate request file that is encoded in Base-64 or in PKCS #10 format. Click on the Create and Submit a Request to This CA link.
    At this point, you may be prompted to install an ActiveX control. If that happens, go ahead and install the control and allow it to run.
    You should now be at the main Advanced Certificate Request screen. Select the Web Server option from the Certificate Template drop down list. You must now enter some basic identification information that can be included within your certificate. This includes things such as your name, E-mail address, mailing address, and phone number.
    In the Key Options section, choose the option to Create a New Key Set. You should also verify that the Cryptographic Service Provider (CSP) is set to Microsoft RSA SChannel Cryptographic Provider, and that the Key Size is set to 1024, as shown in Figure A.

    Figure A: You must make sure that the Cryptographic Service Provider (CSP) is set to Microsoft RSA SChannel Cryptographic Provider, and that the Key Size is set to 1024
    Now, scroll down to the bottom of the interface, and click the Submit button. You should see a warning message telling you that the Web site is trying to generate a certificate request. Click Yes to allow the request to go through. When the process completes, you should see a message telling you that a certificate was issued to you, and asking you if you want to install it. Go ahead and click the Install This Certificate link. Once again, you will see a warning message telling you that the Web site is attempting to install a certificate. Click Yes to allow the operation.
    You should see a message telling you that the certificate was installed successfully, but we need to make sure. To do so, enter the MMC command at the Run prompt on your FTP server. When you do, Windows will open an empty instance of the Microsoft Management Console. At this point, you must choose the Add / Remove Snap-In command from the console’s File menu. This will cause Windows to display the Add or Remove Snap-ins dialog box.
    Choose the Certificates option from the list of available snap-ins, and click the Add button. You will now be asked if the console should be used to manage certificates for your user account, a service account, or the computer account. Choose the Computer Account option, and click the Next button.
    The following screen will ask you if you want to manage certificates for the local computer, or if you want to manage certificates for another computer on the network. Make sure that the Local Computer option is selected, and then click the Finish button, followed by the OK button.
    The console should now load the Certificates snap-in. You must now navigate through the console tree to Console Root | Certificates (Local Computer) | Personal | Certificates. When you select the Certificates container, the Details pane should show you the certificate that has been issued.
    Enabling SSL for the FTP Server

    Now that we have an SSL certificate, we can enable SSL encryption for our FTP server. To do so, open the Internet Information Services (IIS) Manager. Navigate through the console tree to <your server> | Sites | <your FTP site>. With your FTP site selected, double click on the FTP SSL settings icon, located in the Details pane.
    The console should now display the FTP SSL Settings page. Select your SSL certificate from the SSL Certificate drop down list, as shown in Figure B. You then have the option of either allowing SSL connections or of requiring SSL connections. You can also choose to use 128 bit encryption for stronger security. Click the Apply button to save your changes.

    Figure B: Select your certificate from the SSL Certificates drop down list.
    To Use SSL or not to use SSL?

    At first, having the option to use SSL for your FTP site probably sounds like a no brainer. After all, encryption is a good thing, right? Not necessarily.
    One of the drawbacks to using SSL encryption is that the encryption process increases the CPU’s workload. The extra workload is probably worth it if you are transmitting sensitive information back and forth, or if the FTP site is only used occasionally. If you anticipate the FTP site being heavily used though, then it is a good idea to do some testing to make sure that the encryption process is not going to cause performance problems for the server.
    I recommend monitoring the Performance Monitor’s Processor / %Processor Time counter both before and after SSL encryption is enabled. Spikes in CPU activity are normal, but the average utilization should remain below 80%. Otherwise, it means that the CPU is having trouble keeping up with the demands that are being made of it.
    Conclusion

    Having the ability to encrypt your FTP site is nice, but it is not everything. Without proper security it is still possible for someone to log onto your FTP site anonymously, even if SSL encryption is enabled. In Part 4, I will conclude the series by discussing authorization for FTP sites.



    PART-4



    Introduction

    So far in this series, I have shown you how to create an FTP site that users can access over a secure SSL session. SSL encryption is not everything though. Without the proper authorization mechanisms in place, it is still possible for anonymous users to access your FTP site. In this article, I want to conclude the series by talking about authorization as it applies to FTP sites in IIS 7.0.
    Authentication

    You cannot really perform any type of authorization unless you are also performing authentication.
    Open the Internet Information Services (IIS) Manager, and navigate through the console tree to <your server> | Sites | <your FTP site>. Next, double click on the FTP Authentication icon, located in the console’s middle pane. As you can see in Figure A, you have a choice of enabling either Anonymous Authentication or Basic Authentication. For our purposes, we need to enable Basic Authentication. Therefore, right click on the Basic Authentication option, and then select the Enable option from the shortcut menu.

    Figure A: You must enable Basic Authentication
    Authorization

    Authentication establishes the user’s identity, but now we need to take some steps to determine whether or not the user is going to be allowed to access the FTP site. If the user is allowed to access the site, then authorization dictates whether or not the user is allowed to perform the action that they are attempting.
    There are a couple of different forms of authorization that are supported for FTP sites. You can perform authorization by domain and IP address or by user and group name.
    Address and Domain Name Restrictions

    Address and domain name restrictions are usually used when users access the site anonymously, but can be used in conjunction with basic authentication to provide an extra degree of security. Adding a domain or IP address restriction is really easy to do. With your FTP site selected, double click on the FTP IPv4 Address and Domain Restrictions icon, located in the center column.
    When the console switches to Features View, right click on an empty area in the center pane, and then choose either the Add Allow Entry or the Add Deny Entry option from the shortcut menu. Both options work in the same way, but one will grant access to the specified address or domain, while the other will block access.
    When prompted, simply enter either the IP address or the domain name that you wish to base the rule on. As you can see in Figure B, you have the option of specifying either a single IP address, or an entire IP address range.

    Figure B: You can create an authorization rule based on IP addresses or domain names
    As you look at the figure above, you might notice that there is no field to specify a domain name. The reason for this is that domain name restriction rules place a huge burden on the server because each connection requires a reverse DNS lookup in order to determine the domain name that is associated with the IP address. Therefore, Microsoft hides the domain name option by default.
    If you want to enable domain name rules, then right click in an empty area of the Features View pane, and then choose the Edit Feature Settings command from the shortcut menu. Doing so will cause Windows to display a dialog box that allows you to set the default behavior for unspecified connections to either Allow or to Deny. Besides controlling the FTP server’s default behavior though, the dialog box also contains a check box that you can use to enable domain name restrictions, as shown in Figure C.

    Figure C: You can use the Edit IPv4 Addresses and Domain Restriction Settings dialog box to enable domain name restrictions
    FTP Authorization Rules

    Normally, if you are going to be performing basic authentication on FTP connections, you will use FTP authorization rules to control who is able to do what. You can access the FTP authorization rules by selecting your FTP site in the IIS Manager console, and then double clicking on the FTP Authorization Rules icon, found in the console’s middle pane.
    Once the console switches to Features view, you can create an FTP Authorization Rule by right clicking in an empty area of the console’s middle pane, and then choosing either the Add Allow Rule or the Add Deny Rule command from the shortcut menu.
    Setting up a rule is pretty simple. If you look at Figure D, you can see that a rule basically just consists of a user or a group to whom the rule will apply, and a permission. For example, a rule can be applied to All Users, All Anonymous Users, Specified User Groups (such as Admins, Users, or Guests), or to specific users.

    Figure D: You must specify a user or a group of users, and then specify a permission
    Even though the console will allow you to do so, I recommend that you never apply rules to individual users. Otherwise, managing permissions could turn into a logistical nightmare. You are always better off either specifying a group or using one of the other available options.
    Setting a permission could not be any easier. All you have to do is select the Read check box, the Write check box, or both. One thing that you must keep in mind though, is that these are IIS level permissions. There will almost always also be NTFS permissions that apply to the folder that the FTP site is using. You must ensure that the NTFS permissions are adequate to allow the specified users to access the FTP site or else the permissions that you set through IIS won’t matter.
    Directory Browsing

    Although it seems a little strange (at least to me it does), you cannot use authorization rules to control directory browsing. For that you will have to select your FTP site in the IIS Manager console, and then double click on the FTP Directory Browsing icon located in the console’s middle column.
    As you can see in Figure E, you can display the directory listing in either MS-DOS style, or in UNIX style. There is not an option to disable directory browsing though. If you want to disable directory browsing, then make sure that you do not assign users the Read permission when you create an authorization rule.

    Figure E: You can customize directory browsing for the FTP site to make the server look like a DOS (Windows) server or a UNIX server
    In addition to controlling the directory style, you also have the option of displaying virtual directories, the number of available bytes in the directory, and four digit years, all by selecting the corresponding check boxes.
    Conclusion

    As you can see, setting up an FTP site in IIS 7.0 is pretty straightforward. The main things that you need to remember are that SSL encryption does not take the place of authentication and authorization, and that the permissions that you set through the IIS console do not override NTFS permissions.
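
An added example, not part of the posts above or of the article they quote: a Python check that reads an applicationHost.config-style file and flags the FTP settings discussed in Parts 2 to 4 (Allow versus Require SSL, anonymous authentication, Basic authentication without mandatory SSL, per-user authorization rules, reverse DNS lookups). The site names, users, groups and certificate hash in the sample are constructed placeholders, and the finding names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like %windir%\System32\inetsrv\config\applicationHost.config.
# Site names, users, groups and the certificate hash are placeholders.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings><binding protocol="http" bindingInformation="*:80:" /></bindings>
      </site>
      <site name="ExampleFtp" id="2">
        <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
        <ftpServer>
          <security>
            <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" serverCertHash="PLACEHOLDER" />
            <authentication>
              <anonymousAuthentication enabled="true" />
              <basicAuthentication enabled="true" />
            </authentication>
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="ExampleFtp">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" users="alice" permissions="Read, Write" />
          <add accessType="Allow" roles="FtpUploaders" permissions="Read, Write" />
          <add accessType="Allow" users="?" permissions="Read" />
        </authorization>
        <ipSecurity allowUnlisted="true" enableReverseDns="true" />
      </security>
    </system.ftpServer>
  </location>
</configuration>
"""


def _on(parent, tag):
    # Assumption: an absent element or attribute means the method is disabled.
    node = parent.find(tag) if parent is not None else None
    return node is not None and node.get("enabled", "false").lower() == "true"


def audit_ftp_sites(config_xml):
    """Return {site name: [(finding id, detail), ...]} for sites with an FTP binding."""
    root = ET.fromstring(config_xml)
    report = {}
    for site in root.iterfind("system.applicationHost/sites/site"):
        if not any(b.get("protocol") == "ftp" for b in site.iterfind("bindings/binding")):
            continue
        name, out = site.get("name"), []
        ssl = site.find("ftpServer/security/ssl")
        policy = {a: ssl.get(a) if ssl is not None else None
                  for a in ("controlChannelPolicy", "dataChannelPolicy")}
        for attr, value in policy.items():
            if value != "SslRequire":  # "Allow SSL" still accepts cleartext sessions
                out.append(("SSL_NOT_REQUIRED", f"{attr}={value or 'unset'}"))
        auth = site.find("ftpServer/security/authentication")
        if _on(auth, "anonymousAuthentication"):
            out.append(("ANONYMOUS_AUTH", "anonymous logons accepted, SSL or not"))
        if _on(auth, "basicAuthentication") and policy["controlChannelPolicy"] != "SslRequire":
            out.append(("BASIC_AUTH_CLEARTEXT", "logon may cross a cleartext control channel"))
        for loc in root.iterfind("location"):
            if loc.get("path") != name:
                continue
            for rule in loc.iterfind("system.ftpServer/security/authorization/add"):
                if rule.get("accessType") != "Allow":
                    continue
                for user in filter(None, (u.strip() for u in rule.get("users", "").split(","))):
                    if user == "?":  # "?" stands for all anonymous users
                        out.append(("ANONYMOUS_RULE", rule.get("permissions", "")))
                    elif user != "*":  # the article recommends groups over individual users
                        out.append(("PER_USER_RULE", user))
            ip = loc.find("system.ftpServer/security/ipSecurity")
            if ip is not None and ip.get("enableReverseDns", "false").lower() == "true":
                out.append(("REVERSE_DNS", "a reverse DNS lookup runs for each connection"))
        report[name] = out
    return report
```

NTFS permissions on the site's physical path are not stored in this file, so they still have to be reviewed separately on the folder itself.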



