The New Features of IIS 6.0's FTP Server
Find out more about some of IIS 6.0's less publicized features.
July 14, 2003
Microsoft Internet Information Services (IIS) 6.0's performance, fault tolerance, and scalability features have received so much press that the less publicized IIS 6.0 features and components tend to get overlooked. One powerful new IIS 6.0 component that doesn't receive enough credit is the feature-rich FTP server, which includes the following new major features:
- Unicode Transformation Format-8 (UTF-8) and Unicode Internet Server API (ISAPI) support–IIS now supports multiple character sets for FTP, a long-awaited feature that resolves a security risk inherent in earlier versions of IIS FTP server. IIS 6.0 includes Unicode and UTF-8 support for filenames and URLs. Active Server Pages (ASP) and ASP.NET can now process any filename by using the Unicode filename string. When IIS 6.0's FTP server receives an incoming UTF-8 URL, the server automatically converts the URL to a Unicode representation and presents it to ASP or ASP.NET.
- VectorSend–Through a feature called VectorSend, IIS 6.0's FTP server supports the transmission of ordered lists of buffers and file handles. Http.sys compiles the buffer(s) into one response buffer within the kernel, then sends the buffer(s). As a result, IIS doesn't have to do buffer reconstruction or multiple write clients, which results in much better performance.
- FTP User Isolation–This feature is one of the most important FTP features for the IIS administrator, and lets an IIS administrator restrict users to their own FTP directories. FTP User Isolation keeps an FTP user from viewing or overwriting Web content by restricting users to their own directories. To prevent FTP users from navigating higher in the FTP directory tree, this feature presents each user's top-level FTP directory as the root of the FTP service. Within his or her own FTP site, the user still can create, modify, or delete files and folders. FTP User Isolation is a site property, not a server property, so IIS administrators can turn FTP User Isolation on or off for individual FTP sites.
Microsoft designed FTP User Isolation for ISPs and application service provider (ASPs) that need to offer their customers individual FTP directories to upload files and Web content. But FTP User Isolation is equally important to companies that want to extend FTP access to their customers, employees, and partners.
FTP User Isolation supports three isolation modes, each of which enables a different level of isolation and authentication. These modes are
- Do not isolate users-FTP User Isolation isn't enabled. This mode is designed to operate with earlier versions of IIS. Because isolation isn't enforced, this mode is ideal for a site that offers only download capabilities for shared content or for sites that don't need to prevent other users from accessing data.
- Isolate users-This mode authenticates FTP users against local or domain accounts before letting them access the home directory that corresponds to their username. All FTP user home directories are in a directory structure under one FTP root directory in which each user is placed and restricted to his or her home directory. Users can't navigate outside their home directory. The IIS 6.0 FTP server lets the IIS administrator establish a virtual root for users who need access to dedicated shared folders. Warning: IIS Server performance can degrade dramatically when this mode is used to create hundreds of home directories, so scalability testing is important when configuring large numbers of FTP home user directories.
- Isolate users using Active Directory-This mode authenticates user credentials against an Active Directory (AD) domain. In the authentication process, when a user's object is located within the AD container, the msIIS-FTPRoot and msIIS-FTPDir properties (attributes) provide the full path to the FTP user's home directory. When the FTP service can access the path, the user is placed within the FTP home directory, which represents the FTP root location. The user sees only his or her FTP root location, and is therefore restricted from navigating up the directory tree. If the msIIS-FTPRoot and msIIS-FTPDir properties (attributes) don't exist in AD or if they don't form a valid and accessible path, the user is denied access. Obviously, this isolation mode requires an AD server that's running on an OS in the Windows Server 2003 family.
The lack of FTP User Isolation has been a huge problem for IIS 5.0 and earlier administrators. FTP User Isolation is easy to set up, configure, and lock down. The three new features of IIS 6.0 FTP server, especially FTP User Isolation, make a compelling case for an IIS administrator to set up, configure, and publish more feature-rich FTP services.
Microsoft Internet Information Services (IIS) 6.0's performance, fault tolerance, and scalability features have received so much press that the less publicized IIS 6.0 features and components tend to get overlooked. One powerful new IIS 6.0 component that doesn't receive enough credit is the feature-rich FTP server, which includes the following new major features:
- Unicode Transformation Format-8 (UTF-8) and Unicode Internet Server API (ISAPI) support–IIS now supports multiple character sets for FTP, a long-awaited feature that resolves a security risk inherent in earlier versions of IIS FTP server. IIS 6.0 includes Unicode and UTF-8 support for filenames and URLs. Active Server Pages (ASP) and ASP.NET can now process any filename by using the Unicode filename string. When IIS 6.0's FTP server receives an incoming UTF-8 URL, the server automatically converts the URL to a Unicode representation and presents it to ASP or ASP.NET.
- VectorSend–Through a feature called VectorSend, IIS 6.0's FTP server supports the transmission of ordered lists of buffers and file handles. Http.sys compiles the buffer(s) into one response buffer within the kernel, then sends the buffer(s). As a result, IIS doesn't have to do buffer reconstruction or multiple write clients, which results in much better performance.
- FTP User Isolation–This feature is one of the most important FTP features for the IIS administrator, and lets an IIS administrator restrict users to their own FTP directories. FTP User Isolation keeps an FTP user from viewing or overwriting Web content by restricting users to their own directories. To prevent FTP users from navigating higher in the FTP directory tree, this feature presents each user's top-level FTP directory as the root of the FTP service. Within his or her own FTP site, the user still can create, modify, or delete files and folders. FTP User Isolation is a site property, not a server property, so IIS administrators can turn FTP User Isolation on or off for individual FTP sites.
Microsoft designed FTP User Isolation for ISPs and application service provider (ASPs) that need to offer their customers individual FTP directories to upload files and Web content. But FTP User Isolation is equally important to companies that want to extend FTP access to their customers, employees, and partners.
FTP User Isolation supports three isolation modes, each of which enables a different level of isolation and authentication. These modes are
- Do not isolate users-FTP User Isolation isn't enabled. This mode is designed to operate with earlier versions of IIS. Because isolation isn't enforced, this mode is ideal for a site that offers only download capabilities for shared content or for sites that don't need to prevent other users from accessing data.
- Isolate users-This mode authenticates FTP users against local or domain accounts before letting them access the home directory that corresponds to their username. All FTP user home directories are in a directory structure under one FTP root directory in which each user is placed and restricted to his or her home directory. Users can't navigate outside their home directory. The IIS 6.0 FTP server lets the IIS administrator establish a virtual root for users who need access to dedicated shared folders. Warning: IIS Server performance can degrade dramatically when this mode is used to create hundreds of home directories, so scalability testing is important when configuring large numbers of FTP home user directories.
- Isolate users using Active Directory-This mode authenticates user credentials against an Active Directory (AD) domain. In the authentication process, when a user's object is located within the AD container, the msIIS-FTPRoot and msIIS-FTPDir properties (attributes) provide the full path to the FTP user's home directory. When the FTP service can access the path, the user is placed within the FTP home directory, which represents the FTP root location. The user sees only his or her FTP root location, and is therefore restricted from navigating up the directory tree. If the msIIS-FTPRoot and msIIS-FTPDir properties (attributes) don't exist in AD or if they don't form a valid and accessible path, the user is denied access. Obviously, this isolation mode requires an AD server that's running on an OS in the Windows Server 2003 family.
The lack of FTP User Isolation has been a huge problem for IIS 5.0 and earlier administrators. FTP User Isolation is easy to set up, configure, and lock down. The three new features of IIS 6.0 FTP server, especially FTP User Isolation, make a compelling case for an IIS administrator to set up, configure, and publish more feature-rich FTP services.
About the Author
You May Also Like