Securing FTP Sites Using FTP Publishing Service for IIS 7.0

If users who aren’t part of your corporate intranet need to transfer files to or from a server on your network, FTP might spring to mind as a common solution. Although previous versions of Microsoft IIS included an FTP server, user credentials and data were transmitted in clear text, introducing significant risk if used over an un-trusted network. The FTP Publishing Service for IIS 7.0 includes several security enhancements that help mitigate the risks of using FTP, such as the ability to tunnel FTP over SSL (FTPS), the ability to configure usernames and passwords independently of Windows and Active Directory (AD) for managing access to websites, and the ability to log more detailed information. In this article, we’ll look at how to use the FTP Publishing Service for IIS 7.0 to secure FTP sites, as well as how to configure User Isolation, which restricts users to their home directory in a given FTP site.

IIS was overhauled for Windows Server 2008, but so many changes were planned for FTP that Microsoft couldn’t quite get it ready in time for Server 2008’s release to manufacturing (RTM). (The version of FTP that’s included with Server 2008 is based on FTP from IIS 6.0.) However, the FTP Publishing Service for IIS 7.0 is now available as an out-of-band release, and can be downloaded from
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619.

The instructions in this article should be carried out on a standalone Server 2008 box. Note that the IIS server role defaults should be installed before running the FTP Publishing Service for IIS 7.0 package. There’s no need to install FTP from the Server 2008 installation disc. If you’ve installed FTP from the disc, you’ll need to remove it before running the updated FTP server package. Furthermore, a third-party FTP client that supports FTPS, such as CuteFTP, will be required to verify that your configuration is working correctly.

Configuring an FTP Site with SSL
Support for FTPS is the most important addition to FTP in IIS 7.0. FTPS can be used to securely transmit credentials and/or data across un-trusted networks. When configuring FTPS, you can enforce SSL or let the client choose if credentials and/or data are encrypted. Let’s start by creating a folder and a self-signed certificate for our new FTP site.

In your production environment, you should use a certificate created by Server 2008 or a third-party Certification Authority (CA), as self-signed certificates are intended for test environments only. To generate a certificate, you must first log on to your server as an administrator. Then open Server Manager from the Start menu and go to Configuration, Local Users and Groups. Now right-click Groups and select New Group from the context menu. Name the group FTP Users and add a user account (e.g., user1) to the group. Click Create and close Server Manager.

Then, create a new folder in c:inetpub named ftpsite1. Right-click the folder and select Properties from the menu. Then select the Security tab and click Edit. Click Add, type ftp users into the Select Users or Groups dialog box, and click OK. Then set the Allow permissions to include Modify and click OK.

Next, open IIS Manager from Administrative Tools on the Start menu. Highlight your server in the left pane of Microsoft Management Console (MMC) under Connections and double-click Server Certificates in the central pane under IIS as Figure 1 shows. Under Actions click Create Self-Signed Certificate. Give the certificate a name (e.g., FTP Cert) and click Next. The new certificate should appear in the central pane under Server Certificates. Under Connections, expand the node for your server, right-click Sites, and select Add FTP Site. Enter FTPSITE1 for the site name and c:inetpubftpsite1 as the path for the folder that we created under Content Directory and click Next. Then select the self-signed certificate (FTP Cert) from the drop-down menu at the bottom of the Binding and SSL Settings dialog box and click Next. Then select Basic under the Authentication section of the Authentication and Authorization Information dialog box and select Specified roles or user groups from the Allow access to drop-down menu. In the empty box under the Allow access to drop-down menu, type the name of the group that we created (ftp users). Select the Read and Write check boxes (as Figure 2 shows) and click Finish.

Now, expand Sites under Connections and you should see the new FTP site listed. Highlight FTPSITE1 and double-click FTP Settings in the central pane. Under SSL Policy select Custom and click Advanced. The Advanced SSL Policy dialog box lets you configure whether the FTP client can choose if data is encrypted for the control and data channels. The control channel is responsible for transmitting user credentials. For this example, leave the default settings and click OK. Then, highlight FTPSITE1 under Sites and double-click FTP Authentication. Finally, select Basic Authentication in the central pane and click Enable under Actions on the right.

Finally, connect to your FTP site using your FTP client. For the sake of simplicity, run the client on the FTP server itself. For this example, you can safely ignore any certificate-related warnings. In your FTP client, type localhost for the address of your FTP server, and then enter the username and password for user1. Figure 3 shows the settings in CuteFTP when connecting to the server using FTPS. You can download CuteFTP from http://www.cuteftp.com.

Configuring Authentication for IIS Manager Users
There might be situations in which you want to grant a user access to an FTP site but don’t want to create a local or AD user account. For example, you might need to provide FTP access to a business partner who doesn’t require any other access to your systems. IIS 7.0 includes a new feature that lets the IIS Management Service have its own users, which are independent from Windows and can be used for authorization to IIS and/or FTP sites.

This feature requires the IIS Management Service to be pre-installed on your server, so if you haven’t already installed it, you need to add it from Server Manager. To do so, log on as an administrator and open Server Manager from the Start menu. Then click Roles under Server Manager in the left pane and scroll down to Role Services. If Management Service is listed as Not installed, then click Add Role Services. In the Select Role Services dialog box, select Management Service under Management Tools. Now, click Add Required Features in the pop-up dialog box, Next in the Select Role Services dialog box, and Install on the final screen.

IIS Manager users are used primarily for connecting remotely to the Management Service for administration of IIS and FTP. IIS Manager users authenticating to an FTP site is a secondary function of this feature. To configure IIS Manager, open IIS Manager from Administrative Tools on the Start menu. Then highlight your server under Connections. In the central pane, select the Enable remote connections check box and the Windows credentials or IIS Manager credentials radio button, as shown in Figure 4. In the Connections section, select your self-signed certificate (FTP Cert) from the SSL certificate drop-down menu. Click Apply in the Actions pane, and then click Start to start the IIS Management Service.
 Next, configure the FTP server to accept authentication requests from IIS Manager users. To do so, expand Sites (located in the Connections section of the IIS Manager window) under your server and select FTPSITE1. Double-click FTP Authentication in the central pane and then Custom Providers in the Actions section. In the Custom Providers dialog box, select the IisManagerAuth check box and click OK. IisManagerAuth should now be showing an Enabled status in the central pane.

Now that the appropriate features are installed, you can configure some users in IIS Manager. First, highlight your server under Connections, scroll down to Management in the central pane, and double-click IIS Manager Users. Click Add User under Actions. Enter a username (e.g., remoteuser) and password and click OK. Highlight FTPSITE1 under Connections and double-click IIS Manager Permissions in the central pane. Click Allow User under Actions. In the Allow User dialog box, select IIS Manager and click Select. Select remoteuser from the list and click OK twice. Highlight FTPSITE1 under Connections again, but this time double-click FTP Authorization Rules. Then click Add Allow Rule under Actions. Select Specified Users in the Add Allow Authorization Rule dialog box and type remoteuser into the empty box. Under Permissions, select Read and Write and click OK. The new rule should appear under FTP Authorization Rules in the central pane.

The final step is to set NTFS permissions on the FTPSITE1 folder. IIS Manager works with the built-in Network Service to authenticate IIS Manager users to resources. Therefore, we need to grant NTFS Modify permission for the Network Service on the FTPSITE1 folder, and Read permission for the IIS configuration files. To grant NTFS these permissions, open a command prompt as an administrator and run the following four CACLS commands to add ACLs for the Network Service:

cacls "%systemdrive%windowssystem32
inetsrvconfig" /g "network service":r /e

cacls "%systemdrive%windowssystem32
inetsrvconfigredirection.config" 
/g "network service":r /e

cacls "%systemdrive%windowssystem32
inetsrvconfigadministration.config" 
/g "network service":r /e

cacls "%systemdrive%inetpubftpsite1"
/g "network service":c /e

Finally, start your FTP client and connect to FTPSITE1 with the IIS Manager user (remoteuser) and the password you assigned.

Configuring User Isolation
User Isolation was first introduced with IIS 6.0 in Windows Server 2003 and lets you configure one FTP site, while restricting individual users to their own directories. This isolation is achieved by providing each user with his or her own folder at the root of the FTP site, which prevents the user from viewing or overwriting other users’ data higher up the folder hierarchy. When User Isolation is enabled, users are automatically directed to their own folder when accessing the root address for the FTP site, so any data they upload will actually be written to their home directories.

Before enabling User Isolation, you need to create either a physical, or, new to this release of FTP, virtual directory, for each user. In this example, let’s keep it simple and create a physical directory for a user on our server (user1). Using Windows Explorer, create a new folder in c:inetpubftpsite1 called LocalUser. In the LocalUser folder, create a folder called user1. Next, open IIS Manager from Administrative Tools on the Start menu and select FTPSITE1. Then double-click FTP User Isolation in the central pane. Select User name directory (disable global virtual directories) and click Apply under Actions.

User name directory is the default option in FTP 7.0 and lets you use either physical or virtual directories for users’ homes folders. If you want to share a physical folder with multiple users in addition to their home folders, you’ll have to create a virtual directory for each user. The second option, User name physical directory (enable global virtual directories), supports only physical directories. However, users will have access to global virtual directories. In practice, this means that if you create a virtual directory (called Public, for example) in the root of FTPSITE1, users will be able to ”break out” of their home directory and access the folder by typing /Public into their FTP client. If you enable a directory listing of virtual folders and global virtual folders are enabled, users will see your Public directory, and any other global virtual folders, listed in their root logon. This saves them the trouble of having to type the name of the folder. To enable directory listings for virtual folders, select FTPSITE1 under Connections and double-click FTP Directory Browsing in the central pane. Under Directory Listing Options, select Virtual directories and click Apply under Actions. (For more information about virtual directories, see “Virtual Directories: Targeting Local Directories and Network Shares,” September 2002, InstantDoc ID 25930.)

Now connect to the FTP site using credentials for user1. Upload a file and you should see that the file has been added to c:inetpubftpsite1localuseruser1, as opposed to the root of the site. Figure 5 shows the Public global virtual directory listed in the root logon for user1. For extra security, you can configure NTFS permissions on user1’s folder to ensure that only user1 has access locally. If you want to configure User Isolation for domain users, you should substitute LocalUser for a folder with the same name as your domain.

Improved Logging
In the FTP Publishing Service for IIS 7.0, you can log more detailed information, such as all FTP traffic by session, than you could in previous versions of FTP. Although available only for users who are logged on to the server locally, more detailed error messages are displayed, such as an explanation why a user can’t log on, which might be useful for troubleshooting problems. In addition, information such as failed logons and other error status messages are recorded in the Windows Security Event Log, courtesy of Event Tracing for Windows (ETW).

Securely Transfer Sensitive Data
Enabling FTPS means that you no longer have to worry about exposing sensitive information or credentials, and there’s an added degree of flexibility with support for authentication using IIS Manager users. An external IP address and port range can be configured for Passive mode connections in the event that users need to access a server located behind a Network Address Translation (NAT) firewall using FTPS, as FTP-aware firewalls and routers won’t be able to inspect the encrypted control channel. It’s also worth noting that FTP now supports IPv6, and anonymous connections to FTP sites are disabled by default. And as in previous versions of FTP, the ability to restrict access by IP address or domain name is available.