FTP Directories

[Editor's Note: Share your IIS and Web administration discoveries, comments, problems, solutions, and experiences with products. Email your contributions (500 words or less) to [email protected]. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]

The FTP service is an integral part of IIS. An understanding of the FTP home directory and virtual directories will help you better organize your FTP server.

Just as the IIS World Wide Web Publishing Service does, the IIS FTP service has a default home directory that can be on the IIS server or on a remote computer. When you put the directory on a remote server, the FTP service authenticates connections according to the credentials you supply in the directory's Connect As setting. (To access this setting and other directory properties, open the Microsoft Management Console—MMC—Internet Information Services snap-in, open the Default FTP Site object's Properties dialog box, and go to the Home Directory tab. This setting works in the same way it does for a Web server directory; for more information about the setting, see "Virtual Directories: Targeting Local Directories and Network Shares," September 2002, InstantDoc ID 25930.) You can enable pass-through authentication, which employs a security delegation of the client's credentials to a third machine. (Unlike pass-through authentication for a Web server, pass-through authentication will always work on an FTP directory because the FTP service by default uses a token that supports delegation.) When you place your FTP directories on a server that uses NTFS, you get the added benefit of precise user-access control, which is unachievable on a FAT file system. Last but not least, the FTP server offers virtual directory structures, which can help you simplify control and customization. However, no option exists for redirecting clients to other servers or directories; the FTP protocol doesn't have a provision for redirection.

When a client connects to the FTP server, the server's home directory becomes the client's current working directory. When you map the home directory to the FTP root (i.e., C:inetpubftproot), a user can use the Ls command to get a directory listing of the root directory. If the home directory is inaccessible because of restricted access permissions or a change in the directory structure, IIS logs an error in the System log when clients try to access the directory.

You might prefer to configure the FTP service so that upon connection, users are automatically placed in individual, user-specific subdirectories. (This option is perfect for ISPs that want to let users access FTP sites.) To use this configuration, create a physical directory for each user, name each directory so that it matches the user's logon name, and place the directories directly under C:inetpubftproot. For example, the directory C:inetpubftprootLocalAltoid would become the default directory for the user LocalAltoid, as the FTP session in Figure 1 shows. You can leverage NTFS's capabilities to make sure that each user has the permissions you want. All users must have Read permission on inetpubftproot, but each user can then have full access to his or her directory and no access to other users' directories.

You can use virtual directories to publish the content of physical directories without exposing the physical directories' locations. A nice feature of FTP virtual directories is that they're automatically hidden from client browsers, but users who know the name of a hidden directory can still use the Cd command to access that directory. You can make hidden virtual directories visible to the Ls command. Simply create a physical directory under C:inetpubftproot, and give the physical directory the same name as the virtual directory you want to be visible. Note that the physical directory serves only as a placeholder for the corresponding virtual directory. The Cd command places the user in the virtual directory, so be sure to place all content in the virtual directory and leave the physical directory empty. Any content you place in the physical directory will be inaccessible. For example, suppose I create two virtual directories—the Hidden directory, which maps to C:inetpubFtpVDir1, and the Visible directory, which maps to C:inetpubFtpVDir2—under the FTP home directory. I then create a corresponding physical directory (i.e., C:inetpubftprootvisible) to reveal the Visible virtual directory. Figure 2, page 16, shows the FTP session that an anonymous client would see when using the Ls command, then the Cd command. Anonymous users don't have a preconfigured individual directory and so go directly to the FTP home directory (i.e., C:inetpubftproot) upon connecting to the FTP server. The Ls command shows only two directories: the physical directory I created for the LocalAltoid user and the physical directory I created to correspond to the Visible virtual directory. However, the user has no trouble changing to the Hidden virtual directory.

—Leon Braginski
[email protected]