
HowTo Setup FTP in Windows 2000



Jesse Burkhardt - begun on 2001/11/08

last modified on 2001/11/11


1. Configure the Default FTP Server

Your FTP server may require a few tweaks depending on the nature of your Windows 2000 installation. You will need to open the Internet Information Services Manager (IIS). Click on Start > Programs > Administrative Tools > Internet Information Services:



Select the FTP Site tab and make sure to supply the relevant IP address of your FTP serving machine. Click the Apply button. (You may optionally change the site name.)



Then select the Home Directory tab and browse to the physical drive and directory where your FTP service will originate, sometimes known as the FTP server root - drive F: in this example. I recommend turning on Write privileges, which can then be limited on a per-user basis. (See Setting User privileges below.) Click the Apply button to save your edits.



If your FTP server is stopped you may now start it by right clicking on the FTP server entry in the IIS Manager and clicking the Start selection.



2. Create the FTP User

The first thing to do in setting up FTP access for a user is to create the actual FTP user. (In normal, non-Microsoft parlance this is the same as creating an FTP account.) This is done through the Computer Management interface.

Click on Start > Programs > Administrative Tools > Computer Management, causing the following interface to display:



Right click on the Users folder and select New User, yielding the following. You may want to uncheck "User must change password at next logon" if you are entering a password that the user has selected already.





3. Setting User privileges

It is important to tailor the privileges of each of the users with FTP access to your system. Privileges granted to specifically created users should parallel those given to the IUSR, who is an anonymous, generic user with HTTP access privileges. (The IUSR must exist for the public at large to be able to visit a web site running on an IIS-based web server.) I have written a related document, skyBuilders Security Policy, which discusses file permissions security and the user privileges associated with directory structures.

Access to FTP virtual directories may be established in the same manner that virtual directories are deployed within the physical directory hierarchy of a web site. This virtual to physical directory correspondence is used to create navigation barriers within the web site or FTP site directory structure. This navigation barrier prevents an FTP user from traversing a directory tree beyond a certain point, known as the FTP virtual server root. Likewise, a web-based virtual directory prevents the IUSR from traversing the web site down beyond a certain point. A virtual directory can only originate from one place associated with the FTP server. The analogy to a web server virtual directory breaks down here in that there can be only one instance of a virtual FTP directory, whereas web server virtual directories can be multiply deployed, but only on a one-per-site basis. It is for this reason we recommend associating an FTP server's origin at the outer drive level, where many web sites' physical origins may lie.

This document will not get into the deployment of virtual directories.


To set directory security privileges for an FTP user you first open an instance of the Windows file explorer. In the case illustrated below we are accessing the F: drive at the outermost (drive) level.



Right clicking on the F: drive entry and selecting Properties will bring you into the drive properties display. Clicking on the Security tab will show the following interface. Click the Add button to add privileges for the FTP user.



Now you will be presented with a user list as is shown next. Find the user previously created, "jesse" as illustrated in the second section above, and select the new user by clicking on him. Then click on the OK button to save the change.



After having clicked the OK button shown in the above picture, you will be placed back into the prior properties interface. Select the newly added user, "jesse", and uncheck the Read & Execute and List Folder Contents checkboxes, making sure that only Read privileges have been selected, as highlighted.



After clicking the Apply button the resulting display should look as follows:



Now click the Advanced button for the next display.



Click the View/Edit button to ensure the privileges have been properly applied. As you see, incredibly, this security privileges interface routinely fails to apply the selected privileges correctly. This means we must force them to be correctly applied. The circled privileges are those that should be selected when we have set read only privileges. (Unclick the Reset privileges checkbox if it is checked.)



Your settings should look as follows:



Click the OK button, saving the changes and closing each interface display successively until you are back at the Windows file explorer display.

Next we want to expand the FTP user privileges for the Jesse subdirectory (F:\Inetpub\wwwroot\Jesse) for the user "jesse", first by right clicking on the appropriate subdirectory.



This again brings up a properties display interface. Make sure the Security tab is selected as shown. Add Write privileges and uncheck the Allow inheritable permissions box and click the Apply button.



Unchecking the Allow inheritable permissions checkbox will bring up the following warning display.



Simply click the Copy button and you will revert back to the prior display with the Allow inheritable permissions unchecked.



Clicking the Advanced button will show the following:



Now you must check the Delete Subfolders and Files and the Delete checkboxes to complete the granting of read and write privileges for user "jesse" in the subdirectory tree originating at F:\Inetpub\wwwroot\Jesse. Don't forget to click OK (click Apply first, if the button is not grayed out), saving changes and closing each interface display successively.



The last step involves backing out any privileges that may have inadvertently been given to user "jesse" in places where he should have no privileges at all. For instance, at the level parallel to the subdirectory Jesse there are other subdirectories, e.g. DC, as shown.



Then right click and select Properties to bring up the properties display again, making sure that the Security tab is selected.



Highlight the user to be removed ("jesse" in this case) and click the Remove button. Don't forget to hit the Apply and OK buttons to save and exit the interface setting. Repeat this process on all subdirectories where any FTP privileges were inadvertently granted to unauthorized users.
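
Because the Security dialogs do not always apply what was selected, the result of this section is worth re-checking from a script. The following is an added example, not part of the original article: it assumes a later Windows version with PowerShell 3.0 or newer, uses the account name and paths from the walkthrough above, and the function names Get-UserAllowAce and Test-FtpUserAcl are hypothetical.

```powershell
# Added audit example; not from the original article. Requires PowerShell 3.0+.
# Assumption: account name and paths are the ones in the article's walkthrough.
$User    = 'jesse'
$Root    = 'F:\'
$WebRoot = 'F:\Inetpub\wwwroot'
$UserDir = 'F:\Inetpub\wwwroot\Jesse'

# Rights that change content or permissions; a read-only grant has none of them.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Rights section 3 adds on the user's own directory.
$Needed    = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'

function Get-UserAllowAce {
    param([string]$Path, [string]$Account)
    # Allow entries whose identity is <account> or <machine-or-domain>\<account>.
    $pattern = '(^|\\)' + [regex]::Escape($Account) + '$'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $pattern
    }
}

function Test-FtpUserAcl {
    $findings = @()
    # 1. Drive root: read only, so no write-type bit may be set.
    foreach ($ace in (Get-UserAllowAce $Root $User)) {
        if ([int]$ace.FileSystemRights -band $WriteMask) {
            $findings += "ROOT: $User has write-type rights on ${Root} ($($ace.FileSystemRights))"
        }
    }
    # 2. Own directory: inheritance blocked, write and delete rights present.
    if (-not (Get-Acl -LiteralPath $UserDir).AreAccessRulesProtected) {
        $findings += "USERDIR: $UserDir still inherits permissions from its parent"
    }
    $granted = 0
    foreach ($ace in (Get-UserAllowAce $UserDir $User)) { $granted = $granted -bor [int]$ace.FileSystemRights }
    if (($granted -band $Needed) -ne $Needed) {
        $findings += "USERDIR: $User lacks write/delete rights on $UserDir"
    }
    # 3. Sibling directories: the user should have no entry at all.
    $siblings = Get-ChildItem -LiteralPath $WebRoot -Directory | Where-Object { $_.FullName -ne $UserDir }
    foreach ($dir in $siblings) {
        foreach ($ace in (Get-UserAllowAce $dir.FullName $User)) {
            $findings += "SIBLING: $User on $($dir.FullName): $($ace.FileSystemRights), inherited=$($ace.IsInherited)"
        }
    }
    $findings
}

Test-FtpUserAcl
```

An empty result means all three checks passed. Entries expressed as generic rights are not decoded by the bit masks used here, so review any numeric FileSystemRights values by hand.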
