Part 1: Managing multiple users with one IP Address
In choosing which software to use for managing the server-side of FTP, often times people don't use Microsoft's FTP program because they think that it's too simple or they think that it doesn't do what they want. I'm going to attempt to reveal some of the hidden but powerful features that exist with Microsoft's FTP program. Understanding just a couple basic concepts and putting those concepts to good use will open up a new world of possibility.
I'm not trying to convert the many people that are using another FTP program or try to say that Microsoft's is better. I don't work for Microsoft and I'm not being paid to endorse their product. But for those that aren't happy with their current solution, want to utilize Microsoft FTP better or are diving into this fresh, read on.
I'm assuming that you are somewhat familiar with using Microsoft IIS / FTP. The 10 second description for those coming in brand new is: For those running a version of Windows that includes IIS (Internet Information Services), you already have Microsoft FTP available to you. This is included in Windows NT/2000/2003/XP. Except for Windows NT, use the IIS snap-in found in Start -> Administrative Tools -> Internet Information Services. If you don't have that installed, it can be installed from Add/Remove Programs in the control panel. For some people using Windows XP you won't see Administrative Tools off your Start Menu. You can still find them in your control panel. For those wondering what FTP means, you've probably stumbled across the wrong article.
Let's get started:
Rule #1: If (virdir name = user name) Then (path of virdir takes effect)
Now, what does that mean? Microsoft FTP, which I'll call MS FTP after this, doesn't have an interface like most of us would expect, where you can add a user and point to a particular folder. Instead, it has a strange way of handling this. If the Virtual Directory name is exactly the same as a Windows User's name, then the Virtual Directory will “catch“ the user rather than the root FTP account.
Of course, if you have lots of IP addresses, you can assign one IP address per user and setup multiple sites and then rely on the NTFS permissions to grant or deny access to particular sites. (Note: Windows XP only allows 1 FTP site.) But, even if you do this, there may come a time when you want to use the same IP address for multiple users who will be destined for different locations. For those trying to run a web server with multiple sites and one IP address, you'll benefit the most from this rule. Let me start with an example:
Let's say you have this directory structure:
D:\domains\site1.com
D:\domains\site2.com
D:\domains\site2.com\graphics
And you have 3 users.
- Mike needs access to the root of site1.com
- Sue needs access to the root of site2.com
- Joe needs access to the graphics folder of site2.com
I'll repeat myself because I feel this is important. The trick with MS FTP is that if the Virtual Directory name is the same as a Windows Username, the user will be "caught" by the Virtual Directory and directed to the folder specified in the Virtual Directory.
Example in MS-FTP
Behind the scenes, the “Mike” Virtual Directory is pointing to D:\domains\site1.com, Sue is pointing to D:\domains\site2.com and Joe is pointing to D:\domains\site2.com\graphics.
- If you logged in as Mike, then the Mike virdir would "catch" it and you would be dropped into the D:\domains\site1.com folder.
- Same with Joe or Sue. They would be caught by their corresponding Virtual Directories.
Now, let's say you had another user called Jane. If you logged in as Jane then the settings on the “Default FTP Site“ will handle her because there isn't a Virtual Directory to “catch“ her and direct her elsewhere.
Rule #2: The username used to log in needs List permissions to the root FTP site folder
Even if the Virtual Directory is pointing to a different location, the user that is logging in always needs List permissions to the folder specified in “Default FTP Site“. Yes, it seems strange, but even in IIS6, this is still the case.
So, each user must have read/write permissions, D:\domains\site1.com needs read/write for Matt. D:\domains\site2.com needs read/write for Sue. D:\domains\site2.com\graphics needs read\write for Joe. This is the obvious part.
The non-obvious consideration is if the path of “Default FTP Site“ was D:\domains than that folder needs "List" permissions for all 3 users. Otherwise they won't be able to log in at all.
Tip #1: Set the root FTP account to a dummy location if assigning multiple users
If the path of the “Default FTP Site“ is D:\domains then you have a fairly large security issue with this setup. If you log in as Mike for example, you'll have the option to move up a folder (..) (well, most FTP programs will give you that option). If you do, you'll be dropped into the folder of the “Default FTP Site” root. (d:\domains). As I just mentioned, you are forced to give List permissions for all users which means that every user can view the names of all the sites. If you ever slip up and give too many permissions at the NTFS level your users can potentially access other people's sites.
Fortunately there is an easy solution. Just consider your Master FTP Site root a dummy location that isn't meant to be used for anything practical. Point it to d:\ftproot\dummyfolder or something like that. (I call mine 'deadend'). Give List permissions to the Everyone group on that folder and make sure it's completely empty. Now, you've solved the security issue. If Mike connects with their FTP program and moves up a folder or does a chgdir to '\' he will dropped into d:\ftproot\dummyfolder which is completely empty. You'll never have to worry about users gaining access to d:\domains which is a folder that you want to keep your users out of.
And, in all this, don't forget that every user that will be logging into your FTP account needs to have a Virtual Directory assigned or else they will immediately be placed into the dummyfolder location.
I've covered managing multiple users with a single IP address, required permissions for setting up FTP and given a tip on keeping users out of your confidential folders. There is more to come. In the following 3 weeks I plan to cover: IIS6 User Isolation; Managing Virtual Directories (why can't I see the virtual directory that I created in my FTP program); and how to have a logged in user only see and access some, but not all, of the subfolders in a folder.
by Scott Forsyth is Director of IT at ORCS Web, Inc. - a company that provides managed hosting services for clients who develop and deploy their applications on Microsoft Windows platforms.