Creating and Configuring FTP Sites in Windows Server 2003

In this article we'll walk you through the steps of creating FTP sites in
Windows Server 2003 using both Internet Services Manager and
scripts. The tutorial will also explain how to perform common
administration tasks involving FTP sites and how to implement
FTP User Isolation, a new feature of Windows Server 2003 that enables
users to have their own separate FTP home directories.

Published: Aug 11, 2004
Updated: Aug 11, 2004
Section: Articles & Tutorials :: Windows 2003
Author: Mitch Tulloch

In a previous article we saw that Internet Information Services 6 (IIS 6) is a powerful platform
for building and hosting web sites for both the Internet and corporate intranets. IIS 6 is
equally useful for setting up FTP sites for either public or corporate use, and in this article we'll
walk through the process of creating and configuring FTP sites using both the GUI (IIS
Manager) and scripts included in Windows Server 2003. The specific tasks we'll walk through in
this article are:

- Creating an FTP Site
- Controlling Access to an FTP Site
- Configuring FTP Site Logging
- Stopping and Starting FTP Sites
- Implementing FTP User Isolation

To keep things interesting, we'll again explain these tasks in the context of a fictitious company called
TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the
Internet.

Preliminary Steps
As mentioned in the previous article, IIS is not installed by default during a standard installation
of Windows Server 2003, and if you installed IIS using Manage Your Server as described in the
previous article this installs the WWW service but not the FTP service. So before we can create
FTP sites we first have to install the FTP service on our IIS machine. To do this, we need to add
an additional component to the Application Server role we assigned our machine when we used
Manage Your Server to install IIS.

Begin by opening Add or Remove Programs in Control Panel and selecting Add/Remove
Windows Components. Then select the checkbox for Application Server.

Click Details and select the checkbox for Internet Information Services (IIS).

Click Details and select the checkbox for File Transfer Protocol (FTP) Services.

Click OK twice and then Next to install the FTP service. During installation you'll need to insert
your Windows Server 2003 product CD or browse to a network distribution point where the
Windows Server 2003 setup files are located. Click Finish when the wizard is done.

Creating an FTP Site


As with web sites, the simplest approach to identifying each FTP site on your machine is to
assign each of them a separate IP address, so let's say that our server has three IP addresses
(172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create
a new FTP site for the Human Resources department, but before we do that let's first examine
the Default FTP Site that was created when we installed the FTP service on our machine. Open
IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on
Default FTP Site and select Properties.

Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned.
This means any IP address not specifically assigned to another FTP site on the machine opens
the Default FTP Site instead, so right now opening either ftp://172.16.11.210, ftp://172.16.11.211
or ftp://172.16.11.212 in Internet Explorer will display the contents of the Default FTP Site.

Let's assign the IP address 172.16.11.210 for the Human Resources FTP site and make D:\HR
the folder where its content is located. To create the new FTP site, right-click on the FTP Sites
node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type
a description for the site.

Click Next and specify 172.16.11.210 as the IP address for the new site.

Click Next and select Do not isolate users, since this will be a site that anyone (including guest
users) will be free to access.

Click Next and specify C:\HR as the location of the root directory for the site.

Click Next and leave the access permissions set at Read only as this site will only be used for
downloading forms for present and prospective employees.

Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now
be seen in IIS Manager under the FTP Sites node.

To view the contents of this site, go to a Windows XP desktop on the same network and open the
URL ftp://172.16.11.210 using Internet Explorer.

Note in the status bar at the bottom of the IE window that you are connected as an anonymous
user. To view all users currently connected to the Human Resources FTP site, right-click on the
site in Internet Service Manager and select Properties, then on the FTP Site tab click the Current
Sessions button to open the FTP User Sessions dialog.

Note that anonymous users using IE are displayed as IEUser@ under Connected Users.

Now let's create another FTP site using a script instead of the GUI. We'll create a site called
Help and Support with root directory C:\Support and IP address 172.16.11.211:

Here's the result of running the script:

The script we used here is Iisftp.vbs. Like Iisweb.vbs and Iisvdir.vbs, which we discussed
in the previous article, it is one of several IIS administration scripts available when you install IIS
on Windows Server 2003. A full syntax for this script can be found here. Once you create a new
FTP site using this script you can further configure the site using IIS Manager in the usual way.

Note: At this point you could add structure to your FTP site by creating virtual directories, and
this is done in the same way as was described in the previous article for working with web sites.

Controlling Access to an FTP Site


Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS
Permissions, IIS permissions, IP address restrictions, and authentication method. NTFS
permissions are always your first line of defense but we can't cover them in detail here. IIS
permissions are specified on the Home Directory tab of your FTP site's properties sheet.

Note that access permissions for FTP sites are much simpler (Read and Write only) than they are
for web sites, and by default only Read permission is enabled, which allows users to download
files from your FTP site. If you allow Write access, users will be able to upload files to the site as
well. And of course access permissions and NTFS permissions combine the same way they do
for web sites.

Like web sites, IP address restrictions can be used to allow or deny access to your site by clients
that have a specific IP address, an IP address in a range of addresses, or a specific DNS name.
These restrictions are configured on the Directory Security tab just as they are for web sites, and
this was covered in the previous article so we won't discuss them further here.

FTP sites also have fewer authentication options than web sites, as can be seen by selecting the
Security Accounts tab.

By default Allow anonymous connections is selected. This is fine for public FTP sites on the
Internet, but for private FTP sites on a corporate intranet you may want to clear this checkbox to
prevent anonymous access to your site. Clearing this box has the result that your FTP site uses
Basic Authentication instead, and users who try to access the site are presented with an
authentication dialog box.

Note that Basic Authentication passes user credentials over the network in clear text, which
means FTP sites are inherently insecure (they don't support Windows integrated authentication).
So if you're going to deploy a private FTP site on your internal network, make sure you close
ports 20 and 21 on your firewall to block incoming FTP traffic from external users on the
Internet.

Configuring FTP Site Logging


As with web sites, the default logging format for FTP sites is the W3C Extended Log File
Format, and FTP site logs are stored in folders named

%SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn

where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the
Microsoft Log Parser, part of the IIS 6.0 Resource Kit Tools, to analyze these FTP site logs.
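
Because FTP credentials cross the network in clear text, the FTP logs are worth reviewing for repeated failed logons. The following is an added example, not part of the original article: a small Python script that reads the W3C Extended format using its #Fields directive and reports client IPs with repeated 530 (not logged in) replies to PASS. The sample log is constructed, and the script assumes the FTP service writes the command as [session]VERB in the cs-method field.

```python
import re
from collections import defaultdict

# Constructed sample log (not taken from a real server). Assumed layout:
# the fields named in #Fields, with cs-method written as "[session]VERB".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-08-11 14:02:10
#Fields: time c-ip cs-method cs-uri-stem sc-status
14:02:10 172.16.11.50 [1]USER anonymous 331
14:02:10 172.16.11.50 [1]PASS IEUser@ 230
14:03:01 172.16.11.77 [2]USER TESTTWO\\bsmith 331
14:03:02 172.16.11.77 [2]PASS - 530
14:03:09 172.16.11.77 [2]USER TESTTWO\\bsmith 331
14:03:10 172.16.11.77 [2]PASS - 230
14:05:40 172.16.11.99 [3]USER TESTTWO\\bsmith 331
14:05:40 172.16.11.99 [3]PASS - 530
14:05:41 172.16.11.99 [3]USER TESTTWO\\mjones 331
14:05:41 172.16.11.99 [3]PASS - 530
14:05:42 172.16.11.99 [3]USER TESTTWO\\administrator 331
14:05:42 172.16.11.99 [3]PASS - 530
"""

SESSION_RE = re.compile(r"^\[(\d+)\](\w+)$")  # e.g. "[3]PASS"


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or garbled lines
                yield dict(zip(fields, values))


def failed_logons(records, threshold=3):
    """Map client IP -> account names tried, for IPs with >= threshold failed PASS."""
    pending = {}                    # (ip, session) -> name from the last USER
    failures = defaultdict(list)
    for rec in records:
        match = SESSION_RE.match(rec.get("cs-method", ""))
        if not match:
            continue
        session, verb = match.group(1), match.group(2).upper()
        key = (rec["c-ip"], session)
        if verb == "USER":
            pending[key] = rec["cs-uri-stem"]
        elif verb == "PASS" and rec["sc-status"] == "530":   # 530 = not logged in
            failures[rec["c-ip"]].append(pending.get(key, "?"))
    return {ip: sorted(set(names)) for ip, names in failures.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in failed_logons(parse_w3c(SAMPLE_LOG)).items():
        print(ip, "failed logons for:", ", ".join(names))
```
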

Stopping and Starting FTP Sites


If an FTP site becomes unavailable you may need to restart it to get it working again, which you
can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start.
From the command-line you can type net stop msftpsvc followed by net start msftpsvc or use
iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as any
users currently connected to the site will be disconnected.

Implementing FTP User Isolation


Finally, let's conclude by looking at how to implement the new FTP User Isolation feature of IIS
in Windows Server 2003. When an FTP site uses this feature, each user accessing the site has an
FTP home directory that is a subdirectory under the root directory for the FTP site, and from the
perspective of the user their FTP home directory appears to be the top-level folder of the site.
This means users are prevented from viewing the files in other users' FTP home directories,
which has the advantage of providing security for each user's files.

Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff Folders
as the root directory for the site and 172.16.11.212 for the site's IP address. Start the FTP Site
Creation Wizard as we did previously and step through it until you reach the FTP User Isolation
page and select the Isolate users option on this page:

Continue with the wizard and be sure to give users both Read and Write permission so they can
upload and download files.

Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones), who have
accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP
home directories on your server, first create a subfolder named \TESTTWO beneath \Staff
Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the
\Accounts folder. Your folder structure should now look like this:

C:\Staff Folders
    \TESTTWO
        \bsmith
        \mjones

To test FTP User Isolation let's put a file named Bob's Document.doc in the \bsmith subfolder and
Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop and open
Internet Explorer and try to open ftp://172.16.11.212, which is the URL for the Staff FTP site we
just created. When you do this an authentication dialog box appears, and if you're Bob then you
can enter your username (using the DOMAIN\username form) and password.

When Bob clicks the Log On button the contents of his FTP home directory are displayed.

Note that when you create a new FTP site using FTP User Isolation, you can't convert it to an
ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly, an ordinary FTP
site can't be converted to one using FTP User Isolation.

We still need to explore one more option and that's the third option on the FTP User Isolation
page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've
run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211.
One way we can do this is by opening a command prompt and typing iisftp /delete "Help and
Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again
and select the third option mentioned above (we'll name this new site Management).

Click Next and enter an administrator account in the domain, the password for this account, and
the full name of the domain.

Click Next and confirm the password and complete the wizard in the usual way. You'll notice
that you weren't prompted to specify a root directory for the new FTP site. This is because when
you use this approach each user's FTP home directory is defined by two environment variables.
The first is %ftproot%, which defines the root directory and can be anywhere, including a UNC
path to a network share on another machine such as \\test220\docs. The second is %ftpdir%,
which can be set to %username% so that, for example, Bob Smith's FTP home directory would be
\\test220\docs\bsmith, and this folder would have to be created beforehand for him. You could set
these environment variables using a logon script and assign the script using Group Policy, but
that's beyond the scope of this present article.

Summary
In this article I've explained how to create and configure FTP sites in various ways on IIS 6.
With the exception of FTP User Isolation, everything we've covered here also applies to IIS 5 on
Windows 2000. If you want to learn more about IIS 6 and its capabilities, see my book IIS 6
Administration (Osborne/McGraw-Hill).

About Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration,
networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP)
status by Microsoft for his outstanding contributions in supporting users who deploy and use
Microsoft platforms, products and solutions. Mitch has written or contributed to two dozen
books and is lead author of the bestselling Windows 7 Resource Kit from Microsoft Press. Mitch
is based in Winnipeg, Canada, and you can find more information about his books at his website
www.mtit.com
