Configuring the FTP 7.5 Features and Properties
The FTP Site Creation Wizard configures the basic settings for an FTP server; however, there is still a need to configure more advanced settings or refine the original ones. Similar to managing websites, you no longer manage property pages by right-clicking the site. The new FTP feature icons have replaced the old-style FTP property pages. The FTP feature icons are installed during the installation process and are located in the Central Details pane, as shown in Figure 4. The new FTP features for configuring basic and advanced FTP properties consist of the following:
Figure 4. The FTP feature icons.
FTP Authentication Feature Page
The FTP Authentication
feature page is utilized to configure authentication methods for FTP
clients. By default, an FTP site does not have authentication configured
and all mechanisms are disabled out of the box. An administrator must
grant the desired authentication to the FTP site. The authentication
mechanisms for FTP consist of the following items:
Anonymous Authentication— This built-in authentication mechanism should be selected when you want to provide public access to an FTP site without having end users pass
Basic Authentication— It is another built-in authentication mechanism for FTP sites. Basic authentication requires the FTP clients to enter a valid Windows user account and password when gaining access to the FTP site. Basic Authentication sends password credentials in clear text, which is a security hazard. As such, implement SSL when using this mechanism to encrypt passwords in transit.
ASP.NET Authentication— The FTP site will provide authorization to FTP clients by having them enter a valid ASP.NET user account and password. This is a custom authentication mechanism that requires a provider and connection string to an ASP.NET user database.
IIS Manager Authentication— This is another custom authentication mechanism similar to ASP.NET. An FTP client must provide a legitimate IIS Manager username and password to gain access to FTP content. Similar to Basic Authentication, the credentials are not encrypted, so it is recommended for this authentication to be used in conjunction with SSL.
Don’t forget that to utilize these authentication mechanisms, the appropriate authentication role services must be installed prior to configuration.
FTP Authorization Rules Feature Page
This page should be used to
manage Allow and Deny authorization rules that control access to FTP
sites. The Actions pane options Add Allow Rule and Add Deny Rule should
be selected to invoke the Allow or Deny Authorization Rule page. After
the page is invoked, rules can be applied to All Users, All Anonymous
Users, Specified Roles or User Groups, and Specified Users. In addition,
the rules are based on Read or Write permissions.
FTP Current Sessions Feature Page
This page should be
used to monitor current sessions for an FTP site. The following elements
are displayed: User Name, Session Start Time, Current Command, Previous
Command, Command Start Time, Bytes Sent, Bytes Received, Session ID,
and Client IP.
FTP Directory Browsing Feature Page
The FTP Directory Browsing page illustrated in Figure 5
is broken out into two sections. The first section is called Directory
Listing Style. The format presentation options include MS-DOS and UNIX.
The second section, Directory Listing Options, controls how directory
information is displayed. The display options include the following:
Virtual Directories— This option allows you to specify whether to include virtual directories.
Available Bytes— This setting controls the display behavior of the available bytes remaining when a disk quota is enabled.
Four-Digit Years— When enabled, this setting displays the last modified date for a file using a four-digit year, such as 1974, and not a two-digit year format, such as 74.
Figure 5. The FTP Directory Browsing feature page.
FTP Firewall Support Feature Page
A new FTP feature associated
with IIS 7.5 is the FTP Firewall Support. This feature allows the server
to accept passive connections when the FTP client is behind a firewall.
An administrator must enter the Data Channel Port Range and External IP
Address of the Firewall settings and then click Apply in the Actions
FTP IPv4 and Domain Restrictions Feature Page
The exact same settings are associated with the FTP IPv4 and Domain Restrictions as for a website in IIS 7.5. The FTP IPv4 and Domain Restrictions feature page should be used to create and manage rules that allow or deny computer networks and IP addresses access to specific web content. It is also possible to enter a single IP address, a range of IP addresses, or a domain name. Finally, rules can be added to a page, site, or inherited from the
FTP Logging Feature Page
The FTP Logging feature
page includes the exact same logging settings as for a website. This
page controls the type of log file to use, the location to be stored,
and the log file rollover settings.
FTP Messages Feature Page
The FTP Messages feature page illustrated in Figure 6
is a great way to create a banner, or welcome and exit message that
will be displayed to FTP users. The message behavior is controlled by
the following elements:
Suppress Default Banner— If enabled, this option displays a default welcome banner. Otherwise, a customizable banner is displayed.
Support User Variables in Messages—
By enabling this setting, user variables such as BytesReceived,
BytesSent, SessionID, SiteName, and UserName are included in the message
Show Detailed Messages for Local Requests—
This setting controls the behavior for displaying FTP error messages.
If enabled, FTP error messages are displayed to the local host.
Figure 6. The FTP Messages feature page.
The next section on
the FTP Messages feature page is called Message Text. The administrator
enters message text in the various text boxes. The message boxes include
Banner, Welcome, Exit, and Maximum Connections.
FTP Request Filtering
The FTP Request Filtering feature page should be used to define the list of Allow or Deny rules based on the specific elements:
File Name Extensions—
This tab allows for the creation of filename extensions for which the
FTP service will either allow or deny access to the site. For example,
an administrator can prevent Internet clients from uploading any files
with the extension of *.txt or *.com.
Hidden Segments— The Hidden Segments tab should be used if you want to hide specific areas of your FTP site. If hidden, the specific section will not be displayed in the directory listings.
Defined URL Sequences— This setting should be used to define the list of URL sequences for which the FTP service will deny access.
Commands— The final tab, Commands, defines the list of commands for which the FTP service will either allow or deny access to further tighten security.
FTP SSL Settings Feature Page
This page should be
utilized for enabling and configuring SSL settings for an FTP site. The
options include a drop-down menu for selecting the SSL certificate you
will use and SSL policy. The SSL Policy options include Allow SSL
Connections, Require SSL Connections, and Advanced Custom Settings. You
will also have the chance to choose whether to use 128-bit encryption
for SSL connections.
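The earlier warning that Basic and IIS Manager authentication send credentials unencrypted can be checked against a server's configuration file. The following Python script is an added example, not part of the original text: it scans applicationHost.config-style XML for FTP sites that accept passwords while the SSL control-channel policy does not require encryption. The element and attribute names follow the IIS FTP configuration schema and do not appear on this page; the sample XML and site names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of applicationHost.config; site names are made up.
SAMPLE_CONFIG = """
<configuration><system.applicationHost><sites>
  <site name="ftp-partners" id="2"><ftpServer><security>
    <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
    <authentication><basicAuthentication enabled="true" /></authentication>
  </security></ftpServer></site>
  <site name="ftp-staff" id="3"><ftpServer><security>
    <ssl controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
    <authentication>
      <basicAuthentication enabled="true" />
      <customAuthentication><providers>
        <add name="IisManagerAuth" enabled="true" />
      </providers></customAuthentication>
    </authentication>
  </security></ftpServer></site>
  <site name="ftp-public" id="4"><ftpServer><security>
    <authentication><anonymousAuthentication enabled="true" /></authentication>
  </security></ftpServer></site>
</sites></system.applicationHost></configuration>
"""

# Control-channel policies under which the password never crosses the wire in clear text.
PROTECTS_LOGIN = {"SslRequire", "SslRequireCredentialsOnly"}

def is_on(element):
    return element is not None and element.get("enabled", "false").lower() == "true"

def audit_ftp_sites(config_xml):
    """Return (site, methods, control_policy) for sites taking passwords without required SSL."""
    findings = []
    for site in ET.fromstring(config_xml).iter("site"):
        sec = site.find("ftpServer/security")
        if sec is None:
            continue  # not an FTP site
        methods = []
        if is_on(sec.find("authentication/basicAuthentication")):
            methods.append("Basic")
        providers = sec.findall("authentication/customAuthentication/providers/add")
        methods += [p.get("name") for p in providers if is_on(p)]
        ssl = sec.find("ssl")
        policy = ssl.get("controlChannelPolicy") if ssl is not None else None
        # An unset policy is reported, not assumed safe: site defaults are not merged here.
        if methods and policy not in PROTECTS_LOGIN:
            findings.append((site.get("name"), methods, policy or "unset"))
    return findings

print(audit_ftp_sites(SAMPLE_CONFIG))
```

To run it against a real server, pass in the contents of %windir%\System32\inetsrv\config\applicationHost.config; settings inherited from site defaults are not merged by this example.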
FTP User Isolation Feature Page
Similar to IIS 6.0, IIS 7.5
can still isolate FTP users so FTP content is protected. This is an
especially useful feature for Internet service providers (ISPs) and
application service providers (ASPs) servicing a large number of users.
FTP users can have their own separate directory to upload and download
files to the web or FTP server. Users who connect see only their
directory as the top-level directory and can’t browse other FTP
directories. Permissions can be set on the FTP home directory to allow
create, modify, or delete operations.
It is worth noting that FTP
user isolation is based on an FTP site rather than at the server level
and is either enabled or disabled. However, sites that need to enable
FTP user isolation aren’t forced to strictly use this feature. You can
enable anonymous access in conjunction with FTP user isolation by
creating a virtual directory within the FTP site and allowing read-only
access. The only limitation to mixing the FTP user isolation and
anonymous access is that information can be downloaded only from the
public or read-only virtual directory.
The configuration settings on the FTP User Isolation page, as shown in Figure 7, consist of the following options for where to start the user when they connect. The options include the FTP Root Directory or User Name Directory. In addition, it is possible to isolate users by restricting them to the following directories. The Isolate Users options consist of the following:
User Name Directory (Disable Global Virtual Directories)
User Name Physical Directory (Enable Global Virtual Directories)
FTP Home Directory Configured in Active Directory
Figure 7. The FTP User Isolation feature page.