
Creating a New FTP Site with Isolate Users Using Active Directory Mode (IIS 6.0)
Isolate users using Active Directory mode authenticates user credentials against a corresponding Active Directory container, rather than searching the entire Active Directory, which requires large amounts of processing time.

Note This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema. To learn more about setting up an Active Directory server, see Help and Support Center for Windows Server 2003.

Specific FTP server instances can be dedicated to each customer to ensure data integrity and isolation. When a user's object is located within the Active Directory container, the msIIS-FTPRoot and msIIS-FTPDir properties are extracted to provide the full path to the user's home directory. If the FTP service can successfully access the path, the user is placed within the home directory, which represents the FTP root location. The user sees only their FTP root location and is therefore restricted from navigating higher up the directory tree. The user is denied access if either the msIIS-FTPRoot or msIIS-FTPDir property does not exist, or if the two together do not form a valid and accessible path.

Important You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To create FTP sites with Isolate users using Active Directory mode
1. In IIS Manager, click the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. In the Welcome to the FTP Site Creation Wizard, click Next.
3. In FTP Site Description, type a description for the FTP site, and then click Next.
4. In IP Address and Port Settings, type an IP address and port, and then click Next.
5. In FTP User Isolation, click Isolate users using Active Directory, and then click Next.
6. In the User name text box, type the user name, using the Domain\User format, or browse to the user name. Choose a user with minimal domain privileges. This user name is used to access Active Directory and read the home directory properties.
7. In the Password text box, type the password of the user.
8. In the Enter the default Active Directory domain text box, type or browse to the default domain name.
   Note This domain name is used for the users who do not specify their user domain when they log on. In other words, a user connecting with the user name Domain1\User1 is authenticated against Domain1, while a user connecting as User2 is authenticated against the default logon domain. If a default domain is not named and a user does not specify a domain name, access is denied for all but anonymous users. Type the base domain name only, not the fully qualified name. For example, type MyDomain, not MyDomain.dept.microsoft.com.
9. Click Next. You are prompted to re-enter the password for the user entered in the previous steps.
10. Enable the Read and Write permissions as appropriate, click Next, and then click Finish.

Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0)
You can host multiple FTP sites on the same server running IIS. If you are an ISP or an application service provider in a multi-site Internet hosting scenario and you want to ensure that your customers cannot access the FTP directories of one another, then you can enable FTP User Isolation. When you enable FTP User Isolation, the user's top-level directory appears as the root of the FTP site, so other users cannot view or overwrite content. Within the user's specific site, the user can create, modify, or delete files and folders.

FTP User Isolation supports three isolation modes: Do not isolate users, Isolate users, and Isolate users using Active Directory. You can select the isolation mode during FTP site setup using the FTP Site Creation Wizard. You can also use Iisftp.vbs to configure FTP User Isolation, using the /isolation parameter. When you use the /isolation parameter, specify either AD, for Active Directory isolation, or Local, for local isolation. If you do not include the /isolation parameter, the site will not isolate users. You can select a different isolation mode for each FTP site.

Important After you set the FTP User Isolation mode and finish the FTP Site Creation Wizard or create the site using Iisftp.vbs, do not change the isolation setting manually.

Do Not Isolate Users Mode

The Do not isolate users mode does not enforce FTP User Isolation and is designed to work like earlier versions of the FTP service in IIS. Because isolation is not enforced among the different users that log on to your FTP server, this mode is ideal for a site that offers only download capabilities for shared content or for sites that do not require protection of data between users. In this mode, all user directories are at one level, as subdirectories of the FTP site directory. The site directory can reside either on the local computer or on a network share.

When a user accesses the FTP site, the home directory is determined as follows:
- By default, the initial user directory is set to the physical path configured as the FTP site directory. If this directory does not exist, the user connection is denied.
- If a user name is supplied, the home directory is derived from the user name. For anonymous users, the derived name is anonymous. For local computer users, the derived name is the user name. For domain users, the derived name is the user name without the domain name.
- If a directory with the derived name exists in the site directory, then that directory becomes the initial log-on directory for the user.

Important The user is not restricted to this subdirectory and can navigate up to the site directory and into other subdirectories unless you have set ACLs to prevent users from accessing them.

Isolate Users Mode

The Isolate users mode determines a unique home directory for each user derived from the user name. The home directory of the user is treated as a root directory for the user, and the user cannot navigate or access the physical file system outside of the root directory. If users need access to dedicated shared folders, then you can establish a virtual directory. User home directories are located in a two-level directory structure under the FTP site directory. The site directory can reside either on the local computer or on a network share.

When a user accesses the FTP site, the home directory is determined in one of three ways:
- For anonymous users, the home directory is LocalUser\Public under the FTP root directory.
- For local users, the home directory is LocalUser\UserName under the FTP root directory.
- For users that log on with Domain\UserName, the home directory is Domain\UserName under the FTP root directory.

The user home directory must be created before the user logs on. If the directory does not exist when the user attempts to connect, the connection is denied. For information about creating a new FTP site or converting an existing FTP site to Isolate users mode, see Creating a New FTP Site with Isolate Users Mode and Converting an Existing FTP Site to Isolate Users Mode.

Isolate Users Using Active Directory Mode

In the Isolate users using Active Directory mode, the FTP service is integrated with Active Directory to retrieve home directory information for users. To accomplish this integration, the Active Directory user object is extended with two properties: msIIS-FTPRoot and msIIS-FTPDir. The msIIS-FTPRoot property stores the file server share, and the msIIS-FTPDir property stores the relative physical path to the home directory for each user. You can use Iisftp.vbs to get and set these properties.

Information that is frequently retrieved from Active Directory is cached by the FTP service. The default caching interval is 10 minutes. You can adjust the caching interval by editing the registry entry DsCacheRefreshSecs. To flush the FTP service cache, run: iisreset

Caution Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference on the Microsoft Windows Server 2003 Resource Kit companion CD or at .

If the FTP service successfully accesses the path, it becomes the home directory for the user. The user cannot access the file system outside this directory. The user is denied access if either the msIIS-FTPRoot or msIIS-FTPDir property does not exist, or if the resulting home directory cannot be accessed. This configuration option provides maximum flexibility and control over user home directories in an ISP environment.

For example, John Doe connects to his FTP site at ftp.example.com. The example.com network load-balancing server (NLBS) resolves this request to the server FTPS3. John Doe enters the user name JohnDoe. FTPS3 is configured with the default domain name Domain4, so the user Domain4\JohnDoe is authenticated and the home directory information for John Doe is retrieved from Active Directory as \\FS1\Share2\Users\u2\johndoe_dir. From now on, FTPS3 will access the data under this home directory for all the FTP requests from John Doe. This example is illustrated in Figure 8.1.

Figure 8.1 FTP User Isolation Example: Isolate Users by Using Active Directory Mode
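The home-directory rules of the three isolation modes above (and the default-domain rule from the wizard's step 8) are easy to get wrong when auditing a site, so here they are as a small resolver; this is an added example, not Microsoft code, and the directory tree, the AD property values and the account names (alice, bob, CORP\carol, NoDir) are constructed, with the page's Domain4\JohnDoe lookup reproduced as-is. It assumes the anonymous logon in AD mode is looked up under the account named by AnonymousUserName.

```python
"""Home-directory resolution under the three IIS 6.0 FTP User Isolation modes (added
example, not Microsoft code); the filesystem is an `exists` callback over a constructed path set."""
from dataclasses import dataclass, field

@dataclass
class FtpSite:
    mode: str                  # "none" (Do not isolate), "local" (Isolate users) or "ad" (Active Directory)
    site_dir: str = ""         # FTP site directory; the Path property is empty in "ad" mode
    default_domain: str = ""   # applied to logons that give no domain ("" = no default domain)
    anonymous_user: str = ""   # account that impersonates anonymous (AnonymousUserName), "ad" mode only
    ad_props: dict = field(default_factory=dict)  # "Domain\\User" -> (msIIS-FTPRoot, msIIS-FTPDir)

def resolve_home(site, user, exists):
    """Directory the user lands in, or None if the logon is denied. user: "Domain\\Name", "Name" or None (anonymous)."""
    if site.mode == "none":    # no confinement: start at the site dir, descend into a matching subdir if present
        if not exists(site.site_dir):
            return None
        derived = "anonymous" if user is None else user.rsplit("\\", 1)[-1]   # domain prefix is dropped
        sub = site.site_dir + "\\" + derived
        return sub if exists(sub) else site.site_dir
    if site.mode == "local":   # fixed two-level layout; the folder must already exist
        if user is None:
            rel = "LocalUser\\Public"
        else:
            rel = user if "\\" in user else "LocalUser\\" + user
        home = site.site_dir + "\\" + rel
        return home if exists(home) else None
    if site.mode == "ad":      # look up the user object; both properties must exist and form a reachable path
        account = site.anonymous_user if user is None else user
        if "\\" not in account:
            if not site.default_domain:
                return None    # no domain in the logon and no default domain: denied
            account = site.default_domain + "\\" + account
        root, ftpdir = site.ad_props.get(account, (None, None))
        if not root or not ftpdir:
            return None        # either msIIS-FTPRoot or msIIS-FTPDir missing: denied
        home = root.rstrip("\\") + "\\" + ftpdir.strip("\\")
        return home if exists(home) else None
    raise ValueError("unknown isolation mode: " + site.mode)

# Constructed fixtures: a fake directory tree and the two AD properties per account.
TREE = {r"D:\ftproot", r"D:\ftproot\alice", r"D:\ftproot\LocalUser\Public",
        r"D:\ftproot\LocalUser\bob", r"D:\ftproot\CORP\carol",
        r"\\FS1\Share2\Users\u2\johndoe_dir"}
AD_PROPS = {r"Domain4\JohnDoe": (r"\\FS1\Share2", r"Users\u2\johndoe_dir"),
            r"Domain4\NoDir": (r"\\FS1\Share2", None)}   # msIIS-FTPDir never set

if __name__ == "__main__":
    ad_site = FtpSite("ad", default_domain="Domain4", ad_props=AD_PROPS)
    print(resolve_home(ad_site, "JohnDoe", TREE.__contains__))   # the page's John Doe example
```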

User Home Directories

In the Isolate users using Active Directory mode, each user's home directory resides on an arbitrary network path, which provides you with the flexibility to distribute user home directories across multiple servers, volumes, and directories. In addition, you can move users' home directories transparently from one location to another, which affects the service for the users only during the duration of the move. You can also set the msIIS-FTPRoot and msIIS-FTPDir properties so that the user's home directory maps to a local folder on the FTP server; for example, msIIS-FTPRoot is set to E:\FTPUsers.

Configuring Isolate Users Using Active Directory Mode

There are three main steps to configuring the Isolate users using Active Directory mode:
1. Configure the file servers.
2. Configure Active Directory.
3. Create and configure the FTP sites to be isolated.

When you configure the file servers, you must create the shares and user directories for all the users that are permitted to connect to the FTP service, including the user configured to impersonate anonymous users. Before you complete this step, consider factors such as expected disk space usage, storage management, and network traffic.

To configure Active Directory, you need a server running Windows Server 2003, Standard Edition, and Active Directory. Configure the user object in Active Directory for each user, including the user configured to impersonate the anonymous user, by setting the msIIS-FTPRoot and msIIS-FTPDir properties to point to the home directories that you previously created. You can do this by using the Iisftp.vbs command-line utility with the /SetADProp command. To learn more about setting up Active Directory, see Active Directory in Help and Support Center for Windows Server 2003.

For information about working with FTP sites with Isolate users using Active Directory mode, see Creating a New FTP Site with Isolate Users Using Active Directory Mode, Enabling Anonymous Access for a FTP Site Configured with Isolate Users Using Active Directory Mode, and Converting an Existing FTP Site to Isolate Users Using Active Directory Mode.

The msIIS-FTPRoot and msIIS-FTPDir properties can also be changed by installing the Windows Server 2003 Support Tools and using the ADSI Edit program included in those tools.

In the user's properties, select and edit the two values so that FTPRoot points to the root of the FTP site you created and FTPDir points to that user's local folder.

Folder structure:

Permissions on FTPRoot: inheritance must be enabled for child objects. The anonymous access account has read-only access to this folder.

Permissions on the Public folder: add the anonymous access account with read access to this folder. The remaining permissions are inherited.

Permissions on the user folders: add the folder owner's account with full control. The remaining permissions are inherited.

Permissions for the Master user (who can view and/or change the contents of all folders): add full control on the LocalUser folder. The remaining permissions are inherited.

Enabling Anonymous Access for a FTP Site Configured with Isolate Users Using Active Directory Mode (IIS 6.0)
By default, anonymous access is disabled for sites created in Isolate users using Active Directory mode.

To enable anonymous access for the FTP site configured with Isolate users using Active Directory mode
1. Configure the metabase properties as shown in the following example. You can do so by using the adsutil.vbs SET command-line tool.
   adsutil set /msftpsvc/6634/AllowAnonymous TRUE
   adsutil set /msftpsvc/6634/AnonymousOnly FALSE
   adsutil set /msftpsvc/6634/AnonymousUserName MyDomain\LowPrivUser
   adsutil set /msftpsvc/6634/AnonymousUserPass PaSsWoRd
   Note When a site is created with Isolate Users Using Active Directory mode, the Path property of the root FTP virtual directory (which, for the other isolation modes, identifies the home directory) is set empty. Also, the AccessFlags property of the root FTP virtual directory contains the AccessNoPhysicalDir flag. Do not alter these two values. If you change or remove them, further access to the site is not allowed.
   To find the site's msftpsvc instance number to use in place of msftpsvc/6634, run: cscript.exe iisftp.vbs /query
