Isolate users using Active Directory mode authenticates user credentials against a corresponding Active Directory container, rather than searching the entire Active Directory, which requires large amounts of processing time.

Note
This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema. To learn more about setting up an Active Directory server, see Help and Support Center for Windows Server 2003.

Specific FTP server instances can be dedicated to each customer to ensure data integrity and isolation. When a user's object is located within the Active Directory container, the msIIS-FTPRoot and msIIS-FTPDir properties are extracted to provide the full path to the user's home directory. If the FTP service can successfully access the path, the user is placed within the home directory, which represents the FTP root location. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the directory tree. The user is denied access if either the msIIS-FTPRoot or msIIS-FTPDir property does not exist, or if these two together do not form a valid and accessible path.

Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
To create FTP sites with Isolate users using Active Directory mode
1. In IIS Manager, click the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.
2. In the Welcome to the FTP Site Creation Wizard, click Next.
3. In FTP Site Description, type a description for the FTP site, and then click Next.
4. In IP Address and Port Settings, type an IP address and port, and then click Next.
5. In FTP User Isolation, click Isolate users using Active Directory, and then click Next.
6. In the User name text box, type the user name, using the Domain\User format, or browse to the user name. Choose a user with minimal domain privileges. This user name is used to access Active Directory and read the home directory properties.
7. In the Password text box, type the password of the user.
8. In the Enter the default Active Directory domain text box, type or browse to the default domain name.
   Note
   This domain name is used for the users who do not specify their user domain when they log on. In other words, a user connecting with the user name Domain1\User1 is authenticated against Domain1, while a user connecting as User2 is authenticated against the default logon domain. If a default domain is not named and a user does not specify a domain name, access is denied for all but anonymous users. Type the base domain name only, not the fully qualified name. For example, type MyDomain, not MyDomain.dept.microsoft.com.
9. Click Next. You are prompted to re-enter the password for the user entered in the previous steps.
10. Enable the Read and Write permissions as appropriate, click Next, and then click Finish.
Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0)
You can host multiple FTP sites on the same server running IIS. If you are an ISP or an application service provider in a multi-site Internet hosting scenario and you want to ensure that your customers cannot access the FTP directories of one another, then you can enable FTP User Isolation. When you enable FTP User Isolation, the user's top-level directory appears as the root of the FTP site, so other users cannot view or overwrite content. Within the user's specific site, the user can create, modify, or delete files and folders.

FTP User Isolation supports three isolation modes: Do not isolate users, Isolate users, and Isolate users using Active Directory. You can select the isolation mode during FTP site setup using the FTP Site Creation Wizard. You can use Iisftp.vbs to configure FTP User Isolation, using the /isolation parameter. When you use the /isolation parameter, specify either AD, for Active Directory isolation, or Local, for local isolation. If you do not include the /isolation parameter, the site will not isolate users. You can select a different isolation mode for each FTP site.

Important
After you set the FTP User Isolation mode and finish the FTP Site Creation Wizard or create the site using Iisftp.vbs, do not change the isolation setting manually.
Important
The user is not restricted to this subdirectory and can navigate up to the site directory and into other subdirectories unless you have set ACLs to prevent users from accessing them.
by editing the registry entry DsCacheRefreshSecs. To flush the FTP service cache, run: iisreset

Caution
Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference on the Microsoft Windows Server 2003 Resource Kit companion CD or at .

If the FTP service successfully accesses the path, it becomes the home directory for the user. The user cannot access the file system outside this directory. The user is denied access if either the msIIS-FTPRoot or msIIS-FTPDir property does not exist, or if the resulting home directory cannot be accessed. This configuration option provides maximum flexibility and control over user home directories in an ISP environment.

For example, John Doe connects to his FTP site at ftp.example.com. The example.com network load-balancing server (NLBS) resolves this request to the server FTPS3. John Doe enters the user name JohnDoe. FTPS3 is configured with the default domain name Domain4, so the user Domain4\JohnDoe is authenticated and the home directory information for John Doe is retrieved from Active Directory as \\FS1\Share2\Users\u2\johndoe_dir. From now on, FTPS3 will access the data under this home directory for all the FTP requests from John Doe. This example is illustrated in Figure 8.1.
Figure 8.1 FTP User Isolation Example: Isolate Users by Using Active Directory Mode
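The home-directory rule described above (msIIS-FTPRoot joined with msIIS-FTPDir, access denied when either is missing or the result is not reachable) can be checked ahead of time from an administrator's workstation. The PowerShell audit below is an added example, not code from the Microsoft documentation; Resolve-FtpIsolationHome is a hypothetical helper name, and the script assumes the msIIS-FTPRoot and msIIS-FTPDir schema attributes exist in the domain and the running account may read them.

```powershell
# Added audit example (not from the Microsoft documentation): resolve each user's
# FTP home directory the way Isolate users using Active Directory mode does and
# report the users the FTP service would deny. Assumes the msIIS-FTPRoot and
# msIIS-FTPDir attributes exist in the schema and the caller can read them.

function Resolve-FtpIsolationHome {
    param(
        [string]$FtpRoot,   # value of msIIS-FTPRoot, e.g. \\FS1\Share2 or E:\FTPUsers
        [string]$FtpDir     # value of msIIS-FTPDir, e.g. Users\u2\johndoe_dir
    )
    # Either attribute missing: the FTP service denies the logon.
    if ([string]::IsNullOrEmpty($FtpRoot) -or [string]::IsNullOrEmpty($FtpDir)) {
        return @{ Status = 'Denied'; Reason = 'msIIS-FTPRoot or msIIS-FTPDir not set'; Path = $null }
    }
    # A rooted or dot-dot FtpDir would not stay under FtpRoot; flag it instead of combining.
    if ([System.IO.Path]::IsPathRooted($FtpDir) -or (($FtpDir -split '[\\/]') -contains '..')) {
        return @{ Status = 'Denied'; Reason = 'msIIS-FTPDir is not a relative path under msIIS-FTPRoot'; Path = $null }
    }
    $homeDir = Join-Path $FtpRoot $FtpDir
    # The combined path must be reachable, otherwise access is denied.
    if (-not (Test-Path -LiteralPath $homeDir -PathType Container)) {
        return @{ Status = 'Denied'; Reason = 'home directory not accessible'; Path = $homeDir }
    }
    return @{ Status = 'OK'; Reason = ''; Path = $homeDir }
}

# Enumerate users that carry either attribute via ADSI. This searches the whole
# domain, which is fine for an audit (the FTP service itself only reads one container).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(|(msIIS-FTPRoot=*)(msIIS-FTPDir=*)))'
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'msIIS-FTPRoot', 'msIIS-FTPDir'))

foreach ($r in $searcher.FindAll()) {
    # Property names come back lower-cased; a missing attribute yields an empty collection.
    $name = [string]$r.Properties['samaccountname'][0]
    $root = [string]$r.Properties['msiis-ftproot'][0]
    $dir  = [string]$r.Properties['msiis-ftpdir'][0]
    $res  = Resolve-FtpIsolationHome -FtpRoot $root -FtpDir $dir
    '{0,-20} {1,-7} {2} {3}' -f $name, $res.Status, $res.Path, $res.Reason
}
```

Test-Path runs with the auditing account's permissions, so a path reported as OK here can still be denied if the FTP service account lacks access to it; compare the ACLs of any mismatch against the account chosen in step 6 of the wizard.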
msIIS-FTPRoot and msIIS-FTPDir properties so that the user's home directory maps to a local folder on the FTP server; for example, msIIS-FTPRoot is set to E:\FTPUsers.
The msIIS-FTPRoot and msIIS-FTPDir properties can be changed by installing the Windows Server 2003 Support Tools and using the ADSI Edit program that ships with them.
In the user's properties, select and edit the two values so that FTProot points to the root of the FTP site that was created and FTPDir points to that user's local folder.
Folder structure:
Permissions on FTProot: inheritance to child objects must be enabled. The anonymous access account has read access on this folder only.
Permissions on the Publica folder: add the anonymous access account with read permission on this folder. The remaining permissions are inherited.
Permissions on the user folders: add the account of the folder's owner with full control. The remaining permissions are inherited.
Permissions for the Master user (can view and/or change the contents of all folders): add full control permission on the Localuser folder. The remaining permissions are inherited.
Enabling Anonymous Access for a FTP Site Configured with Isolate Users Using Active Directory Mode (IIS 6.0)
By default, anonymous access is disabled to sites created in Isolate users using Active Directory mode.
To enable anonymous access for the FTP site configured with Isolate users using Active Directory mode
1. Configure the metabase properties as shown in the following example. You can do so by using the adsutil.vbs SET command-line tool.
   adsutil set /msftpsvc/6634/AllowAnonymous TRUE
   adsutil set /msftpsvc/6634/AnonymousOnly FALSE
   adsutil set /msftpsvc/6634/AnonymousUserName MyDomain\LowPrivUser
   adsutil set /msftpsvc/6634/AnonymousUserPass PaSsWoRd
   Note
   When a site is created with Isolate Users Using Active Directory mode, the Path property of the root FTP virtual directory (which, for the other isolation modes, identifies the home directory) is set empty. Also, the AccessFlags property of the root FTP virtual directory contains the AccessNoPhysicalDir flag. Do not alter these two values. If you change or remove them, further access to the site is not allowed.
   To find the msftpsvc instance number to use in place of msftpsvc/6634, run: cscript.exe iisftp.vbs /query