February 02, 2001 12:00 AM

IIS 101: Creating an FTP Server for Your Users

Windows IT Pro
InstantDoc ID #19835

File servers are extremely handy when you want a central location in which your users can store all their important work. If all your users rely on a file server, the risk of people losing files on their desktops greatly diminishes. As your company grows and your users become more mobile, they will move to laptops and dial in to work. When users make this move, server access won’t be as easy as it was when the users were on your LAN. To give your users the remote access they need, you can use the FTP server built into IIS.

With IIS’s FTP server, users can log on to the FTP server, which then transfers them to their Personal folder. (This setup is similar to the home folder you set up in User Manager.) For my example, I use the RPG Consulting Company, a fictitious e-consulting startup company. The company has 45 employees and just opened a new remote office on the West Coast. To save money, the company opted for a Digital Subscriber Line (DSL) for the new office rather than a more costly private line or WAN connection. The existing Windows 2000 file server in the East Coast office has a hidden shared folder for every user. The users automatically map this folder during their network logon, so each network share appears as \\fileserver\username$ (the dollar sign—$—makes the share hidden on the network). All these shared folders are on the D drive beneath the Users folder. The folder names for each user must be the same as the users’ usernames. The D drive is formatted as an NTFS drive, and each user’s folder lets only that particular user access its contents.

Setting Up the FTP Server
When you installed Win2K on the file server, you automatically installed IIS 5.0. I recommend that you use the minimum number of required services. If you don’t need the SMTP, Network News Transfer Protocol (NNTP), or Indexing services, uninstall them. To begin configuring the FTP server, choose Start, Administrative Tools, Internet Services Manager. Right-click the FTP server, then select Properties. On the Default FTP Site Properties dialog box, which Figure 1 shows, click the FTP Site tab. Because RPG has only 45 employees, I recommend changing the maximum number of connections to 100. (If you set this number to 45, you might have to change it every time you add an employee; therefore, don’t set the limit too close to the employee count.)

I also recommend that you leave Logging on; if you have any breaches, you can use the log files to trace them. To add logging for the User Name (cs-username) and Host (cs-host), click Properties on the FTP Site tab, then click the Extended Properties tab, which Figure 2 shows. These options are available only when you’re using W3C Extended logging, which is the default for IIS.
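To show how those log files can be used to trace failed logons, here is an added PowerShell example (not part of the original article) that reads a W3C Extended FTP log, pairs each PASS command with the USER command of the same session, and reports client addresses with repeated 530 replies. The sample log lines are constructed, and the function name and threshold are hypothetical; the parser takes the column order from the log's own #Fields line and assumes that c-ip, cs-method, cs-uri-stem and sc-status are among the logged fields.

```powershell
# Constructed sample log (not from the article); column order comes from #Fields.
$sampleLog = @'
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
14:03:11 192.0.2.10 - [1]USER jsmith 331
14:03:12 192.0.2.10 jsmith [1]PASS - 230
14:05:40 198.51.100.7 - [2]USER administrator 331
14:05:41 198.51.100.7 - [2]PASS - 530
14:05:43 198.51.100.7 - [3]USER administrator 331
14:05:44 198.51.100.7 - [3]PASS - 530
14:05:46 198.51.100.7 - [4]USER jsmith 331
14:05:47 198.51.100.7 - [4]PASS - 530
'@ -split '\r?\n'

function Get-FtpFailedLogon {
    param([string[]]$Line, [int]$Threshold = 3)
    $fields  = @()
    $pending = @{}   # "ip|session" -> user name sent with the USER command
    $failed  = @{}   # ip -> user names whose PASS was answered with 530
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') { $fields = -split ($l.Substring(8)); continue }
        if ($l -like '#*' -or -not $l.Trim()) { continue }   # other directives, blanks
        $values = -split $l
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # cs-method is prefixed with a session number, e.g. [2]PASS
        if ($rec['cs-method'] -notmatch '^\[(\d+)\](\w+)$') { continue }
        $verb = $Matches[2]
        $key  = '{0}|{1}' -f $rec['c-ip'], $Matches[1]
        if ($verb -eq 'USER') {
            $pending[$key] = $rec['cs-uri-stem']
        } elseif ($verb -eq 'PASS' -and $rec['sc-status'] -eq '530') {
            $ip = $rec['c-ip']
            if (-not $failed.ContainsKey($ip)) { $failed[$ip] = @() }
            $failed[$ip] += $pending[$key]
        }
    }
    foreach ($ip in $failed.Keys) {
        if ($failed[$ip].Count -ge $Threshold) {
            [pscustomobject]@{
                ClientIp  = $ip
                Failures  = $failed[$ip].Count
                Usernames = ($failed[$ip] | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Get-FtpFailedLogon -Line $sampleLog
```

On the constructed sample this reports 198.51.100.7 with three failures against the names administrator and jsmith; the successful logon from 192.0.2.10 is not listed.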

On the Default FTP Site Properties dialog box, click the Security Accounts tab. Clear the Allow Anonymous Connections check box, which Figure 3 shows. Note that when you remove an Anonymous account, your FTP site isn’t necessarily completely safe. The system sends FTP usernames and passwords in clear-text format, and malicious intruders can easily sniff them. Seriously consider this vulnerability if the information stored in users’ personal directories is important.

The Messages tab has three simple input boxes—a welcome message, an exit message, and the error message users receive if the server has exceeded its maximum number of users. The message on the FTP welcome page can be information about RPG or perhaps a legal statement about unauthorized users.

On the Home Directory tab, you set your home directory, which is the location from which users access their folders. In RPG’s case, the home directory is the D drive. The Directory Listing Style on this tab defines file-date format. The default style is MS-DOS, which lists dates with a two-digit year format. The UNIX style displays the date in a four-digit year style, and no year is returned if the file date is the same as the current year.

The Directory Security tab lets you allow connections to the server only from certain individual computers or groups of computers. RPG could use these settings to provide IP addresses for computers in the West Coast office. However, because many employees aren’t in the office, the company will continue to allow connections from any host, relying on authentication as the only means of security.

Two important tasks remain. The first task is to ensure that you’re using your domain accounts rather than the local machine to authenticate users. If your file server is also a domain controller (DC), you can skip this step because the local users are the domain accounts. If your file server is only a member server, you need to configure IIS to use your Windows NT domain to authenticate. The "Resolution 4" section of the Microsoft article "Err Msg: 530 User <Username> Cannot Log In. Login Failed." (http://support.microsoft.com/support/kb/articles/q200/4/75.asp) provides information about configuring IIS.

The final and perhaps most complex task is correctly setting your NTFS permissions so that users will be able to access only their data and nothing they shouldn’t. The home directory (in my example, the root of the D drive) has the following NTFS settings:

  • Set the local System account and the Domain and Local Administrators accounts to Full Control permission.
  • Set the Users group to Read & Execute permission.

When you create new users, they automatically go into the Users group, which is a good way to generalize your user base without having to add all the users to a permissions page individually.

You can give the Users group extremely limited permissions to the root of the D drive. To set these permissions, click Advanced on the Security tab of the folder’s Properties dialog box. On the Access Control Settings for Folder dialog box, select the Users group, and click View/Edit, as Figure 4 shows. On the Permission Entry for Folder dialog box, which Figure 5 shows, select This folder only from the Apply onto drop-down list, then clear all check boxes except those allowing the following permissions:

  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions

Rolling Out the FTP Server
Testing is the most important part of this whole process. Create a few new accounts, and test this setup thoroughly. Ensure that users can access only their folders and no one else’s. Make sure they can’t write to folders they shouldn’t be able to. If everything works, roll the FTP server out to your users, and let them know that they can now access all their files on the road with ease.
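The permission check in the rollout step above can be backed by an ACL audit. This added PowerShell example (not part of the original article) lists every Allow entry on a per-user folder beneath D:\Users that is granted to anyone other than the folder's own user, the System account, or the administrators groups. The domain name RPG, the function name, and the English-language account names are assumptions; it needs PowerShell 3.0 or later and an administrator session on the file server.

```powershell
# Added example; D:\Users comes from the article, everything else is an assumption.
$UsersRoot = 'D:\Users'
$Domain    = 'RPG'   # hypothetical NetBIOS domain name

# Accounts the article allows on every folder besides the owning user
# (English-language names; they differ on localized systems).
$alwaysAllowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$Domain\Domain Admins"

function Get-UnexpectedFolderAccess {
    param([System.IO.DirectoryInfo]$Folder, [string]$Domain, [string[]]$AlwaysAllowed)

    # The article requires each folder name to equal the user's username.
    $owner = '{0}\{1}' -f $Domain, $Folder.Name
    $acl   = Get-Acl -LiteralPath $Folder.FullName

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries do not widen access
        $who = $ace.IdentityReference.Value
        if ($who -eq $owner -or $AlwaysAllowed -contains $who) { continue }
        [pscustomobject]@{
            Folder    = $Folder.FullName
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True points at a parent folder's ACL
        }
    }
}

$findings = Get-ChildItem -LiteralPath $UsersRoot -Directory | ForEach-Object {
    Get-UnexpectedFolderAccess -Folder $_ -Domain $Domain -AlwaysAllowed $alwaysAllowed
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No unexpected Allow entries found.' }
```

The audit reads ACLs only, so it complements the logon test with new accounts rather than replacing it.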

Comments
  • Anonymous User
    7 years ago
    Apr 04, 2005

    I have Windows 2000 Advanced Server and that system is not on a domain; there is a workgroup system in the whole network. I made a full FTP server and it's working fine. Now I want that when users log in through FTP they can access only their folders and not see others' folders (as I have one folder for each user with their name). Can you help me in this regard? I also set permissions on that folder so only the administrator and the user can access the folder, and the Everyone option is denied, but it's not working. Please CC your reply to ch_shahid@hotmail.com

  • don
    7 years ago
    Jan 23, 2005

    Hi,

    I successfully made an FTP server on my PC. How am I going to create accounts for testing? I'm using WinXP Prof.
    Thanks

  • Anonymous User
    8 years ago
    Oct 25, 2004

    /me stabs Robert in the face...like a fox.

  • mark
    10 years ago
    Nov 23, 2002

    How do I link to my FTP server from my web page? Right now, when someone clicks the link "ftp://server/folder" it gives them a file not found error, but once they hit Enter in the address bar, it takes them to the site. It's almost like IE doesn't know it's an FTP site until then.

  • ROBERT
    11 years ago
    Nov 15, 2001

    How do you setup CGI access on your FTP server?


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.