FTP 7 for IIS 7

ovenforksqueeSecurity

Nov 3, 2013 (3 years and 9 months ago)


Installing and Configuring FTP on IIS 7
FTP Extension - Video Walkthrough
What Is New for Microsoft and FTP 7.5?
Creating a New FTP Site
Adding FTP to a Web Site
Using FTP Over SSL
Configuring FTP Firewall Settings
Configuring FTP 7.5 User Isolation
Using FTP Virtual Host Names
Configure FTP with IIS 7 Manager Authentication
Configuring FTP with .NET Membership Authentication
Using FSRM Folder Quotas with FTP


Installing and Configuring FTP on IIS 7



Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

Integration with IIS 7: IIS 7 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6.0 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.

Support for new Internet standards: One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.

Shared hosting improvements: By fully integrating into IIS 7, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.

Custom authentication providers: The new FTP server supports authentication using non-Windows accounts for IIS Managers and .NET Membership.

Improved logging support: FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, additional detail fields in FTP logs, and much more.

New supportability features: IIS 7 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.

Extensible feature set: FTP supports extensibility that allows you to extend the built-in functionality that ships with the FTP service. More specifically, there is support for creating your own authentication and authorization providers. You can also create providers for custom FTP logging and for determining the home directory information for your FTP users.

Additional information about new features in FTP 7.5 is available in the "What's New for Microsoft and FTP 7.5?" topic on Microsoft's http://www.iis.net/ web site.

This document will walk you through installing the new FTP service and troubleshooting installation issues.
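The "Improved logging support" item above says the new service records every FTP command, a per-session identifier and FTP sub-statuses. The following Python script is an added example (not part of this document or of the FTP service) that parses that W3C extended log format and summarises the two things an administrator looks for after the walkthroughs that follow: repeated failed logons per client address, and write commands that were refused because the authorization rule only grants Read. The field names follow the W3C header the FTP service writes and the parser takes the column order from the #Fields directive; the log lines themselves, including the short session identifiers, are constructed for this example.

```python
"""Summarise failed logons and denied writes from IIS FTP 7.5 W3C logs.

Added example; not part of the original article or of the FTP service.
The parser reads the column order from the #Fields directive, so it also
handles a server configured to log a different set of fields.
"""
from collections import Counter, defaultdict

# Constructed sample log (not from a real server). Session s1 is an anonymous
# user refused a write, s2 is a remote client failing Basic authentication
# three times, s3 is the administrator succeeding on the loopback binding.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-11-03 10:00:00
#Fields: date time c-ip c-port cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2013-11-03 10:00:01 127.0.0.1 49152 - 127.0.0.1 21 ControlChannelOpened - - 0 0 s1 -
2013-11-03 10:00:02 127.0.0.1 49152 - 127.0.0.1 21 USER anonymous 331 0 0 s1 -
2013-11-03 10:00:03 127.0.0.1 49152 anonymous 127.0.0.1 21 PASS *** 230 0 0 s1 /
2013-11-03 10:00:05 127.0.0.1 49152 anonymous 127.0.0.1 21 STOR upload.txt 550 5 0 s1 /upload.txt
2013-11-03 10:00:06 127.0.0.1 49152 anonymous 127.0.0.1 21 QUIT - 221 0 0 s1 -
2013-11-03 10:01:00 203.0.113.7 51000 - 192.0.2.10 21 ControlChannelOpened - - 0 0 s2 -
2013-11-03 10:01:01 203.0.113.7 51000 - 192.0.2.10 21 USER administrator 331 0 0 s2 -
2013-11-03 10:01:02 203.0.113.7 51000 administrator 192.0.2.10 21 PASS *** 530 1326 1 s2 -
2013-11-03 10:01:04 203.0.113.7 51000 - 192.0.2.10 21 USER administrator 331 0 0 s2 -
2013-11-03 10:01:05 203.0.113.7 51000 administrator 192.0.2.10 21 PASS *** 530 1326 1 s2 -
2013-11-03 10:01:07 203.0.113.7 51000 - 192.0.2.10 21 USER administrator 331 0 0 s2 -
2013-11-03 10:01:08 203.0.113.7 51000 administrator 192.0.2.10 21 PASS *** 530 1326 1 s2 -
2013-11-03 10:02:00 127.0.0.1 49160 - 127.0.0.1 21 USER administrator 331 0 0 s3 -
2013-11-03 10:02:01 127.0.0.1 49160 administrator 127.0.0.1 21 PASS *** 230 0 0 s3 /
2013-11-03 10:02:03 127.0.0.1 49160 administrator 127.0.0.1 21 STOR notes.txt 226 0 0 s3 /notes.txt
"""

# FTP commands that modify content; a 550 reply to one of these means the
# authorization rule (for example Read-only for anonymous users) refused it.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "MKD", "RMD", "RNTO"}


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # the directive defines the column order
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def by_session(records):
    """Group rows by x-session so a logon and the commands that follow stay together."""
    groups = defaultdict(list)
    for record in records:
        groups[record["x-session"]].append(record)
    return dict(groups)


def failed_logons(records):
    """Count 530 replies to PASS per client address."""
    return Counter(r["c-ip"] for r in records
                   if r["cs-method"] == "PASS" and r["sc-status"] == "530")


def denied_writes(records):
    """Count write commands refused with 550, per user name."""
    return Counter(r["cs-username"] for r in records
                   if r["cs-method"] in WRITE_COMMANDS and r["sc-status"] == "550")


def summarize(text, threshold=3):
    """The counts an administrator would review after enabling Basic authentication."""
    records = parse_w3c(text)
    fails = failed_logons(records)
    return {
        "records": len(records),
        "sessions": len(by_session(records)),
        "failed_logons": dict(fails),
        "repeated_failures": sorted(ip for ip, n in fails.items() if n >= threshold),
        "denied_writes": dict(denied_writes(records)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary reports one address with three failed PASS attempts and one refused STOR by the anonymous user, which is exactly the behaviour the Read-only anonymous rule in the walkthroughs is meant to produce. Point parse_w3c at a real log file's contents to run the same summary on a server.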



Installing FTP for IIS 7.5
Installing FTP for IIS 7.0
Known Issues in This Release
Getting Started with FTP 7.5

Installing FTP for IIS 7.5

IIS 7.5 for Windows Server 2008 R2

1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.

IIS 7.5 for Windows 7

1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.

Installing FTP for IIS 7.0

Prerequisites

The following items are required to complete the procedures in this section:

1. You must be using Windows Server 2008.
2. Internet Information Services 7.0 must be installed.
3. If you are going to manage the new FTP server by using the IIS 7.0 user interface, the administration tool will need to be installed.
4. You must install the new FTP server as an administrator. (See the Downloading and Installing section for more.)
5. IIS 7.0 supports a shared configuration environment, which must be disabled on each server in a web farm before installing the new FTP server for each node. Note: Shared configuration can be re-enabled after the FTP server has been installed.
6. The FTP server that is shipped on the Windows Server 2008 DVD must be uninstalled before installing the new FTP server.

Downloading the right version for your server

There are two separate downloadable packages for the new FTP server; you will need to download the appropriate package for your version of Windows Server 2008:

32-bit Installation Package: FTP 7.5 for IIS 7.0 (x86)
64-bit Installation Package: FTP 7.5 for IIS 7.0 (x64)

Launching the installation package

You will need to run the installation package as an administrator. This can be accomplished by one of the following methods:

1. Logging in to your server using the actual account named "Administrator", then browsing to the download pages listed above or double-clicking the download package if you have saved it to your server.
2. Logging on using an account with administrator privileges and opening a command prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting "Run as administrator", then typing the appropriate command listed below for your version of Windows to run the installation (the package name contains a space, so it is quoted):

   32-bit Windows Versions:

      msiexec /i "FTP 7_x86_75.msi"

   64-bit Windows Versions:

      msiexec /i "FTP 7_x64_75.msi"

Note: One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, please see the following documentation:

http://go.microsoft.com/fwlink/?LinkId=113664

The following steps walk you through all of the required settings to add FTP publishing for the Default Web Site.

Walking through the installation process

1. When the installation package opens, you should see the following screen. Click Next to continue.
2. On the next screen, click the I accept check box if you agree to the license terms, and then click Next.
3. The following screen lists the installation options. Choose which options you want installed from the list, and then click Next.

   Common files: this option includes the schema file. When installing in a shared server environment, each server in the web farm will need to have this option installed.

   FTP Publishing Service: this option includes the core components of the FTP service. This option is required for the FTP service to be installed on the server.

   Managed Code Support: this is an optional component, but features that use managed extensibility require this option before using them, such as ASP.NET and IIS manager authentication. Note: This feature cannot be installed on Windows Server 2008 Core.

   Administration Features: this option installs the FTP 7 management user interface. This requires the IIS 7.0 manager and .NET framework 2.0 to be installed. Note: This feature cannot be installed on Windows Server 2008 Core.

4. On the following screen, click Install to begin installing the options that you chose on the previous screen.
5. When installation has completed, click Read notes to view the FTP README file, or click Finish to close the installation dialog.

Note: If an error occurs during installation, you will see an error dialog. Refer to the Troubleshooting Installation Issues section of this document for more information.

Troubleshooting Installation Issues

When the installation of FTP 7 fails for some reason, you should see a dialog with a button called "Installation log". Clicking the "Installation log" button will open the MSI installation log that was created during the installation. You can also manually enable installation logging by running the appropriate command listed below for your version of Windows. This will create a log file that will contain information about the installation process (both file names contain a space, so they are quoted):

32-bit Windows Versions:

   msiexec /L "FTP 7.log" /I "FTP 7_x86_75.msi"

64-bit Windows Versions:

   msiexec /L "FTP 7.log" /I "FTP 7_x64_75.msi"

You can analyze this log file after a failed installation to help determine the cause of the failure.

Clicking the "Online information" button on the error dialog will launch the "Installing and Troubleshooting FTP 7.5" document in your web browser.

Note: If you attempt to install the downloaded package on an unsupported platform, the following dialog will be displayed:

Known Issues in This Release

The following issues are known to exist in this release:

1. While Web-based features can be delegated to remote managers and added to web.config files using the new IIS 7 configuration infrastructure, FTP features cannot be delegated or stored in web.config files.
2. The icon of a combined Web/FTP site may be marked with a question mark even though the site is currently started with no error. This occurs when a site has a mixture of HTTP/FTP bindings.
3. After adding FTP publishing to a Web site, clicking the site's node in the tree view of the IIS 7 management tool may not display the FTP icons. To work around this issue, use one of the following:

   - Hit F5 to refresh the IIS 7 management tool.
   - Click on the Sites node, then double-click on the site name.
   - Close and re-open the IIS 7 management tool.

4. When you add a custom provider in the site defaults, it shows up under each site. However, if you attempt to remove or modify the settings for a custom provider at the site level, IIS creates an empty <providers /> section for the site, but the resulting configuration for each site does not change. For example, if the custom provider is enabled in the site defaults, you cannot disable it at the site level. To work around this problem, open your applicationHost.config file as an administrator and add a <clear/> element to the list of custom authentication providers, then manually add the custom provider to your settings. For example, in order to add the IIS Manager custom authentication provider, you would add settings like the following example:

   <ftpServer>
     <security>
       <authentication>
         <customAuthentication>
           <providers>
             <clear />
             <add name="IisManagerAuth" enabled="true" />
           </providers>
         </customAuthentication>
       </authentication>
     </security>
   </ftpServer>

5. The following issues are specific to the IIS 7.0 release:

   - The FTP service that is shipped on the Windows Server 2008 DVD should not be installed after the new FTP service has been installed. The old FTP service does not detect that the new FTP service has been installed, and running both FTP services at the same time may cause port conflicts.
   - IIS 7 can be uninstalled after the new FTP service has been installed, and this will cause the new FTP service to fail. If IIS is reinstalled, new copies of the IIS configuration files will be created and the new FTP service will continue to fail because the configuration information for the new FTP service is no longer in the IIS configuration files. To fix this problem, re-run the setup for the new FTP service and choose "Repair".

Getting Started with FTP 7.5

In order to help get started using the new FTP server, the following walkthroughs have been published on Microsoft's http://www.iis.net/ web site:

Working with FTP Sites:
- Creating a New FTP Site
- Add FTP publishing to an existing Web site

Configuring Security Features:
- Configure FTP over SSL
- Configure FTP User Isolation
- Configure FTP Firewall Settings
- Configure IIS Manager Authentication

Advanced Administrative Features:
- Configure FTP virtual host names
- Using FSRM Folder Quotas with FTP

In addition to these documents, the help file for the new FTP server contains a great deal of information regarding the use and administration of the new FTP server. To open the help file, open one of the FTP features in the IIS manager and click the "Help" item in the "Actions" pane.







Creating a New FTP Site

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This new FTP service incorporates many new features that enable Web authors to publish content better than before, and offers Web administrators more security and deployment options.

This document walks you through creating FTP sites from scratch using the new FTP user interface and by directly editing the IIS 7 configuration files. It contains:

- Creating a New FTP Site Using the IIS 7 Manager
- Creating a New FTP Site by Editing the IIS 7 Configuration Files

Note: This walk-through contains a series of steps in which you log in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.

Prerequisites

The following items are required to complete the procedures in this article:

1. IIS 7 must be installed on your Windows 2008 Server, and the Internet Information Services Manager must be installed.
2. The new FTP service must be installed. You can download and install the FTP service from the http://www.iis.net/ Web site using one of the following links:

   - FTP 7.5 for IIS 7 (x64)
   - FTP 7.5 for IIS 7 (x86)

3. You must create a root folder for FTP publishing:

   - Create a folder at "%SystemDrive%\inetpub\ftproot"
   - Set the permissions to allow anonymous access:

     1. Open a command prompt.
     2. Type the following command:

        ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T

     3. Close the command prompt.

Creating a New FTP Site Using IIS 7 Manager

The new FTP service makes it easy to create new FTP sites by providing you with a wizard that walks you through all of the required steps to create a new FTP site from scratch.

Step 1: Use the FTP Site Wizard to Create an FTP Site

In this first step you will create a new FTP site that anonymous users can open.

Note: The settings listed in this walkthrough specify "%SYSTEMDRIVE%\inetpub\ftproot" as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.

1. Open IIS 7 Manager. In the Connections pane, click the Sites node in the tree.
2. As shown in the image below, right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
3. When the Add FTP Site wizard appears:

   - Enter "My New FTP Site" in the FTP site name box, then navigate to the %SystemDrive%\inetpub\ftproot folder that you created in the Prerequisites section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths.
   - When you have completed these items, click Next.

4. On the next page of the wizard:

   - Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, you must ensure that you restrict access to the server and enter the local loopback IP address for your computer by typing "127.0.0.1" in the IP Address box. (Note: If you are using IPv6, you should also add the IPv6 localhost binding of "::1".)
   - Enter the TCP/IP port for the FTP site in the Port box. For this walk-through, choose to accept the default port of 21.
   - For this walk-through, do not use a host name, so make sure that the Virtual Host box is blank.
   - Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
   - When you have completed these items, click Next.

5. On the next page of the wizard:

   - Select Anonymous for the Authentication settings.
   - For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down, and select Read for the Permissions option.
   - When you have completed these items, click Finish.

Summary

You have successfully created a new FTP site using the new FTP service. To recap the items that you completed in this step:

1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".
2. You bound the FTP site to the local loopback address for your computer on port 21, and you chose not to use Secure Sockets Layer (SSL) for the FTP site.
3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.

Step 2: Adding Additional FTP Security Settings

Creating a new FTP site that anonymous users can browse is useful for public download sites, but web authoring is equally important. In this step, you add additional authentication and authorization settings for the administrator account. To do so, follow these steps:

1. In IIS 7 Manager, click the node for the FTP site that you created earlier, then double-click FTP Authentication to open the FTP authentication feature page.
2. When the FTP Authentication page displays, highlight Basic Authentication and then click Enable in the Actions pane.
3. In IIS 7 Manager, click the node for the FTP site to re-display the icons for all of the FTP features.
4. You must add an authorization rule so that the administrator can log in. To do so, double-click the FTP Authorization Rules icon to open the FTP authorization rules feature page.
5. When the FTP Authorization Rules page is displayed, click Add Allow Rule in the Actions pane.
6. When the Add Allow Authorization Rule dialog box displays:

   - Select Specified users, then type "administrator" in the box.
   - For Permissions, select both Read and Write.
   - When you have completed these items, click OK.

Summary

To recap the items that you completed in this step:

1. You added Basic authentication to the FTP site.
2. You added an authorization rule that allows the administrator account both "Read" and "Write" permissions for the FTP site.

Step 3: Logging in to Your FTP Site

In Step 1, you created an FTP site that anonymous users can access, and in Step 2 you added additional security settings that allow an administrator to log in. In this step, you log in first anonymously and then using your administrator account.

Note: In this step log in to your FTP site using the local administrator account. When creating the FTP site in Step 1 you bound the FTP site to the local loopback IP address. If you did not use the local loopback address, use SSL to protect your account settings. If you prefer to use a separate user account instead of the administrator account, set the correct permissions for that user account for the appropriate folders.

Logging in to your FTP site anonymously

1. On your FTP server, open a command prompt session.
2. Type the following command to connect to your FTP server:

   FTP localhost

3. When prompted for a user name, enter "anonymous".
4. When prompted for a password, enter your email address.

You should now be logged in to your FTP site anonymously. Based on the authorization rule that you added in Step 1, you should only have Read access to the content folder.

Logging in to your FTP site using your administrator account

1. On your FTP server, open a command prompt session.
2. Type the following command to connect to your FTP server:

   FTP localhost

3. When prompted for a user name, enter "administrator".
4. When prompted for a password, enter your administrator password.

You should now be logged in to your FTP site as the local administrator. Based on the authorization rule that you added in Step 2 you should have both Read and Write access to the content folder.

Summary

To recap the items that you completed in this step:

1. You logged in to your FTP site anonymously.
2. You logged in to your FTP site as the local administrator.

Creating a New FTP Site by Editing the IIS 7 Configuration Files

You can also create FTP sites for the new FTP service by editing the IIS 7 configuration files.

Note: Editing your ApplicationHost.config file requires full administrative permissions. This is best accomplished using one of two methods:

- Log in to your computer using the local "administrator" account.
- If you are logged in using an account with administrative permissions that is not the local "administrator" account, open Notepad using the "Run as Administrator" option.

Note: The above steps are required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your ApplicationHost.config file. For more information about UAC, please see the following documentation:

http://go.microsoft.com/fwlink/?LinkID=113664

The following steps walk you through all of the required settings to create a new FTP site from scratch.

1. Using a text editor such as Windows Notepad, open your ApplicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.
2. Locate the <sites> section. This section contains your Default Web Site and should begin with something like the following:

   <sites>
     <site name="Default Web Site" id="1">
       <application path="/">
         <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
       </application>
       <bindings>
         <binding protocol="http" bindingInformation="*:80:" />
       </bindings>
     </site>

3. Copy the entire section for the Default Web Site and paste it on a new line just below the closing </site> tag.
4. Change the site's settings to create a unique FTP site:

   - Modify the name and id attributes for the new site to respectively contain "Default FTP Site" and "2". Note: You may need to choose a different number than "2" for the site ID if any site is currently using that site identifier.
   - Change the value of the protocol attribute on the binding element to contain "ftp".
   - Change the physicalPath attribute to "%SystemDrive%\inetpub\ftproot".
   - Change the port value of the bindingInformation attribute to contain "21".

5. Add an <ftpServer> section beneath the closing bindings tag that will contain your authentication settings.

   <ftpServer>
     <security>
       <authentication>
         <anonymousAuthentication enabled="true" userName="IUSR" />
         <basicAuthentication enabled="true" />
       </authentication>
       <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
     </security>
   </ftpServer>

   Note: The authentication settings for FTP sites are configured at the site level, unlike authentication for Web sites, which can be configured per URL.

   Your <sites> section should now contain something similar to the following example:

   <sites>
     <site name="Default Web Site" id="1">
       <application path="/">
         <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
       </application>
       <bindings>
         <binding protocol="http" bindingInformation="*:80:" />
       </bindings>
     </site>
     <site name="Default FTP Site" id="2">
       <application path="/">
         <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" />
       </application>
       <bindings>
         <binding protocol="ftp" bindingInformation="*:21:" />
       </bindings>
       <ftpServer>
         <security>
           <authentication>
             <anonymousAuthentication enabled="true" userName="IUSR" />
             <basicAuthentication enabled="true" />
           </authentication>
           <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
         </security>
       </ftpServer>
     </site>

6. Scroll to the bottom of your ApplicationHost.config file and add a location section for your Default FTP Site that will contain your authorization settings.

   <location path="Your FTP Site Name">
     <system.ftpServer>
       <security>
         <authorization>
           <add accessType="Allow" users="*" permissions="Read" />
           <add accessType="Allow" users="administrator" permissions="Read, Write" />
         </authorization>
       </security>
     </system.ftpServer>
   </location>

   Note: In this example, the authorization settings for FTP sites are configured per URL, and these settings specifically enable Read permissions for all users, and Read/Write permissions for the administrator account.

7. Save your ApplicationHost.config file.

You should now be able to log in to your newly created FTP site using an FTP client. To use Internet Explorer anonymously on your IIS 7.0 server, enter ftp://localhost in the Internet Explorer address bar. You should be logged in and see your files anonymously; you should not be prompted for user credentials.

Summary

In this task you created an FTP site by editing the IIS 7 configuration files. To recap the items that you completed in this step:

1. You created a new FTP site by using the Default Web Site's settings as a template.
2. You configured the following authorization rules for the FTP site:

   - All users have Read permissions.
   - The administrator account has Read/Write permissions.
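Hand-editing ApplicationHost.config gives no wizard to catch a slip, so a short audit of the result is worth having. The following Python script is an added example, not a Microsoft tool and not part of this article; it parses the <sites> and <location> elements the walkthrough has you write and checks the points the walkthrough itself makes: a site with Basic authentication enabled should be bound to the loopback address (as the manager walkthrough instructs) or require SSL on the control channel, anonymous users should only get Read, and a site without a <location> authorization section lets nobody log in. The configuration fragment is constructed to match the walkthrough's finished example (with the location path filled in as "Default FTP Site" rather than the placeholder); the finding codes, the treatment of a missing <ssl> element as not requiring SSL, and the IIS convention of "*" for all users and "?" for anonymous users in authorization rules are this example's own assumptions.

```python
"""Audit the FTP settings in an applicationHost.config for weak choices.

Added example, not a Microsoft tool and not part of the original article.
Checks: Basic authentication off loopback without SslRequire, anonymous
users granted Write, and FTP sites that have no authorization rules.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "[::1]"}
ANY_USER = {"*", "?"}  # IIS rule syntax: "*" = all users, "?" = anonymous users

# Constructed fragment modelled on the walkthrough's result (not a real
# server's file); the location path is the site name rather than the placeholder.
CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default FTP Site" id="2">
        <bindings>
          <binding protocol="ftp" bindingInformation="*:21:" />
        </bindings>
        <ftpServer>
          <security>
            <authentication>
              <anonymousAuthentication enabled="true" userName="IUSR" />
              <basicAuthentication enabled="true" />
            </authentication>
            <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
  <location path="Default FTP Site">
    <system.ftpServer>
      <security>
        <authorization>
          <add accessType="Allow" users="*" permissions="Read" />
          <add accessType="Allow" users="administrator" permissions="Read, Write" />
        </authorization>
      </security>
    </system.ftpServer>
  </location>
</configuration>
"""


def _path(elem, *tags):
    """Walk direct children by tag name; None if any step is missing."""
    for tag in tags:
        elem = None if elem is None else next((c for c in elem if c.tag == tag), None)
    return elem


def _enabled(elem):
    return elem is not None and elem.get("enabled") == "true"


def ftp_bindings(site):
    """(ip, port, host) for each ftp binding; IPv6 loopback is written '[::1]:21:'."""
    bindings = _path(site, "bindings")
    if bindings is None:
        return []
    return [tuple(b.get("bindingInformation").rsplit(":", 2))
            for b in bindings if b.tag == "binding" and b.get("protocol") == "ftp"]


def authorization_rules(root, site_name):
    """<add> rules under <location path=site_name>; empty if there is no such section."""
    for loc in root.iter("location"):
        if loc.get("path") == site_name:
            authz = _path(loc, "system.ftpServer", "security", "authorization")
            return [] if authz is None else [a.attrib for a in authz if a.tag == "add"]
    return []


def audit(config_text):
    """Return (site, code, message) for every FTP site that needs attention."""
    root, findings = ET.fromstring(config_text), []
    for site in root.iter("site"):
        name, bindings = site.get("name"), ftp_bindings(site)
        if not bindings:
            continue  # plain web site: nothing FTP-related to check
        auth = _path(site, "ftpServer", "security", "authentication")
        ssl = _path(site, "ftpServer", "security", "ssl")
        # Assumption: a missing <ssl> element does not require SSL on the control channel.
        control = "SslAllow" if ssl is None else ssl.get("controlChannelPolicy", "SslAllow")
        basic_on = _enabled(_path(auth, "basicAuthentication"))
        anon_on = _enabled(_path(auth, "anonymousAuthentication"))
        for ip, port, host in bindings:
            if basic_on and ip not in LOOPBACK and control != "SslRequire":
                findings.append((name, "CLEARTEXT_BASIC", f"Basic authentication reachable on {ip}:{port}:{host} "
                                 f"with controlChannelPolicy={control}; passwords cross the network in clear text"))
        rules = authorization_rules(root, name)
        if not rules:
            findings.append((name, "NO_AUTHZ", "no <location> authorization rules, so no user can log in"))
        for rule in rules:
            perms = {p.strip() for p in rule.get("permissions", "").split(",")}
            if anon_on and rule.get("accessType") == "Allow" and rule.get("users") in ANY_USER and "Write" in perms:
                findings.append((name, "ANON_WRITE", f'users="{rule["users"]}" may Write while anonymous logon is on'))
    return findings


def bind_to_loopback(config_text):
    """The walkthrough's own fix for an administrator-only site: bind to 127.0.0.1 instead of "*"."""
    return config_text.replace('bindingInformation="*:21:"', 'bindingInformation="127.0.0.1:21:"')


if __name__ == "__main__":
    for name, code, message in audit(CONFIG):
        print(f"[{code}] {name}: {message}")
    print("after binding to loopback:", audit(bind_to_loopback(CONFIG)))
```

Run against the walkthrough's own configuration the audit reports exactly one finding: the "*:21:" binding exposes Basic authentication on every address of the server while SSL is only allowed, not required. Changing the binding to the loopback address, as the manager walkthrough does, clears it; the other remedy is controlChannelPolicy="SslRequire", which needs a certificate selected for the site (see the Using FTP Over SSL topic). The same check applies to a Web site that has had an ftp binding added, as in the next section.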



Adding FTP Publishing Using the IIS 7.0 Manager

The new FTP service makes it easy to add FTP publishing to existing sites by providing you with a wizard that walks you through all of the required steps.

Step 1: Use the FTP Site Wizard to add FTP publishing

In this first step, add FTP publishing to the Default Web Site, and add the required settings to allow the local administrator account to edit the content.

1. In IIS 7.0 Manager, in the Connections pane, expand the Sites node in the tree, then click the Default Web Site.
2. As shown in the image below, click Add FTP Publishing in the Actions pane.
3. When the Add FTP Site wizard appears:

   - Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned." Because we use the administrator later in this walk-through, you want to ensure that you restrict access to the server and enter the local loopback IP address for your computer by typing "127.0.0.1" in the IP Address box.
   - Normally, you would enter the TCP/IP port for the FTP site in the Port box. For this walk-through, choose to accept the default port of 21.
   - For this walk-through, we will not use a host name, so make sure that the Virtual Host box is blank.
   - Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
   - When you have completed these items, click Next.

4. On the next page of the wizard:

   - Select Basic for the Authentication settings.
   - For the Authorization settings:

     - Choose "Specified users" from the Allow access to drop-down
     - Type "administrator" for the user name.
     - Select Read and Write for the Permissions option.

   - When you have completed these items, click Finish.

Summary

You have successfully added FTP publishing to an existing Web site.

To recap the items that you completed in this step, we added FTP publishing to the "Default Web Site" by:

- Adding an FTP binding for the Web site for the local loopback IP address on port 21
- Choosing not to use Secure Sockets Layer (SSL) for the FTP site.
- Enabling Basic Authentication and creating an authorization rule for the local administrator account for Read and Write access.

Step 2: Logging in to your FTP site

In Step 1, you added FTP publishing to your Default Web Site and added an authorization rule that allows the local administrator account Read and Write access to your Web site's content. In this step you log in using your administrator account.

Note: When creating the FTP site in Step 1, we bound the FTP site to the local loopback IP address. If you were not using the local loopback address, use SSL to protect your account settings. If you prefer to use a separate user account instead of the administrator account, set the correct permissions for that user account for the appropriate folders.

Logging in to your FTP site using your administrator account

1. On your FTP server, open a command prompt session.
2. Type the following command to connect to your FTP server:

   FTP localhost

3. When prompted for a user name, enter "administrator".
4. When prompted for a password, enter your administrator password.

You should now be logged in to your FTP site as the local administrator. Based on the authorization rule that we added in Step 1 you should have both Read and Write access to the content folder.

Summary

To recap the items that you completed in this step:

- You logged in to your FTP site as the local administrator.

Adding FTP Publishing by Editing the IIS 7.0 Configuration Files

You can also add FTP publishing to an existing Web site by editing the IIS configuration files.

Note: Editing your applicationHost.config file requires full administrative permissions. This is best accomplished using one of two methods:

- Log in to your computer using the local "administrator" account.
- If you are logged in using an account with administrative permissions that is not the local "administrator" account, open Notepad using the "Run as Administrator" option.

Note: The above steps are required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, please see the following documentation:

http://go.microsoft.com/fwlink/?LinkID=113664

The following steps walk you through all of the required settings to add FTP publishing for the Default Web Site.

1. Using a text editor such as Windows Notepad, open your applicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.
2. Locate the section for your Default Web Site. This should resemble the following example:

   <site name="Default Web Site" id="1">
     <application path="/">
       <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
     </application>
     <bindings>
       <binding protocol="http" bindingInformation="*:80:" />
     </bindings>
   </site>

3. Create a new binding element in the bindings collection, and set the value of the protocol attribute on the new binding element to contain "ftp", then change the port value of the bindingInformation attribute to contain "21".

   Your Default Web Site's settings should now resemble the following example:

<
site

name
=
"Default Web Site"

id
=
"1">




<
application

path
=
"/">




<
virtualDirectory

path
=
"/"

physicalPath
=
"%SystemDrive%
\
inetpub
\
wwwroot"

/>




</
application
>




<
bindings
>




<
binding

protocol
=
"http"

bindingInformation
=
"*:80:"

/>




<
binding

protocol
=
"ftp"

bindingInformation
=
"*:21:"

/>




</
bindings
>


</
site
>

4. Add an ftpServer section beneath the closing bindings tag that will contain your authentication settings.

   Note: The authentication settings for FTP sites are configured at the site level, unlike authentication for web sites, which can be configured per URL.

   <ftpServer>
      <security>
         <authentication>
            <anonymousAuthentication enabled="false" />
            <basicAuthentication enabled="true" />
         </authentication>
         <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
      </security>
   </ftpServer>

   Your <sites> section should now contain something like the following example:

   <sites>
      <site name="Default Web Site" id="1">
         <application path="/">
            <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
         </application>
         <bindings>
            <binding protocol="http" bindingInformation="*:80:" />
            <binding protocol="ftp" bindingInformation="*:21:" />
         </bindings>
         <ftpServer>
            <security>
               <authentication>
                  <anonymousAuthentication enabled="false" />
                  <basicAuthentication enabled="true" />
               </authentication>
               <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
            </security>
         </ftpServer>
      </site>
   </sites>

5. Scroll to the bottom of your applicationHost.config file and add a location section for your Default Web Site that will contain your authorization settings.

   Note: As shown in this example, the authorization settings for FTP sites are configured per URL.

   <location path="Default Web Site">
      <system.ftpServer>
         <security>
            <authorization>
               <add accessType="Allow" users="administrator" permissions="Read, Write" />
            </authorization>
         </security>
      </system.ftpServer>
   </location>

6. Save your applicationHost.config file.

You should now be able to log in to your FTP-enabled site using an FTP client using the administrator account, but no other users should be able to log in.
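Steps 3 to 5 can also be applied and verified from a script. The following Python program is an added example, not code from Microsoft or from this walkthrough: it works on a constructed in-memory copy of the <sites> fragment shown above rather than on a live server (the real file is %SystemRoot%\System32\inetsrv\config\applicationHost.config, which should only be edited from an elevated session and after taking a backup), adds the ftp binding, the ftpServer security block with anonymous authentication off, and the per-site authorization rule, and then reads the result back the way an auditor would to confirm that only the intended account is allowed in.

```python
"""Add FTP publishing to an IIS site by editing applicationHost.config (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <sites> fragment in the walkthrough. On a real
# server the file is %SystemRoot%\System32\inetsrv\config\applicationHost.config.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\\inetpub\\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def find_site(root, site_name):
    """Return the <site> element with the given name."""
    for site in root.iter("site"):
        if site.get("name") == site_name:
            return site
    raise KeyError(f"site {site_name!r} not found")


def find_location(root, path):
    """Return the <location path=...> element at the end of the file, or None."""
    return next((l for l in root.findall("location") if l.get("path") == path), None)


def add_ftp_publishing(root, site_name, user, port=21):
    """Apply steps 3 to 5 to a parsed applicationHost.config tree.

    Step 3: ftp binding on `port`. Step 4: ftpServer/security with anonymous
    authentication off and basic authentication on. Step 5: a per-site
    <location> holding an Allow rule for `user`. Running it twice changes nothing.
    """
    site = find_site(root, site_name)
    bindings = site.find("bindings")
    if bindings is None:
        bindings = ET.SubElement(site, "bindings")
    info = f"*:{port}:"
    if not any(b.get("protocol") == "ftp" and b.get("bindingInformation") == info
               for b in bindings.findall("binding")):
        ET.SubElement(bindings, "binding", protocol="ftp", bindingInformation=info)

    if site.find("ftpServer") is None:
        security = ET.SubElement(ET.SubElement(site, "ftpServer"), "security")
        auth = ET.SubElement(security, "authentication")
        ET.SubElement(auth, "anonymousAuthentication", enabled="false")
        ET.SubElement(auth, "basicAuthentication", enabled="true")
        ET.SubElement(security, "ssl", controlChannelPolicy="SslAllow",
                      dataChannelPolicy="SslAllow")

    # Authorization is per URL, so it lives in a <location> at the end of the file.
    location = find_location(root, site_name)
    if location is None:
        location = ET.SubElement(root, "location", path=site_name)
    rules = location.find("system.ftpServer/security/authorization")
    if rules is None:
        sec = ET.SubElement(ET.SubElement(location, "system.ftpServer"), "security")
        rules = ET.SubElement(sec, "authorization")
    if not any(r.get("users") == user for r in rules.findall("add")):
        ET.SubElement(rules, "add", accessType="Allow", users=user, permissions="Read, Write")


def ftp_ports(root, site_name):
    """Ports of the site's ftp bindings, e.g. ['21']."""
    return [b.get("bindingInformation").split(":")[1]
            for b in find_site(root, site_name).iterfind("bindings/binding")
            if b.get("protocol") == "ftp"]


def ftp_access_summary(root, site_name):
    """(anonymous_enabled, basic_enabled, sorted allowed users) for the site."""
    site = find_site(root, site_name)
    anon = site.find("ftpServer/security/authentication/anonymousAuthentication")
    basic = site.find("ftpServer/security/authentication/basicAuthentication")
    users = []
    location = find_location(root, site_name)
    if location is not None:
        for rule in location.iterfind("system.ftpServer/security/authorization/add"):
            if rule.get("accessType") == "Allow":
                users += [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    return (anon is not None and anon.get("enabled") == "true",
            basic is not None and basic.get("enabled") == "true",
            sorted(users))


def build_demo():
    """Parse the constructed sample, apply the change twice, return the tree."""
    root = ET.fromstring(SAMPLE_CONFIG)
    add_ftp_publishing(root, "Default Web Site", "administrator")
    add_ftp_publishing(root, "Default Web Site", "administrator")  # idempotent
    return root


if __name__ == "__main__":
    tree = build_demo()
    print(ET.tostring(tree, encoding="unicode"))
    print(ftp_access_summary(tree, "Default Web Site"))
```

ElementTree drops comments and the original indentation when it serializes, so on a real server the output is a starting point to review, not a drop-in replacement for the file; the check in ftp_access_summary is the useful part to keep, since it reports the two things the walkthrough's summary promises: anonymous access off and exactly one allowed account.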

Summary

In this task you added FTP publishing to your Default Web Site by editing the IIS configuration files. To recap the items that you completed in this task:

- You added an FTP binding to the Default Web Site.

- You enabled FTP basic authentication and disabled FTP anonymous authentication for the Default Web Site.

- You configured the administrator account for Read/Write permissions for the Default Web Site.

Using FTP Over SSL

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

One of the features is FTP over Secure Sockets Layer (SSL), which allows sessions to be encrypted between an FTP client and server. This document walks you through setting up an FTP site and configuring that site to use SSL, both with the new FTP user interface and by directly editing the IIS 7.0 configuration files. It contains:

- Prerequisites

- OPTIONAL: Creating a Self-signed SSL Certificate

- Creating an SSL-enabled FTP Site Using the IIS 7.0 Manager

- Adding SSL-based FTP Publishing by Editing the IIS 7.0 Configuration Files

Note: This walk-through contains a series of steps where you log in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you must create the appropriate folders and set the correct permissions for that user account when necessary.

Prerequisites

The following items are required to be installed to complete the procedures in this article:

1. IIS 7.0 must be installed on your Windows 2008 Server, and the Internet Information Services Manager must be installed.

2. The new FTP service. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:

   - FTP 7.5 for IIS 7.0 (x64)

   - FTP 7.5 for IIS 7.0 (x86)

3. You will need to create a root folder for FTP publishing:

   - Create a folder at "%SystemDrive%\inetpub\ftproot"

   - Set the permissions to allow access for the administrators group:

      - Open a command prompt.

      - Type the following command:

        ICACLS "%SystemDrive%\inetpub\ftproot" /Grant administrators:F /T

      - Close the command prompt.

Note: The settings listed in this walkthrough specify "%SystemDrive%\inetpub\ftproot" as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you must change the site-related paths that are used throughout this walkthrough.

OPTIONAL: Creating a Self-signed SSL Certificate

In this optional task you will create a self-signed SSL certificate that you will use for testing your FTP site.

Note: If you are setting up an FTP site for Internet-based activity, you would obtain an SSL certificate from one of the many Certification Authorities, such as VeriSign, Thawte, DigiCert, etc. For more information about Certification Authorities, see the following page on the Microsoft Developer Network Web site:

http://msdn.microsoft.com/en-us/library/bb540797(VS.85).aspx

1. Open the Internet Information Services (IIS 7.0) Manager.

2. Click your computer at the top node of the Connections tree, then double-click the Server Certificates feature.

3. Click Create Self-Signed Certificate in the Actions pane.

4. Enter "My FTP Certificate" as the name for the new certificate, then click OK.


Creating an SSL-enabled FTP Site Using the IIS 7.0 Manager

Step 1: Use the FTP Site Wizard to Create an SSL-based FTP Site

In this first step, you create a new FTP site that can only be opened using your administrator account.

1. Go to IIS 7.0 Manager. In the Connections pane, click the Sites node in the tree.

2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.

3. When the Add FTP Site wizard appears:

   - Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section.

     Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.

   - Click Next.

4. On the next page of the wizard:

   - Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned." Because you will use the administrator account later in this walk-through, make sure that you restrict access to the server and enter the local loopback IP address for your computer by typing "127.0.0.1" in the IP Address box.

   - You would normally enter the TCP/IP port for the FTP site in the Port box. For this walk-through, choose to accept the default port of 21.

   - For this walk-through, you do not use a host name, so make sure that the Virtual Host box is blank.

   - Make sure that the Certificates drop-down is set to your SSL certificate. For example, if you followed the optional step to create a self-signed certificate, the drop-down box should say "My FTP Certificate".

   - Make sure that the Allow SSL option is selected.

   - Click Next.

5. On the next page of the wizard:

   - Select Basic for the Authentication settings.

   - For the Authorization settings:

      - Choose "Specified users" from the Allow access to drop-down.

      - Type "administrator" for the user name.

      - Select Read and Write for the Permissions option.

   - When you have completed these items, click Finish.

Summary

You have successfully created a new SSL-based FTP site using the new FTP service.

To recap the items that you completed in this step:

- You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".

- You bound the FTP site to the local loopback address for your computer on port 21.

- You chose to require Secure Sockets Layer (SSL) for the FTP site, and selected your SSL certificate.

- You enabled Basic Authentication and created an authorization rule for the local administrator account for Read and Write access.

Step 2: Configuring Additional FTP SSL Settings

The SSL policy for FTP is customizable on a site-by-site basis. Different settings can be specified for the control and data channels. In this step, you configure additional SSL settings for your FTP site that ensure that all user credentials are encrypted, even if all other FTP activity is not.

1. Go to the IIS 7.0 Manager. Click the node for the FTP site that you created in Step 1. The icons for all of the FTP features display.

2. In order to configure the SSL options, double-click the FTP SSL Settings icon to open the SSL settings feature page.

3. When the FTP SSL Settings page displays, select the Custom option, and then click the Advanced button.

4. When the Advanced SSL Policy dialog box is displayed:

   - Select the Require only for credentials option for the control channel.

     Note: This setting requires that all user names and passwords are encrypted via SSL, but the client can choose whether to encrypt all other control channel activity.

   - Select the Allow option for the data channel.

     Note: This setting allows the client to choose whether to encrypt any data channel activity.

   - When you have completed these items, click OK.

5. On the FTP SSL Settings page, click Apply in the Actions pane to save the SSL settings.

Summary

To recap the items that you completed in this step:

- You configured the control channel SSL policy to require that all user credentials are encrypted, and allowed FTP clients to determine whether to encrypt all other control channel activity.

- You configured the data channel SSL policy to allow FTP clients to determine whether to encrypt any data channel activity.

Logging in To Your FTP Site

In Step 1, you created an FTP site that can be accessed by the administrator account. In Step 2, you configured the control channel SSL policy to require that all user credentials are encrypted while allowing FTP clients to choose whether or not all other control channel and data channel activity is encrypted.

When logging in to the FTP server using an SSL-capable FTP client, the FTP server supports the following explicit security options:

- TLS-C/TLS: Use TLS for the connection with RFC 2228 defaults. This means that there is no implicit protection of the data connection.

- TLS-P/SSL: Use TLS for the connection. This means that the data connection is implicitly protected.

These settings can be configured when specifying the SSL connection options in most 3rd-party FTP clients.

Adding SSL-based FTP Publishing by Editing the IIS 7.0 Configuration Files

You can also add SSL-based FTP publishing to an existing Web site by editing the IIS 7.0 configuration files.

Note: Editing your applicationHost.config file requires full administrative permissions. Use one of two methods:

- Log in to your computer using the local "administrator" account.

Or

- If you are logged in using an account with administrative permissions that is not the local "administrator" account, open Notepad using the "Run as Administrator" option.

Note: One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, please see the following documentation:

http://go.microsoft.com/fwlink/?LinkId=113664

The following steps walk you through all of the required settings to add FTP publishing for the Default Web Site.

Step 1: Retrieve the Hash for your SSL Certificate:

1. In the Server Certificates feature, double-click your SSL certificate. For example, if you followed the optional step to create a self-signed certificate, you would double-click the certificate that is named "My FTP Certificate".

2. Click the Details tab.

3. Scroll through the fields until you locate the Thumbprint value.

4. Highlight the Thumbprint value; the data displays as:

   "f0 1e d2 3c b4 5a 96 78 87 69 a5 4b c3 2d e1 0f f0 1e d2 3c"

5. Copy the hex data from the text box to the clipboard. Then, open Windows Notepad and paste the data into a blank document.

   Note: You will use this information later.

Step 2: Add FTP to your Default Web Site

1. Using a text editor such as Windows Notepad, open your applicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.

2. Locate the section for your Default Web Site. It should resemble the following example:

   <site name="Default Web Site" id="1">
      <application path="/">
         <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
      </application>
      <bindings>
         <binding protocol="http" bindingInformation="*:80:" />
      </bindings>
   </site>

3. Create a new binding element in the bindings collection. Set the value of the protocol attribute on the new binding element to contain "ftp", then change the port value of the bindingInformation attribute to contain "21". Your Default Web Site's settings should now resemble the following example:

   <site name="Default Web Site" id="1">
      <application path="/">
         <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
      </application>
      <bindings>
         <binding protocol="http" bindingInformation="*:80:" />
         <binding protocol="ftp" bindingInformation="*:21:" />
      </bindings>
   </site>

4. Add an <ftpServer> section beneath the closing <bindings> tag that will contain your authentication and SSL settings.

   Note: The authentication settings for FTP sites are configured at the site level, unlike authentication for Web sites, which can be configured per URL.

   <ftpServer>
      <security>
         <authentication>
            <anonymousAuthentication enabled="false" userName="IUSR" />
            <basicAuthentication enabled="true" />
         </authentication>
         <ssl serverCertHash="" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
      </security>
   </ftpServer>

5. Copy and paste the thumbprint data from the SSL certificate into the serverCertHash attribute of the SSL element. Remove all the spaces from the thumbprint data. (Note: If you do not convert the hex data to uppercase, it will not show up in IIS Manager later.) Your Default Web Site settings should now contain something like the following example:

   <site name="Default Web Site" id="1">
      <application path="/">
         <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
      </application>
      <bindings>
         <binding protocol="http" bindingInformation="*:80:" />
         <binding protocol="ftp" bindingInformation="*:21:" />
      </bindings>
      <ftpServer>
         <security>
            <authentication>
               <anonymousAuthentication enabled="false" />
               <basicAuthentication enabled="true" />
            </authentication>
            <ssl serverCertHash="F01ED23CB45A96788769A54BC32DE10FF01ED23C" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
         </security>
      </ftpServer>
   </site>

6. Scroll to the bottom of your applicationHost.config file and add a location section for your Default Web Site that will contain your authorization settings.

   Note: As shown in this example, the authorization settings for FTP sites are configured per URL.

   <location path="Default Web Site">
      <system.ftpServer>
         <security>
            <authorization>
               <add accessType="Allow" users="administrator" permissions="Read, Write" />
            </authorization>
         </security>
      </system.ftpServer>
   </location>

7. Save your applicationHost.config file.

You should now be able to log in to your Default Web Site using an SSL-based FTP client.
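Step 5 hides a pitfall that is worth checking mechanically: the thumbprint has to be pasted without spaces and in uppercase, or the site ends up with no certificate bound and nothing in IIS Manager tells you why. The following Python is an added example, not code from Microsoft or from this walkthrough. It normalizes a thumbprint copied from the certificate dialog into the serverCertHash form and audits a site fragment's <ssl> element; the site XML is a constructed copy of the listing above, with the walkthrough's sample thumbprint rather than a real certificate. The comments name SslRequireCredentialsOnly as the configuration-file spelling of the UI's "Require only for credentials" option; that name comes from the IIS FTP schema as I know it, not from this page, as does the assumed default of SslAllow when a policy attribute is absent.

```python
"""Normalize a certificate thumbprint and audit an FTP site's SSL settings (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the finished <site> listing above; the thumbprint is the
# walkthrough's sample value, not a real certificate.
SSL_SITE = """<site name="Default Web Site" id="1">
  <bindings>
    <binding protocol="http" bindingInformation="*:80:" />
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
      <ssl serverCertHash="F01ED23CB45A96788769A54BC32DE10FF01ED23C"
           controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
    </security>
  </ftpServer>
</site>
"""

THUMBPRINT_RE = re.compile(r"[0-9A-F]{40}")  # SHA-1 thumbprint: 20 bytes as hex


def normalize_thumbprint(raw):
    """Convert the Thumbprint text copied from the certificate dialog into the
    form serverCertHash expects: no spaces, uppercase, exactly 40 hex digits.
    Raises ValueError otherwise, so a bad paste is caught before the site is
    left without a certificate."""
    cleaned = raw.strip().strip('"')
    # Drop separators and the invisible left-to-right mark (U+200E) that the
    # Windows certificate dialog is known to put in front of the copied text.
    cleaned = re.sub(r"[\s:\u200e]", "", cleaned).upper()
    if not THUMBPRINT_RE.fullmatch(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {raw!r}")
    return cleaned


def is_thumbprint(raw):
    """True when normalize_thumbprint would accept the text."""
    try:
        normalize_thumbprint(raw)
        return True
    except ValueError:
        return False


def audit_ftp_ssl(site_xml):
    """Findings for <ftpServer>/<security>/<ssl>; an empty list means a
    well-formed certificate hash and SSL required on both channels."""
    ssl = ET.fromstring(site_xml).find("ftpServer/security/ssl")
    if ssl is None:
        return ["no <ssl> element under ftpServer/security: credentials and data travel in clear text"]
    findings = []
    if not is_thumbprint(ssl.get("serverCertHash", "")):
        findings.append("serverCertHash missing or malformed: IIS will not bind a certificate")
    # Anything weaker than SslRequire leaves the choice to the client. On the
    # control channel, SslRequireCredentialsOnly (the schema name for the UI's
    # "Require only for credentials") protects the login but not the commands.
    for attr in ("controlChannelPolicy", "dataChannelPolicy"):
        policy = ssl.get(attr, "SslAllow")  # assumed default when the attribute is absent
        if policy != "SslRequire":
            findings.append(f"{attr}={policy}: this channel may be unencrypted")
    return findings


def weakened_site():
    """The same site with the data channel left negotiable, for comparison."""
    return SSL_SITE.replace('dataChannelPolicy="SslRequire"', 'dataChannelPolicy="SslAllow"')


if __name__ == "__main__":
    print(normalize_thumbprint('"f0 1e d2 3c b4 5a 96 78 87 69 a5 4b c3 2d e1 0f f0 1e d2 3c"'))
    print(audit_ftp_ssl(SSL_SITE))       # [] : nothing to report
    print(audit_ftp_ssl(weakened_site()))  # one finding on the data channel
```

Run against every <site> that carries an ftp binding, audit_ftp_ssl gives a quick inventory of which sites still accept clear-text logins after a change like the one in Step 2 of the IIS Manager procedure, which deliberately leaves the data channel at Allow.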

Summary

In this task you added SSL-based FTP publishing to your Default Web Site by editing the IIS 7.0 configuration files. To recap the items that you completed in this task:

- You added an FTP binding to the Default Web Site.

- You enabled FTP basic authentication and disabled FTP anonymous authentication for the Default Web Site.

- You configured the site to require SSL for all control channel and data channel activity.

- You configured the administrator account for Read/Write permissions for the Default Web Site.

Configuring FTP Firewall Settings

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document walks you through configuring the firewall settings for the new FTP server. It contains:

- Prerequisites

- Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication

- Step 1: Configure the Passive Port Range for the FTP Service

- Step 2: Configure the external IPv4 Address for a Specific FTP Site

- (Optional) Step 3: Configure Windows Firewall Settings

- More Information about Working with Firewalls

Prerequisites

The following items are required to be installed to complete the procedures in this article:

1. IIS 7 must be installed on your Windows 2008 Server, and Internet Information Services (IIS) Manager must be installed.

2. The new FTP service. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:

   - FTP 7.5 for IIS 7 (x64)

   - FTP 7.5 for IIS 7 (x86)

3. You must create a root folder for FTP publishing:

   - Create a folder at "%SystemDrive%\inetpub\ftproot"

   - Set the permissions to allow anonymous access:

      - Open a command prompt.

      - Type the following command:

        ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T

      - Close the command prompt.

Important Notes:

- The settings listed in this walkthrough specify "%SystemDrive%\inetpub\ftproot" as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.

- Once you have configured your firewall settings for the FTP service, you must configure your firewall software or hardware to allow connections through the firewall to your FTP server.

   - If you are using the built-in Windows Firewall, see the (Optional) Step 3: Configure Windows Firewall Settings section of this walkthrough.

   - If you are using a different firewall, please consult the documentation that was provided with your firewall software or hardware.

Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication

In this section, you create a new FTP site that can be opened for Read-only access by anonymous users. To do so, use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the Sites node in the tree.

2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.

3. When the Add FTP Site wizard appears:

   - Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section.

     Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.

   - Click Next.

4. On the next page of the wizard:

   - Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned." Because you will be accessing this FTP site remotely, make sure that you do not restrict access to the local server by entering the local loopback IP address for your computer ("127.0.0.1") in the IP Address box.

   - You would normally enter the TCP/IP port for the FTP site in the Port box. For this walk-through, you will choose to accept the default port of 21.

   - For this walkthrough, you do not use a host name, so make sure that the Virtual Host box is blank.

   - Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.

   - Click Next.

5. On the next page of the wizard:

   - Select Anonymous for the Authentication settings.

   - For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down. Select Read for the Permissions option.

   - Click Finish.

6. Go to IIS 7 Manager. Click the node for the FTP site that you created. The icons for all of the FTP features display.

Summary

To recap the items that you completed in this step:

1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".

2. You bound the FTP site to the local loopback address for your computer on port 21, choosing not to use Secure Sockets Layer (SSL) for the FTP site.

3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.

Step 1: Configure the Passive Port Range for the FTP Service

In this section, you configure the server-level port range for passive connections to the FTP service. Use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the server-level node in the tree.

2. Double-click the FTP Firewall Support icon in the list of features.

3. Enter a range of values for the Data Channel Port Range.

4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)

2. You can enter a special port range of "0-0" to configure the FTP server to use the Windows TCP/IP dynamic port range.

3. For additional information, please see the following Microsoft Knowledge Base articles:

   - 174904: Information about TCP/IP port assignments

   - 929851: The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

4. This port range will need to be added to the allowed settings for your firewall server.

Step 2: Configure the external IPv4 Address for a Specific FTP Site

In this section, you configure the external IPv4 address for the specific FTP site that you created earlier. Use the following steps:

1. Go to IIS 7 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.

2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.

3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

Summary

To recap the items that you completed in this step:

1. You configured the passive port range for your FTP service.

2. You configured the external IPv4 address for a specific FTP site.

(Optional) Step 3: Configure Windows Firewall Settings

Windows Server 2008 contains a built-in firewall service to help secure your server from network threats. If you choose to use the built-in Windows Firewall, you will need to configure your settings so that FTP traffic can pass through the firewall.

There are a few different configurations to consider when using the FTP service with the Windows Firewall: whether you will use active or passive FTP connections, and whether you will use unencrypted FTP or FTP over SSL (FTPS). Each of these configurations is described below.

Note: You will need to make sure that you follow the steps in this section of the walkthrough while logged in as an administrator. This can be accomplished by one of the following methods:

- Logging in to your server using the actual account named "Administrator".

- Logging on using an account with administrator privileges and opening a command prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting "Run as administrator".

One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents administrator access to your firewall settings. For more information about UAC, please see the following documentation:

http://go.microsoft.com/fwlink/?LinkId=113664

Note: While Windows Firewall can be configured using the Windows Firewall applet in the Windows Control Panel, that utility does not have the required features to enable all of the features for FTP. The Windows Firewall with Advanced Security utility that is located under Administrative Tools in the Windows Control Panel has all of the required features to enable the FTP features, but in the interests of simplicity this walkthrough will describe how to use the command-line Netsh.exe utility to configure the Windows Firewall.

Using Windows Firewall with non-secure FTP traffic

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.

2. To open port 21 on the firewall, type the following syntax then hit enter:

   netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21

3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:

   netsh advfirewall set global StatefulFtp enable

Important Notes:

- Active FTP connections are not necessarily covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.

- FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)

Using Windows Firewall with secure FTP over SSL (FTPS) traffic

The stateful FTP packet inspection in Windows Firewall will most likely prevent SSL from working because the Windows Firewall filter for stateful FTP inspection will not be able to parse the encrypted traffic that would establish the data connection. Because of this behavior, you will need to configure your Windows Firewall settings for FTP differently if you intend to use FTP over SSL (FTPS). The easiest way to configure Windows Firewall to allow FTPS traffic is to list the FTP service on the inbound exception list. The full service name is the "Microsoft FTP Service", and the short service name is "ftpsvc". (The FTP service is hosted in a generic service process host (Svchost.exe), so it is not possible to put it on the exception list through a program exception.)

To configure Windows Firewall to allow secure FTP over SSL (FTPS) traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.

2. To configure the firewall to allow the FTP service to listen on all ports that it opens, type the following syntax then hit enter:

   netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in

3. To disable stateful FTP filtering so that Windows Firewall will not block FTP traffic, type the following syntax then hit enter:

   netsh advfirewall set global StatefulFtp disable

More Information about Working with F
irewalls

It is often challenging to create firewall rules for FTP server to work correctly, and the root cause for this
challenge lies in the FTP protocol architecture. Each FTP client requires two connections to be maintained between
client and server:



FT
P commands are transferred over a primary connection called the
Control Channel
, which is typically the well
-
known FTP port 21.



FTP data transfers, such as directory listings or file upload/download, require a secondary connection called
Data
Channel
.

Open
ing port 21 in a firewall is an easy task, but this means that an FTP client will only be able to send
commands, not transfer data. This means that the client will be able to use the Control Channel to successfully
authenticate and create or delete directo
ries, but the client will not be able to see directory listings or be able to
upload/download files. This is because data connections for FTP server are not allowed to pass through the
firewall until the Data Channel has been allowed through the firewall.

Note
: This may appear confusing to an FTP client, because the client will seem to be able to successfully log in to
the server, but the connection may appear to timeout or stop responding when attempting to retrieve a directory
listing from the server.

The

challenges of working with FTP and firewalls doesn't end with the requirement of a secondary data
connection; to complicate things even more, there are actually two different ways on how to establish data
connection:



Active Data Connections
: In an active
data connection, an FTP client sets up a port for data channel listening and
the server initiates a connection to the port; this is typically from the server's port 20. Active data connections
used to be the default way of connecting to FTP server; however
, active data connections are no longer
recommended because they do not work well in Internet scenarios.



Passive Data Connections
: In a passive data connection, an FTP server sets up a port for data channel listening
and the client initiates a connection t
o the port. Passive connections work much better in Internet scenarios and
recommended by
RFC 1579 (Firewall
-
Friendly FTP)
.

Note
: Some FTP clients require explicit action to enable passive con
nections, and some clients don't even support
passive connections. (One such example is command
-
line Ftp.exe utility that ships with Windows.) To add to the
confusion, some clients attempt to intelligently alternate between the two modes when network error
s happen,
but unfortunately this does not always work.

Some firewalls try to remedy problems with data connections with built-in filters that scan FTP traffic and dynamically allow data connections through the firewall. These firewall filters are able to detect what ports are going to be used for data transfers and temporarily open them on the firewall so that clients can open data connections. (Some firewalls may enable filtering FTP traffic by default, but it is not always the case.) This type of filtering is known as a type of Stateful Packet Inspection (SPI) or Stateful Inspection, meaning that the firewall is capable of intelligently determining the type of traffic and dynamically choosing how to respond. Many firewalls now employ these features, including the built-in Windows Firewall.
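The following Python script is an added example, not code from the original page or from Microsoft's FTP service. It makes the active/passive distinction above concrete and models what an FTP-aware stateful filter has to do: read the control channel, work out from PORT/EPRT or PASV/EPSV which side will listen and which side will connect, and open only that endpoint temporarily. The control-channel lines, addresses and ports are constructed for the example; the hostname-mismatch and malformed-tuple checks are defensive choices of this example, not a description of any particular firewall.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample control-channel exchanges (not captured from a real server).
# "C" = client -> server, "S" = server -> client.
SAMPLE_ACTIVE: List[Tuple[str, str]] = [
    ("C", "PORT 192,168,1,10,200,8"),
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
]
SAMPLE_PASSIVE: List[Tuple[str, str]] = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,195,80)."),
    ("C", "LIST"),
]


@dataclass(frozen=True)
class DataChannel:
    """Where the data connection will land and which side opens it."""
    mode: str       # "active" (PORT/EPRT) or "passive" (PASV/EPSV)
    listener: str   # side that opens a listening port: "client" or "server"
    initiator: str  # side that makes the outbound TCP connection
    host: str       # address the initiator connects to
    port: int       # TCP port the initiator connects to


_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the RFC 959 'h1,h2,h3,h4,p1,p2' form into (host, port), rejecting bogus values."""
    octets = [int(g) for g in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("malformed host/port tuple: %r" % (groups,))
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ".".join(str(o) for o in octets), port


def parse_data_channel(direction: str, line: str,
                       control_peer: Optional[str] = None) -> Optional[DataChannel]:
    """Return a DataChannel if this control-channel line announces a data endpoint.

    direction is "C" or "S"; control_peer is the address of the other end of the
    control connection, needed for EPSV, which only announces a port.
    """
    line = line.strip()
    if direction == "C":
        m = _PORT_RE.match(line)
        if m:
            host, port = _decode_hostport(m.groups())
            return DataChannel("active", "client", "server", host, port)
        m = _EPRT_RE.match(line)
        if m:
            return DataChannel("active", "client", "server", m.group(1), int(m.group(2)))
    elif direction == "S":
        m = _PASV_RE.match(line)
        if m:
            host, port = _decode_hostport(m.groups())
            return DataChannel("passive", "server", "client", host, port)
        m = _EPSV_RE.match(line)
        if m:
            if control_peer is None:
                raise ValueError("EPSV reply needs the control-connection peer address")
            return DataChannel("passive", "server", "client", control_peer, int(m.group(1)))
    return None


def firewall_pinholes(session: List[Tuple[str, str]],
                      control_peer: Optional[str] = None) -> List[DataChannel]:
    """Model an FTP-aware stateful filter: read the control channel and collect the
    data endpoints it would temporarily open. A PASV reply naming a host other than
    the control peer is refused, so the filter never opens a hole towards a third party."""
    holes = []
    for direction, line in session:
        ch = parse_data_channel(direction, line, control_peer)
        if ch is None:
            continue
        if ch.mode == "passive" and control_peer and ch.host != control_peer:
            raise ValueError("PASV reply %s does not match control peer %s" % (ch.host, control_peer))
        holes.append(ch)
    return holes


if __name__ == "__main__":
    for name, session, peer in (("active", SAMPLE_ACTIVE, None),
                                ("passive", SAMPLE_PASSIVE, "203.0.113.5")):
        for ch in firewall_pinholes(session, peer):
            print("%s: %s listens, %s connects to %s:%d"
                  % (name, ch.listener, ch.initiator, ch.host, ch.port))
```

Running the script prints one line per sample session: in the active exchange the client listens on 192.168.1.10:51208 and the server connects to it (which is exactly the inbound connection a client-side firewall blocks), while in the passive exchange the server listens on 203.0.113.5:50000 and the client connects out, which is why passive mode survives NAT and client-side firewalls. A filter that cannot see the control channel, for example because it is protected by SSL, has nothing to parse and cannot open the pinhole, which is the situation the FTP firewall settings in this document address.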

For information regarding Microsoft's Windows Firewall software, please see the following topics on Microsoft's web sites:

Windows Firewall FAQ

TechNet Webcast: Windows Firewall with Advanced Security (Level 200)

Configuring FTP 7.5 User Isolation

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document will walk you through the various FTP user isolation settings using the new FTP user interface and
by directly editing the IIS configuration files.

Note: This walk-through contains a series of steps where you will be logging in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.

In this walkthrough

Using the FTP Site Wizard to Create an FTP site

Examining the New FTP User Isolation Settings

Configuring User Isolation Settings by Physical Directories

Configuring User Isolation Settings for All Directories

Prerequisites

The following items are required to complete the procedures in this article:

1. IIS 7 must be installed on your Windows Server 2008 RC0 server, and the Internet Information Services Manager must be installed.

2. The new FTP service must be installed. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:

FTP for IIS 7 (x64)

FTP for IIS 7 (x86)


3. You will need to create a root folder for FTP publishing:

Create a folder at "%SystemDrive%\inetpub\ftproot"

Set the permissions to allow anonymous access:

Open a command prompt.

Type the following command:

ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T

Close the command prompt.

4. You will need to create additional content folders:

Create a folder at "%SystemDrive%\inetpub\ftproot\LocalUser\Public"



Create a folder at "%SystemDrive%