Re: FTP users and their Websites, security ?



Thanks also to Bernard for replying and confirming my initial post. :)

Jeff-
You wrote: "You need to allow anonymous FTP access to the web folder? Then
you have serious security problems and need to rethink your strategies."

Of course this is not desirable, that's the whole point. The Web Folder IS
THE FTP Virtual Folder used by my user JoeFTPUser, enabling his making
changes to his website. As you know, a Virtual Folder's Property/Permissions
are really for the real target physical folder, think 'Shortcut'. If I
restrict access to the FTP Virtual Folder then I'm restricting also the Web
folder.

I'm just trying to figure how to DISallow anonymous FTP access to the
Virtual Folder/web folder... And maybe Bernard is right that I may need to
change the Local Account defined for Anonymous FTP access to something other
than IUSR_WEBBOX. I'm just a little hesitant about trying this change of the
Local Account, god (and maybe Bill) only knows what I'll break. I'll have to
thoroughly review what Permissions IUSR_WEBBOX has now and try to duplicate
them for a New Local Account which I'll then change to in IIS Admin FTP.
Anybody happen to know how to create a new Local Account as a Duplicate of an
existing one?

Jeff - You also indicated that maybe my setup is all wrong. Can you
suggest an alternative way for my user JoeFTPUser to be able to make changes to
his own website pages? Joe is a typical Web user, not part of our company
per se, no domain shares, RDC is I think not a good alternate approach, etc.
I just assumed that the common method for most was FTP Login via IE6
browser, post/modify your pages, seems easy enough, and it works.

Thanks, John


"Jeff Cochran" wrote:
> On Tue, 7 Jun 2005 20:28:01 -0700, "John"
> <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> >My new FTP user is successfully updating their own website on our IIS 6 box.
> >I followed what I think are the well published procedures to make it happen.
> >
> >- New Windows Level User: JoeFTPUser (no group memberships, just FTP)
> >- New Folder: C:\Inetpub\ftproot\LocalUser\JoeFTPUser
> >- New Folder: C:\Inetpub\ftproot\LocalUser\JoeFTPUser\JoeWebsite
> >- New Virtual Folder "JoeWebSite" which points to
> > C:\Inetpub\wwwroot\JoeWebsite
> >- Full Control permissions for JoeFTPUser to the Virtual Folder.
> >
> >So far so good. Joe is able to upload changes to his website without any
> >assistance, and website visitors see his changes immediately.
> >
> >Only Problem: How to restrict Anonymous ftp access to
> >ftp://ftp.WebBox.com/JoeWebSite ?? Anonymous users, if they know this path
> >name, can view all of his files, including default.asp. We need to continue
> >to allow general usage Anonymous FTP access.
>
> You need to allow anonymous FTP access to the web folder? Then you
> have serious security problems and need to rethink your strategies.
>
> >I tried to change/restrict the permission for IUSER_WEBBOX of the ftp
> >Virtual Folder and quickly learned the hard way about how this really is the
> >permissions for the target folder, thus rendering the website 550 access
> >denied for web surfing visitors.
> >
> >THE QUESTION: Is there a way to Restrict anonymous FTP folder viewing when
> >that folder is a virtual folder pointing to a website which needs public
> >access??
>
> Ummm.... No. But you haven't convinced me that you *need* this
> setup.
>
> >I must be missing something simple! Please tell me! I got to believe
> >that many small shops like ours have users modify their websites via ftp,
> >hopefully everyone is not exposing their users source code web pages.
>
> None that stay in business. :)
>
> >One thought I had was to change the FTP Anonymous account from IUSER_WEBBOX
> >to something else like IUSERFTP_WEBBOX, and restrict that UserID's permissions,
> >hopefully not messing with IUSER_WEBBOX and his normal http visitors. I'm
> >assuming that ftp:// visitors are gaining read access via the same built in
> >IUSER_WEBBOX user account as http:// visitors. Please correct me if I'm
> >wrong.
>
> That's one way. Another is not to provide anonymous FTP access to the
> web folders. Why do you believe you need to provide that access?
>
> Jeff
>
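
The separate-anonymous-account approach discussed in this thread, sketched as an added example that is not part of either poster's message. It assumes the FTP site has metabase ID 1, that adsutil.vbs is in its default AdminScripts folder, and it reuses the account name IUSERFTP_WEBBOX floated in the post; run it from an administrator command prompt on the IIS 6 box.

```bat
@echo off
rem Added example, not from the thread. Assumptions: FTP site ID 1,
rem adsutil.vbs in the default AdminScripts folder, account name as below.
setlocal
set FTPANON=IUSERFTP_WEBBOX
set WEBDIR=C:\Inetpub\wwwroot\JoeWebsite
set ADSUTIL=C:\Inetpub\AdminScripts\adsutil.vbs

rem 1. Create a dedicated local account for anonymous FTP only.
rem    "*" prompts for the password so it never appears on the command line.
rem    A new local account lands in the Users group; check that it also
rem    holds whatever logon right IUSR_WEBBOX has in Local Security Policy.
net user %FTPANON% * /add /passwordchg:no /comment:"Anonymous FTP only"
if errorlevel 1 goto :fail

rem 2. Point the FTP site (not the web site) at the new account and stop
rem    IIS from trying to manage its password.
cscript //nologo %ADSUTIL% set MSFTPSVC/1/AnonymousPasswordSync FALSE
if errorlevel 1 goto :fail
cscript //nologo %ADSUTIL% set MSFTPSVC/1/AnonymousUserName "%FTPANON%"
if errorlevel 1 goto :fail
rem    Enter the matching password on the FTP site's Security Accounts tab
rem    in IIS Manager (stored as AnonymousUserPass).

rem 3. Explicitly deny the FTP anonymous account on the physical web folder.
rem    /E edits the existing ACL, /T covers existing files and subfolders,
rem    /D denies the named account. IUSR_WEBBOX and JoeFTPUser are untouched.
cacls "%WEBDIR%" /T /E /D %FTPANON%
if errorlevel 1 goto :fail

rem 4. Restart FTP so the new anonymous identity is used, then show the ACL
rem    so the deny entry can be confirmed by eye.
net stop msftpsvc
net start msftpsvc
cacls "%WEBDIR%"
echo Done. Test: anonymous FTP to /JoeWebSite should now fail with 550,
echo while http:// visitors and JoeFTPUser keep working.
goto :eof

:fail
echo A step failed; nothing further was changed. Review the output above.
exit /b 1
```

Because HTTP visitors still run as IUSR_WEBBOX, the deny entry only affects the anonymous FTP identity, which is what lets the same physical folder stay public over the web while being closed to anonymous FTP.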