Re: FTP users and their Websites, security ?



On Wed, 8 Jun 2005 19:55:05 -0700, "John"
<John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Thanks also to Bernard for replying and confirming my initial post. :)
>
>Jeff-
>You wrote: "You need to allow anonymous FTP access to the web folder? Then
>you have serious security problems and need to rethink your strategies."
>
>Of course this is not desirable, that's the whole point. The Web Folder IS
>THE FTP Virtual Folder used by my user JoeFTPUser, enabling his making
>changes to his website. As you know, a Virtual Folder's Property/Permissions
>are really for the real target physical folder, think 'Shortcut'. If I
>restrict access to the FTP Virtual Folder then I'm restricting also the Web
>folder.

I may have assumed too much here, but are you not using user isolation
in FTP? That's what keeps the anonymous user out of JoeFTPUser's home
directory, where the virtual directory pointing to the web site
resides. In addition, do you need anonymous FTP access at all? If
you don't allow anonymous in FTP, then this isn't an issue either.

>I'm just trying to figure how to DISallow anonymous FTP access to the
>Virtual Folder/web folder... And maybe Bernard is right that I may need to
>change the Local Account defined for Anonymous FTP access to something other
>than IUSR_WEBBOX. I'm just a little hesitant about trying this change of the
>Local Account, god (and maybe Bill) only knows what I'll break. I'll have to
>thoroughly review what Permissions IUSR_WEBBOX has now and try to duplicate
>them for a New Local Account which I'll then change to in IIS Admin FTP.
>Anybody happen to know how to create a new Local Account as a Duplicate of an
>existing one?
>
>Jeff - You also indicated that maybe my setup is all wrong. Can you
>suggest an alternative way for my user JoeFTPUser to be able to make changes to
>his own website pages? Joe is a typical Web user, not part of our company
>per se, no domain shares, RDC is I think not a good alternate approach, etc.
> I just assumed that the common method for most was FTP Login via IE6
>browser, post/modify your pages, seems easy enough, and it works.

FTP is the perfect method. You may want to look at:

How To Limit Access to a FTP Site in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816525

INFO: FTP Site Administration Documentation in IIS 6.0:
http://support.microsoft.com/default.aspx?scid=kb;en-us;814865

Normally, you would not allow anonymous connections to a site used for
managing web files. You can have multiple sites, so if you need
anonymous access you can create a second FTP site for that purpose.

Jeff



>Thanks, John
>
>
>"Jeff Cochran" wrote:
>> On Tue, 7 Jun 2005 20:28:01 -0700, "John"
>> <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> >My new FTP user is successfully updating their own website on our IIS 6 box.
>> >I followed what I think are the well published procedures to make it happen.
>> >
>> >- New Windows Level User: JoeFTPUser (no group memberships, just FTP)
>> >- New Folder: C:\Inetpub\ftproot\LocalUser\JoeFTPUser
>> >- New Folder: C:\Inetpub\ftproot\LocalUser\JoeFTPUser\JoeWebsite
>> >- New Virtual Folder "JoeWebSite" which points to
>> > C:\Inetpub\wwwroot\JoeWebsite
>> >- Full Control permissions for JoeFTPUser to the Virtual Folder.
>> >
>> >So far so good. Joe is able to upload changes to his website without any
>> >assistance, and website visitors see his changes immediately.
>> >
>> >Only Problem: How to restrict Anonymous ftp access to
>> >ftp://ftp.WebBox.com/JoeWebSite ?? Anonymous users, if they know this path
>> >name, can view all of his files, including default.asp. We need to continue
>> >to allow general usage Anonymous FTP access.
>>
>> You need to allow anonymous FTP access to the web folder? Then you
>> have serious security problems and need to rethink your strategies.
>>
>> >I tried to change/restrict the permission for IUSER_WEBBOX of the ftp
>> >Virtual Folder and quickly learned the hard way about how this really is the
>> >permissions for the target folder, thus rendering the website 550 access
>> >denied for web surfing visitors.
>> >
>> >THE QUESTION: Is there a way to Restrict anonymous FTP folder viewing when
>> >that folder is a virtual folder pointing to a website which needs public
>> >access??
>>
>> Ummm.... No. But you haven't convinced me that you *need* this
>> setup.
>>
>> >I must be missing something simple! Please tell me! I got to believe
>> >that many small shops like ours have users modify their websites via ftp,
>> >hopefully everyone is not exposing their users source code web pages.
>>
>> None that stay in business. :)
>>
>> >One thought I had was to change the FTP Anonymous account from IUSER_WEBBOX
>> >to something else like IUSERFTP_WEBBOX, and restrict that UserID's permissions,
>> >hopefully not messing with IUSER_WEBBOX and his normal http visitors. I'm
>> >assuming that ftp:// visitors are gaining read access via the same built in
>> >IUSER_WEBBOX user account as http:// visitors. Please correct me if I'm
>> >wrong.
>>
>> That's one way. Another is not to provide anonymous FTP access to the
>> web folders. Why do you believe you need to provide that access?
>>
>> Jeff
>>
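
Added example, not part of the original posts: because the FTP virtual folder and the website share one physical folder, the same NTFS ACL decides what both HTTP and anonymous FTP visitors can read. This read-only PowerShell audit lists the ACEs on that folder that grant read to the anonymous FTP identity; the MACHINE\account form of the name and the group list are assumptions to adjust for your server.

```powershell
# Added example, not from the thread. Read-only audit: lists the NTFS ACEs on a
# web content folder that let an anonymous FTP identity read the files in it.
param(
    [string]$WebFolder   = 'C:\Inetpub\wwwroot\JoeWebsite',  # path from the thread
    [string]$FtpAnonUser = 'WEBBOX\IUSR_WEBBOX'              # assumed MACHINE\account form
)

# Assumption: principals the anonymous account may also match through group
# membership. Adjust to the groups the account really belongs to.
$principals = @($FtpAnonUser, 'Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
                'NT AUTHORITY\Authenticated Users')

# ReadData (0x1) is the file-read bit. GENERIC_READ (0x80000000) may show up as
# a raw generic bit on some ACEs; as a signed 32-bit value it is [int]::MinValue.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor [int]::MinValue

function Get-ReadAce {
    param([string]$Path, [string[]]$Principal)
    # Keep only ACEs for the listed principals that carry a read bit.
    (Get-Acl -Path $Path).Access | Where-Object {
        ($Principal -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band $readMask) -ne 0)
    }
}

$aces  = @(Get-ReadAce -Path $WebFolder -Principal $principals)
$allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
$deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

$aces | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

if ($deny.Count -gt 0) {
    "Deny ACE(s) present for a listed principal; review them alongside the Allow entries."
} elseif ($allow.Count -gt 0) {
    "Allow-read ACE(s) found: anonymous FTP can read this folder if an FTP virtual directory exposes it."
} else {
    "No matching read ACE found for the listed principals."
}
```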
