
Running IIS, and question about the ftp site option

DeadSeaSquirrels

Senior member
Ok, I am running IIS just as a newbie and messing around to see if I can get my learn on.
I have a question about the FTP server option though. If you go to the Computer Management->Internet Information Services->FTP Properties, there is an option to "allow anonymous connections," well I don't want to allow anonymous connections, but if I uncheck that box, it says my passwords will be sent unencrypted. I am confused because I don't see how allowing anonymous connections should in any way decide whether or not to encrypt my passwords sent over the net...So I am guessing I am misunderstanding this. Can somebody explain?
 
When you allow anonymous connections, IIS will use the "IUSR_<computername>" account to authenticate any user automatically. It does this locally (or within the domain if that is your case), and hence, no credentials are passed over a public line.

When you clear the allow anonymous connections box, the FTP site will always ask for a username and password upon connection attempt. When the connecting user sends that username and password, it does so in plaintext only if you use Basic authentication. If you want to strengthen that up, there are a number of methods to do so.

Here's a link that explains the various methods and when you might want to use one over the other:

Link

Also, do yourself a favour and patch the machine all the way up before you expose any of it to the internet. If your IIS isn't patched up, you *will* get hit by Nimda or Code Red.
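An added example, not part of the original thread: a small checker that reads an FTP control-channel transcript and reports whether the login was anonymous (the case IIS maps to the IUSR account) and whether a named account's password was sent before TLS was negotiated. The transcripts, the account name `alice` and the function name `audit_ftp_login` are constructed for illustration.

```python
# Added example. Transcripts are constructed, not captured traffic.
# "C:" = client line, "S:" = server line on the FTP control channel.
ANON_NAMES = {"anonymous", "ftp"}

def audit_ftp_login(transcript):
    """Classify the login in one control-channel transcript."""
    tls_requested = tls_active = False
    finding = {"user": None, "anonymous": False, "cleartext_password": False}
    for line in transcript.strip().splitlines():
        side, _, text = line.strip().partition(": ")
        verb, _, arg = text.partition(" ")
        if side == "C":
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb == "USER":
                finding["user"] = arg
                finding["anonymous"] = arg.lower() in ANON_NAMES
            elif verb == "PASS":
                # The anonymous "password" is a courtesy string, not a secret;
                # a named account's password sent before TLS is readable in transit.
                finding["cleartext_password"] = (
                    not tls_active and not finding["anonymous"])
        elif side == "S":
            # 234 = server accepted AUTH; the TLS handshake follows it.
            tls_active = tls_active or (tls_requested and verb == "234")
            tls_requested = False
    return finding

ANON = """
S: 220 FTP service ready
C: USER anonymous
S: 331 Anonymous access allowed, send identity as password.
C: PASS guest@example.com
S: 230 Anonymous user logged in.
"""
NAMED_PLAIN = """
S: 220 FTP service ready
C: USER alice
S: 331 Password required for alice.
C: PASS constructed-password
S: 230 User alice logged in.
"""
# Logical view: after the 234 reply these lines travel inside TLS.
NAMED_TLS = NAMED_PLAIN.replace(
    "C: USER", "C: AUTH TLS\nS: 234 AUTH command ok\nC: USER", 1)

if __name__ == "__main__":
    for name, t in (("anon", ANON), ("plain", NAMED_PLAIN), ("tls", NAMED_TLS)):
        print(name, audit_ftp_login(t))
```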
 
How do I make sure that I am totally patched up. I mean I ran the windows update, and I remember seeing something for IIS security, but there was a lot of stuff that didn't say specifically for IIS, and I just took those off, because I didn't want to upgrade my Media Player or some other crap like that. Is there a way to check my IIS version or patch version?
 
Just make sure you've installed the latest IIS security Roll-up.

If you go to Windows update from the IIS machine and it isn't listed as a critical patch, you're good to go.

Service Pack 3 will also do the same trick, in regard to Nimda and Code Red protection.
 
Thanks for the help, I still have one confusion though. You wrote:
"IIS will use the "IUSR_<computername>" account to authenticate any user automatically" [when logged in as anonymous]

so if somebody tries to log in to my FTP server as anonymous (no password let's say), how is IIS using the IUSR_<computername> account to authenticate anything? I mean if somebody is saying "I want to get a handle to your FTP server, but I'm not telling you who I am," how does IIS "authenticate" who they don't know?

Also do you have any idea how IIS uses the IUSR_<Computername> to do this authentication. I'm just really interested. What exactly is in this IUSR... thing? Thanks for all your help.

P.S. If you know this, it would be great. I am trying to learn IIS because I want to learn ASPs and JSP and other J2EE stuff, I was wondering if you know if IIS runs servlets and JSP? I read somewhere that IIS doesn't and that you need to get some sort of wrapper Java API package from Microsoft to make it work with servlets. The article was hella old, so I don't know if that still applies or what, but I've been trying to get information on this for quite a while with no success.

 
Basically, an outside person connects to your FTP site by surfing in to the URL.

IIS treats said person as if they had connected with the IUSR account. They get the same permissions and abilities the account has on the site.

As for how the authentication occurs, it really depends on the environment. Generally, it's a local account so all authentication takes place against the local SAM (Security Account Manager).

For FTP, you would want to avoid allowing anonymous connections most likely. Anonymous connections are best suited toward a public web site where you need to allow people to connect and read/browse without troubling them with authentication.

As for your servlets question, I'm really not the best guy to answer that. I know how to administer IIS and secure it; set it up to deliver content and stuff. The actual content is usually handled by my Web guys. I'm trying to get better at web design as well, but it doesn't interest me as much as network administrations.
 
Thanks for the info. For some reason, I've been having a real hard time finding people who do a lot of servlets, JSPs, and are willing to talk a newbie through some questions. But I'll keep poking around.
 
There are JSP servers that will run with IIS. Macromedia's JRun has built-in support (but it's not free). You can also get Tomcat to work with IIS by hacking around with it (it's designed for Apache, however).

Another option is to use Sun's freely available Application Server. It has its own web server built-in (so you'll disable IIS when you run it), but it should let you play around with JSP and servlets.
 
Yeah I just downloaded the Sun App server, it was free.

But I was going to ask if anybody knew any details about it, if it was easy to use, if it was secure? all that kind of stuff. Any thoughts?

I've been asking this a lot also, but I guess I'll toss this out to anybody as well. Does anybody know what kind of server comes with J2EE SDK? They have a server that comes with it, presumably something that will let you run all the J2EE platform stuff, is it cloudscape, tomcat?
 