W2K FTP Security Problem - Help needed!

[blstriker]

I have a webserver at school streaming audio running win2k advanced server sp1 with IIS 5.0. I administer the webpages through ftp from home. The problem I have is with the security of FTP. I want to make it so that nobody except myself can have FTP access. In the IIS control panel, I disabled anonymous connections, however, anybody who has an account on the server can still log into ftp even though I have their accounts setup in the "user" and "guest" grouping. How do I configure IIS so that only people in the "Administrator" group have access to FTP. I've tried every setting and it still allows "users" and "guests" to connect via FTP. Since I am managing the website via ftp, "write" is enabled so even the users and guest can create and delete material on the website.

Thanks for your help!

 

[tim0thy]

i'm studying for my IIS4 certification, so don't know much about IIS5, but...

isn't there a setting in there where you can allow or disregard who can log in by IP? You can use that.

 

[tim0thy]

ok, *looking at my IIS4 server here on test network*... (sorry assed p100 running NT4, IIS4, IE5 LOL )

You can Deny Access except to your IP mask under Directory Security.

You can change the default TCP port as well and not let anybody know, that's another way.

 

[Wizkid]

OR... only give permission on the files in all the directories that are accessed via ftp to Administrators and IUSR_whatever...

 

[tim0thy]

The problem is that he is the only person that wants to have access and there is more than one administrator. So that's not really a viable solution. (You can't delete Administrator)

 

[tim0thy]

oops... i meant you can't delete the Administrator GROUP... my mistake... i actually tried doing this already...

 

[blstriker]

For "FTP Site Operators" only Administrators is there. However, people with plain "user" and "guest" accounts can still ftp and read and write to the webpage. Apparently and "operator" isn't the same as a plain ftp user. I've isolated the ip to my dsl line so there's some security, but now i can't access the ftp site from other computers which is kind of limiting. Thanks for all the great help so far.

 

[WoundedWallet]

Hmmm... This is how I have.

I have a main ftp folder where the administrators and the users can log in(users can list and read). So far it seems that's what you have too.

Next I have individual folders where only determined users and the administrator group have permissions.

What this does is that any user can see all the other users' folders but they can only get inside their own folder.

Is this what you asking?

 

[blstriker]

Sound very similar. How do you control who can control which folders? Is this done using NTFS permissions? I'd like to be able to control it via ftp server settings if possible. Can I set it up so that "user" and "guests" can read but not write to ftp? I only want administrators to be able to write to ftp (upload) Thanks..

 

[WoundedWallet]

Yes, it is thru NTFS permissions.

I don't think W2k ftp server allows you too much configuration. So if for some reason you can't setup NTFS permissions, then try using another ftp server like War or similar.

WW

 

[tim0thy]

I thought you were doing this through IIS? Not just normal FTP... *confused??!*

<edit> nm, you guys are talking about setting the permissions down to the file/directory levels </edit>

 

[blstriker]

Yes, I am using regular IIS 5.0 ftp service. However, I can't control the NTFS permissions through IIS 5.0, I would have to physically be at the server.

 

[ucdnam]

If you have Win2k Advanced Server, you can log onto it via Terminal Services Client. It's quick and it'll be like you're there. You can set permissions that way. Win2k advanced server comes with terminal service. Find out if you've got it installed.

 

[blstriker]

Thanks for the tip, I'll check it out.