Professional Documents
Culture Documents
Page 1 of 36
•
•
•
Train Signal
find training
• Home
• |
• Free Computer Training Videos
• |
• Certification Info & Resources
• |
• Forums
•
• Contact
• |
• About
As I wrote in the article Installing FTP 7 on IIS 7.0, Microsoft completely rewrote
the FTP service code for Server 2008.
Included in this update were a number of ways to secure your FTP server against
intrusion. One of the easiest ways to secure your FTP site is to have users
authenticate instead of allowing anonymous access, and that’s what we’ll look at
today.
For this article I will assume that you already have Server 2008, IIS 7, and FTP installed and ready
to go. Now let’s secure your FTP servers.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 2 of 36
User Authentication
In our first article on FTP, I showed you how to install and then configure an anonymous public
site. This allowed anyone to get the files located in those directories.
While this is great for a certain type of site, if you require greater security you can setup
authentication for your FTP site. We are going to look at two types of user authentication, one
using Windows users and another using IIS Manager authentications.
This example assumes you already have a user created for this purpose and given the account
access to the FTP directory; we are using the account FTPUser.
3. Fill in the site name and path to the directory that will hold the files. We are using
WindowsFTPuser.com and C:\inetpub\privateftp for our example. Click Next when done.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 3 of 36
4. Choose an IP for this FTP site to use, and change the radio button to Allow SSL. Leave the rest
of the setting alone for now.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 4 of 36
5. In this window we will specify what users are allowed access and Read/Write permissions will
be assigned to those users.
Check the box next to Basic, set the dropdown to Specified users, under that type in the user
name (in our case FTPUser), and check Read & Write. Click Next after you enter all the
information.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 5 of 36
6. That ends the FTP site wizard, if you want to add or remove users after the initial setup, in the
IIS Manager click on the site you want to manage and then click on FTP Authorization Rules.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 6 of 36
7. In this pane you can select to Add Allow Rule …, Add Deny Rule …, and Remove. This
allows you to manage access to your ftp site through basic Windows authorization.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 7 of 36
With this configuration only those users assigned to the FTP site will be allowed access. Please
note that you can also use Group permissions the same way.
With the release of FTP 7 and IIS 7 this has been corrected by the use of IIS 7 Management
Service. In this example, I’m going to setup the service and apply the users to the domain we setup
earlier.
1. We have to grant special permissions to the Network Service to be able to use this Service so
open up a command prompt.
CACLS “%SystemDrive%\Windows\System32
\inetsrv\config\administration.config” /G “Network Service”:R /E
CACLS “%SystemDrive%\Windows\System32\inetsrv\config\redirection.config” /G
“Network Service”:R /E
Now we have to give rights to the Network Service to the root FTP folder, in our instance this is
C:\inetpub\privateftp. When you run this command replace the directory with your own.
Next we need to install the IIS 7.0 management service on the server.
6. Open the Roles, find the Web Server (IIS) role, and click on Add Role Services.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 8 of 36
7. In the Select Role Services window scroll down till you find Management Service, if it is
unchecked then place a check mark next to it and click Next.
If there are any required features that also need to be installed you will be prompted to install
those also.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Free ... Page 9 of 36
8. Next you will have a summary screen of everything that is going to be installed, click Install to
start the process.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 10 of 36
9. The next window will show you the progress of the installation process.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 11 of 36
10. Installation Results window will appear when the installation is finished, click on Close when
done.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 12 of 36
Select the server in IIS Manager; in our case, TSTEST, and scroll down in the center pane to
Management Service and click on it.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 13 of 36
12. In the Management Service pane, look for the Identity Credentials box and select Windows
credentials or IIS Manager credentials, then click Apply.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 14 of 36
13. In the connections pane select the server you are working on, and double click on IIS
Manager Users.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 15 of 36
15. Now you will create a user account that can be used, in our case I am going to add Gomer and
enter a password for that user.
16. You will now see that the user is created and you can do some limited administration in this
panel for those users, including Disable User and Change Password.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 16 of 36
17. Now click the site you want to configure to use IIS 7 Manager Authentication in the
connections pane, choose FTP Authentication in the center pane
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 17 of 36
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 18 of 36
19. In the Custom Providers dialog window place a check next to IisManagerAuth, then click
Ok.
20. Now let’s add the user we created earlier by selecting the FTP site in the connections pane and
then select IIS Manager Permissions in the center panel.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 19 of 36
22. The Allow User … dialog box now shows both types of users, Windows & IIS Manager. In
our case we are going to click the Select … button.
23. In the Users dialog select the user, (Gomer in our case) and click OK.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 20 of 36
24. Click Ok to continue and add the user to IIS Manager Permissions.
25. Now we have to add an authorization rule, so let’s choose the site again in the connection
pane, then FTP Authorization Rules, in the central pane.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 21 of 36
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 22 of 36
27. The Add Allow Authorization Rule dialog box is next, so select Specified users and type the
users’ names in, separated by commas. Place a check next to either or both Read/Write
permissions, and click OK.
We have now setup this site to use both types of users Windows and IIS Manager Users. You can
use these in conjunction with each other or completely independent of the other — all depending
on the needs of your organization.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 23 of 36
Related Posts:
• Securing FTP 7.0 with SSL and User Isolation
• Remote Administration of IIS 7: Isolate & Delegate
• Installing FTP Publishing Service for IIS 7.0
• How to Install IIS 7 & Setup a Static Website in 13 Easy Steps
• Server 2008 Active Directory User Groups — the Easy Way!
• Server 2008: How to Setup a Remote Desktop on Windows Vista
• Configure a Cisco Router to use RADIUS for Authentication
Tags: FTP, IIS 7, IIS Manager, Secure-FTP-Service, SSL, Windows Server 2008
I couldn’t use the code that you post. It requires to change to ICACLS. But then there is
no /G and then another problem that it couldn’t under stand “network service”
• jeff Says:
there is an error with your cacls cmd, and icacls has no /g… I tried /grant but still no luck.
would love an update as I really found the iis user auth. VERY helpful!
I have users created, etc… but they can’t connect as i’m lacking the permissions from the
cacls cmds
thx
jeff
• jeff Says:
ok, so i stopped being a monkey just blindly doing copy/paste and actually looked at what
the cacls cmds were doing…
easy… just giving read access to a folder and 2 files… and then read/write/delete/whatever
you want to the ftp root folder you are using.
I manually did that, restarted the ftp site (not sure if it was needed or not) and now i’m good
to go!!
thanks Dave!!!
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 24 of 36
• Trystan Says:
I’m implementing my first 2008 server and the disk image I’m installing comes with IIS7
for web, but FTP6, I find a x86 version of IIS7 FTP, but no 64 bit however I do see RC0
x64 some places…
I have had a problem configuring a simple FTP site with the IIS6 version of the tool to give
a isolated environment on a stand alone server.
• Trystan Says:
OK I retract that
I missed the download links in your other article first scan through!!
Thank you
• forte Says:
everything worked, except when I try to access the ftp site, the directory cannot be listed
and I get a timeout.
• Go_zilla Says:
CACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config” /G
“Network Service”:R /E
CACLS “%SystemDrive%\Windows\System32\inetsrv\config\redirection.config” /G
“Network Service”:R /E
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 25 of 36
• Phil Says:
Hey guys!
I suggest you replace NETZWERKDIENST with “Network Service” because I’m from
Austria ;)
greetings
• Phil Says:
I forgot one…
Happy ftping!
Great Article!
I’m testing this out on a Windows Server 2008 box and found I couldn’t run the calcs
command portion, got the following. I ended up just using the GUI to apply speacial
permissions but wanted to see if there was another way to use the command line with
ICALCS.
C:\>CACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config”
/G “Network Service”:R /E
Invalid arguments.
NOTE: Cacls is now deprecated, please use Icacls.
Thanks,
-Dave
• Adam Says:
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 26 of 36
I too followed all the steps, but recieved a “550 No such host is known” when trying to
connected. Any help would be appreciated. Thanks, Adam
Hi
I run into the issue with CACLS and the fix (for me) was simply making sure you have
spaces before any backslash options and I replaced %system drive% with c:
So I ended up with
• Donny Says:
Oh come on guys… shame on you :) in command promt you should use quotes such as
these ” instead of the quotes used in the article: “ and ”
• Donny Says:
heh, this blog automatically messes up the quotes. When pasting CACLS commands into
command promt replace the quotes manually.
• khautinh Says:
Can anyone help me how to set a domain\user1 account for anonymous authentication
please?
I was be able to do that for IIS6 but not IIS7. whenever I entered the domain\user1 and pw,
it said the pw is invalid….
Thanks a lot
• Haraken Says:
I used these commands instead of the CACLS posted above and they worked perfectly.
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 27 of 36
• Jason Says:
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32
\inetsrv\config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32
\inetsrv\config\administration.config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config\administration.config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32
\inetsrv\config\redirection.config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config\redirection.config
Successfully processed 1 files; Failed processing 0 files
I’m think the space in the phase NETWORK SERVICE is the problem, but I put quotes
around it. Any takers?
Note: I’m on Windows Server 2008 and I have F:\ setup just for web and ftp site
• Jason Says:
I ran:
it outputed:
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 28 of 36
I get this error after following thru these steps. Am able to bring up the ftp site and log in
but this comes up:
I forgot to mention that I setup the ftp folder on a d:\download and I ran this in the terminal:
Hi,
Can anyone tell me if this is also possible with active directory accounts and NTFS
security?
Thanks!
• sacheson Says:
Best writeup yet. Gave me exactly what I needed. Thanks for taking the time to compile an
accurate and thorough walk through.
• 7bpm Says:
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 29 of 36
How do you go about creating different Usernames and Passwords on the same FTP server
that have access to only to specific folders each one?
i.e. the FTP server is http://ftp.7bpm.com and User1 (with Pass1) when is logging in can
olny see and access folder c:/intepub/ftproot/user1folder but User2 (with Pass2) can only
see and access folder c:/intepub/ftproot/user2folder…
• skau Says:
C:\Users\Administrator>cd\
C:\>ftp 127.0.0.1
Connected to 127.0.0.1.
220 Microsoft FTP Service
User (127.0.0.1:(none)): user ftpmanager
331 Password required for user ftpmanager.
Password:
530-User cannot log in.
Win32 error: Logon failure: unknown user name or bad password.
Error details: An error occured during the authentication process.
530 End
Login failed.
ftp>
• Wael Says:
I succefully run the following command lines on Windows Server 2008 (x64) R2 + IIS7.5:
excelent thread
many thanks for all guys
• kjam Says:
I used Windows Users FTP Authentication and worked almost fine, i had some trouble
accessing to the folder assigned to the user (probably because i’m new in this) but i solved it
as follows:
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 30 of 36
With this you won’t have any problem to access with a FTP client.
Leave A Comment:
Submit Query
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 31 of 36
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 32 of 36
Popular Posts
1. How to Share Files between Mac and PC -- Leopard and Vista
2. How to Setup User Authentication in FTP 7 on IIS 7.0
3. HTTP Redirection in IIS 7 on Windows Server 2008
4. How to Configure a Static IP Address in Windows Vista
5. How to Setup iSCSI Drive Using FreeNAS
6. Networking Basics: TCP, UDP, TCP/IP & OSI models
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 33 of 36
Article Topics
• Cisco
◦ CCDP
◦ CCENT
◦ CCNA
◦ CCNA Security
◦ CCNA Voice
◦ CCNA Wireless
◦ CCNP
• CompTIA
◦ A+
◦ Linux+
◦ Network+
◦ Project+
◦ Security+
• CWNA
• ITIL
• Linux
• Microsoft
◦ Exchange Server 2007
◦ Exchange Server 2010
◦ IIS 7
◦ Office 2007
◦ Office 2010
◦ SharePoint
◦ Small Business Server 2003
◦ Small Business Server 2008
◦ SQL Server 2008
◦ Windows 7
◦ Windows Home Server
◦ Windows Server 2008
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 34 of 36
◦ Windows Vista
◦ Windows XP
• Miscellaneous
◦ Certification Help
◦ Cloud Computing
◦ Computer Training News
◦ Free
◦ IT Job Tips
◦ Train Signal Video Products
• Project-Management
• Virtualization
◦ VMware
◦ VMware ESX Server
◦ VMware vSphere
Popular Tags
Certifications Miscellaneous Network Security Office 2007 Operating Systems Security Server 2008
Train Signal Train Signal Video Products Train Signal Videos
Training SharePoint SQL Server
Virtualization Virtualization Training Vista VMware Windows Windows 7 Windows OS
Windows Server 2008 Windows Vista Windows XP
Read More
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 35 of 36
Links
• Born to Learn
• Cisco Certifications
• CompTIA Certifications
• Computer Training
• CWNP Wireless Networking Certifications
• Microsoft Certifications
• Microsoft Knowledgebase
• Microsoft TechNet
• Pearson VUE Testing Center
• Prometric Testing Center
• Train Signal Forums
• Train Signal YouTube Channel
• VMware Virtualization
• VMwareVideos.com
Free Training
• Windows 7 Training (49 videos)
• Cisco CCNA Training (53 videos)
• Network Fundamentals Training (9 videos)
• Network+ 2009 Training (14 videos)
• Intro to Server 2008 Training (10 videos)
Connect
• Facebook
• Twitter
• Flickr
• eNewsletter
contact us →
New Training
• Windows 7 Administration Training
• VMware vSphere Pro Series Vol. 2 Training
• VMware vSphere Training Package
• Exchange Server 2010 Training
• CompTIA Security+ Training
more training →
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010
How to Setup User Authentication in FTP 7 on IIS 7.0 | Train Signal Training - Fre... Page 36 of 36
Back To Top
http://www.trainsignaltraining.com/windows-server-2008-ftp-user-authentication/2008... 8/26/2010