Blind drop FTP in IIS 7/7.5


I saw this topic floating around for a few days, and since it’s very interesting I thought of blogging it for everybody’s benefit.


If you haven’t heard about Blind Drop FTP, have a look at the blog post Creating a Blind Drop FTP Server.


I thought of testing the same on IIS 7 and IIS 7.5. Here is a step-by-step walkthrough.


For IIS 7, you will have to install the out-of-band (OOB) Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x64) or Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x86), depending on your platform.


I am using Windows Server 2008 R2 RC1 for this scenario.


Creating directory structure:


I have created an FTPRoot folder on my D drive, with an Incoming subdirectory inside it.


image1


Setting NTFS permissions on the directory


Right click on FTPRoot folder -> Properties -> Security


image5


Click on Advanced button -> Change Permissions…


image6


Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add


image7


Select SYSTEM, Authenticated Users and Users and click Remove


image8


Click OK and click OK again


image9


Click Add… and select IUSR of the local machine


image10


Click OK


Remove the Read & execute and Read permissions for IUSR as shown below, so that IUSR has only the List folder contents permission on the FTPRoot folder.


image11


Click OK and click OK again


Right click on the Incoming folder and click Properties.


Click Advanced -> Change Permissions


Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add


Select IUSR and click Edit…


image12


Click on Apply to: and select “This folder only” -> click Clear All


Select Create files / write data, Create folders / append data, Write attributes, Write extended attributes and Read permissions as shown below


image13


Click OK and click Apply


Click Add…, select IUSR of the local machine and click OK


Select List folder / read data, Read attributes, Read extended attributes and Read permissions as shown below


image14


Click OK


Select the check box “Replace all child object permissions with inheritable permissions from this object” -> Click OK


Permissions on Incoming folder are as follows:


image15


Click OK and click OK again


Configuring FTP in IIS:


Creating the FTP Site Basic Settings


image2


Configuring FTP Authentication


image3


Configuring FTP Authorization


image4


Configuring FTP Request Filtering: use Deny Command… to add LIST and NLST as shown below


image19


Click on Incoming, open FTP Authorization Rules and verify that Anonymous Users have Read and Write permissions.
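The NTFS and IIS steps above, as a script. This is an added example and not the post’s own configuration: it assumes D:\FTPRoot and D:\FTPRoot\Incoming as in the post, while the site name, the binding, the site-level authorization rule and the scope of the second IUSR entry on Incoming (assumed to be “Subfolders and files only”) are placeholders or assumptions, since the screenshots are not reproduced here. The appcmd paths and icacls rights abbreviations are the ones documented for FTP 7.5 and icacls; verify them against your own server before relying on the script.

```powershell
# Added example (not from the original post): the NTFS and IIS steps as a script,
# to run from an elevated PowerShell prompt on the IIS 7.5 FTP server.
# Assumptions: D:\FTPRoot and D:\FTPRoot\Incoming as in the post; site name,
# binding, root authorization rule and second Incoming ACE scope are assumed.
$ErrorActionPreference = 'Stop'
$Root     = 'D:\FTPRoot'
$Incoming = Join-Path $Root 'Incoming'
$SiteName = 'BlindDropFtp'                  # placeholder: your FTP site name
$Binding  = 'ftp://*:21'                    # assumption: default FTP port
$AppCmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

New-Item -ItemType Directory -Path $Incoming -Force | Out-Null

# --- NTFS: FTPRoot -----------------------------------------------------------
# /inheritance:r drops every inherited ACE (the "uncheck inherit, then remove
# SYSTEM / Authenticated Users / Users" steps). Administrators keep full
# control; IUSR gets "List folder contents", i.e. Read & execute applied to
# this folder and subfolders only: (CI)(RX).
& icacls $Root /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
           'IUSR:(CI)(RX)'

# --- NTFS: Incoming ----------------------------------------------------------
# First IUSR entry, this folder only (no OI/CI): create files / write data
# (WD), create folders / append data (AD), write attributes (WA), write
# extended attributes (WEA), read permissions (RC). No list/read right, so the
# drop is blind. Second IUSR entry, assumed scope subfolders and files only
# (OI)(CI)(IO): list folder / read data (RD), read attributes (RA), read
# extended attributes (REA), read permissions (RC).
& icacls $Incoming /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
           'IUSR:(WD,AD,WA,WEA,RC)' `
           'IUSR:(OI)(CI)(IO)(RD,RA,REA,RC)'
# "Replace all child object permissions" matters only if Incoming already has
# content; for an existing tree:  icacls "$Incoming\*" /reset /T /C

# --- IIS: site, authentication, authorization, request filtering -------------
& $AppCmd add site /name:$SiteName /bindings:$Binding /physicalPath:$Root
# Anonymous authentication on, basic off; TLS allowed but not required
# (assumption: mirrors the "Allow SSL" wizard choice).
& $AppCmd set config -section:system.applicationHost/sites `
    "/[name='$SiteName'].ftpServer.security.authentication.anonymousAuthentication.enabled:True" `
    "/[name='$SiteName'].ftpServer.security.authentication.basicAuthentication.enabled:False" `
    "/[name='$SiteName'].ftpServer.security.ssl.controlChannelPolicy:SslAllow" `
    "/[name='$SiteName'].ftpServer.security.ssl.dataChannelPolicy:SslAllow" `
    /commit:apphost
# FTP authorization: anonymous users are "?" in the rule collection.
# Assumed root rule: Read only. Incoming: Read and Write, as the post verifies.
& $AppCmd set config $SiteName -section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',users='?',permissions='Read']" /commit:apphost
& $AppCmd set config "$SiteName/Incoming" -section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',users='?',permissions='Read, Write']" /commit:apphost
# Request filtering: deny LIST and NLST (the "Deny Command..." entries), so a
# client cannot enumerate what other clients have dropped.
foreach ($cmd in 'LIST', 'NLST') {
    & $AppCmd set config $SiteName -section:system.ftpServer/security/requestFiltering `
        "/+commands.[command='$cmd',allowed='False']" /commit:apphost
}

# Show the resulting filter so the denied commands can be checked.
& $AppCmd list config $SiteName -section:system.ftpServer/security/requestFiltering
```

The two IUSR entries on Incoming are the whole point of the design: the folder itself carries write rights only, while the list/read rights live on the children, so an anonymous client can add files but has no NTFS right to read the directory even before the FTP-level LIST/NLST denial is applied. Keep `icacls "D:\FTPRoot\Incoming"` output around as a baseline so later drift in those entries is easy to spot.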


image18


Now, let’s test the FTP site from a command prompt


image16


Nice.


Checking the FTP log file, we see the following:


image17


Wondering why we added that FTP Request Filtering setting above?


I tried the “ls” command above to see whether the files and folders would be listed. I got error 500, i.e. “internal server error”, because the command is not allowed, with substatus 5, i.e. “Access is denied”, as shown in the FTP log above.


If you don’t add the above request filtering, you will be able to see the Incoming folder, but you won’t be able to change into it or add a file or folder in the FTPRoot folder. This looks like a neat workaround for what was the default behavior in the Windows Server 2003 IIS 6 FTP configuration.
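Since the log is where the 500/substatus 5 entries show up, here is an added example (not from the post) of reading an IIS 7.5 FTP W3C log and pulling out the two things an operator of a blind drop wants to see: LIST/NLST attempts rejected by request filtering, and the uploads that completed. The log text is constructed for the example; the field names are read from the `#Fields:` header, so the parser adapts to whichever fields a real log has selected.

```powershell
# Added example (not from the original post): parse an IIS 7.5 FTP W3C log and
# report (a) LIST/NLST requests rejected by request filtering, logged as status
# 500 with substatus 5 as described above, and (b) files accepted into the drop.
# The log below is constructed; field names come from the #Fields header.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2009-06-01 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-06-01 10:00:01 192.0.2.10 - ControlChannelOpened - - 0 0 a1b2c3 -
2009-06-01 10:00:01 192.0.2.10 - USER anonymous 331 0 0 a1b2c3 -
2009-06-01 10:00:01 192.0.2.10 anonymous PASS *** 230 0 0 a1b2c3 /
2009-06-01 10:00:02 192.0.2.10 anonymous CWD Incoming 250 0 0 a1b2c3 /Incoming
2009-06-01 10:00:03 192.0.2.10 anonymous NLST - 500 0 5 a1b2c3 /Incoming
2009-06-01 10:00:04 192.0.2.10 anonymous STOR report.txt 226 0 0 a1b2c3 /Incoming/report.txt
2009-06-01 10:00:05 192.0.2.10 anonymous LIST - 500 0 5 a1b2c3 /Incoming
2009-06-01 10:00:06 192.0.2.10 anonymous ControlChannelClosed - - 0 0 a1b2c3 -
'@

function ConvertFrom-IisFtpLog {
    # Turn W3C log lines into objects whose property names are the #Fields names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Log data found before a #Fields header' }
        $values = $line -split ' '
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # Short lines are padded with "-" so every object has every field.
            $entry[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        New-Object PSObject -Property $entry
    }
}

$entries = ConvertFrom-IisFtpLog ($sampleLog -split "`r?`n")

# (a) Denied directory listings: a client asked what is in the drop and the
#     request filter answered 500 / substatus 5.
$deniedListings = $entries | Where-Object {
    ('LIST', 'NLST') -contains $_.'cs-method' -and
    $_.'sc-status' -eq '500' -and $_.'sc-substatus' -eq '5'
}

# (b) Completed uploads (STOR answered with 226): the files to sweep out of
#     Incoming and scan before anyone else processes them.
$uploads = $entries | Where-Object {
    $_.'cs-method' -eq 'STOR' -and $_.'sc-status' -eq '226'
}

'Denied listing attempts, by client and session:'
$deniedListings | Group-Object 'c-ip', 'x-session' |
    Select-Object @{ n = 'Client/Session'; e = { $_.Name } }, Count | Format-Table -AutoSize

'Files dropped:'
$uploads | Select-Object date, time, 'c-ip', 'x-fullpath' | Format-Table -AutoSize
```

On a real server point `$entries` at `Get-Content` of the current log under the site’s LogFiles folder instead of the here-string. A session that keeps producing 500/5 on LIST or NLST is a client probing the drop rather than using it, and the STOR lines give you the exact paths that landed in Incoming, which is useful because the drop itself cannot be listed from the FTP side.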


HTH

Comments (2)

  1. CM says:

    On Win2008 and IIS7.5 you can’t CD to the folder with your config above. I had to add list folder / read data, read attributes, and read extended attributes to even be able to cwd to the incoming folder. This is different than I recall on XP and IIS6, since I had set this same thing up there and had less frustration. If I missed something please let me know. (Like I thought NLST was NLIST so that part failed for a bit..)

  2. vivekkum says:

    Hi,

    I will certainly verify your settings and see if that’s the required setting.