03 September 2010

Configure and Publish a Secure IIS 7 FTP site

In a previous post, Configure and Publish IIS7 Anonymous FTP site with TMG and ISA, I went through the basics of setting up and publishing IIS7 FTP sites with either ISA 2006 or TMG 2010.

That article was specifically about anonymous FTP. The reason for using anonymous access comes down to two historic FTP problems.

The first issue with FTP is that the data is not encrypted. All data can be grabbed using a packet sniffer like Wireshark. More importantly, the username and password are also sent in plain text and can be read just as easily.

The second issue is user isolation.  You can't isolate users without authenticating them.

So how would we go about building a secure FTP solution where the credentials and data are encrypted in transit and where we have proper user isolation?

Firstly, I will be stepping through configuring FTP-ES. This is FTP with explicit TLS/SSL as the encryption method.
Secondly, since you may have a mixed user base, we will look at handling domain and non-domain users.
Thirdly, I will go through configuring User Isolation based on the username and physical directories.

STEP 1: Configure Secure FTP Site

From the IIS Management Console:

  • Expand down to Sites
  • Click Add FTP site from the actions menu
  • Specify a Site name
  • Specify a physical path Secure_FTP
  • Select an IP address (this would be your internal one) and leave the port on 21
  • (Do not specify a host name - it gets complicated and breaks the 100% compatibility goal)
  • Check Start FTP site automatically
  • Since I want 100% security here, I select Require SSL and select a pre-installed CA cert or self-signed cert
  • For Authentication, check Basic
  • For Authorisation, allow access to Specified roles or user groups
  • Specify domain\domain users
  • With Read and Write Permissions
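
The same STEP 1 settings as a script. This is an added example, not from the original post. It assumes the WebAdministration PowerShell module and an elevated session; the site name, IP address, group name and certificate thumbprint are placeholders, and the root path is the one used in STEP 4.

```powershell
# Added example: STEP 1 scripted. All values below are placeholders/assumptions.
Import-Module WebAdministration

$site       = 'Secure_FTP'                     # placeholder site name
$root       = 'C:\inetpub\ftproot\secureftp'   # site root, as used in STEP 4
$ip         = '192.0.2.10'                     # placeholder internal IP address
$thumbprint = '<CERT-THUMBPRINT>'              # placeholder: cert in LocalMachine\My
$group      = 'EXAMPLE\Domain Users'           # placeholder for domain\domain users

New-Item -ItemType Directory -Path $root -Force | Out-Null
New-WebFtpSite -Name $site -IPAddress $ip -Port 21 -PhysicalPath $root | Out-Null
$sitePath = "IIS:\Sites\$site"

# "Require SSL": enforce TLS on the control channel (credentials) and on the
# data channel (file contents). 'SslAllow' would still accept plaintext logins.
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.serverCertHash       -Value $thumbprint
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslRequire'

# Basic authentication only; anonymous access stays off.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# Allow rule with Read and Write for one group. STEP 3 repeats this call
# for the local non-domain group.
function Add-FtpAllowRule([string]$SiteName, [string]$Role) {
    Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' `
        -Location $SiteName `
        -Value @{ accessType = 'Allow'; roles = $Role; permissions = 'Read,Write' }
}
Add-FtpAllowRule -SiteName $site -Role $group
```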

STEP 2: Configure your FTP client for FTP-ES Connection

I like to use the FileZilla FTP client because it is free and because it is full of really useful features, like support for FTP-ES connections. Since it is free, you can also ask the people connecting to your site to use it.

Up to now you could get away with just specifying the host and clicking the Quick Connect button. Now however we need to go into a little more configuration. Fortunately it is quite easy.

From the FileZilla client:
  • Select the File menu and Click Site Manager
  • Click New Site
  • Specify a name
  • Add the host IP address
  • On Server Type, select FTP_ES from the drop-down
  • Logon type can be set to normal - just specify a username and password
  • (I normally include domain\username)
  • Click on OK
Your site has now been saved and you can connect to it from the site drop-down list at the top left.

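You should now be able to connect to your site from an internal test machine. When you do, you will get a certificate notification. The certificate may be from an unknown source, but that does not change the fact that the encryption is happening. What an untrusted certificate cannot tell you is whether you are talking to the right server, so compare the fingerprint in the dialog with the certificate you installed in STEP 1 before trusting it.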

You can suppress this notice by checking the "Always Trust certificate in future sessions" box.
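
A successful FTP-ES login only shows that TLS is available; it does not show that the server refuses plaintext. The following check sends a `USER` command without negotiating TLS first and reports whether the server lets the login proceed. It is an added example, not from the original post; the function names, the probe user name and the address in the usage comment are assumptions.

```powershell
# Added example: confirm that "Require SSL" is enforced on the wire.
# No password is ever sent; only a USER command with a made-up name.
function Read-FtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line replies use "ddd-" on every line until a final "ddd " line.
    do { $line = $Reader.ReadLine() }
    while ($line -ne $null -and $line -notmatch '^\d{3} ')
    return $line
}

function Test-FtpPlaintextLogin {
    param([string]$Server, [int]$Port = 21, [string]$User = 'tls-policy-check')
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-FtpReply $reader      # 220 greeting
        $writer.WriteLine("USER $User")      # deliberately no AUTH TLS first
        $reply  = Read-FtpReply $reader
        $writer.WriteLine('QUIT')
    } finally {
        $client.Close()
    }
    if (-not $reply) { throw "No reply to USER from ${Server}:$Port" }

    # A 2xx or 3xx reply (typically 331, "password required") means the server
    # is willing to take credentials in the clear. Anything else is a refusal.
    New-Object PSObject -Property @{
        Server                 = $Server
        Banner                 = $banner
        Reply                  = $reply
        PlaintextLoginAccepted = ($reply -match '^[23]\d\d ')
    }
}

# Usage (placeholder address; run it against your own FTP server):
# Test-FtpPlaintextLogin -Server 192.0.2.10
```

With Require SSL set as in STEP 1, `PlaintextLoginAccepted` should be `False`.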

STEP 3: Providing for Domain and Non-Domain Users

There is a great article about using IIS Manager Authentication, but I am going to keep it short.

For a user to be able to access anything on the site, they need to be granted access by the FTP Authorisation Rules.

  • Create a local group on the FTP server and call it something like non_domain_FTP_users (you get the idea)
  • Then create users as and when they are required, and ensure they are added to this group
  • Do the same for your domain users, except that you can use a domain group

From the IIS Management console:
  • Open FTP Authorisation Rules
  • If not there already, click Add Allow Rule from the Actions menu
  • Select specified roles or user groups and specify your local group
  • Select Read and Write permission
  • You need to do the same for your domain users.

  • Test using your domain account
  • and test using your local machine account

So up to this point, users from your domain and specifically created local users can access your FTP site securely. But right now they can all see all the content on the site. This is where User Isolation comes in.

STEP 4: User Isolation

I would like to be able to split users completely from each other. I also like the idea of being able to work with physical directories, to make the same data available to non-FTP clients.

From the IIS Management console, select the secure FTP site:
  • Open FTP User Isolation
  • From the "Isolate users. Restrict users to the following directory:" section, select "User name physical directory (enable global virtual directories)"
  • Click Apply in the Actions menu
Connection attempts will now be denied with "530 User Cannot log in, home directory inaccessible".

This is because the directories do not exist yet and the user does not have access.

  • For local users you need to create the home directories in C:\inetpub\ftproot\secureftp\LocalUser\<username>
  • For domain users you need to create the home directories in C:\inetpub\ftproot\secureftp\<domainname>\<username>
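
The isolation setting and the home directories from this step can be scripted together. This is an added example, not from the original post. It assumes the WebAdministration module, an elevated session and that the site from STEP 1 already exists; the site name, the helper `New-FtpHomeDirectory` and the account names are placeholders.

```powershell
# Added example: STEP 4 scripted. Names below are placeholders/assumptions.
Import-Module WebAdministration

$site = 'Secure_FTP'                      # placeholder site name
$root = 'C:\inetpub\ftproot\secureftp'    # site root from the post

# "User name physical directory (enable global virtual directories)"
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.userIsolation.mode -Value 'IsolateRootDirectoryOnly'

function New-FtpHomeDirectory {
    param([string]$Root, [string]$Account)   # 'DOMAIN\user', or 'user' for a local account

    $parts = $Account.Split('\')
    if ($parts.Count -gt 2) { throw "Unexpected account format: $Account" }
    foreach ($p in $parts) {
        # Reject empty parts, '.' / '..' and anything that cannot be a folder name,
        # so an odd account name can never resolve outside $Root.
        if (-not $p -or $p -match '^\.+$' -or
            $p.IndexOfAny([System.IO.Path]::GetInvalidFileNameChars()) -ge 0) {
            throw "Account name is not usable as a folder name: $Account"
        }
    }

    if ($parts.Count -eq 2) {
        $container = $parts[0]; $user = $parts[1]; $principal = $Account
    } else {
        $container = 'LocalUser'; $user = $parts[0]
        $principal = "$env:COMPUTERNAME\$user"
    }

    $folder = Join-Path (Join-Path $Root $container) $user
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # Grant Modify to this account only, inherited by files and subfolders.
    & icacls.exe $folder /grant "${principal}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls could not grant $principal access to $folder" }
    return $folder
}

# Placeholder accounts: one domain user and one local user.
New-FtpHomeDirectory -Root $root -Account 'EXAMPLE\alice'
New-FtpHomeDirectory -Root $root -Account 'ftp_partner01'
```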

Great, so by now I have:
  • A secure, encrypted FTP channel
  • User and data isolation
  • Provision for both domain and non-domain users

STEP 5: Stick it on the Internet

You can follow the steps from Configure and Publish IIS7 Anonymous FTP site with TMG and ISA. This time round, though, you will have to remove the FTP application filter from your protocol definition. The traffic is now encrypted, so not even ISA or TMG can inspect it.
