Blind drop FTP in IIS 7/7.5

I saw this topic floating around for a few days, and since it is very interesting I thought of blogging it for everybody's benefit.

If you haven't heard about Blind Drop FTP (an FTP site where anonymous users can upload files but cannot list, read back or overwrite what is already there), have a look at this blog post: Creating a Blind Drop FTP Server.

I thought of testing the same on IIS 7 and IIS 7.5. Here is a step-by-step walkthrough.

For IIS 7 (Windows Server 2008), you will have to install the out-of-band (OOB) Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x64) or Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x86), depending on your platform. IIS 7.5 on Windows Server 2008 R2 ships FTP 7.5 in the box as a role service.

I am using Windows Server 2008 R2 RC1 for this scenario.

Creating directory structure:

I have created an FTPRoot folder on my D drive, with an Incoming subfolder under it (D:\FTPRoot\Incoming).

image1

Setting NTFS permissions on the directories

Right click on FTPRoot folder -> Properties -> Security

image5

Click on Advanced button -> Change Permissions...

image6

Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add

image7

Select SYSTEM, Authenticated Users and Users and click Remove

image8

Click OK and click OK again

image9

Click Add... and select IUSR of the local machine

image10

Click OK

Remove the Read & execute and Read permissions for IUSR as shown below, so that the IUSR account has only the List folder contents permission on the FTPRoot folder. (IUSR is the account anonymous FTP logons run as by default, which is why it is the account we grant rights to.)

image11

Click OK and click OK again

Go to the Incoming folder and right click on the Incoming folder and click Properties.

Click Advanced -> Change Permissions

Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add

Select IUSR and click Edit...

image12

Click on Apply to: and select “This folder only” -> click Clear All

Select Create files / write data, Create folders / append data, Write attributes, Write extended attributes and Read permissions as shown below

image13

Click OK and click Apply

Click Add... and select IUSR of the local machine, click OK

Select List folder / read data, Read attributes, Read extended attributes and Read permissions as shown below

image14

Click OK

Select the check box “Replace all child object permissions with inheritable permissions from this object” -> Click OK

Permissions on Incoming folder are as follows:

image15

Click OK and click OK again
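The same NTFS permissions expressed with icacls, as an added example that is not part of the original post: it reproduces the GUI steps above so the rights and their "Apply to" scope are explicit and repeatable. It assumes the paths D:\FTPRoot and D:\FTPRoot\Incoming, that Administrators is the entry you leave in place on FTPRoot, and that anonymous FTP logons run as the local IUSR account (the FTP 7.5 default). The post does not say which scope the second IUSR entry on Incoming uses, so this script applies both entries to Incoming itself ("This folder only") and leaves nothing inheritable, which is what keeps uploaded files unreadable.

```powershell
# Added example, not from the original post: the NTFS permission steps above
# expressed with icacls so the rights and their inheritance scope are explicit.
# Assumptions: root is D:\FTPRoot, drop folder is D:\FTPRoot\Incoming, and
# anonymous FTP logons run as the local IUSR account (the IIS 7.5 default).
# Run from an elevated PowerShell prompt.
$root     = 'D:\FTPRoot'
$incoming = Join-Path $root 'Incoming'
New-Item -ItemType Directory -Path $incoming -Force | Out-Null

# --- FTPRoot ---------------------------------------------------------------
# Explicit entries first, then cut inheritance from D:\ (/inheritance:r drops
# every inherited entry, which is the net effect of unchecking "Include
# inheritable permissions" and removing SYSTEM, Authenticated Users and Users).
# Administrators keeps full control so you can still manage the tree.
icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
# (CI)(RX) with no (OI) is what the GUI calls "List folder contents": read and
# traverse on this folder and its subfolders, nothing on files. IUSR can walk
# into Incoming but cannot create anything in FTPRoot and has no rights on any
# file placed directly in FTPRoot.
icacls $root /grant:r 'IUSR:(CI)(RX)'
icacls $root /inheritance:r

# --- Incoming --------------------------------------------------------------
# No inheritance flags means "This folder only". The rights are the two IUSR
# entries from the steps above, merged into one ACE:
#   WD  create files / write data      AD  create folders / append data
#   WA  write attributes               WEA write extended attributes
#   RD  list folder / read data        RA  read attributes
#   REA read extended attributes       RC  read permissions
# Because none of this is inheritable, a file IUSR uploads gets no IUSR entry
# at all: an anonymous session cannot RETR it, overwrite it or delete it
# through FTP even if it knows the name. The command filtering configured on
# the FTP site then hides the names as well.
icacls $incoming /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
icacls $incoming /grant:r 'IUSR:(WD,AD,WA,WEA,RD,RA,REA,RC)'
icacls $incoming /inheritance:r

# "Replace all child object permissions with inheritable permissions from this
# object": only matters if Incoming already had content when you set this up.
# The wildcard keeps /reset off Incoming itself, which must stay as set above.
if (Get-ChildItem -Path $incoming -Force) {
    icacls "$incoming\*" /reset /t /c /q
}

# Show the result and compare it with the permission dialogs above.
icacls $root
icacls $incoming
```

The order matters: grant the explicit entries before `/inheritance:r`, otherwise the folder briefly has an empty DACL. After an anonymous upload, `icacls D:\FTPRoot\Incoming\somefile` should show only the Administrators entry, which is the check that the drop really is blind at the file-system level and not just because LIST and NLST are denied.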

Configuring FTP in IIS:

Creating the FTP Site Basic Settings

image2

Configuring FTP Authentication

image3

Configuring FTP Authorization

image4

Configuring FTP Request Filtering. On the Commands tab, use Deny Command... to deny LIST and NLST, as shown below. (The Windows ftp client sends NLST for ls and LIST for dir, so both have to be denied.)

image19

Click on the Incoming folder, open FTP Authorization Rules, and verify that Anonymous Users has Read and Write permissions.

image18
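The IIS side of the configuration, as an added example and not code from the original post: the same settings the IIS Manager screenshots above show, done with appcmd.exe so they can be repeated on another server. The site name BlindDrop, the port, the root-level Read rule and the appcmd attribute paths used for the authentication settings are my assumptions; the authorization and request filtering sections are the ones FTP 7.5 writes under <location> in applicationHost.config.

```powershell
# Added example, not from the original post: the FTP site settings shown in the
# IIS Manager screenshots, done with appcmd so they can be repeated and diffed.
# Assumed values: site name "BlindDrop", root D:\FTPRoot, port 21, anonymous
# users Read at the root and Read + Write in Incoming. The ftpServer.* attribute
# paths are assumptions; check them against applicationHost.config if a command
# is rejected. Run from an elevated PowerShell prompt.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$site   = 'BlindDrop'
$root   = 'D:\FTPRoot'

# FTP Site Basic Settings: name, FTP binding, physical path.
& $appcmd add site "/name:$site" "/bindings:ftp://*:21" "/physicalPath:$root"

# FTP Authentication: anonymous on, basic off. Anonymous logons run as IUSR by
# default, which is why the NTFS entries above are granted to that account.
& $appcmd set site $site "/ftpServer.security.authentication.anonymousAuthentication.enabled:true"
& $appcmd set site $site "/ftpServer.security.authentication.basicAuthentication.enabled:false"

# FTP Authorization: users='?' is the anonymous user. Read at the root lets the
# session log in and change directory; Read and Write in Incoming allows STOR.
& $appcmd set config $site /section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',users='?',permissions='Read']" /commit:apphost
& $appcmd set config "$site/Incoming" /section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',users='?',permissions='Read, Write']" /commit:apphost

# FTP Request Filtering: deny the two listing commands. allowUnlisted stays at
# its default (true), so every other command still works; only LIST and NLST
# are refused with a 500 reply.
foreach ($cmd in 'LIST', 'NLST') {
    & $appcmd set config $site /section:system.ftpServer/security/requestFiltering `
        "/+commandFiltering.[command='$cmd',allowed='false']" /commit:apphost
}

# Read it back: effective authorization for Incoming and the command filter
# on the site. This is the same information as the two screenshots above.
& $appcmd list config "$site/Incoming" /section:system.ftpServer/security/authorization
& $appcmd list config $site /section:system.ftpServer/security/requestFiltering
```

The two `list config` calls are the quick way to confirm nothing else (a site-wide Write rule, or an inherited allow for all users) undoes the blind drop, since authorization rules and request filtering are location-based and can be overridden further down the tree.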

Now, let’s test the FTP site from a command prompt

image16

Nice.

Check the FTP logfile and we see the following:

image17
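A scripted version of the command-prompt test and the log check, as an added example that is not part of the original post. It assumes the server is reachable at 127.0.0.1, that the FTP site id is 2 (so the log lives under FTPSVC2 below the default %SystemDrive%\inetpub\logs\LogFiles), and it uploads a constructed file; the paths must not contain spaces because ftp.exe splits its script lines on whitespace.

```powershell
# Added example, not from the original post: a scripted version of the
# command-prompt test above, followed by a look at the FTP log. Assumed values:
# server 127.0.0.1, anonymous logon, a constructed file to upload, and the
# default FTP 7.5 log location %SystemDrive%\inetpub\logs\LogFiles\FTPSVC<id>
# with the site id assumed to be 2.
$server = '127.0.0.1'
$upload = Join-Path $env:TEMP 'blinddrop-test.txt'
'constructed test payload' | Set-Content -Path $upload

# ftp.exe script: ls sends NLST (denied, 500), dir sends LIST (denied, 500),
# the put into Incoming should succeed (226), and the get of the same name
# should fail with a 550-class reply because IUSR has no rights on the file.
$script = @"
open $server
user anonymous guest@example.invalid
ls
dir
cd Incoming
put $upload test.txt
ls
get test.txt $env:TEMP\readback.txt
quit
"@
$scriptPath = Join-Path $env:TEMP 'blinddrop.ftp'
$script | Set-Content -Path $scriptPath -Encoding ASCII

# -n: no auto-login (the script does it itself), -s: read commands from the file.
ftp.exe -n "-s:$scriptPath"

# Inspect the log: the listing attempts should show sc-status 500, the STOR 226
# and the RETR a 550. The column order is given by the #Fields: header line.
$logDir = "$env:SystemDrive\inetpub\logs\LogFiles\FTPSVC2"
$log = Get-ChildItem -Path $logDir -Filter '*.log' |
    Sort-Object LastWriteTime | Select-Object -Last 1
Select-String -Path $log.FullName -Pattern '^#Fields:|\b(NLST|LIST|STOR|RETR)\b'
```

If the `get` succeeds, the NTFS side is wrong (usually an IUSR entry that was left inheritable on Incoming); if `ls` returns a listing instead of 500, the request filtering rule did not apply to this site. Checking both is the point of the test: the command filter hides names, the ACL is what actually protects the files.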

Wondering why we added that FTP Request Filtering setting above? Here is why.

I tried the ls command above to see whether the files and folders are listed. It failed with status 500 (the FTP reply code for a command the server will not execute; this is not HTTP's "internal server error") because request filtering does not allow the command, and the FTP log above records it with substatus 5, "Access is denied."

If you don't add the request filtering rule above, an anonymous user will be able to see the Incoming folder in a directory listing, but will still not be able to change into the folder or add a file or folder in FTPRoot, because the NTFS permissions deny it. This looks like a neat workaround for the behavior that was the default in the IIS 6 FTP service on Windows Server 2003.

HTH

Comments

  • Anonymous
    February 16, 2010
    Win2008 and IIS7.5: you can't CD to the folder with your config above. I had to add List folder / read data, Read attributes, and Read extended attributes to even be able to CWD to the Incoming folder. This is different than I recall on XP and IIS6, since I had set this same thing up there and had less frustration. If I missed something, please let me know. (Like I thought NLST was NLIST, so that part failed for a bit..)

  • Anonymous
    February 23, 2010
    Hi, I will certainly verify your settings and see if that's the required setting.