
FTP Problem


Meekos

Technical User
Feb 6, 2004
I am using a two-server setup. The first server (MARS) is being used as a member server with FTP Server. The second server (JUPITER) is my primary domain controller. It contains shares called \\JUPITER\Clients and \\JUPITER\ftp.

The MARS FTP site is set up with a home directory that points to \\Jupiter\ftp using a username and password of ftp and 1234.
I have several virtual directories, one for each of my clients, pointing to JUPITER. For example, client abc's network directory points to \\JUPITER\CLIENTS\ABC.

Everything works, except that if a client knows another client's username they can type it and gain access to the other client's files. My goal is to prevent this and have a secure site.

Each user directory has permissions set with just the user and administrator having rights. And if I change my default home directory (\\JUPITER\FTP) to point to a local drive on MARS, my clients receive "home directory inaccessible" error message.

Anyone seen this before? Any ideas?
 
Have you removed the Everyone group from the access list in Security Permissions?
Add the Administrators Group first then remove the Everyone Group. Don't allow inherited permissions to flow to this folder. Then make explicit assignments for permissions to each user folder.
Turn off Anonymous ftp access for your virtual ftp site.
 
Yes, I've removed Everyone from the Security Permissions of the share. I've also turned off Anonymous FTP. And each user has explicit permission to their folder.

Any other thoughts?
 
At minimum all your users should be able to see the root FTP directory. Jasel is correct in that you should not allow permissions to trickle down. Assign your users access to each of their folders respectively. Assign an ID and password to each of your clients and do not use a generic ID/passwd combo.
 
Each user already has their own login and password. They also have exclusive rights to their directory.
 
Meekos,
I have faced this same problem in the past. As I recall, the problem lies with the way you authenticate to the ftp site.
Let me test this on my lab setup and I will give you a definitive response.
 
Meekos,
I just tested this to confirm that it works as I expected.
Here is what happens when you authenticate to a Windows FTP site.
If you are using your browser to access the site, you will log in as Anonymous by default. If you have set up permissions for each folder as I described in my original response, the anonymous user will see all of the subfolders of ftproot but will not be able to access them. Anonymous will only have access to those folders below ftp root where you have given explicit permissions to IUSR_ServerName.
If you log in as a user other than anonymous, and if a folder exists with the same name as the user, you will be dropped directly in that folder. In other words, if I log in as UserOne and there is a folder under ftproot named UserOne where I have been granted appropriate permissions, I will end up in that folder when I log in.

With your ftp directory on another server and a common login with a username and password of ftp and 1234, ALL USERS who connect to the ftp site on Jupiter are connecting with the same permissions. Those are the permissions you assigned to the user "ftp". If you want to keep this setup with the virtual ftp directory on Jupiter, create a separate virtual directory for each user on Jupiter. When you assign the virtual directory to a directory on Jupiter, select the "Connect As" button and assign it the user account who is associated with that directory. This should solve your dilemma.


 
I've created virtual directories for all my user accounts and "connect as" the user. I've given each user explicit rights to their directory on Jupiter. Presently each user is able to log on and goes directly into their directory. The problem is that if they know the name of another user, they can open the directory using the name and view the contents. This should be impossible because they don't have any permission set on another user's folder. I cannot figure out why this is happening.
 
Silly question, but in the folder above the problem folders, is there a box which says "Allow Inheritables" checked? It says more than that, but I don't have a server in front of me. What it does is allow security settings from the root folder to follow down the folders beneath it. Good luck.

Glen A. Johnson
"Give the laziest man the hardest job and he'll find the easiest way to do it."

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
 
Reset the permissions on the user folders in NTFS. Be sure to check to apply the settings to all existing child objects. You will find this under the advanced menu.

Also make sure that you have not given all network users admin rights over the FTP server itself. Right click the FTP server and check permissions.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
After spending 4.5 hours on the phone with Microsoft, we found the solution. Here is what we did:

IIS server (MARS)
=============
1. Changed FTP root to UNC path from local path
2. Removed uncusername and uncuserpassword per 247970

247970 How to Enable Pass-Through Authentication for FTP UNC Virtual Directories

3. Removed Vdirs for FTP folders in IIS.

Remote Server (JUPITER)
=================
4. On the remote server, gave the FTPUsers group FC on the Sharing tab and Read on the Security tab. (All FTP accounts are members of the FTPUsers group.)

5. Gave individual users FC to individual folders.

6. Gave users log on locally rights.

234237 Assign "Log On locally" Rights to Windows Domain Controller

Thanks for all of your feedback. Hope this helps someone else.
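
A check for the end state the thread arrives at, as an added example that is not part of the original posts: it lists every client folder under the share whose ACL still inherits from its parent or grants access to anyone other than the folder's own account, Administrators or SYSTEM, so a shared connect-as account such as `ftp` would show up here. It assumes each folder name equals the owning user name and uses `EXAMPLE` as a placeholder domain; neither is stated in the thread.

```powershell
# Added example: audit per-client folder ACLs on the share behind the FTP site.
# Assumptions (not from the thread): each folder is named after the account
# that owns it, and the accounts live in a domain called EXAMPLE (placeholder).
param(
    [string]$Root   = '\\JUPITER\Clients',
    [string]$Domain = 'EXAMPLE'
)

# Principals that may hold rights on every client folder besides its owner.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-ClientFolderAcl {
    param(
        [System.IO.DirectoryInfo]$Folder,
        [string]$Domain,
        [string[]]$Allowed
    )

    $acl      = Get-Acl -LiteralPath $Folder.FullName
    $owner    = "$Domain\$($Folder.Name)"
    $findings = @()

    # Inheritance still enabled: rights set on the share root flow into this folder.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance enabled'
    }

    foreach ($ace in $acl.Access) {
        # Deny entries cannot widen access, so only Allow entries are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id = $ace.IdentityReference.Value
        if ($id -ieq $owner -or $Allowed -icontains $id) { continue }

        # Anything left is a principal other than the folder's own account.
        $suffix = $(if ($ace.IsInherited) { ' (inherited)' } else { '' })
        $findings += '{0} has {1}{2}' -f $id, $ace.FileSystemRights, $suffix
    }

    [pscustomobject]@{ Folder = $Folder.Name; Findings = $findings }
}

Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Test-ClientFolderAcl -Folder $_ -Domain $Domain -Allowed $allowed } |
    Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object { '{0}: {1}' -f $_.Folder, ($_.Findings -join '; ') }
```

No output means every client folder is limited to its own account plus the allowed administrative principals.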
 