Microsoft KB Archive/239120

= How to create a security-enhanced FTP directory that uses Password Authentication =

Article ID: 239120

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q239120



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





SUMMARY
This step-by-step article discusses how to let clients upload files to their Web site content folder by using File Transfer Protocol (FTP), and how to require those clients to authenticate with a Windows user name and password instead of connecting anonymously.

Note Domain policies may override the rights of local policies. For more information about Group Policy settings and about local policies, see the "References" section.

Set up or add users in Microsoft Windows NT 4.0
Use User Manager to create a user who will use FTP either at the domain level or at the local level. To do this, follow these steps.

Note If the user already exists, go to "Grant the Log on Locally right in Windows NT 4.0."
 * 1) Click Start, point to Programs, click Administrative Tools, click User Manager for Domains, and then click to select the domain that you want to add the user to.
 * 2) On the User Manager menu, click User, click New User, and then type a user name in the Username box. The Full Name field and the Description field are not required. However, you may want to complete these fields now, also.
 * 3) In the Password box, type a password, and then type the same password in the Confirm Password box.
 * 4) Make sure that the check box for User Must Change Password at Next Logon is selected.
 * 5) Click Add.
 * 6) Close the New User window.

Note You can add more than one new user before you close this window.

Grant the Log on Locally right in Windows NT 4.0
Grant the Log on Locally right to this new FTP user or to an associated group that the new user belongs to. To do this, follow these steps:
 * 1) On the User Manager menu, click Policies, and then click User Rights.
 * 2) In the Right list, click to select Log on Locally.
 * 3) View the Grant To window. If the user is not listed, click Add.
 * 4) In the Add Users and Groups window, select a group, or click Show Users to list individual users and then select the user. Double-click the entry to add it to the list of accounts that receive the Log on Locally right.
 * 5) Click OK.

Note You can give the Log on Locally right to more than one user or group before you click OK.
 * 6) In the Grant To box, locate the user or the group. You may have to scroll down to see the user or the group. After you verify that the user or the group is listed, click OK.
 * 7) Close User Manager.

Set up or add users in Microsoft Windows 2000
Use Computer Management to create a user who will use FTP at the local level. To do this, follow these steps.

Note If the user already exists, go to "Grant the Log on Locally right in Windows 2000."
 * 1) In Control Panel, click Administrative Tools, and then double-click Computer Management.
 * 2) Under System Tools, expand Local Users and Groups.
 * 3) Right-click Users, click New User, and then type a user name in the Username box. The Full Name field and the Description field are not required. However, you may want to complete these fields now, also.
 * 4) In the Password box, type a password, and then type the same password in the Confirm Password box.
 * 5) Make sure that the check box for User Must Change Password at Next Logon is selected.
 * 6) Click Create.
 * 7) Click Close.

Note You can add more than one new user before you close this window.
 * 8) Close the Computer Management window.

Grant the Log on Locally right in Windows 2000
Grant the Log on Locally right to this new FTP user or to an associated group that the new user belongs to. To do this, follow these steps:
 * 1) In Administrative Tools, double-click Local Security Policy, and then expand Local Policies in the left pane of the Local Security Settings window.
 * 2) Click to select User Rights Assignment. In the right pane, double-click the Log on Locally policy.
 * 3) Click Add. The Select Users or Groups window opens.
 * 4) Click to select the user or the group from the list, click Add, and then click OK.
 * 5) In the Assigned To box, locate the user or the group. You may have to scroll down to see the user or the group. After you verify that the user or the group is listed, click OK.
 * 6) Close the Local Security Settings window, and then close Administrative Tools.

Set up or add users in Microsoft Windows Server 2003
Use the Local Users and Groups Microsoft Management Console (MMC) snap-in to create a user who will use FTP at the local level.

Note If the user already exists, go to "Grant the Log on Locally right in Windows Server 2003."
 * 1) Click Start, click Run, type Lusrmgr.msc, and then click OK.
 * 2) Right-click Users, and then click New User.
 * 3) In the Username box, type a user name. The Full Name field and the Description field are not required. However, you may want to complete these fields now, also.
 * 4) In the Password box, type a password, and then type the same password in the Confirm Password box.
 * 5) Make sure that the check box for User Must Change Password at Next Logon is selected.
 * 6) Click Create.
 * 7) Click Close.

Note You can add more than one new user before you close this window.
 * 8) Close the Local Users and Groups window.

Grant the Log on Locally right in Windows Server 2003
Whether you must grant the Log on Locally right (named Allow log on locally in Windows Server 2003) depends on the server role. On a stand-alone server or a member server, the local Users group holds the right by default, so a local account created in the previous section can already authenticate to the FTP service. On a domain controller, only the administrative and operator groups hold it by default, and you must add the FTP user or its group under Local Policies, User Rights Assignment, in the same way as for Windows 2000. Windows Server 2003 domains have no PDC or BDC roles; that distinction belongs to Windows NT 4.0. Whatever the role, confirm the effective setting after domain Group Policy has been applied, because a domain policy overrides the local assignment.

For additional information about the Log on Locally right in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

187166 Users cannot connect without logon local permissions

Create virtual directories for the user
Create a folder on an NTFS partition. This folder will hold all the files and the virtual directories that the user may access. Then create a virtual directory in the FTP site by using the Internet Services Manager MMC snap-in: right-click the Default FTP Site, point to New, click Virtual Directory, and then follow the steps in the wizard. If you want to put the user in his or her own "root" directory, give the virtual directory the same name as the user account. When a user logs on to an IIS FTP site, IIS looks for a virtual directory whose name matches the user name and, if one exists, uses it as that user's home directory.

Note The virtual directory name is case-sensitive, so it must match the user name exactly. If you are creating the virtual directory for uploading files, you must also select Write on the Virtual Directory tab; leave Write cleared for any directory the user only needs to read. Then set NTFS permissions on the folder through Windows Explorer: grant Administrators Full Control, and grant the user of the virtual directory only the minimum right that lets the user perform the requested action (for example, the Add/Read right or the Change right in Windows NT 4.0 terms, or Read or Modify in Windows 2000 and later). Remove the Everyone group and any other user or group that may have rights but does not require them. The NTFS permissions are what restrict the folder to that user; the FTP Write setting alone does not. On the Security Accounts tab of the FTP site properties, make sure that the Allow Anonymous Connections check box is cleared. Every connection must then supply a user name and password, which IIS verifies by using Clear Text authentication against the Windows account. This verification is an interactive logon, which is why the account needs the Log on Locally right even though it never logs on at the console. When that user logs on to the FTP site, the virtual directory that you set up is the root directory for that user, and only that user and Administrators have rights to it.
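The following PowerShell script is an added example, not code from the original article, that performs the Windows Server 2003 / IIS 6.0 procedure above from the command line: it creates the local account with the must-change-password flag, grants the Allow log on locally right with secedit, creates the user's NTFS folder with an ACL that holds only Administrators, SYSTEM and the user, creates the FTP virtual directory named after the user through the IIS metabase ADSI provider, and clears Allow Anonymous Connections on the FTP site. It assumes Windows PowerShell (not installed by default on Windows Server 2003) run from an administrator prompt, the Default FTP Site with metabase identifier 1, and the placeholder account name ftpuser and folder D:\FtpRoot; change those to suit. Granting SYSTEM Full Control is common practice that the article itself does not mention.

```powershell
# Added example, not from KB 239120. Provisions a password-authenticated FTP
# user on Windows Server 2003 with IIS 6.0. Run from an administrator prompt.
# Assumptions (placeholders): account 'ftpuser', root D:\FtpRoot, FTP site ID 1.
param(
    [string]$UserName  = 'ftpuser',
    [string]$Password  = 'Initial-Passw0rd!',   # visible on the command line; user must change it at first logon
    [string]$RootPath  = 'D:\FtpRoot',
    [int]   $FtpSiteId = 1
)
$ErrorActionPreference = 'Stop'
$userDir = Join-Path $RootPath $UserName

# 1. Create the local account. /logonpasswordchg:yes is the
#    "User must change password at next logon" check box.
& net user $UserName $Password /add /logonpasswordchg:yes
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }

# 2. Grant "Allow log on locally" (SeInteractiveLogonRight). IIS FTP performs an
#    interactive logon for Clear Text authentication, so the account needs this
#    right. There is no cmdlet for user rights: export the current assignment with
#    secedit, append the account, and import only the USER_RIGHTS area back.
$work    = Join-Path $env:TEMP 'ftp-logonright'
$null    = New-Item -ItemType Directory -Path $work -Force
$current = Join-Path $work 'current.inf'
$updated = Join-Path $work 'updated.inf'
& secedit /export /cfg $current /areas USER_RIGHTS | Out-Null
$lines = Get-Content $current
$entry = $lines | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
if ($entry) {
    $holders = ($entry -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    if ($holders -notcontains $UserName) {
        $lines = $lines -replace '^(SeInteractiveLogonRight\s*=.*)$', "`$1,$UserName"
    }
} else {
    # No entry at all: add one directly under the [Privilege Rights] header.
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -match '^\[Privilege Rights\]') { "SeInteractiveLogonRight = $UserName" }
    }
}
Set-Content -Path $updated -Value $lines -Encoding Unicode
& secedit /configure /db (Join-Path $work 'rights.sdb') /cfg $updated /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# 3. Create the folder and replace its ACL: block inheritance so that Everyone and
#    Users entries inherited from the parent disappear, then allow only
#    Administrators and SYSTEM (Full Control) and the FTP user (Modify).
$null = New-Item -ItemType Directory -Path $userDir -Force
$acl  = Get-Acl -Path $userDir
$acl.SetAccessRuleProtection($true, $false)       # protect the DACL, drop inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($grant in @(
        @{ Id = 'BUILTIN\Administrators';       Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';          Rights = 'FullControl' },
        @{ Id = "$env:COMPUTERNAME\$UserName";  Rights = 'Modify' })) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant.Id, $grant.Rights, $inherit, $none, 'Allow')))
}
Set-Acl -Path $userDir -AclObject $acl

# 4. FTP site: require a user name and password (no anonymous connections), then
#    create the virtual directory named after the user so it becomes the user's root.
$site = [ADSI]"IIS://localhost/MSFTPSVC/$FtpSiteId"
$site.Put('AllowAnonymous', $false)
$site.SetInfo()
$siteRoot = [ADSI]"IIS://localhost/MSFTPSVC/$FtpSiteId/ROOT"
$vdir = $siteRoot.Create('IIsFtpVirtualDir', $UserName)
$vdir.Put('Path', $userDir)
$vdir.Put('AccessRead', $true)
$vdir.Put('AccessWrite', $true)    # needed for uploads; use $false for a download-only directory
$vdir.SetInfo()

# 5. Read the result back so the configuration can be checked in the console.
"AllowAnonymous on site ${FtpSiteId}: $($site.Get('AllowAnonymous'))"
"Virtual directory $UserName -> $($vdir.Get('Path'))"
(Get-Acl -Path $userDir).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The final listing should show AllowAnonymous as False and an ACL containing only the three non-inherited entries; any Everyone or Users entry that survives means the folder still inherits from its parent and step 3 did not take effect. Because the password is passed to net user in clear text, run the script interactively rather than from a saved file with a real password in it.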

Important When you use Clear Text authentication, the user name and password are sent across the network in clear text; the FTP protocol does not encrypt them. Anyone who can observe traffic between the client and the server can capture the credentials, and because the account holds the Log on Locally right, a captured password grants interactive logon to the server and not only FTP access. Use this configuration only on networks that you trust, give the FTP account no rights or group memberships beyond those described in this article, and do not reuse its password for any other account. For more information about security, visit the following Microsoft Web site:

http://www.microsoft.com/security



