FTP User Isolation using Active Directory
If you are big on buzz-words and marketnical-speak, you've probably noticed that FTP "User Isolation Mode" has been one of the biggest and loudest refrains from the IIS world since IIS 6 shipped. If you haven't, then you (my dear friend) are one lucky bastard :)
Here's how Microsoft touts this great new invention in one of the technical papers covering the feature.
Abstract:
IIS 6.0 contains a new feature called FTP user isolation which prevents users from navigating to another user's home folder.
Without user isolation it's possible for a user to log on to an FTP site and go to another user's folder by using the cd.. command in the FTP tools.
Although the user won't be able to write in the other user's folder (at least, when security is set up right), the user might be able to read the contents of the other user's folder.
Anywhoooo.... I've come to talk about "Isolation", not to dis it. I just ranted so you don't get the wrong impression that I believe "Isolation" is the best invention since the microwavable lunch :). I think anything that improves security is a good idea, but I take exception to the "this is gonna solve all our problems now" mentality that now surrounds "User Isolation".
But ...... that's just me. For good or bad, I have seen a lot of postings on the various lists and newsgroups I visit asking for information on HOW to actually get a taste of this "User Isolation" Kool-Aid. Apparently, in spite of the hullabaloo surrounding "User Isolation", there is a dearth of simple, step-by-step "how-to" instructions for setting it up.
I took a dive into the isolated stratosphere and came up with the following. I hope it helps one or two lonely admins out there.
I have blocked out some irrelevant-but-distinctly-identifying pieces of the screen-shots here to protect the innocent :)
If you want to read up on what "User Isolation" does for you, please get off your lazy butt and ask google (that would be www.google.com, not www.googoo.com)
This is the basic idea:
You have one FTP server running IIS, but you want to host FTP sites on that one server for multiple customers - if this is how you plan to buy that Ferrari, please trust me when I say you are in the wrong business. Hey! what do I know :)
You are faced with the problem of figuring out how to ensure that FTPUserA always gets connected to his/her directory whenever he/she logs in. You also want to ensure that FTPUserA cannot accidentally (or intentionally) navigate into FTPUserB's directory for any reason. In short, you want to confine each user to his/her allotted space. You could do this easily if you were as smart as me, but why would you be reading my rants if you were that smart, huh? So, you want to use the nifty IIS6 "User Isolation" to achieve these goals.
AD "User Isolation" mode uses your AD infrastructure to authenticate users and to find each user's FTP home directory. The home directory comes from two attributes on the user object, which we will populate later on.
The first thing we have to do, however, is create the users' home directories. Ideally, you allocate one common folder on your FTP server for uploads and create a sub-folder for EACH user underneath it. You don't strictly have to have a common folder; you can scatter users' folders all over your FTP server and things will still work. But I am smart, so I will take the better option. Whichever way you go, set NTFS permissions so that each user has rights only on his or her own sub-folder: isolation stops users from navigating into each other's folders, NTFS is what stops them from reading or writing there.
Here, I create a folder called "Femi-Sites". Then I share the folder. We will talk about why I shared this folder later.

The share name does not really matter, except that you need to remember it for later.

For giggles, I created some other sub-folders underneath Femi's folder. We are going to use these for a little experiment later. Stay with me on this.

Now that we've created our common folder, a folder for a user called Femi and some sub-folders underneath Femi's folder, we are ready to work on IIS.
We are going to create an FTP site.

We name it whatever we want.

We give it its IP address.

Now, here's where we tell IIS that we are interested in using "AD Isolated Users" mode to control access to the FTP Site.

The next screen asks for the Active Directory credentials IIS will use when it looks up the isolation attributes of whoever logs on. Here we browse through AD and pick a user. We could just as easily have typed domainname\username, but picking it avoids fat-finger syndrome.

Then we put in that account's password. This is one big beef I have with "AD User Isolated" mode: it wants a password stored in IIS, and if you pick a real user here, as I did, that means knowing that user's password. That's horrible. I make it a point NEVER to know a user's password. I drill it into my admins and helpdesk people that sharing passwords is a fire-able offense. The saner option is a dedicated account that does nothing else and can read the two isolation attributes and nothing more. But, I digress ...... So, we type in the password, and then the domain. In case you are asking why you need to type in the domain name again even though you already specified the domain in the "user name" box, the answer is simple: in a hosting environment, you may not want users to know the domain name of your AD infrastructure, so you tell them to log in with just their user name, without the "domain\" part. By filling in the "Enter the default Active Directory domain" field, you are telling IIS to append this domain name IF the user types in just a user name when connecting to the FTP site.
On a side note, I'd encourage you to encourage your users to type in their UPN (user@domain.whatever) instead of loginname for credentials. UPNs are easier to remember, IMO.

IIS now prompts you to re-type the password, just to take care of possible fat-finger errors.

Here, we check both boxes (Read and Write) because we want the user to be able to upload to the FTP site. This is the site-wide switch; NTFS permissions on each user's folder still decide what a given user can actually touch.

We are done - as far as IIS FTP configuration is concerned.

Here's what the site should look like.

Now, we hop over to AD. The trick to making "AD User Isolation" mode work in IIS FTP is to put the path to the user's FTP directory into the user's AD object. Windows 2003 AD introduced two new user attributes for this mapping: msIIS-FTPRoot and msIIS-FTPDir. If you want to use Windows 2000 AD for this exercise, you will have to extend your schema to include these attributes. On that point, you are on your own.
OK, since we are on Windows 2003, we don't mess with schema extensions. We just need to populate the two attributes on each user for whom we are setting up an FTP site. To do that, call up ADSI Edit (adsiedit.msc, from the Windows Support Tools), like so:

When you get ADSI Edit up, navigate to the Domain partition and go through the structure until you locate the user that owns the FTP site (in our case, Femi Akomolafe). Now right-click the user and click "Properties". That brings up the screen below. Scroll all the way down until you locate the msIIS-FTPDir attribute. Double-click it and type in the name of the folder this user should land in. Note that this is just the folder name relative to the top folder, not a full path. Remember that we created a folder called "femi" underneath our top folder. That is the folder that corresponds to our user "femi", and it is where we want him to land every time he connects to our FTP server. Stay with me.

Click OK, and then locate the msIIS-FTPRoot attribute. Double-click to bring up the editor. Here is where it gets tricky: the mapping mechanism understands only UNC paths. This is where we tell AD which server hosts the FTP site and which folder our users' directories live under. Even if you have played dumb and installed FTP on your DC, you still have to use a UNC path.
Now, if you were wondering why we shared the top folder earlier, now you know. We want an easily referenceable, easily accessible UNC path. We could have skipped the sharing and referenced the folder through a default admin share (like \\servername\c$ or \\servername\admin$), but that would be double stupid: those shares expose the whole volume and only administrators can use them, so every FTP user's home would sit behind an admin-only path. If that is tempting, I would just advise you to give up your interest in "Isolation", or in server administration entirely.
So, in the msIIS-FTPRoot attribute, we type "\\FTP-Server-Name\Sharename" as the value. Let's assume "KuliKuli" is our FTP server in this exercise; the value is then \\KuliKuli\Femi-Sites. Remember that "Femi-Sites" is the share name of the top folder. Put together with msIIS-FTPDir, IIS will drop our user into \\KuliKuli\Femi-Sites\femi.
Click OK. Now you are done. Finished. Finis. Fertig. O Pari.
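Here is the whole folder-plus-AD half of the procedure as one script, so you can do it once per customer without clicking through ADSI Edit every time. This is an added example, not code from the original post. It assumes (all made up for the example) that the top folder is D:\Femi-Sites on KuliKuli and is already shared as Femi-Sites, that the NetBIOS domain is EXAMPLE, and that the user object lives at CN=Femi Akomolafe,OU=Customers,DC=example,DC=com. It uses plain ADSI, so no AD PowerShell module is needed, and icacls for the NTFS half that the IIS wizard does not do for you.

```powershell
# Added example, not from the original post: provision one isolated FTP user end to end.
# Assumptions (mine, not the page's): top folder D:\Femi-Sites on server KuliKuli, already
# shared as Femi-Sites; NetBIOS domain EXAMPLE; the user object sits at
# CN=Femi Akomolafe,OU=Customers,DC=example,DC=com. Run on the FTP server, as an account
# that can change NTFS ACLs there and write the two msIIS-* attributes on the user in AD.
# Needs icacls (Server 2003 SP2 or later) and ADSI; no AD PowerShell module is required.

$FtpServer = 'KuliKuli'
$TopFolder = 'D:\Femi-Sites'
$ShareName = 'Femi-Sites'
$Domain    = 'EXAMPLE'
$SamName   = 'femi'
$UserDn    = 'CN=Femi Akomolafe,OU=Customers,DC=example,DC=com'

function New-IsolatedFtpUser {
    # 1. One sub-folder per user under the top folder. Its bare name is what goes into msIIS-FTPDir.
    $userFolder = Join-Path $TopFolder $SamName
    New-Item -ItemType Directory -Path $userFolder -Force | Out-Null

    # 2. NTFS is what really keeps users out of each other's folders; isolation only stops navigation.
    #    Drop inherited ACEs on the user folder, then grant only admins, SYSTEM and this one user.
    icacls $userFolder /inheritance:r | Out-Null
    icacls $userFolder /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                                'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                                "${Domain}\${SamName}:(OI)(CI)M" | Out-Null

    # 3. msIIS-FTPRoot must be a UNC path, so the top folder has to be shared. Fail loudly if it
    #    is not, rather than falling back to an admin share such as \\KuliKuli\c$.
    if (-not (Get-WmiObject Win32_Share -Filter "Name='$ShareName'")) {
        throw "Share $ShareName does not exist on this server; share $TopFolder first"
    }

    # 4. Write the two Windows Server 2003 schema attributes on the user object via ADSI.
    $user = [ADSI]"LDAP://$UserDn"
    $user.Put('msIIS-FTPRoot', "\\$FtpServer\$ShareName")   # \\server\share, the top folder
    $user.Put('msIIS-FTPDir',  $SamName)                    # folder name relative to FTPRoot
    $user.SetInfo()

    # 5. Read the attributes back and check that the home directory IIS will build actually
    #    resolves over the network, which is how IIS will reach it.
    $user.RefreshCache()
    $effective = Join-Path ([string]$user.Get('msIIS-FTPRoot')) ([string]$user.Get('msIIS-FTPDir'))
    if (-not (Test-Path $effective)) {
        throw "msIIS-FTPRoot/msIIS-FTPDir resolve to $effective, which is not reachable"
    }
    "OK: $Domain\$SamName -> $effective"
}

New-IsolatedFtpUser
```

Running it once per customer also gets the NTFS part right every time, and that is the piece that actually keeps femi out of someone else's folder; the two isolation attributes only decide where he lands and stop him wandering upwards.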

Let's test our configuration.
Notice that we are logging in with a UPN. Again, I like UPNs. Users tend to remember e-mail addresses better than domain\username.
Now, notice that we successfully connected to the site.
Look at the result of our "ls". We see all three sub-folders underneath the "femi" folder. This is a useful configuration, especially in a hosting environment where one admin manages multiple FTP sites. You would not want to create multiple FTP sites for this admin, because each would require its own user object in AD: "msIIS-FTPRoot" and "msIIS-FTPDir" are single-valued attributes on the user object, so one user gets exactly one root and one directory. Instead, we create one FTP site, one folder for the admin and, under that folder, one sub-folder for each site the admin is to manage. With one set of credentials, the admin gets access to all the folders and can manage everything underneath, with appropriate NTFS permissions of course.

See, we can "cd" to one of the folders under "femi" without any problem.
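Once you have more than a handful of customers, it is worth being able to check all the mappings in one go instead of logging in as each user. The following is an added example, not from the original post. It assumes a search base of DC=example,DC=com and a NetBIOS domain of EXAMPLE (both made up), and that the \\server\share paths in msIIS-FTPRoot are reachable from where it runs. It pulls every user with msIIS-FTPRoot set and flags a root that is not a plain \\server\share UNC, an empty msIIS-FTPDir, a home folder that does not exist, and any explicit NTFS entry the user holds on a sibling folder under the same root.

```powershell
# Added example, not from the original post: audit every AD user that has FTP isolation attributes.
# Assumptions (mine, not the page's): search base DC=example,DC=com, NetBIOS domain EXAMPLE, and
# that the script runs somewhere the \\server\share paths in msIIS-FTPRoot are reachable.
$SearchBase = 'LDAP://DC=example,DC=com'
$Domain     = 'EXAMPLE'

function Get-SingleValue($result, $name) {
    # SearchResult properties are collections; both msIIS-* attributes are single-valued, so take [0]
    $values = $result.Properties[$name.ToLower()]
    if ($values.Count -gt 0) { [string]$values[0] } else { '' }
}

function Test-FtpIsolationMappings {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(msIIS-FTPRoot=*))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'msIIS-FTPRoot', 'msIIS-FTPDir'))

    foreach ($r in $searcher.FindAll()) {
        $sam  = Get-SingleValue $r 'sAMAccountName'
        $root = Get-SingleValue $r 'msIIS-FTPRoot'
        $dir  = Get-SingleValue $r 'msIIS-FTPDir'

        # Root must be \\server\share: not a local path, and not an admin share like \\srv\c$
        if ($root -notmatch '^\\\\[^\\]+\\[^\\]+$' -or $root -match '\\[a-z]\$$|\\admin\$$') {
            Write-Warning "$sam : msIIS-FTPRoot '$root' is not a plain \\server\share UNC path"; continue
        }
        # An empty FTPDir drops the user straight into the share root, on top of everyone else
        if (-not $dir) { Write-Warning "$sam : msIIS-FTPDir is empty, user would land in $root itself"; continue }

        $home = Join-Path $root $dir
        if (-not (Test-Path $home)) { Write-Warning "$sam : home $home does not exist, logon will fail"; continue }

        # Isolation stops 'cd ..'; NTFS stops everything else. Flag explicit ACEs for this user
        # on sibling folders, which would let him read or write a neighbour's files by other routes.
        foreach ($sibling in (Get-ChildItem $root | Where-Object { $_.PSIsContainer -and $_.Name -ne $dir })) {
            $acl  = Get-Acl $sibling.FullName
            $hits = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "$Domain\$sam" }
            if ($hits) { Write-Warning "$sam : has an explicit NTFS entry on sibling folder $($sibling.FullName)" }
        }
        "OK: $sam -> $home"
    }
}

Test-FtpIsolationMappings
```

The sibling-folder check is the one that catches the case the screenshots cannot show: an admin who, with good intentions, added a customer to the wrong folder's ACL. Isolation will still say "cd .." is not allowed, but that customer can reach the neighbour's files over the share or any other path that honours NTFS.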

I hope this satisfies your "Isolation" curiosity. It's not a big deal really. Someone just needed to spend the time to put it all down, no?