{"id":493,"date":"2012-02-23T01:12:16","date_gmt":"2012-02-23T01:12:16","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=493"},"modified":"2012-02-23T01:19:56","modified_gmt":"2012-02-23T01:19:56","slug":"creating-an-ftp-drop-site","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=493","title":{"rendered":"Creating an FTP Drop Site"},"content":{"rendered":"

I recently had to create an FTP Drop Site for a client. They had photographers that worked remote from home because the main office was either too far or they just did not have any time to stop by and transfer their digital images to the server.<\/p>\n

So I created this for them \ud83d\ude42<\/p>\n

This article walks you through creating an FTP site that users can anonymously upload files to, but can’t list or retrieve any files that have been uploaded.<\/p>\n

FTP is one of the oldest Internet protocols and still one of the most useful. In olden days, businesses would transfer information by couriers on horseback carrying leather pouches filled with documents. Now most business documents are electronic and are sent over the Internet instead, and while email is often a good way of doing this, some electronic documents are unsuitable for email such as documents too large to serve as attachments or documents that must be submitted anonymously such as surveys. As a result, many businesses still find need for running FTP servers for uploading and downloading large files.<\/p>\n

One interesting scenario is when you want customers, clients or business partners to be able to upload files anonymously to your server but not be able to see or download files that others may have uploaded. Such a scenario is often called a \u201cdrop box\u201d because it operates like those physical boxes with slots on top that customers can use to fill out satisfaction surveys and drop them in as they leave your store. It\u2019s fairly straightforward to set up such an environment using the FTP service component of Internet Information Services (IIS), and that\u2019s what this article is about.<\/p>\n

Preparing the Drop Box<\/h2>\n

My scenario will be using IIS 6 on a standalone Windows Server 2003 as the FTP server and standalone Windows XP as the client for testing purposes.<\/p>\n

We\u2019ll begin by setting up the FTP server. After installing IIS together with the optional FTP service component, I created a new FTP root folder called FTProot on E: drive, a second NTFS drive on the server. The reason for moving FTP content from the default location of C:\\Inetpub\\Ftproot to E:\\Ftproot is security\u2014data should generally be isolated on a different drive than where your operating system is found. This measure also makes it easier to recover from a disaster when you have to reinstall your operating system as that way your data won\u2019t get overwritten during the restore process should you have to reformat your boot volume.<\/p>\n

Within the E:\\Ftproot folder I next create a folder named drop which I will use as my FTP drop box. The default permissions for\u00a0my new Ftproot folder in Windows Server 2003 are shown in Figure 1.<\/p>\n

\"\"
\nFigure 1: <\/strong>Default permissions<\/p><\/blockquote>\n

Let\u2019s change the permissions on the Ftproot folder to make them more suitable for our purpose. Click the Advanced button to open the Advanced Security Settings dialog box. Then clear the checkbox labeled \u201cAllow inheritable permissions from the parent to propagate to this object\u2026\u201d and when a new dialog box asking you whether you want to copy or remove the existing inherited permissions on the folder, select Copy. The result is that the existing permissions on the Ftproot folder are the same as in Figure 1 but they are now explicit permissions rather than inherited.<\/p>\n

Now click OK to close the Advanced Security Settings box and return to the Properties for the Ftproot folder. Remove the ACEs for the following three groups: CREATOR OWNER, SYSTEM, and Users. At this point the only ACE on the Ftproot folder is Administrators have Full Control.<\/p>\n

Now click Add and add an ACE for the IIS anonymous user account, which by default is named IUSR_servername where servername is the name of your Windows Server 2003 machine. Then configure the ACE for IUSR_servername so that the account has only List Folder Contents permission allowed as shown in Figure 2.<\/p>\n

\"\"
\nFigure 2: <\/strong>Configuring the ACE for IUSR_servername<\/p><\/blockquote>\n

What we have at this point is an Ftproot folder that allows Administrators full access but anonymous users only the ability to list the folder\u2019s contents. These permissions by default are also inherited by the drop subfolder beneath Ftproot, and those permissions need some modification too so now open the Properties sheet for the drop folder, click Advanced, clear the \u201cAllow inheritable permissions\u2026\u201d checkbox, click Copy, and click OK so we can manually modify permissions on the drop folder.<\/p>\n

Click the Advanced button again to open the Advanced Security Settings for the drop folder, which should now look like Figure 3:<\/p>\n

\"\"
\nFigure 3: <\/strong>Advanced Security Settings for the drop folder<\/p><\/blockquote>\n

Note that although the standard permissions (ACE on the Properties page) for IUSR_servername was List Folder Contents, here these show up as Read & Execute. We need to tighten the permissions for IUSR_servername even further, so select this identity as shown in Figure 3 and click the Edit button to display the special NTFS permissions for IUSR_servernname. When the Permissions Entry dialog box appears, remove checkmarks beside everything except List Folder\/Read Data and Read Permissions, and change the Apply Onto dropdown listbox to Files Only as shown in Figure 4:<\/p>\n

\"\"
\nFigure 4: <\/strong>Changing the Apply Onto dropdown listbox to Files Only<\/p><\/blockquote>\n

Click OK to close the Permissions Entry box and modify the special permissions for IUSR_servername. Now we need to create another ACE for IUSR_servername, but this time it will apply to the drop folder itself and not to files within that folder as the ACE in Figure 4 did previously. To create this new ACE, click the Add button, specify IUSR_servername as the account you want to apply permissions to, and configure the permissions as shown in Figure 5:<\/p>\n

\n

\"\"
\nFigure 5: <\/strong>Creating the new ACE<\/p>\n<\/blockquote>\n

Click OK several times to close the permissions dialog boxes and you\u2019re done.<\/p>\n

Testing the Drop Box<\/h2>\n

To test our drop box, we\u2019ll first make E:\\Ftproot the root folder for the Default FTP Site in IIS. Open IIS Manager, select the FTP Sites node, and under this right-click on Default FTP Site and select Properties. Select the Home Directory tab on this Properties sheet and change the home folder for the site from C:\\Inetpub\\Ftproot to E:\\Ftproot as shown in Figure 6. Don\u2019t forget to also select the Write checkbox to enable uploads to the FTP site.<\/p>\n

\"\"
\nFigure 6: <\/strong>Changing the home folder for the site<\/p><\/blockquote>\n

Now let\u2019s test this setup. Using a Windows XP virtual machine running on Virtual PC, I open the My Pictures folder, which has some files I want to upload to the FTP drop box. I then open Internet Explorer and enter the URL for my drop box in the form ftp:\/\/servername\/drop as shown in Figure 7:<\/p>\n

\"\"
\nFigure 7: <\/strong>Uploading files\u00a0to the FTP drop box<\/p><\/blockquote>\n

Now I drag and drop some picture files from my local My Pictures folder to the drop folder on the remote FTP server. The files should transfer and will be displayed in the Internet Explorer window as residing in the drop folder on the remote machine. If I now refresh the view in Internet Explorer by pressing F5, the displayed files disappear. In other words, once files are uploaded they can\u2019t be seen anymore or by anyone else who accesses the drop folder using an FTP client. To double-check this, I can connect to my drop folder using the Windows command-line ftp.exe client and try to view the contents of the drop folder after uploading some files to it (see Figure 8). The result is that\u00a0I am denied access when I try\u00a0to list the contents of the drop folder.<\/p>\n

\"\"
\nFigure 8:<\/strong> Denied access when tring\u00a0to list the contents of the drop folder<\/p><\/blockquote>\n

Using Windows Explorer on my FTP server however, I can easily verify that the files have indeed been successfully uploaded from the XP client machine.<\/p>\n

Drop folders like the one I\u2019ve described here can be useful for businesses that need to allow anonymous users to upload large files to your company via FTP. By setting appropriate NTFS permissions on a drop folder on your FTP server, you can allow users to upload files without being able to view or even know about files uploaded by other users.<\/p>\n","protected":false},"excerpt":{"rendered":"

I recently had to create an FTP Drop Site for a client. They had photographers that worked remote from home because the main office was either too far or they just did not have any time to stop by and transfer their digital images to the server. So I created this for them \ud83d\ude42 This […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-493","post","type-post","status-publish","format-standard","hentry","category-general-2003-stuff"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=493"}],"version-history":[{"count":3,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/493\/revisions"}],"predecessor-version":[{"id":495,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/493\/revisions\/495"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}