Introduction
Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This new FTP service incorporates many new features that enable Web authors to publish content better than before, and offers Web administrators more security and deployment options.
This document walks you through creating FTP sites from scratch using the new FTP user interface and by directly editing the IIS 7 configuration files. It contains:
Creating a New FTP Site Using the IIS 7 Manager
Creating a New FTP Site by Editing the IIS 7 Configuration Files
Note: This walk-through contains a series of steps in which you log in to your FTP site using the local administrator account. These steps should only be
followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.
Prerequisites
The following items are required to complete the procedures in this article:
1. IIS 7 must be installed on your Windows 2008 Server, and the Internet Information Services Manager must be installed.
2. The new FTP service must be installed. You can download and install the FTP service from thehttp://www.iis.net/ Web site using one of the following links:
FTP 7.5 for IIS 7 (x64) FTP 7.5 for IIS 7 (x86)
3. You must create a root folder for FTP publishing.
Creating a New FTP Site Using IIS 7 Manager
The new FTP service makes it easy to create new FTP sites by providing you with a wizard that walks you through all of the required steps to create a new FTP site from scratch.
Step 1: Use the FTP Site Wizard to Create an FTP Site
In this first step you will create a new FTP site that anonymous users can open.
Note: The settings listed in this walkthrough specify "%SYSTEMDRIVE%\inetpub\ftproot" as the path to your FTP site. You are not required to use this path;
however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough. 1. Open IIS 7 Manager. In the Connections pane, click theSitesnode in the tree.
2. As shown in the image below, right-click theSitesnode in the tree and clickAdd FTP Site, or clickAdd FTP Sitein theActionspane. Create a folder at "%SystemDrive%\inetpub\ftproot"
1. Open a command prompt. 2. Type the following command:
ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T 3. Close the command prompt.
3. When theAdd FTP Sitewizard appears:
Enter "My New FTP Site" in theFTP site namebox, and then navigate to the %SystemDrive%\inetpub\ftproot folder that you created in the Prerequisites section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths. When you have completed these items, clicknext.
4. On the next page of the wizard:
Choose an IP address for your FTP site from theIP Addressdrop-down, or choose to accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, you must ensure that you restrict access to the server and enter
the local loopback IP address for your computer by typing "127.0.0.1" in theIP Address box. (Note: If you are using IPv6, you should also add the IPv6 localhost binding of "::1".)
Enter the TCP/IP port for the FTP site in thePort box. For this walk-through, choose to accept the default port of 21. For this walk- through, do not use a host name, so make sure that theVirtual Host box is blank.
Make sure that theCertificates drop-down is set to "Not Selected" and that theAllow SSLoption is selected. When you have completed these items, clicknext.
5. On the next page of the wizard:
For the Authorizationsettings, choose "Anonymous users" from theAllow access to drop-down, and selectRead for thePermissionsoption.
When you have completed these items, clickFinish.
Summary
You have successfully created a new FTP site using the new FTP service. To recap the items that you completed in this step: 1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".
2. You bound the FTP site to the local loopback address for your computer on port 21, and you chose not to use Secure Sockets Layer (SSL) for the FTP site.
3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.
Step 2: Adding Additional FTP Security Settings
Creating a new FTP site that anonymous users can browse is useful for public download sites, but web authoring is equally important. In this step, you add additional authentication and authorization settings for the administrator account. To do so, follow these steps:
1. In IIS 7 Manager, click the node for the FTP site that you created earlier, then double-click FTP Authenticationto open the FTP authentication feature page.
4. You must add an authorization rule so that the administrator can log in. To do so, double-click theFTP Authorization Rulesicon to open the FTP authorization rules feature page.
6. When theAdd Allow Authorization Rule dialog box displays: Select Specified users, then type "administrator" in the box.
ForPermissions, select bothRead andWrite.
When you have completed these items, clickOK.
Summary
To recap the items that you completed in this step: 1. You added Basic authentication to the FTP site.
Step 3: Logging in to Your FTP Site
In Step 1, you created an FTP site that anonymous users can access, and in Step 2 you added additional security settings that allow an administrator to log in. In this step, you log in anonymously using your administrator account.
Note: In this step log in to your FTP site using the local administrator account. When creating the FTP site in Step 1 you bound the FTP site to the local
loopback IP address. If you did not use the local loopback address, use SSL to protect your account settings. If you prefer to use a separate user account instead of the administrator account, set the correct permissions for that user account for the appropriate folders.
Logging in to your FTP site anonymously
1. On your FTP server, open a command prompt session. 2. Type the following command to connect to your FTP server:
FTP localhost
3. When prompted for a user name, enter "anonymous". 4. When prompted for a password, enter your email address.
You should now be logged in to your FTP site anonymously. Based on the authorization rule that you added in Step 1, you should only have Read access to the content folder.
Logging in to your FTP site using your administrator account
1. On your FTP server, open a command prompt session.2. Type the following command to connect to your FTP server: FTP localhost
3. When prompted for a user name, enter "administrator".
4. When prompted for a password, enter your administrator password.
You should now be logged in to your FTP site as the local administrator. Based on the authorization rule that you added in Step 2 you should have both Read and Write access to the content folder.
Summary
To recap the items that you completed in this step: 1. You logged in to your FTP site anonymously.
Creating a New FTP Site by Editing the IIS 7 Configuration Files
You can also create FTP sites for the new FTP service by editing the IIS 7 configuration files.Note: Editing your ApplicationHost.config file requires full administrative permissions. This is best accomplished using one of two methods:
Log in to your computer using the local "administrator" account.
If you are logged in using an account with administrative permissions that is not the local "administrator" account, open Notepad using the "Run as Administrator" option.
Note: The above steps are required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating
systems prevent access to your ApplicationHost.config file. For more information about UAC, please see the following documentation: http://go.microsoft.com/fwlink/?LinkID=113664
The following steps walk you through all of the required settings to create a new FTP site from scratch.
1. Using a text editor such as Windows Notepad, open your ApplicationHost.config file, which is located in your %SystemRoot%\System32\inetsrv\config folder by default.
2. Locate the <sites> section. This section contains your Default Web Site and should begin with something like the following: <sites>
<site name="Default Web Site" id="1"> <application path="/">
<virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" /> </application>
<bindings>
<binding protocol="http" bindingInformation="*:80:" /> </bindings>
</site>
3. Copy the entire section for the Default Web Site and paste it on a new line just below the closing </site> tag. 4. Change the site's settings to create a unique FTP site:
Modify the name andidattributes for the new site to respectively contain "Default FTP Site" and "2".
Note: You may need to choose a different number than "2" for the site ID if any site is currently using that site identifier.
Change the value of the protocolattribute on the binding element to contain "ftp". Change thephysicalPath attribute to "%SystemDrive%\inetpub\ftproot".
Change theportvalue of thebindingInformation attribute to contain "21".
5. Add an <ftpServer> section beneath the closing bindings tag that will contain your authentication settings. <ftpServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication enabled="true" />
</authentication>
<ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" /> </security>
</ftpServer>
Note: The authentication settings for FTP sites are configured at the site-level, unlike authentication for Web sites, which can be configured per URL.
Your <sites> section should now contain something similar to the following example: <sites>
<site name="Default Web Site" id="1"> <application path="/">
<virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" /> </application>
<bindings>
<binding protocol="http" bindingInformation="*:80:" /> </bindings>
</site>
<site name="Default FTP Site" id="2"> <application path="/">
<virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\ftproot" /> </application>
<bindings>
<binding protocol="ftp" bindingInformation="*:21:" /> </bindings>
<ftpServer> <security>
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication enabled="true" /> </authentication> <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" /> </security> </ftpServer> </site>
6. Scroll to the bottom of your ApplicationHost.config file and add a location section for your Default FTP Site that will contain your authorization settings.
<location path="Your FTP Site Name"> <system.ftpServer>
<security>
<add accessType="Allow" users="*" permissions="Read" />
<add accessType="Allow" users="administrator" permissions="Read, Write" /> </authorization>
</security> </system.ftpServer> </location>
Note: In this example, the authorization settings for FTP sites are configured per URL, and these settings specifically enable Read permissions for all
users, and Read/Write permissions for the administrator account. 7. Save your ApplicationHost.config file.
You should now be able to log in to your newly created FTP site using an FTP client. To use Internet Explorer anonymously on your IIS 7.0 server, enter ftp://localhost in the Internet Explorer address bar. You should be logged in and see your files anonymously; you should not be prompted for user credentials.
Summary
In this task you created an FTP site by editing the IIS 7 configuration files. To recap the items that you completed in this step: 1. You created a new FTP site by using the Default Web Site's settings as a template.
2. You configured the following authorization rules for the FTP site: All users have Read permissions.