I saw this topic floating around for few days and since it’s very interesting I thought of blogging it for everybody’s benefit.
If you haven’t heard about Blind Drop FTP have a look at this blog Creating a Blind Drop FTP Server.
I thought of testing the same on IIS 7 and IIS 7.5. Here is a step by step of the same..
For IIS 7, you will have to install OOB (Out of Band) Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x64) or Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x86) depending on your platform.
I am using Windows Server 2008 R2 RC1 for this scenario.
Creating directory structure:
I have created FTPRoot on my D drive and it has Incoming directory
Setting NTFS Permission on the directory
Right click on FTPRoot folder -> Properties -> Security
Click on Advanced button -> Change Permissions...
Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add
Select SYSTEM, Authenticated Users and Users and click Remove
Click OK and click OK again
Click Add... and select IUSR of the local machine
Remove Read & execute and Read permission for IUSR as shown below. So IUSR group has only List folder contents permission of FTPRoot folder
Go to the Incoming folder and right click on the Incoming folder and click Properties.
Click Advanced -> Change Permissions
Select IUSR and click Edit...
Click on Apply to: and select “This folder only” -> click Clear All
Select Create files / write data, Create folders / append data, Write attributes, Write extended attributes and Read permissions as shown below
Click OK and click Apply
Click Add... and select IUSR of the local machine, click OK
Select List folder / read data, Read attributes, Read extended attributes and Read permissions as shown below
Select the check box “Replace all child object permissions with inheritable permissions from this object” -> Click OK
Permissions on Incoming folder are as follows:
Configuring FTP in IIS:
Creating the FTP Site Basic Settings
Configuring FTP Authentication
Configuring FTP Authorization
Configuring FTP Request Filtering. Add Deny Command… LIST and NLST as shown below
Click on Incoming and click FTP Authorization Rules and verify that you have Anonymous Users with Read, Write permissions.
Now, let’s test the FTP site from a command prompt
Check the FTP logfile and we see the following:
Wondering why we added that FTP Request Filtering setting above.
I tried “ls” command above to see if the files / folder are listed. I got the error 500 i.e. “internal server error” because the command is not allowed with a substatus 5 i.e. “Access is denied.” as per the FTP log above.
If you don’t add the above request filtering you will be able to see the Incoming folder but you won’t be able to change to the folder nor add file / folder in the FTPRoot folder. This looks like a neat workaround to what was default behavior in Windows Server 2003 IIS 6 FTP configuration.
Win2008 and IIS7.5 you can't CD to the folder with your config above. I had to add list folder /read data, read attributes, and read extended attributes to even be able to cwd to the incoming folder. This is different than I recall on XP and IIS6 since I had set this same thing up there and had less frustration. If I missed something please let me know. (Like I thought NLST was NLIST so that part failed for a bit..)
I will certainly verify your settings and see if that's the required setting.