IIS FTP Server Tutorial

Install the FTP service

Control Panel > Add Remove Programs > Add Windows Component > IIS > Details | ensure that FTP checkbox
is checked. You will need the XP CD to install this.

Initial Configuration
Right-click My Computer > Manage > Services > IIS > FTP Sites. Right-click Default FTP Site and select
properties. Configure using the 4 tabs as follows:
 FTP Site
o Description: whatever you want to list this service as in MMC.
o TCP Port: change from 21 only if you want to avoid crap hackers.
o Limit Connections: 10 should be fine unless you are are Russian warez site. Or Microsoft.

 Security Accounts
o Uncheck anonymous login box. Unless you want casual drop-ins. You will need to configure
new users (see Restricting Entry, below).

 Home Directory
o Browse to the folder or drive that you want to use as your FTP root. This is managed as a
virtual root, i.e. a user will not be able to see anything above the FTP root when they login.

Restricting Entry
You will presumably not want to allow anonymous access. The solution is to create new users / passwords and
allow desired access levels to your chosen ftp folders. I recommend at least 2 user groups: one to give out to
friends, which allows read-only from all folders except Upload and write-only to upload, but does not allow
deletion or movement; the other is an administrative login for you with full folder permissions to remotely manage
the site over an FTP client.

Create Users
 Generic User: Create a new Limited user in the normal manner from Control Panel. Use a meaningful
login name for user management purposes. Run the MMC to adjust settings; Right-click My Computer >
Manage > System Tools > Local Users > Users. Right-click the new FTP Username and select properties.
Check ‘password never expires’ and ‘user cannot change password’ boxes.
 Admin User: repeat above for a new admin user, or use a current local admin user for your settings.

You may wish to prevent the new users from appearing on your XP login screen. To hide a user, create a reg
file containing the following text, where ftp_username is replaced with the user name you created (keep the
quotes):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"ftp_username"=dword:00000000

Save the text file as ftp_user.reg and run it. If you want to enable this user again on the Welcome Screen, edit
the reg file and change the last 0 to 1.
Apply Folder Permissions
You will need full security settings in XP. By default, only simple settings are displayed. Expand them with
Explorer > Folder > Tools > View Tab, then uncheck ‘Use simple file sharing’ at the bottom. Now when you
right-click a file in Explorer and select Properties, you will have access to the Security tab for precise
permissions allocation.

The generic user should have permissions as follows:

In Explorer, right-click the ftp root folder you have chosen and select properties. In the security tab, select the ftp
generic username. The lower box will display active permissions. I recommend that you allow Read/Execute,
List Folder Contents and Read. Deny Write. Click the Advanced button. Check ‘inherit from parent
permissions..’ . While you’re here, select the generic username again and click ‘Edit’ to see a full list of active
permissions. Deselect any additional permissions which you do not want the user to have (e.g. deletion /
movement). Click OK when happy.

All permissions should be permeated throughout the file structure from root now. The only exception will be an
Upload directory, should you chose to have one. Edit this upload folder and change permissions to allow write,
but deny delete (users should not be able to download from this folder). You may need to uncheck ‘inherits
permissions from parent’ in order to do this. Check the advanced permissions carefully and re-check all other
folder permissions after making alterations. This process can take a little iteration to get right.

Repeat the above for your chosen admin username, allowing the admin login full control (check allow all
advanced permissions on all folders).

Test the Baby

Fire up your favourite client and try to login to ftp://localhost. Try the following as a minimum:

 You should not be allowed anonymous access.

 Generic login should work and be able to allow read, but not delete or write to all download folders.
 Generic login should be able to write, but not download or delete from Upload folder.
 Admin login should work and be able to do what the fuck it likes. Try moving uploads from the upload to
other folders, deleting dross and adding / removing folders.
 Try a hack. You should not be able to get access to any system files or folders, or see anything outside the
FTP domain.

Now repeat all of the above from outside your firewall.

The Firewall
Yup. You’d better allow access to port 21 (or whatever you chose).

Check Your Logs