Adding FTP Authorization <add>
The <add>
element of the <authorization>
collection defines an authorization rule that will either allow or deny access to specified users, groups, anonymous users, or all users.
The accessType attribute specifies either of two types of authorization rules:
- Allow rules let you define the user accounts or user groups that can access a site, a URL, or all the sites on a server.
- Deny rules let you define the user accounts or user groups that cannot access a site, a URL, or all the sites on a server.
Version | Notes |
---|---|
IIS 10.0 | The <add> element was not modified in IIS 10.0. |
IIS 8.5 | The <add> element was not modified in IIS 8.5. |
IIS 8.0 | The <add> element was not modified in IIS 8.0. |
IIS 7.5 | The <add> element of the <authorization> element ships as a feature of IIS 7.5. |
IIS 7.0 | The <add> element of the <authorization> element was introduced in FTP 7.0, which was a separate download for IIS 7.0. |
IIS 6.0 | The <system.ftpServer> element and its child elements replace the IIS 6.0 FTP settings that were located in the LM/MSFTPSVC metabase path. |
Note
The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:
With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.
To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.
On the taskbar, click Server Manager.
In Server Manager, click the Manage menu, and then click Add Roles and Features.
In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
On the Server Roles page, expand Web Server (IIS), and then select FTP Server.
Click Next, and then on the Select features page, click Next again.
On the Confirm installation selections page, click Install.
On the Results page, click Close.
On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
Expand Internet Information Services, and then select FTP Server.
Click OK.
Click Close.
On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
Select FTP Service.
Click Next.
On the Confirm Installation Selections page, click Install.
On the Results page, click Close.
On the taskbar, click Start, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
Expand Internet Information Services, and then FTP Server.
Select FTP Service.
Click OK.
Download the installation package from the following URL:
Follow the instructions in the following walkthrough to install the FTP service:
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2012 or Windows Server 2012 R2:
- On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows 8 or Windows 8.1:
- Hold down the Windows key, press the letter X, and then click Control Panel.
- Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and then navigate to the site or URL on which you want to configure authorization.
To add a new authorization rule, click Add Allow Rule... or Add Deny Rule... in the Actions pane.
Apply the authorization settings needed for your site or application. There are two sections that need to be considered:
Allow access to this content to: Use the radio buttons to specify that the access rule will apply to:
- All Users
- All Anonymous Users
- Specified roles or user groups (multiple groups/roles can be separated by a comma)
- Specified users (multiple users can be separated by a comma)
Permissions: Use the check box to specify Read or Write access for the rule.
Click OK.
The <add>
element is configured at the server, site, or URL level.
Attribute | Description | ||||||
---|---|---|---|---|---|---|---|
accessType |
Required enum attribute. The accessType attribute can be one of the following possible values.
|
||||||
roles |
Optional string attribute. Specifies roles or groups for an authorization rule. |
||||||
users |
Optional string attribute. Specifies users for an authorization rule. Multiple users can be added in a comma-separated list. In addition, the following special identifiers have been defined.
|
||||||
permissions |
Optional flags attribute. Specifies the access permissions for the rule.
|
None.
The following sample illustrates several security-related configuration settings in the <system.ftpServer>
element for an FTP site. More specifically, the <location>
settings in this example demonstrate how to:
- Specify an FTP authorization rule for read and write access for the administrators group.
- Specify FTP request filtering options that deny *.exe, *.bat, and *.cmd files.
- Specify FTP request limits for a maximum content length of 1000000 bytes and a maximum URL length of 1024 bytes.
- Block FTP access to the _vti_bin virtual directory, which is used with the FrontPage Server Extensions.
- Specify FTP IP filtering options that allow access from 127.0.0.1 and deny access from the 169.254.0.0/255.255.0.0 range of IP addresses.
<location path="ftp.example.com">
<system.ftpServer>
<security>
<authorization>
<add accessType="Allow" roles="administrators" permissions="Read, Write" />
</authorization>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<add fileExtension=".exe" allowed="false" />
<add fileExtension=".bat" allowed="false" />
<add fileExtension=".cmd" allowed="false" />
</fileExtensions>
<requestLimits maxAllowedContentLength="1000000" maxUrl="1024" />
<hiddenSegments>
<add segment="_vti_bin" />
</hiddenSegments>
</requestFiltering>
<ipSecurity enableReverseDns="false" allowUnlisted="true">
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="false" />
</ipSecurity>
</security>
</system.ftpServer>
</location>
The following examples add two FTP authorization rules for the Default Web Site. The first rule allows read and write access for the administrators group, and the second rule denies read and write access for the guest account.
appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/authorization /+"[accessType='Allow',roles='administrators',permissions='Read, Write']" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/authorization /+"[accessType='Deny',users='guest',permissions='Read, Write']" /commit:apphost
Note
You must be sure to set the commit parameter to apphost
when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample
{
private static void Main()
{
using (ServerManager serverManager = new ServerManager())
{
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection authorizationSection = config.GetSection("system.ftpServer/security/authorization", "Default Web Site");
ConfigurationElementCollection authorizationCollection = authorizationSection.GetCollection();
ConfigurationElement addElement = authorizationCollection.CreateElement("add");
addElement["accessType"] = @"Allow";
addElement["roles"] = @"administrators";
addElement["permissions"] = @"Read, Write";
authorizationCollection.Add(addElement);
ConfigurationElement addElement1 = authorizationCollection.CreateElement("add");
addElement1["accessType"] = @"Deny";
addElement1["users"] = @"guest";
addElement1["permissions"] = @"Read, Write";
authorizationCollection.Add(addElement1);
serverManager.CommitChanges();
}
}
}
Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetApplicationHostConfiguration
Dim authorizationSection As ConfigurationSection = config.GetSection("system.ftpServer/security/authorization", "Default Web Site")
Dim authorizationCollection As ConfigurationElementCollection = authorizationSection.GetCollection
Dim addElement As ConfigurationElement = authorizationCollection.CreateElement("add")
addElement("accessType") = "Allow"
addElement("roles") = "administrators"
addElement("permissions") = "Read, Write"
authorizationCollection.Add(addElement)
Dim addElement1 As ConfigurationElement = authorizationCollection.CreateElement("add")
addElement1("accessType") = "Deny"
addElement1("users") = "guest"
addElement1("permissions") = "Read, Write"
authorizationCollection.Add(addElement1)
serverManager.CommitChanges()
End Sub
End Module
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var authorizationSection = adminManager.GetAdminSection("system.ftpServer/security/authorization", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var authorizationCollection = authorizationSection.Collection;
var addElement = authorizationCollection.CreateNewElement("add");
addElement.Properties.Item("accessType").Value = "Allow";
addElement.Properties.Item("roles").Value = "administrators";
addElement.Properties.Item("permissions").Value = "Read, Write";
authorizationCollection.AddElement(addElement);
var addElement1 = authorizationCollection.CreateNewElement("add");
addElement1.Properties.Item("accessType").Value = "Deny";
addElement1.Properties.Item("users").Value = "guest";
addElement1.Properties.Item("permissions").Value = "Read, Write";
authorizationCollection.AddElement(addElement1);
adminManager.CommitChanges();
Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set authorizationSection = adminManager.GetAdminSection("system.ftpServer/security/authorization", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set authorizationCollection = authorizationSection.Collection
Set addElement = authorizationCollection.CreateNewElement("add")
addElement.Properties.Item("accessType").Value = "Allow"
addElement.Properties.Item("roles").Value = "administrators"
addElement.Properties.Item("permissions").Value = "Read, Write"
authorizationCollection.AddElement(addElement)
Set addElement1 = authorizationCollection.CreateNewElement("add")
addElement1.Properties.Item("accessType").Value = "Deny"
addElement1.Properties.Item("users").Value = "guest"
addElement1.Properties.Item("permissions").Value = "Read, Write"
authorizationCollection.AddElement(addElement1)
adminManager.CommitChanges()