Saturday, November 22, 2008

FTP in Windows Server 2008 - isolating users

Apparently Windows 2003 has something called "FTP user isolation". You know, so lots of people can use one FTP site and see only their own stuff? I never really needed this, as a few years ago I accidentally discovered an apparently undocumented way of isolating FTP users:

  • Create a single FTP site with the default folder location, disallow anonymous access
  • For each FTP username you want, create Active Directory or local Windows users on the IIS box with damn good passwords
  • Create virtual directories in IIS with the same names as the usernames you just created. Point them to the home directories you want for your users
  • For each of these folders, make sure its relevant username has NTFS write permissions

Easy! You would not want to set up thousands of users like this, but if you only have a couple it works a treat. Each user logs into your FTP site with their AD or local username and password (use an AD account if your FTP server is also a domain controller - yikes!) and sees only their own folder.

Now I've just got my first Windows Server 2008 web and FTP server, and I just assumed all this would still work, but I have found it's a bit more complicated. Actually, it's positively bonkers. This example is for domain users; it might be different for local users. Anyway, to achieve the same thing in Windows Server 2008...

  • Install IIS, download the FTP server for Server 2008 (mutter mutter), and set up an FTP site pointing at some empty folder - probably c:\inetpub\ftproot
  • In the IIS tools, select your FTP site so all the options are displayed on the right. Select "FTP User Isolation", and set it to Isolate Users, using "user name directory" (the first Isolated option)
  • In Windows Explorer, create a folder named after the domain (just the short version, no dots) in the FTP root folder (I really can't remember how I figured out this was needed!)
  • Back in the IIS tools expand the site so you can see the new folder. Right click, New Virtual Directory. Give it one of the usernames and point it to the folder that username should be restricted to. Create a virtual directory for each of the users you want to have access.

Not the most obvious process!

Friday, November 14, 2008

Anti Acrobat Reader Rant

[Warning - this is not a balanced or reasonable piece.]

Arrrggggggggghhhhhhh! I HATE Acrobat Reader! When looking at a server that had run out of space on the C: drive I just discovered that its installation of Acrobat Reader 9 was taking up 200 MB of space. Doing bloody what? This application opens PDFs - that's it; everything else it might do or claim to do is fluff, you only install it to open PDF files. It certainly did this in version 5, presumably in version 1. Why exactly are we on version NINE?!

Do Adobe have a team of dedicated and talented programmers who have been given the priorities of releasing a new version of Reader every year without fail, making sure that at every point it gets exponentially bigger and gains absolutely no noticeable extra functionality? Is it a ploy to force constant machine upgrades to cope?

And why, while I am blithering, did I go to uninstall it to move it to another drive and find THREE applications in Add/Remove Programs - Reader, 'Acrobat.com' and something called 'Adobe Air'? Is Air some funny reference to how heavy their application is for a glorified file viewer? What is Acrobat.com, have they installed their website on my server?

Don't even get me started on the fact that my reinstall claimed to require a reboot and added back in the autoloading application to the startup apps. I might start foaming at the mouth.

Sorry, I feel better.

Thursday, November 13, 2008

Windows Server 2003 Event Log access

I've just spent about 2 hours messing about figuring out how to give non-admin users access over the network to the Event Logs on a Windows Server 2003 SP2 server. What fun hours they were too! Since I might never find this again, I thought I would write it down...

This will allow Authenticated Users to read the Application and System logs - it is possible to put an AD SID instead of 'AU' to tie it down a lot more.

Just append the text '(A;;0x1;;;AU)' to the end of the string value 'CustomSD' in the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
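Before pasting into regedit it is worth checking what a CustomSD string actually grants, since 0x1 is read-only but 0x2 (write) and 0x4 (clear) would let the same principals tamper with the log. The following is an added example, not part of the original post: it parses the SDDL ACEs in a CustomSD string, reports each principal's effective event-log rights, and appends the post's ACE idempotently. The sample string is constructed for illustration (not copied from a real server), only hex access masks are handled (which is what CustomSD uses), and group membership is not resolved.

```python
import re

# Event-log access mask bits used in CustomSD (read / write / clear).
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# A few SDDL well-known SID abbreviations, purely for readable output.
ALIASES = {"AU": "Authenticated Users", "BA": "Administrators",
           "SY": "SYSTEM", "AN": "Anonymous", "BG": "Guests", "IU": "Interactive"}

# (type;flags;rights;object;inherit;sid) - rights restricted to a hex mask.
ACE_RE = re.compile(r"\(([AD]);([^;]*);(0x[0-9A-Fa-f]+);([^;]*);([^;]*);([^)]+)\)")


def audit_custom_sd(sddl):
    """Return {principal: set of effective rights} for a CustomSD string.

    A deny ACE for a principal strips those bits from any allow ACE for the
    same principal; principals with no allow ACE are omitted.
    """
    allowed, denied = {}, {}
    for ace_type, _flags, mask, _obj, _inh, sid in ACE_RE.findall(sddl):
        bucket = allowed if ace_type == "A" else denied
        bucket[sid] = bucket.get(sid, 0) | int(mask, 16)
    result = {}
    for sid, mask in allowed.items():
        effective = mask & ~denied.get(sid, 0)
        result[ALIASES.get(sid, sid)] = {n for bit, n in RIGHTS.items() if effective & bit}
    return result


def append_read_ace(sddl, sid="AU"):
    """Append the post's read-only ACE for `sid` unless it is already present."""
    ace = f"(A;;0x1;;;{sid})"
    return sddl if ace in sddl else sddl + ace


# Constructed sample: anonymous denied, SYSTEM and Administrators allowed,
# no non-admin read access yet. Not taken from a real server.
SAMPLE = "O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"

if __name__ == "__main__":
    new_sd = append_read_ace(SAMPLE)
    print(new_sd)
    for principal, rights in sorted(audit_custom_sd(new_sd).items()):
        print(f"{principal:20} {sorted(rights)}")
```

Run it against the existing CustomSD value copied from the key to confirm that Authenticated Users end up with read only and nothing else changed.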