How To Limit Access to a FTP Site in Windows Server 2003

This step-by-step article describes how to create a File Transfer Protocol (FTP) site, and then configure the site so that access to it is limited.

Note To perform the procedures in this article, Microsoft Internet Information Services (IIS) 6.0 and the FTP service must be installed on the computer.

To Create an FTP Site

When you install the FTP service, IIS creates a default FTP site. You can use the default FTP site or you can create a new FTP site. To create a new FTP site:

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand ServerName, where ServerName is the name of the server, right-click FTP Sites, point to New, and then click FTP Site. The FTP Site Creation Wizard starts.
3. Click Next.
4. On the FTP Site Description page, type a description for the FTP site in the Description box, and then click Next.
5. On the IP Address and Port Settings page, specify the IP address to use for the FTP site, specify the TCP port to use (if it is different from the default TCP port 21), and then click Next.
6. On the FTP User Isolation page, specify the user isolation option that you want, and then click Next.
7. On the FTP Site Home Directory page, specify the path of your home directory in the Path box, and then click Next.
8. On the FTP Site Access Permissions page, specify the permissions that you want, and then click Next.
9. Click Finish.

To Limit the Number of Client Connections

To limit the number of simultaneous client connections to your FTP site:

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand ServerName, where ServerName is the name of the server, expand FTP Site, right-click your FTP site, and then click Properties.
3. Click the FTP Site tab.
4. Under FTP site connections, click Connections limited to, and then type the maximum number of simultaneous connections that will be permitted to the server. When the limit is reached, IIS returns an error message to the client stating that the server is busy.
5. In the Connection timeout (in seconds) box, type the length of time before the server disconnects an inactive user. This makes sure that all connections are closed in the specified time period if the FTP protocol does not close a connection.
6. Click OK.
7. Quit Internet Information Services (IIS) Manager.

To Configure Anonymous or Domain User Access

You can configure the FTP site for anonymous access by using a predefined user name and password or you can configure the site to require a user name and password that corresponds to a valid Windows user account. When you configure the site to require a user name and password, credentials and data is sent across the network in plain text and are not encrypted in any way. Information is susceptible to interception.

If you intend to put sensitive data on your FTP site, or if secure communications is important, consider using FTP over an encrypted channel such as a virtual private network (VPN) that is secured with Point-to-Point Tunneling Protocol (PPTP) or Secure Internet Protocol (IPSec). Or, consider using Web Authoring with Web-based Distributed Authoring and Versioning (WebDAV). WebDAV uses Secure Sockets Layer (SSL).

To configure anonymous or domain user access:

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand ServerName, where ServerName is the name of the server, expand FTP Site, right-click your FTP site, and then click Properties.
3. Click the Security Accounts tab, and then do one of the following:
   • To permit anonymous connections to the FTP site, click to select the Allow anonymous connections check box (if it is not already selected). If you want to use a Windows user account other than the default IUSER_ComputerName, specify the user name and password in the User name and Password boxes.
     
     If you want to permit only anonymous connections, click to select the Allow only anonymous connections check box.
   • To configure the FTP site to require a Windows user name and password, click to clear the Allow anonymous connections check box.
4. Click OK.
5. Quit Internet Information Services (IIS) Manager.

To Limit Access to Specific Computers

To limit access to only certain computers or groups of computers:

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree, expand ServerName, where ServerName is the name of the server, expand FTP Site, right-click your FTP site, and then click Properties.
3. Click the Directory Security tab.
4. Do one of the following:
   • To deny access, click Granted Access, and then click Add. In the Deny Access dialog box that appears, specify the option that you want, and then click OK.
     
     The computer or group of computers that you specified is added to the list.
   • To grant access, click Denied Access, and then click Add. In the Grant Access dialog box that appears, specify the option that you want, and then click OK.
     
     The computer, group of computers, or domain that you selected is added to the list.
5. Click OK.
6. Quit Internet Information Services (IIS) Manager.

For more information about how to administer FTP sites, see the "FTP Site Administration" topic in the Server Administration Guide of the IIS 6.0 Documentation. To view this documentation, visit the following Microsoft Web site: