Vol. 50, #8 - October 7, 2013 - Issue #950
Secure file transfer
- Editor's Corner
- Another free ebook! Introducing Windows Azure for IT Professionals
- An Isolated Approach to FTP
- Tip of the Week
- Recommended for Learning
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Webcast Calendar
- Featured Webinar: Data Management Strategies for MS Exchange
- Register for Webcasts
- Tech Briefing
- Windows Server
- SharePoint, Exchange and Office
- System Center
- Windows Azure
- Other Cloud Computing
- Windows Server News
- Maximize cloud benefits with five keys to private cloud automation
- Tips for VDI success: Tackling networking, security and app selection
- VirtIO, PCI pass-through offer better KVM network performance
- Click-to-Run and MSI provide Office 2013 installation options
- WServerNews FAVE Links
- This Week's Links We Like. Fun Stuff.
- WServerNews - Product of the Week
- 2X ApplicationServer XG - Simple and secure virtual desktop and application delivery.
This week's newsletter is all about securely transferring files using the FTP Isolation functionality found in IIS 7.0 and later on the Windows Server platform. To walk us through how to configure and use this feature we have a guest editorial by Terri Donahue, a Microsoft Most Valuable Professional for ASP.NET/IIS. But while transferring a file is one thing, opening the file can be an altogether different experience as this classic Dilbert cartoon explains:
Another free ebook! Introducing Windows Azure for IT Professionals
Last week we announced a free ebook titled Microsoft System Center: Designing Orchestrator Runbooks by David Ziembicki, Aaron Cushner and Andreas Rynes with myself as series editor. This is the first in a series of free ebooks Microsoft Press will be publishing about different System Center 2012 products and you can download the ebook in PDF, MOBI or EPUB format here:
Guess what? This week we're announcing the availability of another free ebook! This one is titled Introducing Windows Azure for IT Professionals and is by myself together with experts from the Windows Azure team at Microsoft.
The PDF for this ebook can be downloaded today while MOBI and EPUB versions will be available soon. You can get it from here:
And now on to our guest editorial by Terri Donahue...
An Isolated Approach to FTP
Microsoft has made great progress with FTP in the later releases of the application. There are many new features that have been added to FTP starting with IIS 7.0. The IIS FTP server now supports SSL connections for data encryption. With IIS 8.0, Microsoft introduced an automated approach to FTP Logon restrictions as well. Both of these enhancements provide a more secure application and create a real argument for choosing IIS FTP for implementation in a multi-host/multi-use environment. I will be providing an overview of implementing the FTP role utilizing either user isolation with a single FTP instance or Virtual Host Names with multiple sites.
For this walkthrough, you will need to create four local users, their home directories, and a named text file, and set the NTFS permissions to Modify for access. This configuration makes testing and verification easier because you should see only the user-named file for each user when logging in to the FTP site.
Text document in directory
For starters, you need to have the FTP Role Service installed. From Server Manager, click on the IIS entry to view the metrics associated with IIS. Scroll down through the information panel until you see Roles and Features. You can then check quickly to see if the FTP Service is installed. If it is not, click on Manage, Add Roles and Features. You will then click through the Wizard until you get to the Server Roles selection screen. Expand Web Server (IIS) and make sure that FTP Service under FTP Server is selected for install. Finish the Wizard to complete the install of the FTP Service.
FTP sites configured using User Isolation and/or Virtual Host Names (VHNs) can co-exist on the same server. In this walkthrough, we will cover configuring both types. This section will pertain to configuration of an FTP site using user isolation. To do this, open Internet Information Services (IIS) Manager. Right click on Sites and select Add FTP Site. Provide a site name (ex. MainFTP) and physical path (ex. c:\inetpub\ftproot) and proceed to the next page of the wizard. We will leave the defaults for the bindings and set the SSL configuration to No SSL for this implementation. Select Basic for the authentication type, change the authorization to Specified users or roles and enter Authenticated Users, and enable both Read and Write permissions. Click Finish to complete the configuration of this site.
We will also need to configure the NTFS permissions on the root location to allow the selected users to authenticate. From IIS Manager, click on the MainFTP site and select Edit Permissions from the Actions pane. This will open the properties for the configured folder. Click on the Security Tab and click Edit. At this point, since we will only want authenticated users to be able to access the FTP site, we will add Authenticated Users with the default NTFS permissions.
The next step is to enable user isolation. Click on MainFTP and open the FTP User Isolation feature in the GUI. Select User name directory under Isolate Users and click Apply. Next, open the FTP Authorization Rules feature, select the Allow rule and change the rule to Specified roles or user groups and enter Authenticated Users. The FTP site is now configured for user isolation.
The next step will be to add the LocalUser and specific user virtual directories. Right click on MainFTP and then click on Add Virtual Directory. The alias name has to be LocalUser. Set the physical path to c:\inetpub\ftproot. This naming configuration is what IIS FTP expects for user isolation.
Now right click on LocalUser and select Add Virtual Directory. The Alias will be the first user (test1) you created above and the physical path will be the home directory (c:\domains\test1) you created for the user. Repeat this step for your second user (test2). Your MainFTP configuration should now look like this:
Once the basic configuration is completed, additional users and the respective home directories can be added to this single FTP instance. Due to the configuration of user isolation, access is only granted to the folder designated in the physical path of each virtual directory and the NTFS permissions ensure that only the correct user is able to access the content.
We are now ready to test using the FTP client of your choice. If you perform the testing on your local server, you can use localhost to connect. If you are testing externally, a local entry in the hosts file will need to be created, or the IP address can be used. Log in to the FTP server using the test1 user and verify that the only file you see is test1.txt. If you connect with the test2 user, you should see only the test2.txt file.
We will now convert this implementation to one that uses Virtual Host Name sites, with one of the sites also using user isolation. VHN sites require a default FTP site to be set up. We will use the MainFTP site already created. This could be just a default site that is set up but not configured, since it will not be accessible after the second FTP site has been created. For security's sake, we will go ahead and set the FTP Authorization Rules to Deny all users. Select the MainFTP site and open the FTP Authorization Rules feature. Delete the existing Allow rule and create a Deny rule which is set to All Users.
Let's once again right click on Sites and choose Add FTP Site. Enter the site name (test3.localtest.me) and physical path (c:\domains\test3). On the next page of the wizard, check Enable Virtual Host Names and enter the site name (test3.localtest.me) and set SSL to No SSL once again. Check Basic for the authentication type, allow access to Specified users and enter test3, and check Read and Write for the permissions. Click Finish on the wizard. Repeat this step for the test4 user, replacing test3 with test4 for each step.
And finally, add another FTP site that is named ui.localtest.me. The specified users should be test1 and test2, and the Virtual Host Name needs to be set to ui.localtest.me. Right click on ui.localtest.me and then click on Add Virtual Directory. The alias has to be LocalUser and the physical path can be set to c:\inetpub\ftproot. Since we set the NTFS permissions on this folder previously, you are ready to continue with creating the Virtual Directories for user isolation. Right click on LocalUser and select Add Virtual Directory. The Alias will be the first user (test1) you created above and the physical path will be the home directory (c:\domains\test1) you created for the user. Repeat this step for your second user (test2).
After this is completed, the configuration will look like this:
Although you can use the IP address to test these FTP sites, we set these FTP sites up using a very special testing domain named localtest.me. All records, including a * record for this domain, resolve to 127.0.0.1. I have gotten into the habit of creating sites with these hostnames so that testing does not require DNS updates or hosts file entries. When testing on your local server, your FTP host will be the name of the FTP site or localhost. If you are testing from another machine, you can use the IP address of the server as the hostname. When using VHNs, the name resolution is handled as part of the username. The username for each site has to be VHN|user. For example, to test the test3.localtest.me site, the username will be test3.localtest.me|test3.
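The walkthrough pairs Basic authentication with No SSL, so the password crosses the network unencrypted unless SSL is later required on the site. As an added example (not part of the guest editorial and not a Microsoft tool), this Python check reads a sites fragment of applicationHost.config and reports FTP sites that accept Basic authentication without requiring SSL, sites that do not isolate users, and isolated sites with no LocalUser virtual directories. The sample XML and the finding names are constructed, and the attribute values are assumed to be what the wizard choices above produce.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the page: an assumed applicationHost.config <sites>
# fragment. MainFTP uses "No SSL"; ui.localtest.me lacks LocalUser virtual dirs.
SAMPLE = r"""<sites>
 <site name="MainFTP">
  <application path="/">
   <virtualDirectory path="/" physicalPath="c:\inetpub\ftproot"/>
   <virtualDirectory path="/LocalUser" physicalPath="c:\inetpub\ftproot"/>
   <virtualDirectory path="/LocalUser/test1" physicalPath="c:\domains\test1"/>
  </application>
  <bindings><binding protocol="ftp" bindingInformation="*:21:"/></bindings>
  <ftpServer><userIsolation mode="IsolateAllDirectories"/><security>
   <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow"/>
   <authentication><basicAuthentication enabled="true"/></authentication>
  </security></ftpServer>
 </site>
 <site name="ui.localtest.me">
  <application path="/">
   <virtualDirectory path="/" physicalPath="c:\inetpub\ftproot"/>
  </application>
  <bindings><binding protocol="ftp" bindingInformation="*:21:ui.localtest.me"/></bindings>
  <ftpServer><userIsolation mode="IsolateAllDirectories"/><security>
   <ssl controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire"/>
   <authentication><basicAuthentication enabled="true"/></authentication>
  </security></ftpServer>
 </site>
</sites>"""

# Non-isolating modes; a missing attribute is treated the same (assumed default).
NOT_ISOLATING = {None, "None", "StartInUsersDirectory"}
LOCAL_ISOLATION = {"IsolateAllDirectories", "IsolateRootDirectoryOnly"}

def audit_site(site):
    """Return findings for one <site> element of applicationHost.config."""
    findings = []
    ssl = site.find("ftpServer/security/ssl")
    basic = site.find("ftpServer/security/authentication/basicAuthentication")
    control = ssl.get("controlChannelPolicy") if ssl is not None else None
    # Basic auth with SSL merely allowed lets a client send the password in clear.
    if basic is not None and basic.get("enabled") == "true" and control == "SslAllow":
        findings.append("basic-auth-without-required-ssl")
    iso = site.find("ftpServer/userIsolation")
    mode = iso.get("mode") if iso is not None else None
    homes = [v for v in site.iter("virtualDirectory")
             if v.get("path", "").startswith("/LocalUser/")]
    if mode in NOT_ISOLATING:
        findings.append("users-not-isolated")
    elif mode in LOCAL_ISOLATION and not homes:
        # Assumes the page's layout, where user homes are virtual directories.
        findings.append("no-localuser-vdirs")
    return findings

def audit(config_xml):
    """Map each site with an FTP binding to its list of findings."""
    root = ET.fromstring(config_xml)
    return {s.get("name"): audit_site(s) for s in root.iter("site")
            if s.find("bindings/binding[@protocol='ftp']") is not None}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A site whose homes are physical folders under its LocalUser directory will also report no-localuser-vdirs; confirm the folders exist before treating that finding as a fault.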
About Terri Donahue
Terri Donahue is a Microsoft Most Valuable Professional for ASP.NET/IIS. She currently works as a Support Specialist at OrcsWeb. She has worked with IIS since version 4.0. She has a passion for helping people solve technology-related issues. For more info see her:
Twitter feed: http://www.wservernews.com/go/1380891679757
LinkedIn profile: http://www.wservernews.com/go/1380891681585
Send us feedback
Have you used FTP Isolation in IIS for secure file transfer? Are you using any other secure FTP solutions? Let us know at [email protected]
Tip of the Week
This week we have another PowerTip from our colleague Ed Wilson a.k.a. The Scripting Guy at Microsoft.
PowerTip: Find net adapter binding info using PowerShell
Here's a tip on how to use Windows PowerShell to find network adapter binding information.
Question: How can you use Windows PowerShell on Windows 8 or above to find network adapter binding information?
Answer: Use the Get-NetAdapterBinding function, specify the adapter name, and select the name, bindname and enabled properties. This appears here.
Get-NetAdapterBinding -Name ethernet | ft name, bindname, enabled
Ed Wilson is the bestselling author of eight books about Windows Scripting, including Windows PowerShell 3.0 Step by Step, and Windows PowerShell 3.0 First Steps. He writes a daily blog about Windows PowerShell called Hey, Scripting Guy! that is hosted on the Microsoft TechNet Script Center; for more PowerTips check out the Hey, Scripting Guy! blog.
Recommended for Learning
Here's an announcement about an exciting series of online events from Microsoft:
October 29: Attend Microsoft Insights 2013
Join the Microsoft Insights 2013 online event on October 29 for an interactive expert panel discussion on emerging opportunities in technology, the earning potential they represent, and the skills required to excel. Discover the training and resources available to prepare for the next step in your career and a rewarding future. Register now here:
Quote of the Week
"Everything you want is on the other side of fear." - Jack Canfield
Admin Tools We Think You Shouldn't Be Without
Download 2X ApplicationServer XG to deliver virtual desktops and applications from a central location, providing continuous availability, resource-based load balancing and complete end-to-end network transparency for administrators.
Make backing up Hyper-V VMs easy, fast and reliable. Free for WServerNews subscribers. Download now!
Server performance problems? Find out why with FactFinder Express. See whether the issue is a slow app, slow SQL requests, or a CPU/Memory/Disk bottleneck. 30 day free trial.
sFlowTrend is a free, graphical network and server monitoring tool:
FogBugz can help you track bugs, meet deadlines, and maintain control over team projects:
Project Conference, 2014 on February 2-5 in Anaheim, California
Lync Conference 2014 on February 18-20, 2014 at The Aria in Las Vegas, Nevada
SharePoint Conference 2014 on March 3-6, 2014 at The Venetian in Las Vegas, Nevada
Microsoft Worldwide Partner Conference (WPC 2014) coming in July, 2014 in Washington, D.C.
European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
Featured Webinar: Data Management Strategies for MS Exchange
MS ExchangeCon 2013 Keynote speaker Michael Osterman will be leading an interactive discussion on data management strategies in the era of diverse data.
And of all that data, what are you responsible for? What do you need to save, and for how long? Is all of it discoverable if it was created on personal devices or by non-company employees?
Join Michael Osterman of Osterman Research and Dominic Brown of HP Autonomy on October 8, 2013 at 2:00pm EDT / 11:00am PDT as they discuss information governance in an era of increasingly diverse data types. This Webinar will be recorded and the recording shared with all registrants.
This webinar will examine these issues and more as we look at the expanding pool of data types that all organizations are responsible for. We'll discuss the growing impact of new data types within organizations, and how to employ data governance policies and technologies to keep your organization in the clear if discovery becomes necessary. You’ll walk away with a new understanding of next steps for your organization in this changing landscape.
All registrants will be entered in a drawing to win an Apple iPad Mini or an Amazon.com gift certificate valued at $329.
This section is organized topically by platform/product and provides you with links to tips, tools, information and other resources that can help you in your job role whether you're an IT professional or an IT decision-maker.
Video: Change management for Active Directory - Part 2 (WindowSecurity.com)
Windows Server 2012 R2 is coming what does this add to RDS – VDI (VirtualizationAdmin.com)
Understanding IP Address Management (IPAM) (WindowsNetworking.com)
SharePoint, Exchange and Office
Product Review: NETsec’s GALsync (Version 5.0) (MSExchange.org)
Office 365 & SharePoint 2013 Online: Managing external users (Serge Luca's Blog)
Welcome to Hyper-V 2012 R2 (Part 1) (VirtualizationAdmin.com)
Choosing the Right Virtualization Platform (Part 1) (WindowsNetworking.com)
Converting Hyper-V .vhdx to .vhd file formats for use in Windows Azure (Countenay Bernier Infrastructure Blog)
Oracle Self-Service Kit : Provisioning Oracle Database components using the System Center stack
Automation–MVP Example Solution Spotlight–Orchestrator Integration with Office365 and SharePoint 2013
New Microsoft System Center 2012 Orchestrator Cookbook Now Available (System Center Orchestrator Engineering Blog)
Microsoft's Windows Azure deemed secure by the Feds (VentureBeat)
Try Oracle Software on Windows Azure (WindowsAzure.com)
Microsoft BizSpark - Unlimited possibilities for startups with the Windows Azure Platform (Blain Barton's Blog)
Other cloud computing
Cloud Server Performance: A Comparative Analysis of 5 Large Cloud IaaS Providers (Cloud Spectator)
Attackers turning to legit cloud services firms to plant malware (ComputerWorld)
Dot-cloud boom? IT hiring strongest since June 1998 (ZDNet)
Security Best Practices for IIS 8 (TechNet)
Administrator Account Security in Active Directory (WindowsITPro)
Panda Cloud Office Protection - Voted WindowSecurity.com Readers' Choice Award Winner - Firewall (WindowSecurity.com)
We'd like to thank the following individuals for contributing items for this section from time to time:
- Florian Klaffenbach, a Solution Expert in Microsoft & Cloud Computing working at Dell TechCenter Germany. Be sure to check out Flo's Datacenter Report:
- Yuri Diogenes, Senior Technical Writer in the Server and Cloud Division at Microsoft. You can find Yuri's blog on TechNet:
- Heather Witz of the Microsoft Customer, Architecture & Technologies (CAT) team for Windows Server & System Center. Check out their team blog Building Clouds on TechNet:
Maximize cloud benefits with five keys to private cloud automation
Private clouds can help mitigate some of the public cloud disadvantages, but only if the proper automation tools and processes are implemented. Uncover five private cloud implementation tips that will help limit unnecessary administration overhead.
Tips for VDI success: Tackling networking, security and app selection
There are a variety of factors that lead to VDI success: networking, security and application selection are three of the most crucial. Hear from our experts as they offer advice for networking considerations, keeping data secure and choosing the right applications for an effective VDI project.
VirtIO, PCI pass-through offer better KVM network performance
Every admin knows that even good doesn't cut it sometimes – and although KVMs generally offer acceptable network performance there are small improvements you can make to optimize performance. Discover two methods for enhancing KVM network performance inside.
Click-to-Run and MSI provide Office 2013 installation options
It's probably time to start thinking about how to deploy Microsoft's latest software suite to all your desktops – but what are your options? Gain insider advice for choosing between new Click-to-Run technology and the more traditional MSI when installing Office 2013.
This Week's Links We Like. Tips, Hints And Fun Stuff
When a movie or TV character can't get something to work, he or she just gives it a good whack. Voilà! It works.
Brilliant Mercedes suspension ad: 'Magic Body Control' scans the road 15 meters ahead of the car and adapts the suspension to the road conditions ahead.
A 1920s vintage Dodge Brothers sedan drives down muddy roads and across muddy fields to get to the gushing oil well.
What it was like to fly on the Concorde from New York to London in 3:15 hrs at twice the speed of sound.
Golfers at a course in Verbier, Switzerland have had an unusual interruption to their games.
Have you ever wondered why the full moon looks bigger on the horizon than high overhead?
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com