I think I'd bring up my problem again.
-
I encounter problems when seting up ftp services and web services with my newly installed win2000 server. what I want to do is:I have many users who want to publish their web applications,so I should create a respective directory for them,and each one get a user account to access their directory which others cannot access,in other words,they and only themselves can manage or control a server path,including upload,delete,mkdir etc. via ftp. That is one aspect,another aspect is when they are ready finish preparing their web applications,their web access is open to everyone using browsers through visual path in default website or a new website. I want your help.My english is not very good yet,but I really want your or others' help. :confused: this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
-
I encounter problems when seting up ftp services and web services with my newly installed win2000 server. what I want to do is:I have many users who want to publish their web applications,so I should create a respective directory for them,and each one get a user account to access their directory which others cannot access,in other words,they and only themselves can manage or control a server path,including upload,delete,mkdir etc. via ftp. That is one aspect,another aspect is when they are ready finish preparing their web applications,their web access is open to everyone using browsers through visual path in default website or a new website. I want your help.My english is not very good yet,but I really want your or others' help. :confused: this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
That's an entirely new and different problem than before... Very well stated, Zhoujun, and I'm having similar trouble myself. I can't find a thing in the documentation about how to do this. If you find out first, tell me, please! "When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
-
I encounter problems when seting up ftp services and web services with my newly installed win2000 server. what I want to do is:I have many users who want to publish their web applications,so I should create a respective directory for them,and each one get a user account to access their directory which others cannot access,in other words,they and only themselves can manage or control a server path,including upload,delete,mkdir etc. via ftp. That is one aspect,another aspect is when they are ready finish preparing their web applications,their web access is open to everyone using browsers through visual path in default website or a new website. I want your help.My english is not very good yet,but I really want your or others' help. :confused: this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
I'm going back many years in old Network theory to the time of G-net. And I wonder if the same theory holds. Make a User Directory, with a subdirectory. The individual users should only have the full permissions you want to give to their subdirectory. Next give each of the users view/read permissions to their own user directory. I always found mastering network stuff was easiset with several machines side by side, and a good swivel chair. Ouch !!! Regardz Colin J Davies
Sonork ID 100.9197:Colin
You are the intrepid one, always willing to leap into the fray! A serious character flaw, I might add, but entertaining. Said by Roger Wright about me.
-
That's an entirely new and different problem than before... Very well stated, Zhoujun, and I'm having similar trouble myself. I can't find a thing in the documentation about how to do this. If you find out first, tell me, please! "When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
Thanks,you finally understand me. If I get the answer,I will tell you right away. :) this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
-
I'm going back many years in old Network theory to the time of G-net. And I wonder if the same theory holds. Make a User Directory, with a subdirectory. The individual users should only have the full permissions you want to give to their subdirectory. Next give each of the users view/read permissions to their own user directory. I always found mastering network stuff was easiset with several machines side by side, and a good swivel chair. Ouch !!! Regardz Colin J Davies
Sonork ID 100.9197:Colin
You are the intrepid one, always willing to leap into the fray! A serious character flaw, I might add, but entertaining. Said by Roger Wright about me.
Been there, done that. It doesn't work, so I burned the t-shirt. "When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
-
Thanks,you finally understand me. If I get the answer,I will tell you right away. :) this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
zhoujun wrote: If I get the answer,I will tell you right away. Thanks, buddy! This is not a trivial problem, and the documentation is really bad. There's lots of it, but the content lacks any value. "When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
-
I encounter problems when seting up ftp services and web services with my newly installed win2000 server. what I want to do is:I have many users who want to publish their web applications,so I should create a respective directory for them,and each one get a user account to access their directory which others cannot access,in other words,they and only themselves can manage or control a server path,including upload,delete,mkdir etc. via ftp. That is one aspect,another aspect is when they are ready finish preparing their web applications,their web access is open to everyone using browsers through visual path in default website or a new website. I want your help.My english is not very good yet,but I really want your or others' help. :confused: this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
This is what I do, and it seems to work:
- First, prepare the default FTP site.
- Apply all security patches
- Install IISLockdown.
- Make sure that write access is disabled.
- If possible, turn off annonymous access, otherwise make sure the anonymous account is not the IUSR_MachineName account.
- Create a user account with "Log on locally" priveleges, which will be used to upload the site.
- Create a directory for the web application. Preferably, nowhere near the wwwroot, ftproot or inetpub directories. Set the following NTFS permissions:
- The Administrators group and the upload account should have full control
- The IUSR_MachineName account should have read access.
- Nobody else should have any permissions. Specifically, if anonymous FTP access is allowed, the anonymous FTP account should not be able to read this directory.
- In the default FTP site, create a virtual directory pointing to the web application directory. Give it the same name as the upload user, and enable write access.
- Once the site is ready, create a new web-site pointing to the web application directory.
When the upload user logs in, IIS will automatically move them to the virtual directory with the same name as their user name. Since the directory is a virtual directory, anonymous FTP users will not be able to see it. The NTFS permissions won't allow anyone other than the upload user to access the directory, so other users won't be able to read or change the contents, even if they could guess the name. By granting read access to the IUSR_MachineName account, anonymous users will be able to view the web site. Hope this helps!
- First, prepare the default FTP site.
-
This is what I do, and it seems to work:
- First, prepare the default FTP site.
- Apply all security patches
- Install IISLockdown.
- Make sure that write access is disabled.
- If possible, turn off annonymous access, otherwise make sure the anonymous account is not the IUSR_MachineName account.
- Create a user account with "Log on locally" priveleges, which will be used to upload the site.
- Create a directory for the web application. Preferably, nowhere near the wwwroot, ftproot or inetpub directories. Set the following NTFS permissions:
- The Administrators group and the upload account should have full control
- The IUSR_MachineName account should have read access.
- Nobody else should have any permissions. Specifically, if anonymous FTP access is allowed, the anonymous FTP account should not be able to read this directory.
- In the default FTP site, create a virtual directory pointing to the web application directory. Give it the same name as the upload user, and enable write access.
- Once the site is ready, create a new web-site pointing to the web application directory.
When the upload user logs in, IIS will automatically move them to the virtual directory with the same name as their user name. Since the directory is a virtual directory, anonymous FTP users will not be able to see it. The NTFS permissions won't allow anyone other than the upload user to access the directory, so other users won't be able to read or change the contents, even if they could guess the name. By granting read access to the IUSR_MachineName account, anonymous users will be able to view the web site. Hope this helps!
Thanks,Richard, I follow the directions you give, everything seems working well, and finally,the ftp part works as I want to, but when browsing to that website,I got error messages in IE browsers that said "access to directory is denied"? :confused: by the way,I did not install IISLockdown since I thought it's an option, and when setting the directory's NTFS permissions,I do like this:mouse right-click that directory,select the last item properties(R)(I don't know if I am right in translating the item name because what I am seeing is in chinese) from the pop-up menu,then select the security tab,then set permissions as you said,original it has everyone access rights,and I delete it. I want your further help. this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
- First, prepare the default FTP site.
-
Thanks,Richard, I follow the directions you give, everything seems working well, and finally,the ftp part works as I want to, but when browsing to that website,I got error messages in IE browsers that said "access to directory is denied"? :confused: by the way,I did not install IISLockdown since I thought it's an option, and when setting the directory's NTFS permissions,I do like this:mouse right-click that directory,select the last item properties(R)(I don't know if I am right in translating the item name because what I am seeing is in chinese) from the pop-up menu,then select the security tab,then set permissions as you said,original it has everyone access rights,and I delete it. I want your further help. this is my signature for forums quoted from shog*9: I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
zhoujun wrote: "access to directory is denied" That usually means that the IUSR_MachineName account doesn't have enough permissions on the directory. Try giving it "Read", "Read & Execute" and "List Folder Contents" permissions. Also, click on the "Advanced" button on the security tab, and tick the box, "Replace permission entries on all child objects...". IISLockdown isn't required, but I like to put it on every IIS server connected to the Internet as an extra security measure. Anything that helps keep hackers and viruses out can't be bad! :-D
