Prevent Domain user logon to FTP?
    Prevent Domain user logon to FTP?  
jgovednik@gmail.com




 
11-10-05 11:03 PM

I need to be able to restrict what accounts can logon to the FTP server
through the FTP service.

One of my Win2k3Std servers is set up as my FTP server; the user accounts
are created in the AD under a specific OU. IIS6 MSFTPSVC has the
DefaultLogonDomain metabase property set to the default active
directory domain (internal.global.ad) so an ftp user doesn't have to
enter internal\username in order to log in.

My problem is that there are some service accounts in the domain that
must NOT be able to attempt a domain authentication login attempt via
the FTP service, but have to be allowed to login to the server via the
network.

Example: The file transfer service (runs on FTP1 and some of our other
back-end servers: copies incoming files from specific directories under
ftproot to other servers on the network, which get processed and
reports get put back onto FTP1 so the users can download them) runs as
internal\servicejob - which MUST NOT BE LOCKED OUT...

With the current setup, anyone could go to ftp.mycompany.com and
attempt to log into our ftp site as USER servicejob and fail 3 times and
LOCK the servicejob account... which would cause the transfer service
to stop working on all the internal servers - which is completely
unacceptable.

I need to be able to restrict who can logon to the FTP1 server through
the FTP service.

I have tried to edit the local security settings on FTP1 to ONLY allow
local Administrators group and the domain FTPUSERS group on the "Access
this computer from the Network" local security policy; but this
prevents the transfer service on the networked systems from being able
to copy files onto FTP1...

Any suggestions on how I can either
- Prevent authorization attempts for {user1, user2, user3, etc} ONLY
through the IIS FTP service
OR
-  Allow ONLY Internal\FTPUSERS group to authenticate via FTP, while
allowing all other users to attempt authentication as normal (except
via FTP protocol).









    Re: Prevent Domain user logon to FTP?  
Bernard Cheah [MVP]




 
11-14-05 07:49 AM

This will be hard as Windows users and ftp users are actually the same.
If the user is able to obtain the service account logon user credential, you
can't really prevent them from accessing the ftp.
As for the ftp service, it is just another logon request.

So, I'm thinking you need to make sure those service account details for ftp
logon are only known by trusted personnel, and the only thing you can prevent
from the ftp site is to only GRANT the required accounts access. E.g. if only
serviceacc1 needs access, then configure NTFS access permissions for
serviceacc1 + system + administrators (if needed). In this setup, although
other users are still able to access ftp, they will get access denied.

Got it?
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


<jgovednik@gmail.com> wrote in message
news:1131654679.630760.161750@g44g2000cwa.googlegroups.com...
>I need to be able to restrict what accounts can logon to the FTP server
> through the FTP service.
>
> One of my Win2k3Std servers is set up as my FTP server; the user accounts
> are created in the AD under a specific OU. IIS6 MSFTPSVC has the
> DefaultLogonDomain metabase property set to the default active
> directory domain (internal.global.ad) so an ftp user doesn't have to
> enter internal\username in order to log in.
>
> My problem is that there are some service accounts in the domain that
> must NOT be able to attempt a domain authentication login attempt via
> the FTP service, but have to be allowed to login to the server via the
> network.
>
> Example: The file transfer service (runs on FTP1 and some of our other
> back-end servers: copies incoming files from specific directories under
> ftproot to other servers on the network, which get processed and
> reports get put back onto FTP1 so the users can download them) runs as
> internal\servicejob - which MUST NOT BE LOCKED OUT...
>
> With the current setup, anyone could go to ftp.mycompany.com and
> attempt to log into our ftp site as USER servicejob and fail 3 times and
> LOCK the servicejob account... which would cause the transfer service
> to stop working on all the internal servers - which is completely
> unacceptable.
>
> I need to be able to restrict who can logon to the FTP1 server through
> the FTP service.
>
> I have tried to edit the local security settings on FTP1 to ONLY allow
> local Administrators group and the domain FTPUSERS group on the "Access
> this computer from the Network" local security policy; but this
> prevents the transfer service on the networked systems from being able
> to copy files onto FTP1...
>
> Any suggestions on how I can either
> - Prevent authorization attempts for {user1, user2, user3, etc} ONLY
> through the IIS FTP service
> OR
> -  Allow ONLY Internal\FTPUSERS group to authenticate via FTP, while
> allowing all other users to attempt authentication as normal (except
> via FTP protocol).
>
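
An added example for the lockout scenario discussed in this thread, not part of either poster's message: it pairs each FTP `USER` command with the `PASS` result in the same session and reports failed logons against service accounts that must not be locked out. The log lines are constructed, the IIS 6 W3C field selection is an assumption, and `PROTECTED`, `failed_logons` and `lockout_risk` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in the IIS 6 MSFTPSVC W3C extended layout; the field
# selection (time c-ip cs-method cs-uri-stem sc-status) is an assumption.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
23:01:10 203.0.113.7 [41]USER servicejob 331
23:01:11 203.0.113.7 [41]PASS - 530
23:01:15 203.0.113.7 [42]USER internal\\servicejob 331
23:01:16 203.0.113.7 [42]PASS - 530
23:02:02 198.51.100.9 [43]USER jsmith 331
23:02:03 198.51.100.9 [43]PASS - 230
23:02:40 203.0.113.7 [44]USER SERVICEJOB 331
23:02:41 203.0.113.7 [44]PASS - 530
"""

PROTECTED = {"servicejob"}   # accounts that must never be locked out
LOCKOUT_THRESHOLD = 3        # failed attempts before lockout, per the post

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](USER|PASS) (\S+) (\d{3})$")

def bare_name(user):
    """Strip a DOMAIN\\ prefix or @domain suffix and lowercase the name."""
    return user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def failed_logons(log_text, protected=PROTECTED):
    """Return {account: [(time, client_ip), ...]} for failed FTP logons."""
    pending = {}                      # (ip, session) -> account named in USER
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                  # skip # directives and other commands
        time, ip, session, verb, arg, status = m.groups()
        if verb == "USER":
            pending[(ip, session)] = bare_name(arg)
        elif (ip, session) in pending:
            account = pending.pop((ip, session))
            if status == "530" and account in protected:
                failures[account].append((time, ip))
    return dict(failures)

def lockout_risk(log_text, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose failed FTP logons reached the lockout threshold."""
    return sorted(a for a, h in failed_logons(log_text).items() if len(h) >= threshold)

if __name__ == "__main__":
    print(failed_logons(SAMPLE_LOG), lockout_risk(SAMPLE_LOG))
```

Because `DefaultLogonDomain` lets clients omit the domain, the name is normalised before matching so `servicejob`, `internal\servicejob` and `SERVICEJOB` all count against the same account.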






