Windows Insider

FTP: Still Valuable After All These Years

File Transfer Protocol has been around a while, and it's still one of the most useful tools to have under your Windows 2000 belt.

• By Michael Chacon
• 10/01/2001

It's common these days for the focus of technical talk to be on the latest and greatest services coming down the pike. This is all well and good, but occasionally it's well worth the time to look at some of the tried-and-true technology that, while considered old, still provides useful service. One of the oldest, and also one that's intimately associated with the Internet and is still particularly useful, is the File Transfer Protocol or FTP.

For example, at this moment, I'm on holiday (supposedly) sitting on a pure, white-sand Maui beach sipping a Mai Tai and watching the waves lap onto the shore. Because my location and activities, or lack thereof, doesn't change deadlines (with editors being the way they are), I'm attempting to make mine. However, a mitigating factor is in play. In the pursuit of domestic harmony, I agreed to leave my laptop behind during the holiday. Knowing that I'd require some information, before I left, I placed all the files I might need in an FTP-accessible directory. Now all I have to do is visit the local cyber café to obtain and print anything I may require. Perhaps this doesn't fulfill the complete spirit of the domestic arrangement, but the legal requirement remains intact. This technology (and a gold bracelet) delivered a workable solution.

The Evolution of FTP
As one of the earlier Internet technologies, FTP is described in several RFCs that have been successively building as new needs arose during its implementation. One of the earliest was RFC 141, published in 1971, that simply states in the opening line, "A file transfer protocol is needed." Even earlier is RFC 133, which references ideas outlined in RFC 60. From these Paleolithic beginnings, RFC references build up to RFC 959, which is the basis for most FTP products today. The latest developments in FTP are outlined in RFC 2640, published in 1999, which focuses on the internationalization of FTP (for languages that can't be expressed in the 7-bit ASCII character set through the use of extended character sets). As you can see, based upon the sequential nature of RFCs, FTP reaches far back in the history of networking and continues to hold its own within the pace of contemporary developments.

As you'd expect, the general FTP architecture is based upon the TCP protocol. FTP takes advantage of the connection-oriented nature of TCP and rides on top of the sessions provided. As such, all data transferred between the client and the server is guaranteed for intact delivery. There is a UDP version of FTP called trivial FTP (also known as TFTP), that's not based on connections and authentication, but we're not going to cover that service here. So what about FTP and Windows 2000?

How Does FTP Play with Win2K?
In Win2K, an FTP server is implemented as a component of the Internet Information Service. This usually occurs as part of the default installation of IIS; however, it's possible that FTP hasn't been installed on a particular machine, even if IIS has been previously installed. If this is the case, it'll be apparent when you open the Internet Services Manager MMC snap-in. In the example of the IIS manager shown in Figure 1, the FTP service is missing. If it were installed, you'd expect to see a "Default FTP Site" listed.

Figure 1. In Windows 2000, FTP is implemented as a component of the Internet Information Service. However, it's possible that FTP hasn't been installed on a particular machine. If this is the case, FTP will not appear in the IIS snap-in. (Click image to view larger version.)

Figure 2. To add the FTP service, select the File Transfer Protocol Server by checking the box.

If you try to add a new FTP site, you'll receive a message stating that you don't have the service installed on the machine. This will send you to the Add/Remove programs applet in the Control Panel, where you'll select the change option for the IIS service. When you select the Details button, you're presented with the various options that are part of the overall IIS service. To add the FTP service, simply select the File Transfer Protocol Server by checking the appropriate box (Figure 2).

This will result in the proper files being added to the server and the basic FTP service installation. Regardless, if you reach this point or if you're dealing with a default IIS server, the real work of the FTP site is in the configuration.

Go Configure
When you return to the MMC IIS snap-in, you'll find the FTP service in its default state. To begin the configuration process, select the Default FTP site, right-click and select the Properties option to bring up Figure 3.

The description is used to identify the various sites you may choose to create on this particular server. TCP Port 21 is the well-known assignment for FTP. Most FTP clients will look for an FTP server on this port. If you change this number, the client will have to know what port number you're using in order to make a connection. Some people change this to build a rudimentary security barrier to protect resources on the FTP server. This can help with casual lurkers, but anyone serious about trying to discover if you're running an FTP server can use a port monitor to discover what port number you've chosen.

Figure 3. Right-clicking on the Default FTP site will bring up the Default FTP Site Properties box.

Figure 4. Checking the Enable Logging box, seen in Figure 3, allows you to keep a history of the FTP server session activity.

The "Limited To" connectivity option determines how many users can establish an FTP session concurrently. If you're not supporting a large site designed to allow access to many anonymous users, such as a major software vendor to using FTP to distribute software updates to the public, you can lower this number to roughly the number of people you plan to support. This isn't critical, but there's no reason to waste resources. A more useful configuration on this page is the "Enable Logging" checkbox. With this selected, you can keep a history of the FTP server session activity with some of the self-explanatory options shown in Figure 4.

Lock it Down
The next tab among the configuration screens is for determining your FTP server's security. This tab can be a bit confusing because of the potential for conflicting options. As you can see in Figure 5, Allow Anonymous Connections is selected and ready to use the same account that IIS uses for Web access. These two services are used in different ways, so it's very common and advisable to create a separate account for the FTP server if you plan to support anonymous connections. Because the anonymous users will be presented to the Win2K security subsystem through this account, you can limit and control the access they may have to the resources on the FTP server apart from the HTTP server.

The "Allow only anonymous connections" option prevents Win2K accounts from accessing the FTP server. This is useful because the passwords used to access the FTP site are passed across the Internet in clear text. If serious vandals wanted to breach your Win2K security, they could trap FTP traffic to your site and obtain the account and password information necessary to complete the task. If you remove the Allow Anonymous Connections check mark, you'll receive the message in Figure 6.

If you do opt to let individual Win2K accounts access the FTP resource, you'll have to allow the Log on Locally privilege for these accounts.

Figure 5. If Allow Anonymous Connections is selected, it'll use the same account that IIS uses for Web access. These two services are used in different ways, so it's very common and advisable to create a separate account for the FTP server.

Figure 6. If you remove the Allow Anonymous Connections check mark, you'll receive a message warning you of the security danger.

Figure 7. The next tab is the Messages tab, which is used to communicate with users, providing welcome and exit messages and warnings, as needed.

The "Allow IIS to control password" option disables the Password box and makes any changes in the Active Directory Users and Computers applet apply to the FTP server as well. Remember that even if you use Win2K accounts for authentication, anonymous connections will still be permitted to the FTP server if the Allow Anonymous Connections box is checked.

The next tab is the Messages tab (Figure 7), which is used—as you can imagine—to communicate with users during specific circumstances.

The welcome message can be used to present the requisite legal warning to unwelcome visitors or to simply instruct the visitors of what they expect to find on the site. The Exit message is self-explanatory, and the Maximum Connections message is what new potential visitors will see if the number of users currently connected is greater than the number configured for the site.

The Home Directory tab (Figure 8) allows you to choose the directory on the FTP server into which visitors will be dropped when they connect to the server. You can use a local location or you can even redirect the user to another server. If you redirect the user, you must configure the permissions on the other server to support either the anonymous account or the Win2K account credentials that the user presents.

This redirection is accomplished using the standard UNC that Win2K uses for file shares. The Directory Listing Style supports the 8.3 DOS names or the Unix style that's more common on the Web.

Figure 8. The Home Directory determines where your FTP site visitors will be dropped when they connect to the server.

Go "Virtual"
The Win2K FTP service allows you to generate what's called a "virtual server," which lets you create different FTP servers on the same box. For example, you can have one directory that allows uploads with one name, and another FTP server pointed to a different directory that only allows downloads. Each server can be configured to accept different users and provide different purposes. Figure 9 shows a site for my business information and another as a location where members of my extended family can upload and download digital photos. To do this, select the Action menu, then New | FTP Site. This launches a wizard that creates the new virtual FTP server. Alternatively, you can just right-click on the server and choose New | FTP Site.

Figure 9. The Windows 2000 FTP service allows you to create a "virtual server." Each server can be configured to accept different users and fulfill different needs. (Click image to view larger version.)

Figure 10. The Directory Security tab controls general access to the FTP site based upon the IP addresses of its clients.

The final tab, Directory Security (Figure 10), controls general access to the FTP site based upon the IP addresses of the clients. This is useful if you know the addresses of the clients that will use the server; but these days, with so much remote connectivity and dynamic addressing, it's not quite as useful.

However, if this option is useful for your situation, you can use it to control whether access is granted or denied based upon the IP address or a block of IP addresses.

After you've configured the FTP server to suit your needs, you're ready to start accepting clients. Of course, you should keep an eye on the server to make sure it's performing properly and providing the services in the intended manner. There are several other ways to remotely connect to a central machine, but FTP is one of the most simple and straightforward methods to provide a centralized repository of files for remote users across the Internet—including yourself.