A Few Issues With Web And Ftp

garyohallo1 | Member | Joined Jul 20, 2011 | Messages: 2 | Location: UK
Hi all,

We currently run a Windows 2000 server that hosts a number of websites and allows users to FTP to their website directories. We decided that it was about time for an upgrade and recently purchased Windows Server 2008. I understand that there are significant differences between the 2 versions of Windows, however I have attempted to set up the new server as much like the old server as I could.

It currently runs IIS7 and uses IIS6 for FTP. From what I can tell everything appears to be working correctly, however there are a few things that I am unsure of. First of all, the default website resides within the C:/inetpub/wwwroot/ directory and each separate website has its own directory within wwwroot. This is the same as it had been set up on the previous server. The issue is that I am able to browse all websites through the default website. For example, if I go to http://defaultwebsite/site1/ I can access that website, whereas on the previous server I would just get a 404 error page. Is there a configuration option for the default website that I am missing, or should I move the websites to a separate directory?

We set up FTP using virtual directories in IIS6, which works well, however this involves creating the user first in Computer Management. One thing I have noticed is that all users show up on the Windows login screen (well, as many as it can fit in). Is this the correct way for the FTP users to be set up? This also leads onto my concerns about permissions and security. We used the ASP lockdown tool to tighten security and sort our permissions on the Windows 2000 server. This created groups such as Web Anonymous Users, to which I would add each user after creating them. I have read that Windows Server 2008 is pretty secure out of the box, however I am wondering if there is something important that I am missing?

My final issue is regarding backups. We backup to a NAS, however it appears that Windows Server Backup on the 2008 server doesn't support this. Can anyone offer any advice on the best way to do this?

I apologise if these questions have been answered elsewhere on the forums. I have searched multiple times for answers to my queries and so far have had no luck, hence why I'm here!

Thanks in advance for your help.

Gary

Hi,

From what I know, it's normal that you can access http://defaultwebsite/site1/; you could check the folder's permissions to prevent this.

Best practice says that you should have wwwroot on another disk, not C:\; this is for security purposes (directory traversal). You can create FTP users and not local users. Usually you create a group and put the accounts in there. You don't need to create local users.

Regarding security, one of the most famous rules is: "never leave a default installation". You should rename the Default Web Site, wwwroot, and so on.

For your backup:
Server 2k8 doesn't allow network backup (... maybe because you HAVE TO buy 3rd-party software??? thanks MS :)), you can do a FULL backup in this way:

Code:
REM replace C: with the volume(s) you need to include
Wbadmin start backup -backupTarget:\\IP_NAS\SHARE -include:C: -vssFull -quiet

Save it as a batch file and schedule.

Hope this helps.
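The layout the reply above recommends (site roots off the system drive, one group for the upload accounts, each account limited to its own folder) can be scripted. The script below is an added example and is not from this thread or from Microsoft's documentation; the D:\inetpub\sites root, the "FTP Users" group, and the site, host and user names are placeholders I have assumed. It uses appcmd.exe (shipped with IIS 7), net.exe and icacls.exe, all present on Server 2008. Registering each folder as its own IIS site with a host-header binding is what stops it from also being served as a sub-folder of the Default Web Site.

```powershell
# Added example (not code from the thread). Run in an elevated PowerShell 2.0 session on
# the IIS 7 host. All paths, host names and account names below are assumed placeholders.
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$siteRoot = 'D:\inetpub\sites'   # assumption: data volume separate from C:\
$ftpGroup = 'FTP Users'          # assumption: local group holding the FTP-only accounts

# One entry per hosted site: folder name, host header and the local account that uploads.
$sites = @(
    @{ Name = 'site1'; HostName = 'site1.example.com'; User = 'site1ftp' },
    @{ Name = 'site2'; HostName = 'site2.example.com'; User = 'site2ftp' }
)

# Create the shared root and cut the ACL inheritance from D:\, so nothing reaches the
# site folders except administrators, the service, the IIS worker identity and the
# anonymous web user (read/execute only). Site accounts are granted per folder below.
if (-not (Test-Path $siteRoot)) { New-Item -ItemType Directory -Path $siteRoot | Out-Null }
icacls $siteRoot /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
    'IIS_IUSRS:(OI)(CI)RX' 'IUSR:(OI)(CI)RX' | Out-Null

# Create the group once; net.exe complains if it already exists, which is harmless here.
net localgroup $ftpGroup /add 2>$null | Out-Null

foreach ($s in $sites) {
    $path = Join-Path $siteRoot $s.Name
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Register the folder as its own site: own physical path, own host header on port 80.
    # Because it is not under the Default Web Site's root, /<name>/ on that site gives 404.
    $nameArg    = '/name:' + $s.Name
    $pathArg    = '/physicalPath:' + $path
    $bindingArg = '/bindings:http/*:80:' + $s.HostName
    & $appcmd add site $nameArg $pathArg $bindingArg

    # Put the upload account in the FTP group and grant it Modify on its own root only.
    net localgroup $ftpGroup $s.User /add 2>$null | Out-Null
    $grant = $s.User + ':(OI)(CI)M'
    icacls $path /grant $grant | Out-Null
}
```

The IIS 6 FTP virtual directory for each account is still created as described in the thread; the point of the script is that the NTFS ACL on each folder is the only thing granting that account write access, and the per-site bindings keep the web side from overlapping.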
 
In IIS6, I can either create an FTP site or a virtual directory. From my understanding, using virtual directories for FTP is the easiest option in my case as I need to allow access to multiple sites on the one IP and port (21). When creating a virtual directory it asks for an alias, which is where I type in the username for the previously created user and then point it to the website directory, tick read/write permissions and that's it. It seems to work OK like this, providing that I also give the newly created user modify permissions on their website directory. If there is a better way that I should be doing this, could you please provide further information?

Thanks very much for the info regarding the backups. I should be able to do what I need to do with this. I miss NTBackup! Are there any advanced options for wbadmin to tell it to automatically clear out older backups, or would I need to create a separate task for doing this?

Regarding being able to view all of the sites through the default directory URL, it is more the fact that the old server doesn't display them in this way and yet it appears to be set up exactly the same. I can understand why it is doing it, but I don't understand why it isn't happening on the old server. I will have a look at the permissions and see if I can sort it out.

Thanks for your help.
 
Everything is fine by creating virtual directories. The only thing that you SHOULD do is to physically move the wwwroot directory from C:\inetpub\... to another disk, for example: D:\inetpub...

In the case that an attacker gains access to your system with directory traversal, he can only see (and modify) the directories and files on that disk, and he will not be able to access the system's files because they're located in C:\

Unluckily, you must create another script to delete older backups... as said, Microsoft wants you to BUY specific programs.
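Putting the two replies together (the wbadmin command earlier in the thread and the separate clean-up script mentioned just above), here is one script that does both. It is an added example, not from this thread or from Microsoft. It keeps the \\IP_NAS\SHARE placeholder used in the thread; the volume list, the 14-day retention and the log path are my assumptions. Because wbadmin overwrites a remote shared folder on every run, the script writes each backup into a sub-folder named by date and then removes dated sub-folders older than the retention window, touching nothing else on the share.

```powershell
# Added example (not code from the thread). PowerShell 2.0 compatible; run as an account
# that has write access to the share. Placeholders: \\IP_NAS\SHARE (from the thread),
# volumes, retention and log path (assumptions).
$share    = '\\IP_NAS\SHARE'
$volumes  = 'C:,D:'                  # assumption: system volume plus the site data volume
$keepDays = 14                       # assumption: retention window in days
$logFile  = 'C:\BackupLogs\wbadmin.log'

$logDir = Split-Path $logFile
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Dated sub-folder so earlier backups survive; wbadmin would otherwise overwrite the share.
$target = Join-Path $share (Get-Date -Format 'yyyy-MM-dd')
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }

# Same command as in the thread, with the target and volume list filled in.
# -vssFull marks the files as backed up so the next run is again a full backup.
& wbadmin start backup "-backupTarget:$target" "-include:$volumes" -vssFull -quiet 2>&1 |
    Out-File -FilePath $logFile -Append
if ($LASTEXITCODE -ne 0) {
    "$(Get-Date -Format s) backup FAILED, wbadmin exit code $LASTEXITCODE" |
        Out-File -FilePath $logFile -Append
    exit $LASTEXITCODE          # do not prune anything if tonight's backup did not succeed
}

# Prune: only folders whose name parses as yyyy-MM-dd and is older than the window.
$cutoff = (Get-Date).AddDays(-$keepDays)
Get-ChildItem $share | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $d = [DateTime]::MinValue
    $isDated = [DateTime]::TryParseExact($_.Name, 'yyyy-MM-dd', $null,
        [System.Globalization.DateTimeStyles]::None, [ref]$d)
    if ($isDated -and $d -lt $cutoff) {
        Remove-Item $_.FullName -Recurse -Force
        "$(Get-Date -Format s) pruned $($_.FullName)" | Out-File -FilePath $logFile -Append
    }
}
```

Schedule it with the Task Scheduler (for example `schtasks /create /sc daily /st 02:00 /tn "Nightly wbadmin" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1"`) under an account that can write to the NAS share; if the share needs different credentials, wbadmin's `-user:` and `-password:` options can be added to the command. Note that the prune step runs only after a successful backup, so a failing NAS never causes the last good copy to be deleted.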
 