Monday, November 28, 2011

SFTP (SSL) via Filezilla Server and Client

Microsoft FTP 7.0 for Windows Server 2008 (IIS 7.0) does not support multi-homed directories for FTP users.  As such, my task was to find a product that offered secure sessions and allowed individual user home folders to be set up.  It was suggested I try FileZilla, an open source FTP (file transfer protocol) product.  It has both a Server (Windows-only) and a Client (all platforms) component.  To help others who may be tasked with a similar scenario, I'm writing this blog entry on the steps needed to create the solution:

SERVER

1.  Download the Server component and install it on your Windows IIS web server.
2.  Add Port 21 and 990 to your firewall exception list.
3.  Add the FileZilla executable to your firewall exception list.
4.  From the FileZilla Server Options menu, click on Passive Mode settings, select custom port range, and use Port 21 or 990.  Otherwise the firewall will balk at directory listings and transfers.
5.  From the FileZilla Server Options menu, click on Admin Interface settings and note the port used by the Admin Interface.  Add that port to your firewall exception list if you'll be managing FileZilla from another computer.  By default it denies all server management access requests except from 127.0.0.1.
6.  From the FileZilla Server Options menu, click on SSL/TLS settings and click on "Generate new certificate."  Complete the certificate details and save it somewhere the FileZilla server can read it.  Once saved, also make sure it's in a place where your users can access it, as they'll need to install it on their computers when using the FileZilla client.
7.  When you've saved the certificate, the Private key file and Certificate file fields should now be completed.
8.  Type the strong password you used to create the certificate into the Key password field of the SSL/TLS page.
9.  From the main FileZilla Server menu bar, add groups and users.  This is pretty standard stuff; play with the folders and accounts until you have customized it for what you need.  Setting a home directory will root that folder for the user.  They will NOT be able to browse up the file hierarchy.  Be sure to check "Force SSL for user login," as you'll want to ensure they don't connect in the clear.
10.  FileZilla can use existing domain users, local users, or create local users as you input their names and information.


(Note: Ensure you create a Passive Mode port range and open those ports in your firewall.  This enables the client and server to communicate when actually performing a file transfer.)

CLIENT

1.  Download the Client component and install it on your computer.
2.  From the main FileZilla Client window, input the FTP server's address, Username, Password, and Port.  Click on Quickconnect.  You will be presented with the server's certificate.  Approve the certificate.
3.  Use a remote connection on the server to monitor the FTP server's log to ensure the user logged on correctly and successfully listed their home folder.
4.  From the FileZilla Client, click the folder in the Remote Site window and press F5 to update the contents.  If everything is working, it should give you the correct contents.
5.  Drag and drop a file from your local computer to the Remote site folder to ensure the connection is working.  

That's it: you now have a secured FTP server/client combination that would be very hard to hack, since an attacker would not have direct access to your server certificate and password.  You also have a multi-user friendly FTP environment that should be easy for them to use.
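To confirm that "Force SSL for user login" is really doing its job when you monitor the log (client step 3), here is an added Python example, not part of the original post or of FileZilla itself, that walks a FileZilla Server-style log and flags any session that reached "230 Logged on" without first sending AUTH TLS/SSL. The log line layout and the sample lines are constructed assumptions; compare the regular expression against a line from your own log before relying on it.

```python
import re

# Constructed sample in the style of a FileZilla Server 0.9.x log (layout is
# an assumption; check against your own log). Session id, timestamp, user,
# client address, then the command sent or the reply returned.
SAMPLE_LOG = """\
(000001)11/28/2011 09:01:10 AM - (not logged in) (10.0.0.5)> AUTH TLS
(000001)11/28/2011 09:01:10 AM - (not logged in) (10.0.0.5)> 234 Using authentication type TLS
(000001)11/28/2011 09:01:11 AM - (not logged in) (10.0.0.5)> USER alice
(000001)11/28/2011 09:01:11 AM - (not logged in) (10.0.0.5)> PASS ********
(000001)11/28/2011 09:01:11 AM - alice (10.0.0.5)> 230 Logged on
(000002)11/28/2011 09:02:30 AM - (not logged in) (10.0.0.9)> USER bob
(000002)11/28/2011 09:02:30 AM - (not logged in) (10.0.0.9)> PASS ********
(000002)11/28/2011 09:02:31 AM - bob (10.0.0.9)> 230 Logged on
(000003)11/28/2011 09:03:00 AM - (not logged in) (10.0.0.7)> USER carol
(000003)11/28/2011 09:03:00 AM - (not logged in) (10.0.0.7)> 530 Login or password incorrect!
"""

LINE_RE = re.compile(
    r"^\((?P<sid>\d+)\)(?P<ts>[^-]+?) - (?P<user>.+?) \((?P<addr>[^)]+)\)> (?P<msg>.*)$"
)

def parse_lines(text):
    """Yield (session_id, user, address, message) for each line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("sid"), m.group("user"), m.group("addr"), m.group("msg")

def audit_logins(text):
    """Return one dict per successful logon ('230 Logged on'), noting whether the
    session negotiated TLS (AUTH TLS / AUTH SSL) before the credentials were sent."""
    tls_sessions = set()
    logins = []
    for sid, user, addr, msg in parse_lines(text):
        if msg.upper().startswith(("AUTH TLS", "AUTH SSL")):
            tls_sessions.add(sid)
        elif msg.startswith("230 "):
            logins.append({"user": user, "addr": addr, "tls": sid in tls_sessions})
    return logins

def plaintext_logins(text):
    """Logons that happened in the clear; should be empty when 'Force SSL' is set."""
    return [(x["user"], x["addr"]) for x in audit_logins(text) if not x["tls"]]

if __name__ == "__main__":
    for user, addr in plaintext_logins(SAMPLE_LOG):
        print(f"plaintext logon: {user} from {addr}")
```

Run it against your real log file with `plaintext_logins(open(path).read())`; any hit means a user account is not being forced onto TLS.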

Tuesday, November 22, 2011

NET LOCALGROUP To Find Group Members from All Local Groups

For those like myself who are working with Windows 2000 servers, there aren't many choices when it comes to extracting local user and group information.  There are no DS commands, and if you're only using a member server then there are no AD-related tools either.  As such, I combined the FOR and NET LOCALGROUP commands to create an output file which I can feed into a text cleaning program like PowerShell.  Use this command (from CMD.EXE) to create a file with all local groups and the members thereof:

C:\>FOR /F "delims=*" %X IN ('NET LOCALGROUP') DO NET LOCALGROUP "%X" >>GROUPLIST.TXT

The NET LOCALGROUP command in the parentheses produces a list of all local groups on the server, one per line, each prefixed with *.  The FOR command takes each line, uses the * as the delimiter to strip it from the front of the group name, and passes the name as a variable to another NET LOCALGROUP command; the name is quoted so that groups with spaces in them (such as Backup Operators) are handled correctly.  The result is appended to a GROUPLIST.TXT file.  If you accidentally use a single > then only one list, the last one processed, will be in your file.  The double >> allows the file to receive additions without overwriting the existing data.
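As an added example of the "text cleaning" step, and not part of the original post, the following Python parses a GROUPLIST.TXT built by the command above into a group-to-members dictionary and inverts it to answer which local groups an account sits in (handy for spotting service accounts that ended up in Administrators). The sample file content is constructed, and the marker strings assume the English NET output.

```python
# Constructed sample of GROUPLIST.TXT after the FOR loop above appended the
# NET LOCALGROUP <group> output for each group. Marker strings assume the
# English NET output; adjust them on a localized Windows.
SAMPLE_GROUPLIST = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
svc_backup
The command completed successfully.

Alias name     Backup Operators
Comment        Backup Operators can override security restrictions for the sole purpose of backing up or restoring files

Members

-------------------------------------------------------------------------------
svc_backup
The command completed successfully.

"""

def parse_grouplist(text):
    """Return {group_name: [members]} from concatenated NET LOCALGROUP output."""
    groups = {}
    current = None
    in_members = False
    for line in text.splitlines():
        if line.startswith("Alias name"):
            current = line[len("Alias name"):].strip()
            groups[current] = []
            in_members = False
        elif current is not None and line.startswith("-----"):
            in_members = True  # member names follow the dashed rule
        elif in_members and line.startswith("The command completed"):
            in_members = False  # end of this group's member list
        elif in_members and line.strip():
            groups[current].append(line.strip())
    return groups

def groups_for(groups, account):
    """Invert the mapping: local groups containing the account (case-insensitive)."""
    wanted = account.lower()
    return sorted(g for g, members in groups.items()
                  if wanted in (m.lower() for m in members))
```

For a real file, call `groups_for(parse_grouplist(open("GROUPLIST.TXT").read()), "svc_backup")` and review any service or shared account that shows up in Administrators or Backup Operators.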

OWSADM Reference Spreadsheet

It was a big struggle to find a document that completely covers OWSADM.EXE, but I found one.  Parts of it are in French, but it's worth its (virtual) weight in gold as it gives all the arguments and explanations thereof.  I'm going to place keywords in this blog post so those searching for this document will be able to find it.  Here are the keywords:

AccountTracking, AllowExecutableScripts, Authoring, CacheMaxDocMeta, CacheMaxImage, CacheMaxInclude, CacheMaxIncludeSize, CacheMinDocMeta, CheckRolesConfig, CheckUserAccess, CompletionChar, ComplexPasswords, DatabaseServer, DBCacheAgingInSeconds, DBCacheListsMax, DBCacheProjectsMax, DBCacheUserInfoMax, Debug, DisableAutoImgSizeExts, DisableMetaTagStore, DiscussionsExpiry, DontAutoRestartTimer, EnableDiscussions, EnableNotifications, EnableRulesScript, EnableVTIDebug, FolderSubscriptions, GlobalRightsMask, ImageMapFormat, ImageMapURLPrefix, Job-doc-events, ListLockLatency, ListSystemDSNs, LocalDiscussionsOnly, LocalNTAccountsOnly, LogFileFormat, LogFileLocation, Logging, LogInitialSourceControlErrors, LogRollover, MailCharSet, MailEncoding, MailReplyTo, MailSender, MaxFormContentLength, MaxThreadsCount, MaxUploadContentLength, MinThreadsCount, NewItemDisplayCutoff, NoAbsoluteFileResults, NoClientImageMaps, NoExecutableCgiUpload, NoIndexServer, NoMachineGroups, NoMarkScriptable, NoRolesSupport, NoSaveResultsPipeTo, NoSaveResultsToAbsoluteFile, PreserveTagCase, PrivateBrowsable, PrivateDirUMask, PublishMetainfoKeys, ReformatHtml, RemoveAnonymousAuthoring, RepairDB, RequestQueueSize, RequireSSL, RestrictAccountVisibility, RestrictIISUsersAndGroups, RunTimeFileExtensions, ScriptLanguage, SendMailCommand, SMTPHost, TextMemory, ThreadTimeout, TightenSecurity, UpperCaseTags, UsageAnalysisLogExpiry, UsageFullDaysOnly, UsageSendMailTo, UsageServerURLs, ValidateServicesCnf, WECCtlFlags