FTP upload file overwrite

[rcpis]

MS server 2003 standard edition running IIS 6 being used as an FTP/Web server.

We have customers that send files via FTP (either using a FTP client or browser). They log on anonymously to upload files (we have several hundred customers so each having a login/password is just not possible). We do not, however, let them see what files are currently on the FTP site (write to, not read from access).

I cannot figure out how to prohibit file overwrite when someone sends a file via FTP with the same file name as one that already exists on that FTP site.

I did find a M$ KB article, 309634, pertaining to modifying the metabase property of AllowReplaceOnRename (the article pertains to renaming a file but it seemed relevant). I followed the steps in the KB and set the value of AllowReplaceOnRename to 0 because I do not want to allow it. No go. Customers are still able to upload files with the same name of one that is already there and overwrite the older file.

Any suggestions as to my next course of action?

Thanks in advance.

 

[mrdenny]

Change the NTFS permissions to not allow the action. You will want to remove the delete and append permissions. That should take care of it. The account you want to restrict is the NT account that IIS is using to run the FTP service.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

(My very old site)

 

[JFBouchard]

Hi, first your setting of "blind put" server is good (no read, just write access) congrats for that.

I don't know any config or tool to do that for FTP.

What I can suggest is to run a batch file at regular intervals (scheduled tasks) to delete *.exe *.pif *.src etc from your ftproot folder.

In http, frontpage server extensions can prevent the upload of executables but it's not applicable here.



Hope this helps. Please let me know if this resolve your issue

Jeff

 

[rcpis]

mrdenny-

I'm finding that NTFS permissions do not play a part in this instance. The anonymous user can have absolutely no rights to the folder/files in question, and if "write access" is checked under the "home directory" tab of the FTP site properties, they can get connected and upload files. When I uncheck "write access" and try to go off permissions of the folder/files only, the anonymous user can't even get connected to the FTP site.

Other suggestions??

JFBouchard-

Thanks for the congrats!!

 

[mrdenny]

That's just down right annoying that NTFS is being bypassed like that. IIS FTP is very limited in what it can do security wise. At this point I'd have to recommend some crappy options.

1. Switch to another FTP server that give you better control.
2. Create a web based front end that allows the user to upload via a web interface.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

(My very old site)

 

[mrdenny]

That's just down right annoying that NTFS is being bypassed like that. IIS FTP is very limited in what it can do security wise. At this point I'd have to recommend some crappy options.

1. Switch to another FTP server that give you better control.
2. Create a web based front end that allows the user to upload via a web interface.

Best of luck.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

(My very old site)