Creating a Blind Drop FTP Server

by Steve Schofield

This article covers how-you setup an anonymous “blind drop” FTP server using Microsoft Windows 2003.   The concepts and NTFS permissions covered in the article are based on the KB article 314932HOW TO: Create an FTP Folder with Read Access but Not List Access.

You maybe wondering, what is a “blind drop” server?  A “blind drop” FTP server provides individuals or companies a method to anonymously transfer files using FTP files without having permission to list files or retrieve files on the FTP site.  In other words, you can “drop” files onto the server but not see what’s there or retrieve files if you did know what was there. There are benefits for both the end-user and FTP administrator.  The end-user doesn’t have to remember a user id and password.  The FTP administrator uses NTFS permissions so anonymous users can’t browse or retrieve files.  The biggest benefit for the FTP administrator is that they don’t have to maintain user ids and passwords for everyone needing FTP access. 

One reason for writing this article is I discovered through my testing that the Microsoft article doesn’t prevent people from retrieving files after they have been placed on the FTP site.   There are automated tools looking for ways to dump illegal files and do a “blind get” for later retrieval.  If you’re responsible for running an FTP server, I’m sure your logs are full of automated robots scanning for anonymous FTP sites.  The only benefit to the knowledge article is that if you follow the instructions, it prohibits people from having list access but still can retrieve the file if they know the filename and path 

The FTP protocol has been around since the Internet was introduced.  It’s an easy way for people to share files back in forth without having to know a user ID and password.   As the Internet has grown, FTP remains one of the most common ways to share files.  However this doesn’t come without security risks.   Traditional anonymous FTP sites allow anyone to drop any type of file without it being checked, this can offer free storage for all types of files including mp3’s, movies or illegal software.

When would it be applicable to use this type of setup?  This type of FTP setup isn’t for everyone, but it still has its place.   Some examples would be: Dealing with 100’s of individuals and/or businesses sending files and you do not need to authenticate users, “ready to print jobs” sent via FTP, technical support centers uploading logs, memory dumps, or sharing files with 3rd party vendors that are too large to send via email.

One thing to remember is FTP protocol is not secure by default.  There is no encryption of any kind unless you’re using some type of VPN or some other means to secure the connection across the internet.  Nothing can be guaranteed to be 100% secure.   This would also include any type of user credentials.  Before proceeding with this type of setup, carefully evaluate what types of data being sent via FTP.   Security is a necessary evil, and as administer, you have to be creative when providing solutions that are secure as possible and still provide services for the business.

How to setup your “Blind Drop” server

As this point, I’m assuming a few things are in-place.  The server is running is Windows 2003, web, standard or enterprise edition. You’re server has a C:\ drive with the Operating System and a D:\ drive for data.  The FTP Service has been installed and configured with the root directory to D:\FTPRoot.    If you’re not sure if FTP is t installed and need to know how to configure the FTP root directory, please refer to the Microsoft article 323384

The steps below have you create FTP root folder with one sub folders below the FTP root folder. For security reasons, I suggest these folders not to be hosted on the same drive as server OS is installed on.  

Create FTP folder structure

Create FTPRoot folder structure
Log into the machine as an administrative account,
Click the Start Menu, select Program Files, Accessories, and launch Windows Explorer, 

Create a subfolder
Create a folder called D:\FTPRoot\Incoming

Setting up NTFS Permissions
When you setup a folder, the default permissions might be similar to the picture listed below.   We are going to remove the CREATOR OWNER, SYSTEM, Users listed below.

Browse to D:\FTPRoot
Right click on FTPRoot directory,
Select Properties,

Select the Security Tab,

Click Advanced, and remove the checkmark from “Allow inheritable permissions from the parent to propagate to this object and all child objects, Include these with entries explicitly defined here.

You’ll receive a message box, similar to the one below.

Click COPY, this copies permissions that were on the folder. 

Click OK

Select and remove CREATOR OWNER, SYSTEM, Users Group from being listed. When you’re done this will look like this picture below.

Click Add, put the local machine’s Anonymous FTP user.  By default, the user id would be machineName\IUSR_MACHINENAME.   For this article, I’m going to use the default FTP anonymous user account.  You can customize the anonymous user Id.  You would have to create an account, set a password and configure inside the Internet Information Services MMC.

Click the Check Names button.  This will fill it in with the correct information.

 

Click OK

Remove Read & Execute and Read permissions

Click OK


When completed the following permissions will be on the FTPRoot folder

 Administrators (Full Control)
 Internet Guest Account (MachineName\IUSR_MachineName) List Folder Contents

Set Permissions on Incoming directory

Within Windows Explorer, navigate to D:\FTPRoot\Incoming
Right-Click, select
Properties
Select Security Tab. 
Click Advanced Tab.
Remove the checkmark
from “Allow inheritable permissions from the parent to propagate to this object and all child objects, Include these with entries explicitly defined here. 
Click
Copy on message box.  //This is same as picture mentioned above.
Make sure the
Internet Guest Account is highlighted like picture below.

Click Advanced

Note:
The Internet guest has Read and Execute listed on anonymous user
We’ll be removing these permissions in the following steps below while the Internet Guest Account is highlighted, 

Click Edit

Setting up FILES Permissions

In message box that appears, in the Apply onto dropdown box,
Select
the FILES ONLY listed
Make sure the
ONLY things that are checked are List Folder /Read Data and Read Permissions.  Verify everything else is unchecked.

Click ok

Click Add

Type IUSR_MACHINENAME, Click Check Names

Click OK

Select in the Apply onto dropdown box This Folder Only
Make sure the following items are checked

·         Create Files/Write Data,

·         Create Folders/Append Data,

·         Write Attributes,

·         Write Extended Attributes,

·        Read Permissions

 

This is what the advanced tab should look like when its done

Click OK
Click OK, again.
Click OK to return to Windows Explorer.

When completed the following permissions will be on the D:\FTPRoot\Incoming  folder
 Administrators (Full Control)

 Internet Guest Account (Files Only)
  List Folder/Read Data, Read Permissions Checked
 Internet Guest Account (This Folder Only)
  Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions

In conclusion, this setup allows for an anonymous FTP user to create folders and files files on the remote FTP server.  The NTFS permissions put in place prevent anyone from listing or retrieving the files.  A couple of limitations I want to mention with this setup.  The permissions prevent the same file being written, this can be handy however because the automated scripts I’ve seen use files named 1kbtest.ptf, 1mbtest.ptf.  Once these are in the directory, other robots will bomb on these files and discontinue probing your FTP server.   The second drawback that I couldn’t around the creation of folders.  As I mentioned earlier in the article, automated robots looking for anonymous FTP servers create directories as tests, then try to remove them.  One thing I did to try to help with this was create a scheduled task that removed all files and folders on a timely basis.   Another option would be to implemented a “standardized” file name format, in the script monitoring the directory have it validate filename and copy to a different location then delete the FTPRoot/Incoming folder.  This is just a suggestion but this would be a method to track legitimate files.  This isn’t a perfect solution, but it has greatly reduced my user administration and provided a secure, as possible, anonymous FTP server.   In running this on the Internet for the last 4 months, no illegal files have been uploaded.  Your experience may vary.  In part an on-going series how to use the FTP service within Windows 2003, we’ll explore how to provide a “Blind Get” server.  Any questions or feedback please let me know at steve@iislogs.com