Creating a Blind Get FTP Server

by Steve Schofield

This article is the second in a series on how to set up a 'blind' FTP server.  The first article covers how to set up a 'blind drop' server.  Here is the link to the article.  This article covers how to set up an anonymous “blind get” FTP server using the FTP server built into Microsoft Windows 2003.  The concepts and NTFS permissions covered in the article are based on the Microsoft KB article 314932, “HOW TO: Create an FTP Folder with Read Access but Not List Access”.

You may be wondering, what is a “blind get” server?  A “blind get” FTP server provides a method to anonymously transfer files using FTP without having permission to list files or add files on the FTP site.  In other words, you can “get” files but you cannot see what is there, so you cannot retrieve a file unless its absolute path is known.  There are benefits for both the end user and the FTP administrator.  The end user doesn’t have to remember a user ID and password.  The FTP administrator uses NTFS permissions so anonymous users can’t browse or add files.

The biggest benefit for the FTP administrator is that they don’t have to maintain user IDs and passwords for everyone needing FTP access.  This could be useful for sending a link via email to people in the field, yet no one can access the file without knowing the exact path to it.

One reason for writing this article is that I discovered through my testing that the Microsoft article doesn’t prevent people from retrieving files after they have been placed on the FTP site.  There are automated tools looking for ways to dump illegal files and do a “blind get” for later retrieval.  If you’re responsible for running an FTP server, I’m sure your logs are full of automated robots scanning for anonymous FTP sites.  The only benefit of the knowledge base article is that if you follow the instructions, it prohibits people from having list access, but they can still retrieve the file if they know the filename and path.

The FTP protocol has been around since the Internet was introduced.  It’s an easy way for people to share files back and forth without having to know a user ID and password.  As the Internet has grown, FTP remains one of the most common ways to share files.  However, this doesn’t come without security risks.  Traditional anonymous FTP sites allow anyone to drop any type of file without it being checked; this can offer free storage for all types of files, including mp3’s, movies or illegal software.

This type of FTP setup isn’t for everyone, but it still has its place.  Some examples would be: dealing with hundreds of individuals and/or businesses sending files where you do not need to authenticate users, “ready to print” jobs sent via FTP, technical support centers uploading logs and memory dumps, or sharing files with 3rd party vendors that are too large to send via email.

One thing to remember is that the FTP protocol is not secure.  There is no encryption of any kind unless you’re using a VPN (virtual private network) or some other means to secure the connection.  Nothing can be guaranteed to be 100% secure.  This also applies to any type of user credentials.  Before proceeding with this type of setup, carefully evaluate what types of data are being sent via FTP.  Security is a necessary evil; you have to be creative when providing solutions that are as secure as possible and still provide services for the business.

One last recommendation: if you distribute files using this method, it is a good idea to encrypt the file and also place a password on the file.  WinZip can provide this type of protection.  Here is an article that describes how to do this: http://www.winzip.com/aes_info.htm

How to set up your “Blind Get” server

At this point, I’m assuming a few things are in place.  The server is running Windows 2003, Web, Standard or Enterprise edition.  Your server has a C:\ drive with the operating system and a D:\ drive for data.  The FTP service has been installed and configured with the root directory set to D:\FTPRoot.  If you’re not sure whether FTP is installed, or need to know how to configure the FTP root directory, please refer to Microsoft article 323384.

The steps below have you create the FTP root folder with one subfolder below it.  For security reasons, I suggest that these folders not be hosted on the same drive the server OS is installed on.

Create FTPRoot folder structure

  • Log into the machine as an Administrative account

  • Click the Start Menu

  • Select Program Files

  • Select Accessories

  • Launch Windows Explorer

  • Create a subfolder

  • Create a folder called D:\FTPRoot\blindget

Setting up NTFS Permissions

  • When you set up a folder, the default permissions might be similar to the picture listed below.  We are going to remove the CREATOR OWNER, SYSTEM and Users entries listed below.

  • Browse to D:\FTPRoot

  • Right click on FTPRoot directory

  • Select Properties

  • Select the Security tab.

  • Click Advanced, and remove the checkmark from “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”

  • You’ll receive a message box, similar to the one below.

  • Click COPY; this copies the permissions that were on the folder.

  • Click OK

  • Select and remove the CREATOR OWNER, SYSTEM and Users group entries.  When you’re done, it will look like the picture below.

  • Click Add and enter the local machine’s anonymous FTP user.  By default, the user ID would be machineName\IUSR_MACHINENAME.  For this article, I’m going to use the default FTP anonymous user account.  You can customize the anonymous user ID: you would have to create an account, set a password and configure it inside the Internet Information Services MMC.

  • Click the Check Names button.  This will fill in the correct information.


  • Click OK

  • Remove the Read & Execute and Read permissions

  • Click OK

When completed, the following permissions will be on the FTPRoot folder:

 Administrators -- (Full Control)
 Internet Guest Account (MachineName\IUSR_MachineName) -- (List Folder Contents )

Set Permissions on blindget directory

  • Within Windows Explorer, navigate to D:\FTPRoot\blindget

  • Right-Click, select Properties

  • Select the Security tab.

  • Click Advanced Tab.

  • Remove the checkmark from “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”

  • Click Copy on the message box.  This is the same as the picture mentioned above.  Make sure the Internet Guest Account is highlighted, as in the picture below.

  • Click Advanced

Note: The Internet Guest Account (the anonymous user) has Read and Execute listed.  We’ll be removing these permissions in the following steps while the Internet Guest Account is highlighted.

  • Click Edit

Setting up FILES/FOLDER ONLY Permissions

  • In the message box that appears, in the Apply onto dropdown box, select FILES ONLY

  • Make sure the ONLY things that are checked are Read Attributes and Read Permissions.  Verify that everything else is unchecked.  These are the permissions that will be inherited when files are copied to this folder.

  • Click Ok

Setting up 'This Folder Only' Permission

  • Click Add

  • Type IUSR_MACHINENAME, Click Check Names

  • Click OK

  • In the Apply onto dropdown box, select This Folder Only.  Make sure the following items are checked:

  1. Create Files / Write Data

  2. Create Folders / Append Data

  3. Write Attributes

  4. Write Extended Attributes

  5. Read Permissions


  • This is what the Advanced tab should look like when it’s done.  Note that there are special permissions for 'Files only' and 'This folder only'.

  • Click OK

  • Click OK, again.

  • Click OK to return to Windows Explorer.

When completed, the following permissions will be on the D:\FTPRoot\blindget folder:

Administrators (Full Control)

Internet Guest Account (Files Only)
     List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions

Internet Guest Account (This Folder Only)
     Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions
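The folder creation and NTFS permission steps above, expressed as a PowerShell script instead of the Explorer dialogs.  This is an added example, not code from the article or from Microsoft.  It assumes PowerShell is installed on the server, that the anonymous FTP account is the default IUSR_<MACHINENAME>, and that the drive and folder names are the ones used in this article.  The 'Files only' entry uses the permission set from the summary just above (List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions), since the Read Data right is what lets a file's contents be downloaded.  The inheritance and propagation flags are the script equivalent of the 'Apply onto' choices in the Advanced dialog, and the audit function at the end confirms that no entry applying to the blindget folder itself grants the anonymous account List Folder/Read Data.

```powershell
# Added example (not from the article): NTFS permissions for the blind get
# folders, applied with PowerShell. Assumptions: PowerShell is installed, the
# anonymous FTP account is the default IUSR_<MACHINENAME>, paths are D:\FTPRoot
# and D:\FTPRoot\blindget as in the article.
$FtpRoot   = 'D:\FTPRoot'
$BlindGet  = Join-Path $FtpRoot 'blindget'
$Anonymous = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # assumption: default anonymous account
$Admins    = 'BUILTIN\Administrators'

function New-FsRule {
    # Build one Allow ACE. $Inherit and $Propagate encode the "Apply onto"
    # choice of the Advanced dialog (see the comments at each call site).
    param([string]$Identity, [string]$Rights, [string]$Inherit = 'None', [string]$Propagate = 'None')
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Disconnect-Inheritance([string]$Path) {
    # Same effect as clearing "Allow inheritable permissions from the parent..."
    # and answering COPY: the inherited entries are kept as explicit entries.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-RulesFor([System.Security.AccessControl.FileSystemSecurity]$Acl, [string[]]$Identities) {
    # Drop every explicit ACE that belongs to one of the listed accounts.
    foreach ($rule in @($Acl.Access)) {
        if ($Identities -contains $rule.IdentityReference.Value) { $Acl.RemoveAccessRuleAll($rule) }
    }
}

# --- Folder structure ---------------------------------------------------------
New-Item -ItemType Directory -Path $BlindGet -Force | Out-Null   # creates D:\FTPRoot as well

# --- D:\FTPRoot: Administrators Full Control, anonymous user List Folder Contents
Disconnect-Inheritance $FtpRoot
$acl = Get-Acl -Path $FtpRoot
Remove-RulesFor $acl @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Users', $Anonymous)
$acl.AddAccessRule((New-FsRule $Admins 'FullControl' 'ContainerInherit, ObjectInherit'))
# Read & Execute applied to "This folder and subfolders" only is what the basic
# permissions tab displays as List Folder Contents.
$acl.AddAccessRule((New-FsRule $Anonymous 'ReadAndExecute' 'ContainerInherit'))
Set-Acl -Path $FtpRoot -AclObject $acl

# --- D:\FTPRoot\blindget: two entries for the anonymous user -------------------
Disconnect-Inheritance $BlindGet
$acl = Get-Acl -Path $BlindGet
Remove-RulesFor $acl @($Anonymous)
# "Files only": ObjectInherit + InheritOnly, so the entry is not applied to the
# folder itself but is inherited by every file placed in it. A file can then be
# read when its path is known, while the folder still cannot be listed.
$acl.AddAccessRule((New-FsRule $Anonymous `
    'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions' 'ObjectInherit' 'InheritOnly'))
# "This folder only": no inheritance flags, so it applies to the folder and not
# to its contents. These are the write rights the article found necessary.
$acl.AddAccessRule((New-FsRule $Anonymous `
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions'))
Set-Acl -Path $BlindGet -AclObject $acl

function Test-BlindGetAcl([string]$Path, [string]$Identity) {
    # Audit check: $true only if no ACE that applies to the folder itself grants
    # the account List Folder / Read Data, i.e. directory listing stays blocked.
    $list        = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        $appliesToFolder = (([int]$rule.PropagationFlags) -band $inheritOnly) -eq 0
        if ($appliesToFolder -and ((([int]$rule.FileSystemRights) -band $list) -ne 0)) { return $false }
    }
    return $true
}

Test-BlindGetAcl $BlindGet $Anonymous
```

Run the script from an elevated PowerShell prompt on the server.  Test-BlindGetAcl is the check worth re-running after any later permission change: a single entry that applies to the folder and carries List Folder/Read Data turns the blind get folder back into a browsable one.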

One last step: setting up the virtual directory to have FTP 'Read' permissions

You might wonder, "Why are there 'write' NTFS permissions on a 'blindget' folder?"  From our testing, these permissions are required to be able to access files without granting the 'List Folder Contents' permission.  The one thing we had to experiment with to make a "true" blind get folder is to use the FTP 'Read' option on this virtual directory.  This lets the folder have 'write' NTFS permissions while the FTP 'Write' option is turned off, which prevents files from being uploaded.  This ensures that only the files the administrator wants in this folder can be accessed, via an absolute link sent in email or by another application.

Here are the steps to set up the virtual directory:

  • Open Internet Information Server MMC (Administrative Tools)

  • Right Click on the Default FTP Site

  • Select Virtual Directory

  • Click Next

  • Make sure the Alias is the same name as the folder.

  • Click Next

  • Enter the same path as the physical path to the blindget folder

  • Click Next

  • Ensure 'Read' permission is the only item checked

  • Click Next

  • Click Finish

  • Note the virtual directory called 'blindget'.  This ensures the folder only allows files to be 'Read' and no files will be 'written' to the folder.
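The virtual directory step, and a client-side check of the result, as an added example that is not part of the article.  It creates the 'blindget' FTP virtual directory through the IIS 6 metabase (ADSI) with only the Read option set, places a constructed test file in the folder, and then, as the anonymous user, tries a directory listing, a download of the file by its full path, and an upload.  It assumes PowerShell on the server, that the Default FTP Site is metabase instance 1, and that the folder and NTFS permissions from the earlier steps are already in place; sample.txt is a constructed name.

```powershell
# Added example (not from the article): create the 'blindget' FTP virtual
# directory with Read only, then verify the blind get behaviour from a client.
# Assumptions: PowerShell installed, Default FTP Site is MSFTPSVC instance 1,
# NTFS permissions already applied as described in the article.
$SiteId   = 1
$Alias    = 'blindget'
$Physical = 'D:\FTPRoot\blindget'

$siteRoot = [ADSI]"IIS://localhost/MSFTPSVC/$SiteId/ROOT"
$vdir = $siteRoot.Create('IIsFtpVirtualDir', $Alias)
$vdir.Path        = $Physical
$vdir.AccessRead  = $true    # the only FTP permission that should be on
$vdir.AccessWrite = $false   # uploads refused by FTP even though NTFS allows writes
$vdir.SetInfo()

# Constructed test file, written by the administrator, so it inherits the
# "Files only" read entry for the anonymous account.
Set-Content -Path (Join-Path $Physical 'sample.txt') -Value 'blind get test'

function New-AnonymousFtpRequest([string]$Uri, [string]$Method) {
    $req = [System.Net.FtpWebRequest]::Create($Uri)
    $req.Method = $Method
    $req.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'test@example.com')
    return $req
}

function Get-FtpResponseLength([string]$Uri, [string]$Method) {
    # Bytes returned by the server, or -1 if it refused the request (FTP 5xx).
    $req = New-AnonymousFtpRequest $Uri $Method
    try {
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        return $body.Length
    } catch [System.Net.WebException] {
        return -1
    }
}

function Test-FtpUploadRefused([string]$Uri) {
    # $true when the STOR is refused, which is the wanted outcome here.
    $req = New-AnonymousFtpRequest $Uri ([System.Net.WebRequestMethods+Ftp]::UploadFile)
    try {
        $stream = $req.GetRequestStream()
        $stream.WriteByte(65); $stream.Close()
        $req.GetResponse().Close()
        return $false
    } catch [System.Net.WebException] {
        return $true
    }
}

function Test-BlindGet([string]$Server, [string]$Alias, [string]$File) {
    # A blind get folder: listing refused (or empty), a known file downloadable,
    # anonymous upload refused.
    $list = Get-FtpResponseLength "ftp://$Server/$Alias/" ([System.Net.WebRequestMethods+Ftp]::ListDirectory)
    $get  = Get-FtpResponseLength "ftp://$Server/$Alias/$File" ([System.Net.WebRequestMethods+Ftp]::DownloadFile)
    $put  = Test-FtpUploadRefused "ftp://$Server/$Alias/upload-probe.txt"
    Write-Host "LIST bytes: $list  RETR bytes: $get  STOR refused: $put"
    return ($list -le 0) -and ($get -gt 0) -and $put
}

Test-BlindGet 'localhost' $Alias 'sample.txt'
```

A listing is counted as blocked whether the server answers it with an error or with an empty list, since the point of the setup is that nothing is revealed either way.  If Test-BlindGet returns False, check the three values it prints: a positive LIST count means list access leaked in through NTFS, a negative RETR count means the 'Files only' entry is missing from the file, and STOR refused being False means the virtual directory's Write option is still on.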

In conclusion, this setup allows an anonymous FTP user to retrieve files using a command-line FTP client or an Internet browser if the absolute path is known.  The benefit is that this setup prevents automated robots from writing new files or retrieving files, because there are no 'list' permissions on the folder.

This isn’t a perfect solution, but it can greatly reduce user administration and provide an anonymous FTP server that is as secure as possible.  Any questions or feedback, please let me know at steve@iislogs.com.

This article is copyrighted and can't be printed or republished without express consent.  If you would like to republish, please contact me.