FTP2Web - Administrator guide

FTP2Web v1.0 Administrator's Guide

Home page

Contact support

Contents

About
Installation and initial setup
Authentication modes
Interface and control
Folders
File locking (checkin-checkout)
Security and access control

About FTP2Web

Program purpose

FTP2Web is an ASP.NET application intended for creation of the automated file exchange solutions via Microsoft FTP service in the Internet and Intranet environments. The application provides a high-level model of shared FTP resource organizing, based on the management of logical folders and access to them of users and groups, thereby completely saving from any manual operation with virtual FTP directories.

Key features

Allow to create logical shared folders and set access on them certain users or groups, performing in an automatic mode all operations (creation, removal, moving, etc.) with virtual FTP directories.
Possibility to use both Web Forms based authentification model (with storage of users and groups in the own database), and Windows authentification model, which uses Windows accounts (stored on the local server or Active Directory).
Perform any operations with accounts (both own and Windows) from the application - creation, deletion, modification of users or groups, setting group membership of users.
Creation of the shared folders and access assignment for them by the server administrator or by users themselves (if appropriate option is enabled).
Possibility to assign physical data location for the FTP resources by default or make accessible through FTP existing directories (including using the template-based location with the current user name substitution).
Checkin-checkout feature through locking files and directories by the user in the common folders for realisation of exclusive work and prevent modification (then usage of Windows accounts).
Possibility to allow nonregistered users create new accounts themselves (for the organizing of automatic file exchange solutions).
Data access both from the application interface by a web browser, and by any FTP client without logging on the application each time.
Provide data security by NTFS permissions and access restrictions by IP address.

System requirements

Microsoft Windows Server 2003/2008.
Internet Information Services 6.0/7.0 (it is a part of Windows Server systems).
ASP.NET 3.5 (Microsoft .NET Framework 3.5 can be downloaded here).

Installation and initial setup

See Installation Guide for detailed step-by-step instructions.

Authentication modes

There are two possible modes of authentification which can be used in the application - Web Forms Authentication and Windows Authentication.

Forms Authentication

In this case the application uses own users and groups created by the administrator and stored in XML database. At the beginning of working with the application the user gets on login page where he should be authorised. Forms Authentication mode usage also gives an opportunity to use user self-registration providing automatic file exchange mechanism. This authentification mode rather approach for the organizing of the file exchange through the Internet.

Windows Authentication

This authentification mode uses Windows accounts for access the application, which can be already existing or specially created. Accounts can be stored on the local computer, or in certain Active Directory organizational unit in case the application is used in the domain environment. Usage NTFS permissions allow this mode to provide higher security and also data locking feature. Windows Authentication often is preferable for the organizing of the data exchange in the local network.

Interface and control

The application has two interface sections - User control panel and Administrator control panel.

User control panel

This section is intended for application users, they get here after logon and authorisation in the application. User control panel displays the list of all available folders to the current user, with possibility to open folder contents in the internal file browser (for view and locking) or to open an associated FTP directory in a separate browser window for uploading, downloadind and other operations with files. The user can create new folders (if the administrator allows this option), personal or common, specifying the user or group which will have access to this folder. The user can delete and modify only those folders which he has created himself.

Administrator control panel

This part is purposed for administrators and allows to execute any operations on the application management. Access to this section at Windows Authentication is allowed to all members of the Administrators group, at Forms Authentication it is necessary to specify an administrator's credentials on the login page. Administrator control panel is divided into three tabs. On the Accounts tab becomes account management such as creation, removal, renaming, change of group membership and other. On the Folders tab all folders created in the application are presented. The administrator can create new folders with setting up the detailed parameters (owner and location in the file system), and edit, delete and modify (including cnange name, owner and location) any of existing folders. On the Settings tab all settings of the application are presented.

Folders

The main concept used in the application, the folder is. To each folder there corresponds the virtual FTP directory and the location in the file system (except folders with templated location, see more later).

Folder properties

Name. Defines the folder name, and also the file system directory name and the FTP directory name if the folder has default location.
Description. Any explanatory folder description, can be left empty.
Owner. The user or group which has access to the folder. In case of group all its members have access to the folder data (but only the creator can modify and delete the folder). The folder can have only one owner. The administrator can reassign the owner on any existing account.
Location. Residence in the file system in which folder data will be stored. Can be default or two kinds of custom:
1. Default location. In this case data will be allocated on path like "<Root>\<OwnerName>\<FolderName>" ). When the folder is created by users, this choice is available to them only.
2. Fixed location. In this case the administrator should set the fixed path to the filesystem directory. It is usually used to make available through FTP existing directories. If the nonexistent directory is specified, it will be created.
3. Location containing %username% template in the path. Such folders creates during user log on the application, at that the current user name is substituted instead the %username% token.
FTP name. Can be default (matching the folder name) or concealed value. Consealed name (like "a172d31e-13a2-4be1-8341-9a1282190ba3") generates if the option "concealed FTP virtual directory name" was selected during folder creation).
Read/write permissions. According to these options the read/write permissions for created FTP folders are granted.

Operations at changes

For folders with default data location the application automatically provides integrity of structure in the file system and FTP directories at change of folder properties, such as a name or an owner. Automatic removal of filesystem and FTP directories after deletion of folders or owners also is possible, this feature can be enabled by check the options "Delete filesystem directories automatically" and "Delete FTP directories automatically" in the application settings. For folders with fixed or template location any operations with filesystem directories are never made (except directory creation).

File locking (checkin-checkout)

Overview

In the application there is a feature to lock files and directories in the common folders by current user to prevent file changes by other users (checkin-checkout feature). Locking is carried out in the internal file browser in User control panel. It is possible to lock both separate files, and directories entirely - in this case all files in all subdirectories will be locked. Locking is possible only at usage of Windows Authentication and realized by setting special NTFS permissions for current user on locked files.

Locking mechanism

When the user locks file or directory, there is change NTFS permissions on it. Instead of the existing permissions the permissions of full access to the current user and Administrators group are assigned (inheritance of the permissions also is cancelled). After an unlocking these rights are deleted and inheritance from the parent directory is restored. Because of such mechanism, file locking feature imposes some limitations, in particular that locked files should not have any permissions except inherited (differently they will be lost). In case of default folder location it is indeed, but in case of custom folder location it is necessary for meaning.

Security and access control

Control by IP address

It is the main means of the access restriction, by default provided by the application. At creation of a virtual FTP directory, the mode "Denied all access except specified address" assigned to it. Originally the list of exceptions is empty. When the user enters in User control panel - his IP address adds to the allowed address list of all available folders (if it isn't allowed yet). At the subsequent enters from other addresses they also will be added in the allowed lists. So note that before using a FTP folders through the FTP client, it is necessary to enter into User control panel once at least after new folder creation that the current address has been added in the alowed lists.

Control by NTFS permissions

At usage of Windows Authentication the access limitation by NTFS permissions of the owner account is added. At folder creation the full access permission only to its owner (user or group) is automatically added to the filesystem directory. Thus, if the minimum permissions are inherited from root directory, the data access will be exclusively reliably limited by the owner of the folder.