Thursday, September 10, 2009

Installing IIS7 with FTP Publishing Service on Windows Server Core 2008 R2

For the past couple of days, I’ve been struggling with getting IIS7 and the FTP Publishing Service up and running on Windows Server Core R2, Web Server edition. I’ve gotten a lot of help from blogs and official Microsoft documentation, but I had to do a lot of googling to get to the finish line. In this post I will try to combine all the stuff I learned and give you a complete A-Z installation guide from the clean Server Core installation to an up-and-running IIS7 site with FTP publishing, including configuration of network settings, users and passive mode.

Basic installation

I'll start off with the basic installation. In the table below you'll find the complete list of commands you need. Of course you’ll have to customize some settings, like your network configuration, username and password. These settings are highlighted in the script.
I’m assuming you have a Windows Server Core R2 server installed and have the administrator account password set.

netsh interface ipv4 set address name=IFINDEX source=static address=IP mask=MASK gateway=GW
netsh interface ipv4 add dnsserver name=IFINDEX address=DNS
cscript C:\Windows\System32\Scregedit.wsf /ar 0
netdom renamecomputer %COMPUTERNAME% /Force /NewName:COMPUTERNAME
netsh firewall set icmpsetting 8
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel 
DISM /Online /Enable-Feature /FeatureName:NetFx2-ServerCore
DISM /Online /Enable-Feature /FeatureName:NetFx3-ServerCore
DISM /Online /Enable-Feature /FeatureName:IIS-ISAPIFilter
DISM /Online /Enable-Feature /FeatureName:IIS-ISAPIExtensions
DISM /Online /Enable-Feature /FeatureName:IIS-NetFxExtensibility
DISM /Online /Enable-Feature /FeatureName:IIS-ASPNET
start /w pkgmgr /iu:IIS-FTPSvc;IIS-FTPServer
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpserver/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='administrator'] /commit:apphost
c:\windows\system32\inetsrv\appcmd.exe set site /"Default Web Site" /+bindings.[protocol='ftp',bindingInformation='*:21:']
c:\windows\system32\inetsrv\appcmd.exe set site /"Default Web Site" /
c:\windows\system32\inetsrv\appcmd.exe set site /"Default Web Site" /
c:\windows\system32\inetsrv\appcmd.exe set site /"Default Web Site" / /commit:apphost
netsh advfirewall firewall add rule name="AllowFTP" protocol=TCP dir=in localport=21 action=allow

IFINDEX: The index of your network interface. You will find this by running netsh interface ipv4 show interfaces and reading the column named idx for the row of your network adapter. This is usually a number below 10.
IP: Your IP address, given that you want a static IP. For dynamic IP configuration, see below.
MASK: The network mask, i.e.
GW: The IP of your gateway
DNS: IP of the DNS server
COMPUTERNAME: What you want to name your computer (NetBIOS name)

What it does, line by line

The script sets up the following:
  • IIS7 web server on port 80 with ASP.NET support
  • FTP server on port 21 with basic authentication
  • The Administrator account is granted access to the FTP
  • SSL is disabled on the FTP
Now for the warning: This is a pretty insecure setup! The user enters the Administrator password in clear text in order to log on to the FTP server. Anyone sniffing the traffic might be able to gain full access to the computer. I will give details on how to set up an exclusive FTP account further down in this post, but this will do for now. Additionally, I have not configured automatic updates for Windows Server.

Line 1 and 2: These two lines configure the network settings for a static IP address. If you want a dynamic IP, replace line 1 with the following and skip line 2: netsh interface ipv4 set address name=IFINDEX source=dhcp
Line 3: This opens the server for Remote Desktop Connections (RDP). From now on you are able to remotely administer this server from another machine by launching mstsc.exe and connecting to the IP specified for the server.
Line 4: This gives the server a name.
Line 5: This tells the firewall to allow ICMP requests – Pings. Try pinging from a remote server and test. Of course, this setting is optional.
Line 6-12: These lines set up IIS7 with basic components and install .NET Framework 3.5 along with ASP.NET support in IIS7.
Line 13: This installs the FTP server for IIS7. It is configured to host c:\inetpub\wwwroot, but no users are granted access so far.
Line 14: The Administrator user is given access to log in to the FTP server.
Line 15: The server is told to listen on port 21 for incoming FTP connections.
Line 16-17: These two lines disable SSL for communication to the FTP. I did this because I basically don’t know how to set up SSL and don’t need that level of security on my test project. If anyone knows how to make SSL work, I’d be glad to hear.
Line 18: This line tells the FTP service to use the Windows users as source for authentication. Now you’ll be able to log in with the Administrator account from a local shell.
Line 19: Finally, we open port 21 (FTP) in the firewall for incoming connections.

Setting up a dedicated FTP user

You might want to shut out the Administrator account from the FTP users and create a dedicated user for that purpose instead. These four lines should take care of that:

net user FTPUSER PASSWORD /add
icacls c:\inetpub\wwwroot /grant FTPUSER:(OI)(CI)F
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpserver/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='FTPUSER'] /commit:apphost
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpserver/security/authorization /-[users='administrator'] /commit:apphost

Line 1: This creates a local user with the specified username (FTPUSER) and password (PASSWORD).
Line 2: This grants full access (read+write) to FTPUSER to c:\inetpub\wwwroot. Without this command, you would not be able to upload anything to the server.
Line 3: User FTPUSER is added to the list of approved accounts for FTP login.
Line 4: User Administrator is removed from the same list.
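
The weaknesses named in the warning above (SSL not required, basic authentication in clear text, Administrator allowed on FTP) can be checked against a copy of applicationHost.config after the dedicated-user steps. This is an added example, not part of the original post; the XML fragment is constructed, and the SslAllow value in it and the audit_ftp name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment matching the basic installation above.
SAMPLE = """<configuration>
 <system.applicationHost><sites>
  <site name="Default Web Site" id="1">
   <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
   </bindings>
   <ftpServer><security>
    <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
    <authentication><basicAuthentication enabled="true" /></authentication>
   </security></ftpServer>
  </site>
 </sites></system.applicationHost>
 <location path="Default Web Site">
  <system.ftpServer><security><authorization>
   <add accessType="Allow" users="administrator" permissions="Read, Write" />
  </authorization></security></system.ftpServer>
 </location>
</configuration>"""
ENCRYPTED_LOGIN = ("SslRequire", "SslRequireCredentialsOnly")

def audit_ftp(config_xml):
    """Return (scope, finding) pairs for the weaknesses the post warns about."""
    root = ET.fromstring(config_xml)
    findings = []
    for site in root.iter("site"):
        if not any(b.get("protocol") == "ftp" for b in site.iter("binding")):
            continue  # no FTP binding on this site
        name = site.get("name")
        ssl = site.find("ftpServer/security/ssl")
        # Unset values are skipped: they come from defaults this fragment does not show.
        control = ssl.get("controlChannelPolicy") if ssl is not None else None
        data = ssl.get("dataChannelPolicy") if ssl is not None else None
        basic = site.find("ftpServer/security/authentication/basicAuthentication")
        if control is not None and control not in ENCRYPTED_LOGIN:
            findings.append((name, "control channel does not require SSL"))
            if basic is not None and basic.get("enabled", "").lower() == "true":
                findings.append((name, "basic authentication sends the password in clear text"))
        if data is not None and data != "SslRequire":
            findings.append((name, "data channel does not require SSL"))
    for loc in root.iter("location"):
        for section in loc.iter("system.ftpServer"):
            for rule in section.findall("security/authorization/add"):
                users = [u.strip().lower() for u in rule.get("users", "").split(",")]
                if rule.get("accessType") == "Allow" and "administrator" in users:
                    findings.append((loc.get("path"), "Administrator is allowed to log on over FTP"))
    return findings
```

Run it against a copy of %windir%\system32\inetsrv\config\applicationHost.config taken from the server; an empty list means none of the four conditions is set explicitly in that file.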

Enabling passive mode

Finally, you will probably want to enable passive mode for the FTP server, which makes it less troublesome to connect from clients behind firewalls. This is done with the following commands:

c:\windows\system32\inetsrv\appcmd.exe set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:LOWPORT /highDataChannelPort:HIGHPORT
c:\windows\system32\inetsrv\appcmd.exe set config /section:system.applicationHost/sites /siteDefaults.ftpServer.firewallSupport.externalIp4Address:IP
netsh advfirewall set global StatefulFtp enable
sc stop ftpsvc
sc start ftpsvc

LOWPORT is the lower bound of the port range, e.g. 50000
HIGHPORT is the upper bound of the port range, e.g. 50100
IP is the external ip for your server, eg.

Line 1: This configures the lower and upper bounds of the port range for incoming data connections.
Line 2: Here you provide the external IP for your server.
Line 3: This tells the firewall to enable StatefulFtp. This is a mode where the firewall dynamically detects which ports the incoming FTP data connections arrive on.
Line 4-5: Restart the FTP service. You need to wait a couple of seconds for it to shut down before executing the start command.

Sources/Further reading:

In closing, I’d like to provide some links I found useful while writing this post. You should look into these sites if you want to dive deeper into the realm of Windows Server Core.

Configuring FTP Firewall settings (Robert McMurray,
Administer Windows Server 2008 Server Core from the Command Prompt, Microsoft TechNet
Administering FTP 7, Microsoft TechNet
Installing FTP with IIS7 on 2008 Server Core, Blog: joreko
Understanding Windows Server 2008 Server Core - Daniel Petri
How to Setup User Authentication in FTP 7 on IIS 7.0 - Trainsignaltraining. If you're running standard Windows Server 2008.
