Latest posts by Sander Berkouwer (see all)
- Review: Softerra Adaxes - Automating Active Directory management - Thu, Jun 4 2015
- Azure Multi-Factor Authentication - Part 8: Delegating Administration - Tue, Apr 28 2015
- Azure Multi-Factor Authentication - Part 7: Securing AD FS - Thu, Apr 23 2015
One of the oldest standards still around today is the File Transfer Protocol (FTP). It dates all the way back to 1971, when it was first published as RFC 114. Today, it is still in use to transfer files over IPv4 and IPv6 networks, independent of the architecture, language, and operating system of both the sending party and the receiving party.
Because the File Transfer Protocol (FTP) is adjacent, today, in its use cases to web servers, Microsoft has shared the FTP Server Role Service under the Internet Information Services (IIS) Server Role, like the many web server Role Services I discussed in the previous part of this series.
Due to this grouping, you can use any Server Core installation as an FTP server, just as you can use any Server Core installation as a web server. Windows Server 2008, Windows Web Server 2008, Windows Server 2008 R2, and Windows Server 2012 all came with IIS, which is the main Server Role to turn Windows Server into an FTP server.
With that being said, you might not want to use Server Core installations of Windows Server 2008 or Windows Web Server 2008 as an FTP server, since these two Windows Server editions do not offer the ability to run an FTP server with SSL. Thus, the transfer of data with FTP on these platforms (as with all older Windows Server platforms with built-in FTP servers) is unencrypted and can be intercepted while in transit.
The ability to encrypt FTP traffic with SSL was first introduced in FTP 7.5 and called Secure Publishing. To this purpose, both the FTP data channel and the FTP control channel (for credentials and FTP commands) to transfer files come with an RFC-based implementation of FTPS (FTP over SSL), which allows you to encrypt data on the control channel, on the data channel, or on both channels. FTP 7.5 was released out of band for Windows Server 2008 R2. Besides Secure Publishing, it also featured IPv6 support, virtual host names, user isolation, improved directory browsing, and authentication for non-Windows accounts.
With Windows Server 2012, Microsoft sets the record straight and releases a full-featured FTP server, bundled with the operating system—ready to use, without the need to first bring (installation) files to your Server Core installation.
Overview of FTP Services on Server Core ^
As you saw in the previous post, the IIS Server Role on Server Core is the most elaborate and modular Server Role you will find on this platform.
Since we’ve got all the Role Services covered, today we’ll focus on the two FTP server-related IIS Role Services under the FTP Server Role Service:
- FTP Service (Web-FTP-Service)
FTP Service is the main service, handling all the authentication, authorization, and file transfers for the FTP server.
- FTP Extensibility (Web-FTP-Ext)
The FTP Extensibility Role Service gives you the ability to extend the built-in functionality that ships with the FTP Service. It allows you to create your own authentication, authorization, and auditing providers.
These two Role Services are part of the FTP Server IIS Role Service. As you might expect from reading the previous parts of this series, when you install the FTP server (Web-FTP-Server), FTP Service is installed and configured by default, whereas FTP Extensibility needs to be installed manually afterwards.
A checkmark will also be set in front of the Web Server IIS Server Role. Don’t worry, though—your Server Core FTP server won’t be hosting websites— just an FTP server.
Installing an FTP Server on Server Core ^
To install the FTP Server IIS Role Service with default options, run the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):
Install FTP Server on Server Core
This PowerShell command will install the binaries, set up the folder structure and service, and enable the firewall rules to allow non-secured FTP traffic.
Managing an FTP Server on Server Core ^
On the console of your Server Core installation, there aren’t many management tools you can use to manage your FTP server. There’s one PowerShell cmdlet, named New-WebFTPSite, that allows you to create FTP sites, but it’s not very elaborate.
Your best bet would be to remotely manage your Server Core FTP server.
While I won’t bore you with the typical thick-finger problems when working with Notepad.exe, the antiquated interfaces of appcmd.exe, and the likes of iisvdir.vbs, iisweb.vbs and iisext.vbs, I will dive into the wonderful world of IIS PowerShell management.
Just as the other IIS Role Services, you can manage the FTP server remotely with the Internet Information Services (IIS) Manager.
To this purpose, you will need to meet the same requirements as for managing web servers:
- Install the IIS Management Console on the management server.
- Install the IIS Management Service on your Server Core FTP server.
You can manage your Server Core web server remotely, following the same steps I outlined in my last post of this series on turning Server Core installations of Windows Server 2012 into web servers. As you walk through these steps correctly, you would be able to manage your Server Core FTP server like any other Windows Server 2012–based web server:
Remote management of an FTP server
As you can see in the screenshot above, our Server Core installation, called SC4, is a vanilla FTP server, with its default website stopped. We can manage this FTP server by creating an FTP site (by right-clicking the Sites node in the left pane and selecting Add FTP Site… from the context menu). In the Add FTP Site wizard, name the FTP site and give it a location on the hard disk of the Server Core FTP server, such as C:\Inetpub\ftproot. In the second screen, define the binding(s) for the FTP site and also configure the SSL and startup settings. Next, select the type(s) of authentication (basic and/or anonymous) and authorization you would like to use.
Interacting with the FTP Server ^
From a client point of view, the FTP server is now ready for action. Your colleagues and/or users will have their own favorite FTP client program(s) to interact with your Server Core FTP server. Of course, you’d want to test the connection to make sure the server works the way you want it, before taking it into production.
On Windows clients, you can install the FTP client. It’s a Windows feature that is not enabled by default in Windows 7 or Windows 8, but it can easily be enabled through the Turn Windows features on or off functionality from the Configuration Panel. Searching for (parts of) the text of the functionality is the easiest way to engage it. After the telnet client feature is enabled, you can run telnet.exe at the command prompt and type:
open ServerCoreFTPServer 21
You can now interactively engage with your Server Core FTP server by typing commands such as user, pass, list, get, mget, put, mput, and quit. Ending telnet.exe itself can also be done by typing quit.
Another way to interact with the FTP server is with the PowerShell FTP Client Module by Michal Gajda.
Why waste any hardware resources on serving a protocol that was invented when there were no Graphical User Interfaces (GUIs) yet? FTP was invented long before Microsoft and does not need a GUI. Therefore, Server Core is the best choice for dedicated FTP servers.