Using Security with the FTP and Gopher Services

FTP and Gopher use anonymous access. In addition, FTP uses Basic authentication in conjunction with Windows NT groups for restricted administration of the files.

Anonymous FTP Access

MS-DOS clients and some UNIX clients do not have or cannot use an HTTP or Gopher browser such as Internet Explorer. These clients can use any FTP client to browse the files on HR. To accomplish this, the IUSR_CANTS40DIV01 user account was granted read-only access to the files.

Anonymous Gopher Access

The Human Resources department must provide information to the entire company, such as benefits summaries and company policies. All Gopher access is anonymous through the IUSR_HR user account. This local user account was added to the California domain database on CANTS40ENT03 and was granted the Log On Locally user right.

If Internet Information Server were installed on a primary domain controller (PDC) or a backup domain controller (BDC), the IUSR_computername account would automatically be added to the domain database it supports and the steps above would be unnecessary.

For more information about server roles and accounts used with Internet Information Server, see Chapter 3, "Server Security on the Internet."

FTP Site Administrative Access

You use Windows NT groups to provide selective access for remote division employees who must maintain (create and delete) files on the HR server.

The Gopher and FTP site primarily uses a single directory structure for simplicity, although some directories reside on network drives.

The FTP server supports only clear-text authentication, so user names and passwords cross the network unencrypted. Because it has been determined that there is low risk of an employee sniffing Terra Flora's private intranet for user names and passwords, FTP administrators can log on to the FTP server by using their network user name and password. After they are authenticated, the FTP administrators can use FTP commands to create, move, and delete files or directories.
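The following Python script is an added example, not part of the original chapter. It audits an FTP control-channel log for the two conditions this section relies on: the anonymous account staying read-only, and named accounts sending their credentials in clear text. The log layout, the account name hradmin, and the file names are assumptions constructed for illustration.

```python
import re

WRITE_CMDS = {"STOR", "STOU", "APPE", "DELE", "MKD", "RMD", "RNFR", "RNTO"}
ANON_USERS = {"anonymous", "ftp"}

# Constructed sample, one message per line: "<session> <C|S> <text>"
# (C = client command, S = server reply). Not real IIS log output.
SAMPLE_LOG = """\
1 C USER hradmin
1 S 331 Password required for hradmin.
1 C PASS <redacted>
1 S 230 User hradmin logged in.
1 C DELE old-policy.txt
1 S 250 DELE command successful.
2 C USER anonymous
2 S 331 Anonymous access allowed, send identity as password.
2 C PASS guest@example.com
2 S 230 Anonymous user logged in.
2 C DELE benefits.txt
2 S 550 Access is denied.
2 C STOR upload.bin
2 S 150 Opening data connection.
2 S 226 Transfer complete.
"""

def audit(log_text):
    """Return (session, finding, detail); PASS arguments never reach findings."""
    findings, state = [], {}  # state: session -> [user, pending command]
    for line in log_text.splitlines():
        m = re.match(r"(\d+) ([CS]) (.+)", line)
        if not m:
            continue
        sid, side, text = m.groups()
        s = state.setdefault(sid, [None, None])
        if side == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                s[0] = arg.strip()
            s[1] = (verb.upper(), arg.strip())
        elif s[1] and text[0] != "1":  # 1xx: the final reply is still to come
            (verb, arg), s[1] = s[1], None
            anon = (s[0] or "").lower() in ANON_USERS
            if verb == "PASS" and not anon:  # exposed whether or not logon worked
                findings.append((sid, "cleartext-named-credentials", s[0]))
            elif verb in WRITE_CMDS and anon and text[0] != "3":
                kind = "succeeded" if text[0] == "2" else "denied"
                findings.append((sid, "anonymous-write-" + kind, f"{verb} {arg}"))
    return findings
```

An `anonymous-write-succeeded` finding means the anonymous account's file permissions are broader than the read-only access this section describes.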

Using groups for selective access in FTP is similar to the process described earlier in this chapter in the section, "Using Groups for Selective Access." See that section for more discussion about using groups with Internet Information Server.