FTP Clients - Part 9: Expression Web 4

For this installment in my series about FTP Clients I'm going to review the FTP features in Microsoft's Expression Web 4 (EW4). You can find out more about the Microsoft Expression series of products from the following URL:

http://www.microsoft.com/expression/

Note: There are a lot of really cool features that are built into EW4, like Search Engine Optimization (SEO) tools, rich extensibility APIs, previewing content side-by-side in multiple browser windows through SuperPreview, built-in support for programming languages like ASP/ASP.NET/PHP/etc. But that being said, in keeping with the main theme of my FTP client series, this review is focusing on just the FTP aspects of EW4 - not the entire product.

EW4 Splash Screen

At the time of this blog post, EW4 is a for-retail product that is available as part of the Expression Studio 4 Web Professional and Expression Studio 4 Ultimate suites.

Expression Web 4 Overview

The EW4 user interface follows the same design paradigm as earlier versions of Expression Web, albeit with the darker color scheme that Expression products have been using in recent versions. While EW4 contains many features that you would expect in a Microsoft Office application, it does not resemble the Office 2007/2010 user interface, so there is no ribbon-style toolbar. (This is a bad thing if you love the Office ribbon and a good thing if you hate the Office ribbon; but I'll leave that up to you to decide. <grin>)

Fig. 1 - EW4's built-in support for PHP Files

One minor personal issue that I have with Expression Web is that VBA was deprecated a while ago, so EW4 doesn't have a macro language that I can use to automate tasks like I would do with previous versions. It's possible to create "add-ins" for Expression Web, but there's a lot of overhead associated with that. From my perspective, that's pretty much like saying to someone, "I know that you would like to get across town and you already have a really nice car, but we're going to take that away. If you take 17 different buses and then walk three or four blocks, you will eventually wind up where you want to go. Of course, it will take you several hours longer and it's a really big hassle, but sooner or later you'll get there." (No comments about carbon footprint - please. <grin>)

That being said, EW4 is a great web site editor and is a good FTP client, and EW4 is much better than its predecessors. (Note: By "predecessors" I mean earlier versions of Expression Web and FrontPage.) I'll explain more in the following sections of this post.

Opening an FTP Site

Opening a site is straight-forward, and for the most part the user interface is the same whether you are opening a site over FTP/FTPS or over HTTP using WebDAV or FPSE.

Fig. 2 - Opening a Site in EW4

When you are opening an FTP or HTTP site for the first time, your list of managed sites will be empty. As you open sites, the list of sites will be populated for each site there you have the Add to managed sites check box selected.

Fig. 3 - EW4's Open Site Dialog Box

Once you have entered your site information, EW4 will prompt you for your remote editing options. This allows you to choose between editing the live site over FTP or editing a local copy and publishing your changes at a later date & time.

Fig. 4 - EW4's Remote Site Editing Options Dialog Box

The last dialog before opening the FTP site is the all-too-familiar prompt for your user credentials, albeit with a warning about FTP credentials being transmitted without encryption. (This is why you should use FTPS, but I'll discuss that later in this post.)

Fig. 5 - EW4's Remote Site Editing Options

Once the credentials have been verified by the FTP server, EW4 will display your site and you can begin editing your content.

Fig. 6 - An example phpBB site opened in EW4

EW4 has some basic site management functionality, which is accessed through the Site -> Manage Site List menu. From there you can add or remove sites from the list. Unfortunately you cannot modify the settings for sites in the list; you have to remove and re-add sites with different settings.

Fig. 7 - Opening the EW4 Site Manager
Fig. 8 - Viewing the list of managed sites

That's it for the simple stuff - now we'll take a look at the specific FTP topics that I've discussed in my other FTP client blog posts.

Using EW4 with FTP over SSL (FTPS)

EW4 supports both Implicit and Explicit FTPS, so the choice is up to you to decide which method to use. The FTPS method is specified by the port number that you choose when you are connecting.

I realize that I have posted the following information in almost all of my posts in this FTP client series, but in the interests of completeness it needs to be said again - the following rules apply for FTP7 when determining whether you are using Implicit or Explicit FTPS:

  • If you enable SSL in FTP7 and you assign the FTP site to port 990, you are using Implicit FTPS.
  • If you enable SSL in FTP7 and you assign the FTP site to any port other than port 990, you are using Explicit FTPS.

EW4 doesn't have a way of specifying Explicit or Implicit FTPS other than the port numbers listed above. That being said, more often than not you will probably be using Explicit FTPS on the default port (21) so you won't need to enter a port at all.

For example, if you are using EW4 with Explicit FTPS on the default port, you can skip adding a port number.

Fig. 9 - Opening a site using Explicit FTPS

However, if you are using Implicit FTPS, you need make sure that you configure EW4 to connect on port 990.

Fig. 10 - Opening a site using Implicit FTPS

Using EW4 with FTP Virtual Host Names

Because EW4's login dialog allows you to specify the virtual host name as part of the user credentials, EW4 works great with FTP7's virtual host names. All that you need to do is use the "ftp.example.com|username" or "ftp.example.com\username" syntax when specifying your username, and when you connect to the FTP7 server it will route your requests to the correct FTP virtual host site.

Fig. 11 - Specifying an FTP Virtual Host name

EW4 Does Not Support True FTP Hosts

Unfortunately EW4 does not have built-in for the HOST command, nor does it have support for entering commands that will be sent before the client has logged in, so you cannot use true FTP host names when using EW4 to connect to FTP7 sites that are configured with host names.

Scorecard for Expression Web 4

This concludes our quick look at some of the FTP features that are available with EW4, and here are the scorecard results:

Client NameDirectory
Browsing
Explicit
FTPS
Implicit
FTPS
Virtual
Hosts
True
HOSTs
Expression Web 4 Y Y Y Y N1
1 As noted earlier, EW4 has no way to send a HOST command, so true FTP HOSTs are not supported.

Note: I've included the following disclaimer in all of my posts, and this post is no exception - there are a great number of additional features that EW4 provides - once again I'm just keeping the focus on those topic areas that apply to FTP7. ;-]

Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/

Peace Sells, But Who's Buying?

I saw a video the other day for the song "Crying for John Lennon," which is a truly pathetic piece of hero worship about a boorish, drug addicted, womanizing narcissist. Putting aside the fact that John Lennon is no person to be admired, this video and song are another entry in a long line of juvenile visions of a world where nothing evil ever happens. The trouble with such a naïve approach to life is that it presupposes that everyone agrees with your interpretation of evil. How utterly immature.

Some cultures ignore their neighbors, some cultures fight their neighbors, while other cultures eat their neighbors. There is no common ground - there is no singular interpretation of what constitutes the concept of good or bad, much less a concept of "peace."

But for that matter, many a conquered people in western cultures have believed in peace at all costs. Crowds of angry youths who have been so sheltered by the blanket of freedoms which have been thanklessly provided for them are lulled into adolescent complacency and they form a misguided view of the world that ultimately leads to their destruction. I think that John Stuart Mill put it best when he said:

"War is an ugly thing, but not the ugliest of things. The decayed and degraded state of moral and patriotic feeling which thinks that nothing is worth war is much worse. The person who has nothing for which he is willing to fight, nothing which is more important than his personal safety, is a miserable creature and has no chance of being free unless made and kept so by the exertions of better men than himself."

For every person who dreams of pacifism no matter the cost, there are a dozen people who are willing to kill them simply for their shoes. I have travelled abroad - and I have met some of these types of people. It is difficult for simple minds to understand that there are some people in the world who hate you just because you exist. It's nothing that you have done, it's nothing that you believe, and there's nothing that you can do about it.

So while the songwriter who inspired me to write this post may be crying for John Lennon, I am weeping for our future - because if people like this songwriter continue to persist in their delusions, we are truly doomed.

Famous Amos is Out to Kill Me

Let there be no misunderstanding – I love Famous Amos cookies. But that being said, Famous Amos is out to kill me.

If I eat a small handful of Famous Amos cookies, I will pay for it with severe heartburn that lasts for several hours. But the following week, I’ll buy another package – I know that I'm going to be in pain, but I just can't help myself.

I know that one of the hardest experiences for mankind is trying to kick the smoking habit, but I have to be honest – trying to stay away from Famous Amos cookies is much harder. At least for me, anyway.

What’s even worse is when I have just enough pocket change to buy a little bag of cookies from the vending machine and the @#$% machine won’t take one of my coins. Those machines do that just to mess with me, I’m sure of it. All I can do is stare at the bag of cookies – just out of reach – and there’s nothing that I can do. There they sit – right in front of me – taunting me to resort to drastic measures.

[Deep Sigh.]

I have to go – the day is getting late and I feel like a snack.

I wonder how much change I have?

FTP Clients - Part 8: SmartFTP Client

For this installment in my series about FTP Clients I'm going to review the SmartFTP Client from SmartSoft Ltd. For this blog post I used the SmartFTP Client Ultimate Edition version 4.0.1105.0, and it is available from the following URL:

http://www.smartftp.com/

At the time of this blog post, SmartFTP is a for-retail product that is available in three editions: Home, Professional, and Ultimate. A description of the prices and features that are available in each edition is currently available from the following URL:

http://www.smartftp.com/features/editions.php

As for myself, I would use at least the Professional edition, and that statement is based on the features that I typically look for in an FTP client. (Although I would have loved to have had the Ultimate Edition several years ago when I used Telnet to connect to servers. <grin>)

The SmartFTP Client is pretty intuitive and it's easy to navigate within the application. If you are used to using typical Windows applications then you should find that the user interface follows most of the established paradigms that you would expect from a Microsoft application; it seemed to me that the design emulated the relevant parts of Windows Explorer, Visual Studio, and Office with an FTP focus.

For example, switching your directory listing views align with most Windows applications, and the site management functionality is managed through a hierarchical set of "Favorites."

Each "Favorite" has a variety of additional settings that you can edit by open the properties dialog for the favorite.

One of the great features in all editions of the SmartFTP client is a nicely-implemented Remote Edit functionality, which allows you to invoke your favorite editor from inside the client's GUI.

Command-Line Support versus Extensibility

The SmartFTP Client does not have a built-in command-line interface, although there is a script-based command-line interface that you can download separately from the SmartFTP web site. That being said, that script is not created by the folks at SmartSoft, and it's functionality is extremely limited.

For me personally, the SmartFTP Client's extensibility model more than makes up for the lack of command-line functionality. More often than not I'm simply using the command-line in order to script FTP operations, and the SmartFTP extensibility features provide a great deal more capabilities than I would have available to me when automating a command-line FTP client.

I haven't spent a great deal of time working with the extensibility features, but so far I am pretty impressed. I was able to take one of the samples and retool it into a simple FTP client pretty easily. (I will include that as an example in a later blog post.) In the meantime, you can download the SDK for the SmartFTP Client from the following URL:

http://www.smartftp.com/features/sdk/

Using FTP over SSL (FTPS)

The SmartFTP Client supports both Implicit and Explicit FTPS, so the choice is up to you to decide which method to use. The FTPS method is stored as the Protocol in a favorite's properties, which is easily located in the General settings for a favorite.

Once again, the following rules apply for FTP7 when determining whether to specify Implicit or Explicit FTPS:

  • If you enable SSL in FTP7 and you assign the FTP site to port 990, you are using Implicit FTPS - the SmartFTP Client refers to this as FTP over SSL (Implicit).
  • If you enable SSL in FTP7 and you assign the FTP site to any port other than port 990, you are using Explicit FTPS - the SmartFTP Client refers to this as FTP over SSL (Explicit).

If you are using Implicit FTPS, make sure that you configure your FTP client to connect on port 990.

Using FTP Virtual Hosts

Because the SmartFTP Client's properties for favorites allow you to specify the virtual host name as part of the user credentials, the SmartFTP Client works great with FTP7's virtual host names. All that you need to do is use the "ftp.example.com|username" syntax when specifying your username, and when you connect to the FTP7 server it will route your requests to the correct FTP virtual host site.

Using True FTP Hosts

The SmartFTP Client provides built-in support for the HOST command, which means that you can have real multi-homed FTP sites when using the SmartFTP Client to connect to FTP7 sites that are configured with host names. In order to use true HOSTs in the SmartFTP Client, you need to configure the client to send the FEAT command before logging in. This is configured in the Connection settings in the drop-down menu for "Send FEAT."

As an FYI - I had some discussions with Mat Berchtold from SmartSoft while I was writing this review, and Mat informed me that the SmartFTP Client doesn't automatically assume support for the HOST command; sending the FEAT command before logging in allows the client to discover if HOST is supported before continuing.

Host Names and Firewalls

Mat Berchtold from SmartSoft also mentioned that some firewalls do not yet recognize the HOST command, and therefore those firewalls may not pass the HOST command through the firewall. That's something to think about if you start to see connection failures related to hostnames not being found - you can check your FTP server's logs to see if the HOST command is arriving at the server.

Scorecard for the SmartFTP Client

This concludes our quick look at some of the features that are available with the SmartFTP Client, and here's the scorecard results:

Client NameDirectory
Browsing
Explicit
FTPS
Implicit
FTPS
Virtual
Hosts
True
HOSTs
SmartFTP Client Ultimate 4.0.1105.0 Y Y Y Y Y 1
1 As noted earlier, true FTP HOSTs are fully supported, but you need to configure the SmartFTP Client to send the FEAT command before logging in.

Note: I've included the following disclaimer in all of my posts, and this post is no exception. ;-] There are a great number of additional features that the SmartFTP Client provides - once again I'm just keeping the focus on those topic areas that apply to FTP7.

Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/

Windows 7 Hotkeys

I put together this list for my brother when Windows 7 launched. I got the information from a variety of sources, thereby living up to the old adage that "Copying from one person is plagiarism, copying from a hundred people is research." Some of these are new to Windows 7, while others have been around a little while. In any event, here are some notes that explain how to interpret the keystrokes:

  • A plus symbol (+) between keys means to press the keys at the same time, whereas a comma (,) between keys means to press the keys one after another.
  • [Right] text stands for the right cursor key, [Left] for the left cursor key, etc.

Taskbar Modifiers

Shift+Click Open a new instance of the program
Ctrl+Click Cycle between windows in a group
Middle Click Open a new instance of the program
Ctrl+Shift+Click Open a new instance of the program as Administrator
Shift+Right-Click Show window menu

Managing Windows

Alt+F4 Close the active window
Alt+Tab Switch to previous active window
Alt+Esc Cycle through all open windows
Win+Tab Flip 3D
Ctrl+Win+Tab Persistent Flip 3D
Win+T Cycle through applications on taskbar (showing its live preview)
Win+M Minimize all open windows
Win+Shift+M Undo all window minimization
Win+D Toggle showing the desktop
Win+P Open the projection menu (generally used for laptops connected to projectors)
Win+[Up] Maximize the current window
Win+[Down] If the current window is maximized, restore it; if the current window is restored, minimize it
Win+[Left] Dock the current window to the left half of the screen
• If it is already docked left, it is moved to the right half of the screen
• If it is already docked right, it is restored to its original size
Win+[Right] Dock the current window to the right half of the screen
• If it is already docked right, it is moved to the left half of the screen
• If it is already docked left, it is restored to its original size
Win+Shift+[Left] Move current window to the left monitor (with dual monitors)
Win+Shift+[Right] Move current window to the right monitor (with dual monitors)
Win+Home Minimize all but the current window
Win+Space Peek at the desktop
Win+[Plus sign] Zoom in
Win+[Minus sign] Zoom out

Starting Programs

Win+1 Open the first program on your Quick Launch bar
Win+2 Open the second program on your Quick Launch bar
Win+n Open the nth program on your Quick Launch bar
Win+U Open the ease of access center
Win+F Open the search window
Win+X Open the Mobility Center
Win+E Open Explorer
Win+R Open the Run window
Win+B Move focus to notification tray (the right-most portion of the taskbar)
Win+Pause Open the System Properties portion from the Control Panel
Ctrl+Shift+Esc Open Windows Task Manager

Logging In And Out

Win, [Right], Enter Shutdown
Win, [Right], [Right], R Restart
Win, [Right], [Right], S Sleep
Win, [Right], [Right], H Hibernate
Win, [Right], [Right], W Switch Users
Win+L Locks computer

Viewing Folders With Explorer

Alt+[Left] Go back
Alt+[Right] Go forward
Alt+[Up] Go up a directory
Alt+D Move focus to address bar
Alt+D, Tab Move focus to search bar
Alt+Enter Open the Properties window of the current selection
Ctrl+Mousewheel Change the view type (extra large, small, list view, detail, etc.)
Alt+P Show/hide the preview pane

FrontPage Server Extensions and UNC Content

How to get the FPSE2002 AllowUNC feature to work with Windows Server 2008

I've had a few questions about getting the FrontPage 2002 Server Extensions (FPSE2002) AllowUNC feature to work with Windows Server 2008, so I thought that I would put together a blog from some of the information that I had been giving out whenever someone was having problems.

As a little bit of background information, Windows 2003 Server shipped with a later version of FPSE2002 than had previously been released, and that version of FPSE2002 was used as the code base for the version of FPSE2002 that was later shipped for Windows Server 2008. One the great features of this release was the ability to host your content on a remote server using a UNC share, which is something that web administrators had been requesting for years. Microsoft wrote a full whitepaper that details all of the possible configurations and steps to configure FPSE2002 with this feature at the following URL:

http://technet.microsoft.com/en-us/library/cc768023.aspx

That being said, that whitepaper is quite large, and not all of it is necessary if you simply want to host FPSE2002-based content on a UNC path. With that in mind, I have come up with an abbreviated set of steps that uses the whitepaper as a base for enabling this feature. To be more specific, I was able to implement this feature by using only the following sections of that whitepaper:

  1. "Configuring the File Server"
  2. "To Share the Folder"
  3. "Creating and Configuring a Virtual Server in IIS"
  4. "Configuring Security Settings for the Virtual Server"
  5. "To Configure the Registry for the Web server"
  6. "To Enable FrontPage Server Extensions 2002"

The body of this blog post is an excerpt from the whitepaper, and contains only the steps that I used to get my test scenario up and running. For my test, I set up a domain controller, a file server, and a web server; all running Windows Server 2008 or Windows Server 2003. I include notes when necessary to highlight issues that I ran into.

Additional Notes:

  • I cannot stress enough that setting up this configuration is not an easy task to perform, if you skip any steps that I have listed - the functionality will not work.
  • Some of the AllowUNC functionality is not implemented through the UI; you have to make changes to your registry to enable it.
  • All servers must be Windows 2008 Servers or Windows 2003 Servers in an Active Directory domain.
  • In the "To Share the Folder" steps I added the domain-level IUSR account to the permissions on the shared folder so that anonymous would work.
  • In the "Configuring Security Settings for the Virtual Server" steps I used Basic Authentication as this is the most common Internet-based method.
  • I only tested this with a UNC share on a Windows-based server, I did not test with SAN or NAS devices so I am not sure if they would work.

CONFIGURING THE FILE SERVER

You must configure a shared folder on the file server and grant the Web server access to the contents of that folder. Note that you must set the permissions for the folder itself, not a parent folder. It is recommended that you also implement IP Security on the file server, so that only the Web server, the domain controller, and other administrator computers can access the file server over TCP/IP. For more information about configuring IP Security, see Setting Up IPsec Domain and Server Isolation in a Test Lab.

To create a folder and set the folder ACLs
  1. In My Computer, create or locate the folder that will contain the Web site content.
  2. Right-click the folder, and click Properties.
  3. In the Properties dialog box, click the Security tab.
  4. Click Advanced. If you are using Windows Server 2008, click Edit.
  5. Click Add.
  6. Type Administrators, and then click OK.
  7. Select Full Control, and then click OK.
  8. Click Add.
  9. Click Object Types, and then in the Object Types box, select the Computers check box, and then click OK.
  10. In the Enter the object names to select box, type the Web server computer name, followed by a dollar sign ($) and then click OK.
  11. Select Full Control, and then click OK.
  12. Clear the check box for allowing inheritable permissions to propagate to the folder.
    • On Windows Server 2008 this check box is labeled "Include inheritable permissions from this object's parent".
    • On Windows Server 2003 this check box is labeled "Allow inheritable permissions from the parent object to propagate to this object and all child objects".
  13. Click Remove to clear the inherited permissions for the folder.
  14. Click OK, and then click OK again to close the Properties dialog box.
  15. The folder now only allows file access to the Administrators group and the Web server computer you specified. When you extend the virtual server on the Web server computer, the access control list (ACL) will be automatically updated with any additional required users or security principals.
To share the folder
  • On Windows Server 2008:
    1. Right-click the folder, and click Properties.
    2. On the Sharing tab, click Advanced Sharing.
    3. Check the Share this folder check box.
    4. In the Share name box, type the name to use for the share. Be sure to use the format sharename$ for the share name to make the folder hidden when users browse the machine.
    5. Click Permissions.
    6. Select Everyone, and then click Full Control.
    7. Click OK, and then click OK again, and then click Close to close the Properties dialog box.
  • On Windows Server 2003:
    1. Right-click the folder, and click Properties.
    2. On the Sharing tab, select Share this folder.
    3. In the Share name box, type the name to use for the share. Be sure to use the format sharename$ for the share name to make the folder hidden when users browse the machine.
    4. Click Permissions.
    5. Select Everyone, and then click Full Control.
    6. Click OK, and then click OK again to close the Properties dialog box.
About File System Security

Giving Everyone full control to your server share is necessary so that all users of your Web site can view the Web site information and run the ASP pages required to use FrontPage 2002 Server Extensions. However, you do not want to allow other computers or other servers access to the file share and those ASP pages. It is recommended that you implement Internet Protocol (IP) Security to help prevent users and computers from circumventing the FrontPage 2002 Server Extensions and Internet Information Services security for the file share and ASP pages.

Note - The separate user management feature for FrontPage 2002 Server Extensions also helps secure the process for accessing ASP pages through the file system. It is recommended that you implement this feature if you are connecting Web sites to UNC shares. For more information about managing users separately, see Authenticating Users Separately For Each Virtual Server.


CREATING AND CONFIGURING A VIRTUAL SERVER IN IIS

You use Internet Information Services (IIS) to create your new virtual server. You must also decide how to configure the security settings for your virtual server.

To create a virtual server on Windows Server 2008
  1. Click Start, point to Administration Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign (+) next to the server name in the Connections pane that you want to add the virtual server to.
  3. Right-click Sites, and then click Add Web Site.
  4. In the Site name box, enter the name of the Web site.
  5. In the Physical path box, type the path to the network share where the site content will go. Note that if you used the format name$ for the share, you cannot browse to the share. You must type the path exactly.
  6. In the Type box, choose HTTP or HTTPS.
  7. In the IP address box, select the IP address you want to use.
  8. In the Port box, type the port number to assign to the virtual server.
  9. In the Host name box, type the host name that you want to use (if any).
  10. Click OK.
  11. Highlight the Web site you just created in the Connection pane.
  12. Double-click the Authentication feature in the Web site's Home pane.
  13. Highlight Anonymous Authentication in the Authentication pane.
  14. Click Edit... in the Actions pane.
  15. Click Specific user, and then click Set.
    • Enter the domain and user name of your domain-level IUSR account in the User name box.
    • Enter the password of your domain-level IUSR account in the Password and Confirm Password boxes.
    • Click OK.
  16. Click OK.
  17. Verify that the application pool for the new Web site is running as Network Service:
    1. Highlight the web site that you just created in the Connections pane.
    2. Click Basic Settings... in the Actions pane.
    3. Make a note of the application pool name, and then click OK.
    4. Click Application Pools in the Connections pane.
    5. Highlight the application pool from the step that you completed previously.
    6. Click Advanced Settings... in the Actions pane.
    7. Verify that IIS lists NetworkServicein the Identity field. If it does not, use the following steps:
      1. Click the ellipsis (...) to the right of the Identity field.
      2. Click Built-in account, and then select NetworkService from the drop-down menu.
      3. Click OK to close the Application Pool Identity dialog box.
    8. Click OK to close the Advanced Settings dialog box.
To create a virtual server on Windows Server 2003
  1. Click Start, point to Administration Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign (+) next to the server name that you want to add the virtual server to.
  3. Right-click Web Sites, click New, and then click Web site.
  4. Click Next.
  5. In the Description box, type the description of your virtual server, and then click Next.
  6. In the Enter the IP address to use for this Web site box, select the IP address you want to use.
  7. In the TCP port this web site should use (Default: 80) box, type the port number to assign to the virtual server.
  8. In the Host Header for this site (Default: None) box, type the host name that you want to use (if any), and then click Next.
  9. In the Path box, type the path to the network share where the site content will go. Note that if you used the format name$ for the share, you cannot browse to the share. You must type the path exactly.
  10. If you do not want to allow anonymous access to your virtual server, clear the Allow anonymous access to this Web site check box.
  11. Click Next.
  12. On the Web Site Security Credentials panel, verify that the Always use the authenticated users credentials when validating access to the network directory check box is selected, and then click Next.
  13. On the Permissions panel, select the permissions to use, and then click Next. If your virtual server allows scripts to be run, you must also select the Run scripts (such as ASP) check box. If you want to allow ISAPI applications or CGI scripts to be used on your virtual server, you must also select the Execute (such as ISAPI applications or CGI) check box.
  14. Click Next, and then click Finish.

Note - If you chose to allow anonymous access for the virtual server, you must specify the domain account to use for anonymous users. When you use a local folder, you can use the default anonymous user (usually IUSR or IUSR_Machinename). To connect to a shared resource on a domain, however, you must specify an account with rights to the domain. Be sure to use an account with limited rights to the computers and resources in your domain. Do not unintentionally give anonymous users the ability to administer your server or print to your network printers.

Note from me:

As stated by me earlier, this entire article does not appear to work unless you specify a domain-level IUSR account in IIS, even if you are going to not allow anonymous access. In my testing, it seems to fail when anonymous is disabled and the anonymous user had been local, whereas it succeeded when the anonymous user is a domain-account with rights to the share, even though anonymous is disabled for the site.


CONFIGURING SECURITY SETTINGS FOR THE VIRTUAL SERVER

After you have created the virtual server, you must configure the security settings. When a Web site user requests a file that actually resides on a network share, there are two methods that FrontPage Server Extensions can use to provide the required authentication information:

  • Basic Authentication - Forwards the Web site requestor's username and password to the file server. If the user doesn't have access to the file server, he or she will not have access to the UNC-based files on the Web site. This method is best used for intranet Web sites.
  • Another authentication method used with Kerberos delegation If you want to use another authentication method, it is more secure to use it in conjunction with Kerberos delegation. For more information about configuring Kerberos, see the Help systems for Windows Server 2003 and Internet Information Services (IIS) 6.0.

Warning - Basic authentication forwards the requestor's username and password over the network. This means that usernames and passwords can be captured using a network packet analyzer. Only use basic authentication if you are sure that potential hackers don't have access to your network cabling or wireless media.

To configure the new virtual server to use basic authentication on Windows Server 2008
  1. In Internet Information Services (IIS) Manager, highlight the Web site you just created in the Connection pane.
  2. Double-click the Authentication feature in the Web site's Home pane.
  3. Highlight Basic Authentication in the Authentication pane.
  4. Click Enable in the Actions pane.
To configure the new virtual server to use basic authentication on Windows Server 2003
  1. In Internet Information Services (IIS) Manager, right-click the Web site you just created, and then click Properties.
  2. On the Directory Security tab, under Authentication and Access Control, click Edit.
  3. Check the Enable anonymous access check box.
  4. In the User name box for the anonymous user, type a domain user account to use for anonymous access. Note that because you are allowing access across computers, the default anonymous account (which is specific to each server) will not work. You must use a domain account for anonymous access.
  5. In the Password box, type the password that corresponds to the user account.
  6. In the Authenticated Access section, clear the Integrated Windows authentication check box, and check the Basic authentication (password is sent in clear text) check box.
  7. Click Yes to verify that you want to enable Basic authentication, and then click OK.
  8. Type the password again to confirm it, and then click OK.
  9. Click OK again to close the Properties dialog box.

Note from me:

As stated by me earlier, I only tested with Basic Authentication; I did not try Kerberos. Since we are making a single hop to another server, I would expect simple NTLM to fail. See KB 315673 for a description of single versus double hop setups when working with IIS configurations. But that being said, Windows Authentication in an Internet environment is impractical, so in most scenarios this point is moot.

After you create the virtual server, and before you can extend it with FrontPage 2002 Server Extensions, you must set the following registry entries to enable your Web server to work with a shared UNC folder:

  • NoMachineGroups: determines whether or not FrontPage 2002 Server Extensions can create local machine accounts for new users. Because local machine accounts on one server have no rights on another server, you must disable local machine accounts and use only domain accounts to work with a shared UNC folder. Set NoMachineGroups to "1" to disable local machine accounts. Note that because this is a global setting, you should only change it before you have extended your virtual servers. If you change this setting after a virtual server has been extended, the administration pages may not work.
  • AllowUNC: specifies whether or not to allow shared UNC folders. You must set this entry to "1" to enable UNC folder sharing.

Both subkeys are under the following path in the registry depending on your version of Windows:

  • On a 32-bit server:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports
  • On a 64-bit server:
    • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Shared Tools\Web Server Extensions\All Ports

If these subkeys do not exist yet, you can add them as new string values, and then set them to 1.

To configure the registry for the Web server
  1. Open the Registry Editor on your Web server computer. To do so, click Start, click Run, and then type regedit.
  2. Open the correct subkey for your version of Windows:
    • On a 32-bit server:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports
    • On a 64-bit server:
      • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Shared Tools\Web Server Extensions\All Ports
  3. If you see the NoMachineGroups and AllowUNCkeys, skip to step 4. If not, you must create these keys as described in the next step.
    1. Right-click in the right pane of the Registry Editor Window, click New, and then click String value.
    2. Type the name for the new entry: NoMachineGroups
    3. Right-click in the right pane of the Registry Editor Window, click New, and then click String value.
    4. Type the name for the new entry: AllowUNC
  4. In the right pane, right-click NoMachineGroups, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. In the right pane, right-click AllowUNC, and then click Modify.
  7. In the Value data box, type 1, and then click OK.

EXTENDING THE VIRTUAL SERVER

After the virtual server has been created and configured, you are ready to extend it with FrontPage 2002 Server Extensions. You must extend the virtual server before you can publish Web site content to it.

To enable the FrontPage Server Extensions 2002 Web Server Extension on Windows Server 2003
  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).
  2. In the console tree, click the name of the computer where you will create the virtual server, and then click Web Server Extensions.
  3. In Web Server Extensions, click FrontPage Server Extensions 2002, and then click Allow.
To extend the new virtual server and create a Web site
  1. Click Start, point to Administrative Tools, and then click Microsoft SharePoint Administrator.
  2. Click Extend next to the virtual server you just created in IIS.
  3. In the Administrator user name box, type the user name, and then click Submit.

After you extend the site, it is recommended that you run server health to make sure the permissions are set correctly and do not allow unauthorized access. To run server health, use the following command-line operations:

cd /d "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\50\bin"

owsadm.exe -o check -p 80 -w /


As I mentioned in the beginning of this post, there are a lot of steps to get this working, but it's possible to do so.

I hope this helps. ;-]

IIS 6.0 WebDAV and Compound Document Format Files

We recently ran into a situation where a customer thought that they were seeing file corruption when they were transferring files from a Windows 7 client to their IIS 6.0 server using WebDAV. More specifically, the file sizes were increasing for several specific file types, and for obvious reasons the checksums for these files would not match for verification. Needless to say this situation caused a great deal of alarm on the WebDAV team when we heard about it - file corruption issues are simply unacceptable.

To alleviate any fears, I should tell you right up front that no corruption was actually taking place, and the increase in file size was easily explained once we discovered what was really going on. All of that being said, I thought that a detailed explanation of the scenario would make a great blog entry in case anyone else runs into the situation.

The Customer Scenario

First of all, the customer was copying installation files using a batch file over WebDAV; more specifically the batch file was copying a collection of MSI and MST files. After the batch file copied the files to the destination server it would call the command-line comp utility to compare the files. Each MSI and MST file that was copied would increase by a small number of bytes so the comparison would fail. The customer computed checksums for the files to troubleshoot the issue and found that the checksums for the files on the source and destination did not match. Armed with this knowledge the customer contacted Microsoft for support, and eventually I got involved and I explained what the situation was.

The Architecture Explanation

Windows has a type of file format called a Compound Document, and many Windows applications make use of this file format. For example, several Microsoft Office file formats prior to Office 2007 used a compound document format to store information.

A compound document file is somewhat analogous to a file-based database, or in some situations like a mini file system that is hosted inside another file system. In the case of an MST or MSI file these are both true: MST and MSI files store information in various database-style tables with rows and columns, and they also store files for installation.

With that in mind, here's a behind-the-scenes view of WebDAV in IIS 6.0:

The WebDAV protocol extension allows you to store information in "properties", and copying files over the WebDAV redirector stores several properties about a file when it sends the file to the server. If you were to examine a protocol trace for the WebDAV traffic between a Windows 7 client and an IIS server, you will see the PUT command for the document followed by several PROPPATCH commands for the properties.

IIS needs a way to store the properties for a file in a way where they will remain associated with the file in question, so the big question is - where do you store properties?

In IIS 7 we have a simple property provider that stores the properties in a file named "properties.dav," but for IIS 5.0 and IIS 6.0 WebDAV code we chose to write the properties in the compound document file format because there are lots of APIs for doing so. Here's the way that it works in IIS 5 and IIS 6.0:

  • If the file is already in the compound document file format, IIS simply adds the WebDAV properties to the existing file. This data will not be used by the application that created the file - it will only be used by WebDAV. This is exactly what the customer was seeing - the file size was increasing because the WebDAV properties were being added to the compound document.
  • For other files, WebDAV stores a compound document in an NTFS alternate data stream that is attached to the file. You will never see this additional data from any directory listing, and the file size doesn't change because it's in an alternate data stream.

So believe it or not, no harm is done by modifying a compound document file to store the WebDAV properties. Each application that wants to pull information from a compound document file simply asks for the data that it wants, so adding additional data to a compound document file in this scenario was essentially expected behavior. I know that this may seem counter-intuitive, but it's actually by design. ;-]

The Resolution

Once I was able to explain what was actually taking place, the customer was able to verify that their MST and MSI files still worked exactly as expected. Once again, no harm was done by adding the WebDAV properties to the compound document files.

You needn't take my word for this, you can easily verify this yourself. Here's a simple test: Word 2003 documents (*.DOC not *.DOCX) are in the compound document file format. So if you were to create a Word 2003 document and then copy that document to an IIS 6.0 server over WebDAV, you'll notice that the file size increases by several bytes. That being said, if you open the document in Word, you will see no corruption - the file contains the same data that you had originally entered.

I hope this helps. ;-]

Why I love my job...

I had originally written the following for a Facebook note, but I think that it's better as a blog post:

Let's face it, if you have known me for any period of time during the past two decades you would quickly realize that outside of church, family, and music, working with computers is my next biggest passion. Being been hired by Microsoft in late 1995 was one of those moments where I smacked myself on the head and questioned why I hadn’t thought of that before. It’s just great when it turns out that you can actually make a living doing one of your hobbies. (Making a living making music would be great, too, but I work with a large number of people who have all realized that having a normal day job means that you can actually afford your music hobby. Whereas trying to make a living at music often means wondering where your next meal is coming from. But I digress...)

Anyway, I’ve had several different jobs since I joined Microsoft, which always leads to the following question from friends and family: "So, what do you do for Microsoft?"

Over the past few years I have worked on a team with several gifted people that create several technologies that perform a lot of the behind-the-scenes work for the Internet, and these days I spend my time writing about these products and telling people how they can use them. With that in mind, I thought that I’d answer a little bit of the "What do you do for Microsoft?" question by way of illustration.

The following blog post that I wrote recently branches off into several links where I discuss writing a bunch of code to do a variety of things that many people would probably find... well... less than exciting:

MSDN Blog: Merging FTP Extensibility Walkthroughs

As I said, you might not find it exciting - but for me, this why I get up in the morning, and at the end of the day it’s why I still love my job.

;-)

FTP Clients - Part 7: Kermit FTP Client

Since I started reviewing FTP clients I've had a few requests to look at a few different FTP clients, and I've managed to analyze a few of those clients in my blog. A few weeks ago I had a request from one of my readers that really caught my interest - Shabbir Talib contacted me through my blog and asked me to review the Kermit FTP Client. I found his request especially appealing because I used to use Kermit before the public learned about the Internet; back then I was using Kermit to access dial-up Bulletin Board Systems (BBS's) and to connect to my college's VAX system. That being said, I hadn't used Kermit in years so I couldn't resist taking a look.

To start things off, the Kermit Project is developed and distributed by Columbia University in New York City. More information about the project, downloadable installation packages, and software licenses for purchase are available from:

http://www.columbia.edu/kermit/

I need to stress here the Kermit is actually a full suite of connectivity applications, the Kermit FTP Client is only one part of that communications suite. So from the outset the Kermit is more than overkill if you're just looking to transfer some files to and from your FTP site. The Kermit Dialer takes the place of what most FTP clients would have as a Site Manager, and opening that application will display a large number of templates for various connection types.

Rephrasing my earlier statement, saying that Kermit is overkill is really an unfair assessment when you consider the sheer number of options that Kermit gives you. If you are used to creating and configuring FTP site connections in most FTP clients, you generally have a small handful of options that you can specify. This is not true for Kermit 2.1.3 - the wizard for creating a new FTP connection in the Kermit GUI led me through eleven wizard-based pages of options before the connection was created.

Once you connect, however, the Kermit GUI is just a wrapper for command-line FTP functionality - so you have to know what you're doing in FTP to get around, and there is no explorer-style functionality like you get with graphical FTP clients like Core FTP or FileZilla.

Command-Line and Scripting Support

Since the Kermit GUI is just a wrapper for the command-line, you may have already guessed correctly that the Kermit FTP Client (ftp.exe) works just fine from a command prompt. What's more, Kermit has a built-in scripting language that far surpasses the scripting capabilities for the built-in Windows command-line ftp client (also named ftp.exe.) For example, you can script what action to take if something goes wrong - like retrying a failed upload. More information about scripting the Kermit FTP Client is available at the following URL:

http://www.columbia.edu/kermit/ftpscripts.html

From what I've seen of Kermit's scripting support, this appears to be an extremely rich feature for people that need more options for scripting an FTP client.

Using FTP over SSL (FTPS)

The Kermit FTP Client supports FTPS, and it allows you to configure options such as separate protection levels for the command and data channels for a connection.

Once you have the security options specified for the connection, connecting to an FTP site using FTPS is pretty straightforward.

No Implicit FTPS Support

I could find nothing in the Kermit FTP Client documentation that referenced support for implicit FTPS, and when I configured one of my FTP sites to use implicit FTPS I could not connect to it using Kermit. (But in all fairness, you may recall from some of my earlier blog posts that Implicit FTPS is often considered deprecated.)

Using FTP Virtual Hosts

Like the MOVEit Freely FTP client, everything is happening from a command-line, so you can use both FTP7's Virtual Hosts and the actual FTP HOST command. (As I have mentioned in previous blog posts, you should take a look at my Virtual Hosts and Host Names in FTP7 blog post for more information about FTP Virtual Host Names and FTP True Host Names, and see https://datatracker.ietf.org/drafts/draft-hethmon-mcmurray-ftp-hosts/ for more information about status of the FTP HOST command.)

That being said, FTP7 virtual hosts are supported by using the "ftp.example.com|username" syntax when specifying your username, and when you connect to the FTP7 server it will route your requests to the correct FTP virtual host site.

True FTP hosts can be used by specifying the FTP HOST command using the Kermit FTP Client's support for custom commands. The syntax for this command is listed below:

ftp quote host ftp.example.com

Note: You need to send the HOST command before sending USER and PASS.

Scorecard for the Kermit FTP Client

This concludes our quick look at some of the features that are available with the Kermit FTP Client, and here's the scorecard results:

Client NameDirectory
Browsing
Explicit
FTPS
Implicit
FTPS
Virtual
Hosts
True
HOSTs
Kermit FTP Client 2.1.3 N Y N Y Y 1
1 As noted earlier, true FTP HOSTs are available when using the "ftp quote HOST ftp.example.com" syntax.

Note: Keeping with my standard disclaimer, there are a great number of additional features that the Kermit FTP Client provides - I'm just keeping the focus on those topic areas that apply to FTP7.

Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/

Blog SPAM

This blog isn't that old, I only created the site a few months ago, but it's amazing how much spam I get. It seems like every other day I have another spammer that is pretending to post comments, when they are actually just posting links to their (often bogus) business web sites.

Fortunately I have comment moderation turned on so their posts are never actually posted to the web site, but spammers are never deterred – they continue to post new comments to my site in the hopes that maybe something will get through. So I fully expect that some spammer is going to post so innocuous piece of worthlessness to this blog post within the week.

[Heavy sigh.]

Spammers suck.