How to set up War FTP Daemon 1.81 to use network shares


After a normal installation on Windows NT/2000/XP, War FTP Daemon 1.81 runs as a system service under the local "System" user account. This is a special, privileged Windows account used to run Windows services. It can do almost anything on the local machine, but it has no rights on other machines on the Windows network. That means the FTP server is unable to access shares on other machines on the LAN. This is by design, to limit the damage if the server is misconfigured or if someone manages to break into it.

In order to use network shares, War FTP Daemon must run as a user that has both the special privileges needed to run as a system service and the privileges needed to access the network share. This can be done in several ways. One is to create a new domain user on your Windows Domain/Active Directory server with guest privileges. (You must be a network administrator to do this.)

We now have a user with limited privileges on the domain. (Well, if the domain is set up in a sane manner, the user should have limited rights!) Now we have to give it some special privileges on the computer running War FTP Daemon. Open the Control Panel, enter the Services applet and open WARSVR.

 

Set our new warsvr-user domain user as the login account.

I don't know why, but the user must also be added to the local Administrator account (if not, the service simply won't start). Open the Computer Management applet in the Control Panel and add the user to the Local Administrators group.

Now you can restart warftpd. When it starts up as a service, it can access any network share on the local domain, with the rights of the warftpd-user domain user. In the example below I mount the share \\combat2\utveksling as /share.

And that's it. Your users can access /share just as any other path ;)

 


Hi and thanks for the great ftp server. I just thought I'd tell you about something you overlooked on this page: http://www.warftp.org/guides/netshare.html

With Win2K/XP they have enhanced the user functionality so that the computer accounts are just like user accounts. You can add a computer to the permissions on a share/drive and even the system account access from that machine will have access.

For example, I needed to map a directory in WarFTPD to a remote share but I wanted to do so securely. I didn't want to create another user because with MS stuff, you never know how that will be exploited. So, I shared a directory on the remote box as stuff$ (dollar sign to disable browsing of course). Then I swept the permissions only allowing domain admins and the account of the WarFTP server's host machine. You just add the computer name to the permissions list (ntfs obviously). By default the share will allow all users access, but I limit by file permissions only to keep things simple and standard.

Once all this is done, you can just add the share name as your help page instructs and the server can access the share with whatever permissions you assigned the computer account for that directory. It also just slightly adds to the access the computer would normally have and lessens any damage a potential hijacking of a WarFTPD session could allow.

As far as I know, this added user functionality is only available when using Active Directory as the user database as opposed to NT's SAM, regardless of what the host is running. It will even work for NT4 machines running in a mixed mode AD network. Just as long as the destination resource computer is Win2K/XP and can validate that the requesting machine has the proper permissions.

Thanks again,
John
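
The computer-account approach described in the letter above, written out as an added example (not part of the original page or the letter). It assumes a file server with the SMB and ACL cmdlets of Windows 8 / Server 2012 or later, not the Win2K/XP tools of the time. The domain name, host name, directory path and the Modify access level are constructed placeholders.

```powershell
# Added example. All names below are constructed placeholders except 'stuff$',
# the hidden share name used in the letter. Run elevated on the file server.
$Domain    = 'EXAMPLE'      # assumed NetBIOS domain name
$FtpHost   = 'FTPHOST'      # assumed name of the machine running War FTP Daemon
$Path      = 'D:\stuff'     # assumed directory to share
$ShareName = 'stuff$'       # trailing $ hides the share from browsing

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share-level permissions stay open; the NTFS ACL does the restricting.
New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' | Out-Null

# A computer account is addressed as DOMAIN\HOSTNAME$.
$grants = @(
    @{ Identity = "$Domain\Domain Admins"; Rights = 'FullControl' },
    @{ Identity = "$Domain\$FtpHost`$";    Rights = 'Modify' }   # assumed access level
)

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
foreach ($rule in @($acl.Access)) {           # remove any explicit entries already present
    [void]$acl.RemoveAccessRule($rule)
}
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Identity, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Verify: only the two identities above should be listed, none inherited.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Every service running as the local System account on the FTP host authenticates to the share as that computer account, so this grant covers all such services on that machine, not only War FTP Daemon.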