
Serv-U File Server Administrator Guide > Server overview > Directory access rules

Directory access rules

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Jul 20, 2016


Directory access rules define the areas of the system that are accessible to user accounts. While traditionally restricted to the user and group levels, in Serv-U the use of directory access rules is extended to both the domain and the server levels through the creation of global directory access rules. Directory access rules specified at the server level are inherited by all users of the file server. If they are specified at the domain level, they are only inherited by users who belong to that particular domain. The traditional rules of inheritance apply: rules specified at a lower level (for example, the user level) override conflicting or duplicate rules specified at a higher level (for example, the server level).

When you set the directory access path, you can use the %USER%, %HOME%, %USER_FULL_NAME%, and %DOMAIN_HOME% variables to simplify the process. For example, use %HOME%/ftproot/ to create a directory access rule that specifies the ftproot folder in the home directory of the user. Directory access rules specified in this manner remain valid if the actual home directory changes while the same subdirectory structure is maintained, which means less maintenance for the file server administrator. If you specify the %USER% variable in the path, it is replaced with the user's login ID. This variable is useful in specifying a group's home directory to ensure that users inherit a logical and unique home directory. You can use the %USER_FULL_NAME% variable to insert the Full Name value into the path (the user must have a Full Name specified for this to function). For example, for the user "Tom Smith", D:\ftproot\%USER_FULL_NAME% resolves to D:\ftproot\Tom Smith. You can also use the %DOMAIN_HOME% macro to identify the user's home directory. For example, to place a user and their home directory into a common directory, use %DOMAIN_HOME%\%USER%.

Directory access rules are applied in the order they are listed. The first rule in the list that matches the path of a client's request is the one applied to that request. In other words, if a rule that denies access to a particular subdirectory is listed below a rule that grants access to its parent directory, the user still has access to that subdirectory. Use the arrows on the right of the directory access list to change the order in which the rules are applied.

Serv-U allows users to list and open the parent directory of a directory they are granted access to, even if no explicit access rule is defined for the parent directory. However, a parent directory accessed this way only displays the content to which the user has access.

File permissions

Permission: Description
Read: Allows users to read (download) files. This permission does not allow users to list the contents of a directory, which is granted by the List permission.
Write: Allows users to write (upload) files. This permission does not allow users to modify existing files, which is granted by the Append permission.
Append: Allows users to append data to existing files. This permission is typically used to enable users to resume transferring partially uploaded files.
Rename: Allows users to rename files.
Delete: Allows users to delete files.
Execute: Allows users to remotely execute files. The execute access is meant for remotely starting programs and usually applies to specific files. This is a powerful permission and great care should be used in granting it to users. Users with Write and Execute permissions can install any program on the system.

Directory permissions

Permission: Description
List: Allows users to list the files and subdirectories contained in the directory. Also allows users to list this folder when listing the contents of a parent directory.
Create: Allows users to create new directories within the directory.
Rename: Allows users to rename directories within the directory.
Remove: Allows users to delete existing directories within the directory. If the directory contains files, the user must also have the Delete file permission to remove the directory.

Subdirectory permissions

Permission: Description
Inherit: Allows all subdirectories to inherit the same permissions as the parent directory. The Inherit permission is appropriate for most circumstances, but if access must be restricted to subfolders (for example, when implementing mandatory access control), clear the Inherit check box and grant permissions specifically by folder.

Advanced: Access as Windows user (Windows only)

Files and folders may be kept on external servers in order to centralize file storage or provide additional layers of security. In this environment, files can be accessed by the UNC path (\\servername\folder\) instead of the traditional C:\ftproot\folder path. However, accessing folders stored across the network poses an additional challenge, because Windows services are run under the Local System account by default, which has no access to network resources.

To mitigate this problem for all of Serv-U, you can configure the Serv-U File Server service to run under a network account. The alternative, preferred when many servers exist or when the Serv-U File Server service has to run under Local System for security reasons, is to configure a directory access rule to use a specific Windows user for file access. Click Advanced to specify a Windows user for each directory access rule. As with Windows authentication, directory access is subject to NTFS permissions, and in this case also to the permissions configured in Serv-U.

When you use Windows authentication, the NTFS permissions of the Windows user take priority over the directory access rules. This means that when a Windows user tries to access a folder, the security permissions of the user are applied instead of the credentials specified in the directory access rule.

Quota permissions

Maximum size of directory contents

Setting the maximum size actively restricts the size of the directory contents to the specified value. Any attempted file transfers that cause the directory contents to exceed this value are rejected. This feature serves as an alternative to the traditional quota feature that relies upon tracking all file transfers (uploads and deletions) to calculate directory sizes and is not able to consider changes made to the directory contents outside of a user's file server activity.

Mandatory access control

You can use mandatory access control (MAC) in cases where users need to be granted access to the same home directory but should not necessarily be able to access the subdirectories below it. To implement mandatory access control at a directory level, disable the Inherit permission as shown below.

In the following example, the rule applies to C:\ftproot\.

[Screenshot: help-dir-access1.jpg]

Now, the user has access to the ftproot folder but to no folders below it. Permissions must individually be granted to subfolders that the user needs access to, providing the security of mandatory access control in Serv-U File Server.

Restrict file types

If users are using storage space on the Serv-U File Server to store non-work-related files, such as .mp3 files, you can prevent this by placing a directory access rule above the main directory access rule that denies the transfer of .mp3 files, as shown below.

In the text entry for the rule, type *.mp3, and use the permissions shown below:

[Screenshot: help-dir-access2.jpg]

The rule denies permission to any transfer of files with the .mp3 extension and can be modified to reflect any file extension. Similarly, if accounting employees only need to transfer files with the .mdb extension, configure a pair of rules that grants permissions for .mdb files but denies access to all other files, as shown below.

In the first rule, enter the path that should be the user's home directory or the directory to which they need access.

[Screenshot: help-dir-access4.jpg]

In the second rule, enter the extension of the file that should be accessed, such as *.mdb.

[Screenshot: help-dir-access3.jpg]

These rules only allow users to access .mdb files within the specified directories. You can adapt these rules to any file extension or set of file extensions.

[Screenshot: help-dir-access5_550x164.jpg]
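The following Python model is an added example, not part of this guide and not Serv-U's own code or API. It evaluates an ordered rule list the way the page describes (first match wins, macro expansion, the Inherit check box, and filename pattern rules such as *.mp3) and encodes the rule-ordering pitfall, the .mp3 deny rule, the .mdb-only pair and the mandatory access control case. The user name, home paths and permission sets are constructed, not those in the page's screenshots.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PureWindowsPath


@dataclass
class Rule:
    path: str                       # e.g. r"%DOMAIN_HOME%\%USER%" or "*.mp3"
    allow: frozenset = frozenset()  # permissions granted; empty set = deny
    inherit: bool = True            # the Inherit check box: cover subdirectories


def expand(path, user, home, domain_home):
    """Substitute the %USER%, %HOME% and %DOMAIN_HOME% macros (assumed plain replace)."""
    return (path.replace("%USER%", user)
                .replace("%HOME%", home)
                .replace("%DOMAIN_HOME%", domain_home))


def matches(rule_path, target, inherit):
    rule, tgt = PureWindowsPath(rule_path), PureWindowsPath(target)
    if any(c in rule.name for c in "*?"):      # filename pattern rule such as *.mp3
        if not fnmatch(tgt.name.lower(), rule.name.lower()):
            return False
        anchor = rule.parent                   # "." when the pattern is bare
        return (str(anchor) == "." or anchor == tgt.parent
                or (inherit and anchor in tgt.parents))
    if rule == tgt:                            # the rule's directory itself
        return True
    return inherit and rule in tgt.parents     # something below it, if Inherit is set


def permitted(rules, target, perm, user="tom", home=r"C:\ftproot\tom",
              domain_home=r"C:\ftproot"):
    """True only if the FIRST matching rule grants perm; no match means no access."""
    for r in rules:
        if matches(expand(r.path, user, home, domain_home), target, r.inherit):
            return perm in r.allow
    return False


# Constructed rule sets mirroring the page's scenarios (permission sets are assumed).
RW_LIST = frozenset({"read", "write", "list"})
DENY_MP3 = [Rule("*.mp3"), Rule("%HOME%", RW_LIST)]          # deny rule listed first
MP3_TOO_LOW = [Rule("%HOME%", RW_LIST), Rule("*.mp3")]       # deny rule never reached
ONLY_MDB = [Rule("*.mdb", frozenset({"read", "write"})),
            Rule(r"%DOMAIN_HOME%\%USER%", frozenset({"list"}))]
MAC = [Rule(r"C:\ftproot", frozenset({"list"}), inherit=False)]  # Inherit cleared
```

Running permitted() against MP3_TOO_LOW shows why the deny rule must sit above the rule granting the home directory: the home rule matches first and the *.mp3 rule is never consulted.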
