2

Often we need to have clients send large backup sets to us. We currently use FTP, however we run into the issue of the FTP client being closed on the client's computer before the transfer is completed.

We would like to use the Background Intelligent Transfer Service (BITS), however I am having trouble creating that same "UploadOnly" style account as I have on the FTP.

So far I have it using NTLM authentication over SSL and it works great for the normal use case of being able to both upload and download. However, if I remove the "Modify" permissions (specifically removing "List folder / read data", "Read Extended Attributes", or "Delete" permissions) to the virtual directory for the upload account I get the following error when I try to perform the upload from the client side:

Start-BitsTransfer : Access is denied.
At line:1 char:19
+ Start-BitsTransfer <<<<  -TransferType Upload -Source E:\test.bin -Destination https://www.example.com/BitsUpload/test.bin -Credential $c -Authentication NTLM
    + CategoryInfo          : InvalidOperation: (:) [Start-BitsTransfer], Exception
    + FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

Also, if the "Delete" permission is not checked, it leaves behind a 0 KB file in the upload folder with the name bitssrv_{RANDOM_GUID}_statefile, where RANDOM_GUID is a different GUID per file.

What do I need to do to set up BITS so I can upload data to the server, but not download it? If that is not possible to do what I want let me know that too, I may just make a script that moves it out of the upload folder when the transfer completes.

Scott Chamberlain
  • 1,445
  • 2
  • 21
  • 37

2 Answers

1

A bit of a late answer, but this might be helpful for others: BITS does all upload work using verb BITS_POST. (Downloading uses HEAD and GET as expected).

You can use Request Filtering on the upload directory to block all unlisted verbs, and list only BITS_POST. I have also found it useful to disallow anonymous access, and set SSL settings to require SSL and require a client certificate, and attach a certificate to upload requests.

user570855
  • 11
  • 1
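The verb lockdown and SSL/client-certificate settings described in this answer, written out as an added PowerShell example (not code from the original post). It assumes the IIS WebAdministration module, a site named "Default Web Site" and a virtual directory "BitsUpload"; those names and the HTTP 404.6 substatus noted in the comments are assumptions, not from the page.

```powershell
# Added example: restrict an IIS virtual directory to the BITS upload verb and
# require SSL with a client certificate. Run from an elevated PowerShell session.
Import-Module WebAdministration

$site   = 'Default Web Site'   # assumed site name
$vdir   = 'BitsUpload'         # assumed virtual directory name
$psPath = "IIS:\Sites\$site\$vdir"
$verbs  = 'system.webServer/security/requestFiltering/verbs'

# Deny every HTTP verb that is not explicitly listed...
Set-WebConfigurationProperty -PSPath $psPath -Filter $verbs -Name allowUnlisted -Value $false

# ...then list only BITS_POST, the verb BITS uses for uploads. HEAD and GET
# (the download verbs) are now rejected by request filtering (HTTP 404.6),
# so the upload account cannot pull files back over HTTP even though NTFS
# still lets it read them.
Add-WebConfigurationProperty -PSPath $psPath -Filter $verbs -Name '.' `
    -Value @{ verb = 'BITS_POST'; allowed = $true }

# Require SSL and a client certificate for the upload directory. The access
# section is locked at server level by default, so write it with -Location.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$vdir" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Turn off anonymous authentication for the directory (also a locked section).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/$vdir" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# Verify: the verb list should now contain exactly one entry, BITS_POST = allowed.
Get-WebConfiguration -PSPath $psPath -Filter "$verbs/add" | Select-Object verb, allowed
```

After running this, a Start-BitsTransfer with -TransferType Download against the directory fails at the request-filtering layer rather than at NTFS, which is the point of the approach: the upload account keeps the read permission BITS needs to resume a transfer, while the web server refuses to serve the content.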
1

Using a shared login account, this isn't possible. Part of BITS is the ability to restart interrupted file transfers, which it does by reading the end of the file to know where to restart at. So the ability to put a file will always require the ability to read the file.

An option might be, instead of using one account to login as, to create a group of all of the machines that will be sending files. Give the group modify access to the folder (but not the subfolders and files). Also give CREATOR OWNER full access for files and subfolders. Use the machine credentials to log in. With these permissions, only the machine that uploads a file will be able to read the file.

longneck
  • 22,793
  • 4
  • 50
  • 84
  • Unfortunately the client computers are not part of the domain so I can not set up permissions for them, however you have answered my question about whether it is possible. I think I will just have a script that moves it out of the output folder once the transfer completes using the "Send message when complete" feature to trigger it. – Scott Chamberlain Aug 15 '12 at 19:42
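The per-machine NTFS layout described in this answer, applied with icacls, as an added example (not code from the original post). It assumes domain-joined uploading computers collected in a group, here the placeholder CONTOSO\BitsUploaders, and an upload folder D:\BitsUpload; both names are assumptions.

```powershell
# Added example: NTFS permissions so that each uploading machine can create
# files in the folder but only read the files it created itself.
$folder = 'D:\BitsUpload'              # assumed upload folder
$group  = 'CONTOSO\BitsUploaders'      # assumed group of computer accounts

# Stop inheriting ACEs from the parent folder, converting the ones already
# present into explicit copies so Administrators/SYSTEM keep their access.
icacls $folder /inheritance:d

# Drop the broad read ACE that volumes usually inherit for BUILTIN\Users,
# otherwise every authenticated principal could still read other uploads.
icacls $folder /remove:g 'BUILTIN\Users'

# Group gets Modify on the folder itself only: no (OI)/(CI) flags, so the ACE
# is not inherited by the files or subfolders created inside it.
icacls $folder /grant "${group}:(M)"

# CREATOR OWNER gets Full control, inherit-only (IO), for files and subfolders
# (OI)(CI): whichever machine creates a file becomes its owner with full
# rights, which also lets BITS delete its own bitssrv_*_statefile afterwards.
icacls $folder /grant 'CREATOR OWNER:(OI)(CI)(IO)F'

# Verify the resulting ACL.
icacls $folder
```

This is only usable when the uploading computers authenticate with their machine credentials, so, as the comment above notes, it does not help for clients outside the domain.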