IIS – Setting up a BITS server for upload only

Tags: bits, file-transfer, iis, iis-7, windows-server-2008-r2

Often we need to have clients send large backup sets to us. We currently use FTP; however, we run into the issue of the FTP client being closed on the client's computer before the transfer is completed.

We would like to use the Background Intelligent Transfer Service (BITS), however I am having trouble creating that same "UploadOnly" style account as I have on the FTP.

So far I have it using NTLM authentication over SSL and it works great for the normal use case of being able to both upload and download. However, if I remove the "Modify" permissions (specifically removing "List folder / read data", "Read Extended Attributes", or "Delete" permissions) to the virtual directory for the upload account I get the following error when I try to perform the upload from the client side:

Start-BitsTransfer : Access is denied.
At line:1 char:19
+ Start-BitsTransfer <<<<  -TransferType Upload -Source E:\test.bin -Destination https://www.example.com/BitsUpload/test.bin -Credential $c -Authentication NTLM
    + CategoryInfo          : InvalidOperation: (:) [Start-BitsTransfer], Exception
    + FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBits
   TransferCommand

Also, if the "Delete" permission is not checked, it leaves behind a 0KB file in the upload folder with the name bitssrv_{RANDOM_GUID}_statefile where RANDOM_GUID is a different guid per file.

What do I need to do to set up BITS so I can upload data to the server, but not download it? If it is not possible to do what I want, let me know that too; I may just make a script that moves it out of the upload folder when the transfer completes.

Best Answer

Using a shared login account, this isn't possible. Part of BITS is the ability to restart interrupted file transfers, which it does by reading the end of the file to know where to restart at. So the ability to put a file will always require the ability to read the file.

An option might be, instead of using one account to log in as, to create a group of all of the machines that will be sending files. Give the group Modify access to the folder (but not the subfolders and files). Also give CREATOR OWNER full access for files and subfolders. Use the machine credentials to log in. With these permissions, only the machine that uploads a file will be able to read the file.
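The ACL layout described in this answer, expressed as an added PowerShell example (not code from the original answer or from the asker). It assumes an upload directory `D:\BitsUpload`, a domain group `EXAMPLE\BitsUploaders` that holds the computer accounts of the uploading machines, and an Active Directory module available on the server; all three names are assumptions. The key point is that the group's Modify entry has no inheritance flags, so it applies to the folder itself only, while the CREATOR OWNER entry is inherit-only, so each uploading machine gets full control (and thus the read access BITS needs for resuming) on just the files it created.

```powershell
# Added example: build the upload-only ACL from the answer above with icacls.
# Assumptions (not from the original page): paths, group name and computer names.
$UploadDir = 'D:\BitsUpload'
$Uploaders = 'EXAMPLE\BitsUploaders'   # assumed domain group of uploading computer accounts

# Optional: populate the group with computer accounts (ActiveDirectory module assumed).
# Add-ADGroupMember -Identity 'BitsUploaders' -Members (Get-ADComputer 'CLIENT01'), (Get-ADComputer 'CLIENT02')

if (-not (Test-Path $UploadDir)) { New-Item -ItemType Directory -Path $UploadDir | Out-Null }

# Start from a clean slate: drop inherited entries so nothing grants broad read access by accident.
icacls $UploadDir /inheritance:r

# Administrative access for housekeeping (full control, inherited to files and subfolders).
icacls $UploadDir /grant "BUILTIN\Administrators:(OI)(CI)(F)"
icacls $UploadDir /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"

# The uploaders group gets Modify on THIS FOLDER ONLY: no (OI)/(CI), so the entry is not
# inherited by the files the machines create. They can create files but not list or read others'.
icacls $UploadDir /grant "${Uploaders}:(M)"

# CREATOR OWNER gets full control on subfolders and files only ((IO) = inherit-only, not the
# folder itself). Each machine therefore owns, and can read back, only the files it uploaded,
# which is what BITS needs to resume an interrupted transfer.
icacls $UploadDir /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"

# Verify the resulting entries; expect the group line without (OI)(CI) and the
# CREATOR OWNER line with (OI)(CI)(IO).
icacls $UploadDir

# Optional check from PowerShell: list access rules and their inheritance flags.
(Get-Acl $UploadDir).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

Run this on the IIS server as an administrator. When a client uploads with its machine credentials, the new file's owner is that computer account, so the CREATOR OWNER entry resolves to it alone; a different machine in the group can still create its own files but cannot read or delete the first machine's upload.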