//Karthik Srinivasan

Product Engineer, CTO & a Beer Enthusiast
Experiments, thoughts and scripts documented for posterity.

Secure FTP User Isolation in IIS

Jan 26, 2018

FTP user isolation provides an additional layer of security on top of standard authentication and authorization. It is especially helpful for web servers that have only a single IP address and multiple users who require FTP access. In this scenario, you create one main FTP site with multiple virtual directories for the various users. Even if your web server has additional IP addresses for multiple FTP sites, you can still implement user isolation. FTP User Isolation can be leveraged anytime you want to restrict users to specific content folders within a site.

 

Getting Started

As shown in IIS Manager below, I have set up 3 websites and 1 FTP site. The root folder of the FTP site points to c:\inetpub\ftproot.

Click on FTP Authentication and confirm that Anonymous Authentication is disabled and Basic Authentication is enabled.

IIS Manager

Create Local Users and FTP Group

Using the Computer Management Snap-In, I have created 3 local users that will be used for logging in to the FTP site. They are called ftpuser1, ftpuser2, and ftpuser3.

Computer Management Snap-In

Next I create a local user group called FTPUsers and add the 3 user accounts. Then I add this group to the folder permissions of c:\inetpub\ftproot.

FTPUsers Properties

Configure FTP Authorization Rules

In the Features view of the FTP site in IIS Manager, click on the FTP Authorization icon. In the settings, select Specified roles or user groups and enter the FTPUsers local group that was just created in the previous step. Storing all the FTP users in one local group will make the FTP site considerably easier to maintain in the future if new users are added. Next click the checkboxes for Read and Write permissions. Click OK to close the window.

Edit Allow Authorization Rule

 

Configure the LocalUser Virtual Directory

The next step is to create a virtual directory on the FTP site called LocalUser. This is a special directory that is needed to make user isolation work as expected. In IIS Manager, right-click on the FTP site and select Add Virtual Directory.

Master FTP Home

On the Add Virtual Directory properties, enter the name LocalUser for the Alias. For the Physical path, specify the root folder of the FTP site.

Add Virtual Directory

Create FTP User Virtual Directories

After creating the LocalUser virtual directory, we need to create an additional virtual directory under it for each FTP user that will be accessing the FTP site. On the Add Virtual Directory properties, enter the FTP user name and specify the destination path of the folder where their files are located. In the example below, ftpuser1 will have access to c:\domains\domain1.com. Repeat this step for the other FTP users.

Add Virtual Directory Physical Path

In the picture below we can see the FTP site has been set up with the LocalUser virtual directory and below it, the virtual directories for the 3 FTP users.

LocalUser Home

Configure FTP User Isolation

On the Features view of the FTP site, click on FTP User Isolation. Under Isolate users, select User name directory (disable global virtual directories) as shown below. If your FTP site will only have 1 admin user, you do not need to configure isolation; in that case just select the option FTP Root directory.

FTP User Isolation
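The same procedure can be scripted so it is repeatable and reviewable. The following PowerShell is an added example, not the author's own script: the site name is a placeholder, the paths for ftpuser2 and ftpuser3 and the Modify NTFS right are assumptions, and `IsolateAllDirectories` is the configuration value behind the "User name directory (disable global virtual directories)" option.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script. Needs Windows PowerShell 5.1 and the IIS FTP role.
Import-Module WebAdministration
$FtpSite = 'FTP-SITE-NAME'          # placeholder: the article does not name the FTP site
$FtpRoot = 'C:\inetpub\ftproot'     # FTP site root folder, from the article
$Group   = 'FTPUsers'
# ftpuser1's folder is from the article; the other two folders are assumed for illustration.
$Users = [ordered]@{
    ftpuser1 = 'C:\domains\domain1.com'
    ftpuser2 = 'C:\domains\domain2.com'
    ftpuser3 = 'C:\domains\domain3.com'
}
$sitePath = "IIS:\Sites\$FtpSite"

# FTP Authentication: Anonymous disabled, Basic enabled.
$auth = 'ftpServer.security.authentication'
Set-ItemProperty $sitePath -Name "$auth.anonymousAuthentication.enabled" -Value $false
Set-ItemProperty $sitePath -Name "$auth.basicAuthentication.enabled" -Value $true

# Local users and the FTPUsers group; passwords are prompted for, never stored in the script.
New-LocalGroup -Name $Group | Out-Null
foreach ($name in $Users.Keys) {
    $pw = Read-Host -AsSecureString "Password for $name"
    New-LocalUser -Name $name -Password $pw | Out-Null
    Add-LocalGroupMember -Group $Group -Member $name
}

# Folder permissions on the FTP root for the group (Modify is an assumed right).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl $FtpRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $FtpRoot -AclObject $acl

# FTP Authorization rule: allow the group Read and Write.
$allow = @{ accessType = 'Allow'; roles = $Group; permissions = 'Read,Write' }
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $FtpSite -Value $allow

# LocalUser virtual directory at the FTP root, then one virtual directory per user beneath it.
New-Item "$sitePath\LocalUser" -ItemType VirtualDirectory -PhysicalPath $FtpRoot | Out-Null
foreach ($name in $Users.Keys) {
    New-Item "$sitePath\LocalUser\$name" -ItemType VirtualDirectory -PhysicalPath $Users[$name] | Out-Null
}

# FTP User Isolation: user name directory, global virtual directories disabled.
Set-ItemProperty $sitePath -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'

# Read the settings back so the isolation mode and per-user mappings can be reviewed.
(Get-ItemProperty $sitePath).ftpServer.userIsolation.mode
Get-WebVirtualDirectory -Site $FtpSite | Select-Object path, physicalPath
```

The last two commands make a useful audit check on an existing server: every entry under LocalUser should map to exactly one user's content folder.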

Done!