How to Configure FTP User Isolation in IIS 7.5 on Windows 2008 Server R2

This guide shows how to use the FTP User Isolation feature of IIS to control the access privileges of FTP users. It also shows how to create the two user types, domain user and local user, and how to control the access of each.

Requirements:

  1. IIS 7.5 (the version that ships with Windows Server 2008 R2) must be installed, together with Internet Information Services (IIS) Manager.
  2. The FTP Server role service (the FTP 7.5 service, not the legacy IIS 6.0-style FTP) must be installed.

Creating an FTP user

First create a user account. Decide up front which type of account to use, domain user account or local user account, because the account type changes (1) the physical folder structure, (2) the IIS folder structure, and (3) the user isolation configuration. A local account is preferable for an FTP user who is outside of your organization: the external party gets no identity in your domain, and the account can be disabled or deleted on the web server without touching Active Directory.

  1. For a domain user account,
    1. Log in to the AD server.
    2. Create the user account on the Active Directory server using Start Menu -> Control Panel -> Administrative Tools -> Active Directory Users and Computers.
  2. For a local user account,
    1. Log in to the local web server.
    2. Create the user account by going to the Start Menu -> Control Panel -> Administrative Tools -> Server Manager.
    3. Expand Configuration, then expand Local Users and Groups.
    4. Right-click on Users, and then click New User.
    5. Fill in the form. Choose the options “User cannot change password” and “Password never expires”. Because the password will never expire, it will never be rotated by policy: set a long random password and hand it to the user out of band.
    6. Click Create.
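
The local-user steps above as a script, added here as an example (it is not part of the original guide). It uses ADSI because the New-LocalUser cmdlet does not exist on Windows Server 2008 R2; the user name “ftpguest” and the description are placeholders.

```powershell
# Added example (not part of the original guide): create the local FTP-only
# account from the "local user account" steps without the GUI, using ADSI
# because the New-LocalUser cmdlet does not exist on Windows Server 2008 R2.
# The user name and description are placeholders.
param(
    [string]$UserName    = 'ftpguest',
    [string]$Description = 'FTP-only account for external client xyz'
)

# UserFlags bits (ADS_USER_FLAG_ENUM): the two boxes the guide ticks.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # "User cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

# A password that never expires is never rotated by policy, so make it long
# and random rather than memorable; it is shown once, to be handed over out of band.
$bytes = New-Object byte[] 24
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$rng.GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)   # 32 characters, mixed character classes

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $UserName }
if ($existing) { throw "Account $UserName already exists; refusing to reset it here." }

$user = $computer.Create('user', $UserName)
$user.SetPassword($password)
$user.SetInfo()                                   # the account must exist before its flags can be read
$user.Description = $Description
$flags = [int]$user.psbase.InvokeGet('UserFlags')
$flags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
$user.psbase.InvokeSet('UserFlags', $flags)
$user.SetInfo()

# Hand back what the FTP configuration steps need. The account is deliberately
# left in no group beyond the default Users membership.
New-Object PSObject -Property @{
    Account  = "$env:COMPUTERNAME\$UserName"
    Password = $password
}
```

Run it in an elevated PowerShell session on the web server; the account it returns (ServerName\ftpguest) is the one used later in the NTFS permissions step.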

Creating a new FTP folder

  1. Open Explorer and navigate to “%SystemDrive%\inetpub”.
    1. If the FTP user is a domain user,
      1. create a folder named “%SystemDrive%\inetpub\ftproot\WebsiteClientName\LocalNetworkName”, where LocalNetworkName is the NetBIOS name of the Active Directory domain: once user isolation is enabled, the FTP service looks for a domain user's start folder at ftproot\WebsiteClientName\DomainName\UserName.
        Granting that the WebsiteClientName is xyz, and the LocalNetworkName is abc, the folder to be created is “c:\inetpub\ftproot\xyz\abc”. If you also want anonymous access, create the LocalUser\Public sub-folder described for local users as well.
    2. If it is a local user,
      1. create a folder named “%SystemDrive%\inetpub\ftproot\WebsiteClientName”;
      2. also create a sub-folder “LocalUser” under this folder (the service looks for a local user's start folder at LocalUser\UserName);
      3. also create the sub-folder “LocalUser\Public”, where you can place all your public FTP files. This is the folder in which anonymous sessions start once user isolation is enabled, so it must sit under LocalUser, not directly under the WebsiteClientName folder.
  2. Set the permissions so that anonymous sessions can read the public documents of the FTP site, and only those. Grant the anonymous account (IUSR) read access on the Public folder rather than on the whole WebsiteClientName folder: a recursive grant on the root would make every user's files readable by the anonymous identity. Open a command prompt, and type the following command:
    icacls "%SystemDrive%\inetpub\ftproot\WebsiteClientName\LocalUser\Public" /grant IUSR:(OI)(CI)R /T
  3. Open IIS Manager, and expand the Sites node to show the existing websites.
  4. Right-click the Sites node and click Add FTP Site, or click Add FTP Site in the Actions pane. The FTP site is a site of its own, separate from the xyz.com website; right-clicking the website itself offers Add FTP Publishing instead, which attaches FTP to the website's own folder rather than to the ftproot structure created above.
  5. When the Add FTP Site wizard appears,
    1. enter a site name (e.g. ftp.xyz.com);
    2. then navigate to the %SystemDrive%\inetpub\ftproot\WebsiteClientName folder you created in step #1. Note that the LocalNetworkName (for domain users) and LocalUser (for local users) are not part of the physical path; the service appends them itself; and
    3. click Next.
  6. On the next page,
    1. enter the IP address of the website in the IP Address box, and “21” in the Port box;
    2. do not enable Enable Virtual Host Names, and leave the box blank;
    3. check Start FTP Site Automatically;
    4. click the Allow SSL option;
    5. keep the Not Selected option under SSL Certificate. Note that with no certificate bound, every session, including the Basic-authenticated administrator and user logins added later, runs in clear text, so for anything beyond a lab bind a certificate and choose Require SSL; and
    6. click Next.
  7. On the next page,
    1. select “Anonymous” for the Authentication settings. This will allow anonymous users to access your public folder. User folders will be secured separately (instructions later);
    2. under Authorization, choose “Anonymous users” from the Allow Access To drop-down; and
    3. check “Read” under Permissions.
  8. Click Finish.
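
The folder layout, the anonymous-read permission and the site creation steps above as one script, added here as an example (not part of the original guide). It uses the WebAdministration module that ships with IIS 7.5; “xyz”, “abc” and the IP address are the guide's placeholders, and the dotted ftpServer property names follow the IIS configuration schema for the site element.

```powershell
# Added example (not part of the original guide): create the isolation folder
# layout for both user types, grant the anonymous account read access on the
# public folder only, and create the FTP site with anonymous Read access.
# "xyz", "abc" and the IP address below are placeholders from the guide.
Import-Module WebAdministration   # ships with IIS 7.5 on Windows Server 2008 R2

$client    = 'xyz'                 # WebsiteClientName
$domain    = 'abc'                 # NetBIOS name of the AD domain (LocalNetworkName)
$ftpRoot   = Join-Path $env:SystemDrive "inetpub\ftproot\$client"
$siteName  = "ftp.$client.com"
$ipAddress = '192.0.2.10'          # assumption: the website's IP (documentation range)

# With "User name directory" isolation the FTP service resolves start folders as
#   <root>\LocalUser\<user>    local accounts
#   <root>\<domain>\<user>     domain accounts
#   <root>\LocalUser\Public    anonymous sessions
$public  = Join-Path $ftpRoot 'LocalUser\Public'
$folders = @($ftpRoot, (Join-Path $ftpRoot 'LocalUser'), $public, (Join-Path $ftpRoot $domain))
foreach ($f in $folders) {
    if (-not (Test-Path $f)) { New-Item -ItemType Directory -Path $f | Out-Null }
}

# Least privilege for the anonymous identity: Read, inherited by new files and
# folders, on Public only. A recursive grant on $ftpRoot would expose every
# user's files to anonymous sessions through any path that reaches them.
& icacls.exe $public /grant 'IUSR:(OI)(CI)R' /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $public" }

# Create the site (the wizard's "Add FTP Site"), bound to the website's IP on port 21.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-WebFtpSite -Name $siteName -IPAddress $ipAddress -Port 21 -PhysicalPath $ftpRoot | Out-Null
}
$site = "IIS:\Sites\$siteName"

# Authentication: anonymous only for now; Basic is switched on in the next section.
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $true
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $false

# SSL policy as in the wizard ("Allow SSL", no certificate). Once a certificate
# is bound (ftpServer.security.ssl.serverCertHash), change both to 'SslRequire'
# so Basic-authentication passwords never cross the network in clear.
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# Site-level authorization rule: anonymous users ("?" in FTP authorization), Read only.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; users = '?'; permissions = 'Read' }

# Show what was written so the rule and the physical path can be checked.
Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' -PSPath 'IIS:\' -Location $siteName |
    Select-Object accessType, users, permissions
```

Run it elevated on the web server after the user account exists. The only difference from the GUI walk-through is the scope of the icacls grant, which is narrowed to the Public folder.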

Adding administrator access to the FTP site

  1. In the IIS Manager, click the FTP site you created, then double-click FTP Authentication in the main window.
  2. When the FTP Authentication page opens, highlight Basic Authentication and then click Enable in the Actions pane.
  3. In the IIS Manager, again click the FTP site to re-display all FTP features.
  4. To enable the administrator to log in, double-click FTP Authorization Rules to open this page.
  5. When this page opens, click Add Allow Rule in the Actions pane.
  6. When the Add Allow Authorization Rule box displays,
    1. Select Specified users, then type “administrator” in the box. This is the built-in Administrator account logging in with Basic authentication; a dedicated account with only the rights the site needs is the safer choice, particularly while SSL is not required.
    2. Under Permissions, select both Read and Write.
    3. Click OK.

Adding user using FTP User Isolation configuration

  1. In the IIS Manager, click the FTP site you created.
  2. On the main window, double click the FTP User Isolation.
  3. When this page opens, under Isolate users, choose the User name directory (disable global virtual directories). Click Apply. (To understand what these options mean, see Notes at the bottom.)
  4. Click to expand your FTP site.
  5. Depending on your user type,
    1. If the user is a domain user, right-click the “abc” (domain name) folder, then click Add Virtual Directory.
    2. If the user is a local user, right-click the “LocalUser” folder, then click Add Virtual Directory.
  6. When this page appears,
    1. Enter the user's username in the Alias box (e.g., ftpguest). The alias must match the account name exactly, because that is how the service finds the user's start folder;
    2. On Physical Path, navigate to a sub-folder you created specifically for this user. Pointing the virtual directory at the FTP root of the website (e.g., c:\inetpub\ftproot\xyz) works, but it gives that user every file under the root, including the other users' folders and Public, so use it only when that is intended;
    3. If for the website admin, navigate to the root of your website (e.g., c:\inetpub\wwwroot);
    4. Click OK when finished.
  7. Click on the newly created virtual folder, then click FTP Authorization Rules in the main window.
  8. When this page appears,
    1. Remove all users, especially “Anonymous”. The rules shown here are inherited from the site, so without this step the site-level anonymous Read rule also applies inside the user's folder. Do this by clicking on the users in the main window, then clicking Remove in the Actions pane;
    2. Click Add Allow Rule in the Actions pane;
    3. Choose Specified users, then enter the user's username (e.g., ftpguest);
    4. Under Permissions, check Read and/or Write, depending on the permission you will grant this user.
    5. Click OK when finished.
  9. Depending on the user type:
    1. If it is a domain user, proceed to the next step.
    2. If it is a local user, you need to add NTFS folder permissions for this user:
      1. Click the newly created virtual folder, then click Edit Permissions in the Actions pane;
      2. On the Permissions window, click the Security tab, then click Edit;
      3. Click Add;
      4. Under Enter the object…, type the username as “ServerName\username” (e.g., xyzWebServer\ftpguest), then click Check Names to validate the username;
      5. Click OK.
      6. Choose appropriate permissions: Read & Execute for a download-only user; for the administrator account, or any user allowed to upload, also check the “Modify” option. (For further info on NTFS folder permissions, see Notes below.)
      7. When finished, click Apply, then click OK.
  10. Test your new FTP connection. Log in as the user and confirm that the listing shows only that user's folder and that “cd ..” cannot leave it; then log in anonymously and confirm that only the files in the Public folder are visible.
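
The administrator access section and the user isolation section above as one script, added here as an example (not part of the original guide). “ftp.xyz.com”, “ftpguest” and the paths are the guide's placeholders; the user is given a folder of its own under LocalUser rather than the whole FTP root, and the script ends with a check that the anonymous account cannot reach the user's folder. Clear-WebConfiguration is used here on the assumption that it writes a clear element at the user's location; the appcmd listing that follows is there to confirm that before a login is tested.

```powershell
# Added example (not part of the original guide): enable Basic authentication and
# the administrator rule, switch the site to "User name directory" isolation,
# create the per-user virtual directory with its own authorization rules, grant
# the user NTFS rights, and test anonymous access. Names are placeholders.
Import-Module WebAdministration
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

$siteName = 'ftp.xyz.com'
$site     = "IIS:\Sites\$siteName"
$ftpRoot  = Join-Path $env:SystemDrive 'inetpub\ftproot\xyz'
$userName = 'ftpguest'                                # local account from the first section
$userHome = Join-Path $ftpRoot "LocalUser\$userName"  # domain users: "<domain>\<user>" instead
$userPerm = 'Read,Write'                              # or 'Read' for a download-only user

# Administrator access: Basic authentication on the site, Read/Write for the
# administrator account. Basic credentials travel in clear unless the SSL policy
# is SslRequire with a certificate bound.
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; users = 'administrator'; permissions = 'Read,Write' }

# Isolation mode "User name directory (disable global virtual directories)".
# Schema values: None, StartInUsersDirectory, IsolateAllDirectories,
# IsolateRootDirectoryOnly, ActiveDirectory.
Set-ItemProperty $site -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'

# Per-user virtual directory under LocalUser, named exactly like the account.
if (-not (Test-Path $userHome)) { New-Item -ItemType Directory -Path $userHome | Out-Null }
& $appcmd add vdir /app.name:"$siteName/" /path:"/LocalUser/$userName" /physicalPath:"$userHome" | Out-Null

# Authorization at the user's location: drop the inherited site rules (assumed
# to produce a <clear /> here, so the anonymous Read rule no longer applies),
# then allow only this user.
$userLocation = "$siteName/LocalUser/$userName"
Clear-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $userLocation
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $userLocation `
    -Value @{ accessType = 'Allow'; users = $userName; permissions = $userPerm }

# NTFS: Modify for users who upload, Read & Execute (which includes list) otherwise.
$ntfs = if ($userPerm -match 'Write') { 'M' } else { 'RX' }
& icacls.exe $userHome /grant "$env:COMPUTERNAME\${userName}:(OI)(CI)$ntfs" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $userHome" }

# Effective rules at the user's location: expect the clear and a single Allow entry.
& $appcmd list config $userLocation /section:system.ftpServer/security/authorization

# Test helper: list a directory over FTP, returning the listing on success or the
# server's status line on failure (a 550 means the path is not reachable).
function Test-FtpList {
    param([string]$Uri, [System.Net.NetworkCredential]$Credential)
    $req = [System.Net.FtpWebRequest]::Create($Uri)
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.Credentials = $Credential
    $req.UsePassive  = $true
    try {
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $out = $reader.ReadToEnd(); $reader.Close(); $resp.Close()
        return $out
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return $_.Exception.Response.StatusDescription }
        return $_.Exception.Message
    }
}

# Anonymous sessions start in LocalUser\Public and cannot see above it, so the
# user's folder does not exist from their point of view: expect a listing for
# the first call and a 550 for the second.
$anon = New-Object System.Net.NetworkCredential('anonymous', 'test@example.com')
Test-FtpList "ftp://$siteName/" $anon
Test-FtpList "ftp://$siteName/LocalUser/$userName/" $anon
```

Run it elevated on the web server; for a domain user replace the LocalUser segment of $userHome, the vdir path and the location with the NetBIOS domain name and skip the icacls line, as the guide does. A login as ftpguest with the same helper should list only the contents of the user's own folder.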

Notes:

  1. The five FTP User Isolation options are defined as:
    • Do not isolate users. Start users in:
      • FTP root directory
        • This option specifies that all FTP sessions will start in the root directory for the FTP site.
        • Note: This option is new in this FTP server, and simply disables all user isolation or starting-folder logic.
      • User name directory
        • This option specifies that all FTP sessions will start in the physical or virtual directory with the same name as the currently logged-on user if the folder exists; otherwise, the FTP session will start in the root directory for the FTP site. Users are not confined to that folder and can navigate up the tree.
        • Note: This option is the same as choosing no user isolation in the IIS 6.0 FTP server. For additional information about using this option, see the “Do Not Isolate Users Mode” section in the Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0) topic.
    • Isolate users. Restrict users to the following directory:
      • User name directory (disable global virtual directories)
        • This option specifies that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical or virtual directory tree. Any global virtual directories that are created will be ignored. This is the mode used in this guide.
        • Note: This option is new in this FTP server.
      • User name physical directory (enable global virtual directories)
        • This option specifies that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical directory tree. Any global virtual directories that are created will apply to all users.
        • Note: This option is the same as choosing user isolation in the IIS 6.0 FTP server.
      • FTP home directory configured in Active Directory
        • This option specifies that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings for each FTP user.
        • Note: This option is the same as choosing Active Directory user isolation in the IIS 6.0 FTP server. For additional information about using this option, see the “Isolate Users Using Active Directory Mode” section in the Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0) topic.
  2. NTFS Folder Permissions
    • Full Control – This is meant for administrators and system users; never use this for an FTP user, since it also lets the user change the folder's permissions.
    • Modify – Checking this box automatically grants all the permissions needed for read and write access (read, list, write, delete).
    • Read & Execute – Read access with the ability to execute programs; checking it also selects List folder contents and Read.
    • List folder contents – Ability to list the contents of folders.
    • Read – Simple read access to files only; remember to check List folder contents as well for read access to a folder.
    • Write – Ability to upload files and create folders.
    • Special Permissions – Never used for FTP users; these are custom permissions.

Resources:

  1. Creating a new FTP site in IIS 7 – http://www.iis.net/learn/publish/using-the-ftp-service/creating-a-new-ftp-site-in-iis-7
  2. Configuring FTP User Isolation in IIS 7 – http://www.iis.net/learn/publish/using-the-ftp-service/configuring-ftp-user-isolation-in-iis-7#002
  3. Gearhost's versions – http://support.gearhost.com/KB/a546/create-a-ftp-site-on-your-cloudserver.aspx and https://support.gearhost.com/KB/a382/add-ftp-user-to-ftp-7-windows-2008.aspx
  4. Using Process Monitor to identify the specific folders used by IIS – http://www.iislogs.com/steveschofield/530-user-cannot-log-in-home-directory-inaccessible-ftp-7-0-user-isolation-and-process-monitor