15th October 2007

How To Configure FTP User Isolation in IIS 5.0


In this tutorial we are going to look at how to create an FTP site which enforces ‘User Isolation’ in IIS 5.0.

User Isolation is implemented as an option in the FTP service in IIS 6.0 when you create a new FTP site, and it allows you to host multiple FTP sites on one server. It is particularly useful in an ISP shared server hosting situation, as it prevents users from accessing or even viewing other users’ folders on the server. The FTP user’s top-level folder appears as the root of the FTP site.

Implementing user isolation in IIS 5.0 is possible, but it requires the server administrator to do some additional configuration in order to set it up both successfully and securely.

For this tutorial I will be using Windows 2000 Server with SP4 and the post-SP4 Rollup installed. As this tutorial is aimed at an ISP shared server hosting solution, we will not be allowing anonymous FTP access.

First we create a local FTP Users group, into which we will place all of our FTP users. Authenticated FTP users in IIS 5.0 require the Log On Locally user right and it is much simpler to group all the users together and grant the relevant user rights to the group rather than to individual users. Create a new user group called FTP Users as shown here.

Fig.1

Next we need to create a few FTP users in order to test the user isolation we want to achieve. In Computer Management, create two user accounts, ftpuser1 and ftpuser2, as shown here.

Fig.2

Add the user accounts to the FTP Users group we created earlier and remove them from the built-in Windows Users group, as shown here.

Fig.3

In our example the user account ftpuser1 is now a member only of the FTP Users group.

Fig.4

Next we need to grant the Log on locally right to the FTP Users group. In Administrative Tools, click Local Security Policy, then navigate to Local Policies, User Rights Assignment and open the properties of Log on locally. Click Add and select the FTP Users group.

Fig.5
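The steps on this page can also be scripted from the command line. The batch file below is an added example, not part of the original tutorial; it assumes an administrator command prompt and that ntrights.exe from the Windows 2000 Resource Kit is on the PATH, and it prompts for each password rather than storing one.

```batch
@echo off
rem Added example: command-line equivalent of the GUI steps above.
rem Assumes an administrator prompt and ntrights.exe (Windows 2000
rem Resource Kit) on the PATH.
setlocal
set FTPGROUP=FTP Users

rem Create the local group that will hold every FTP account.
net localgroup "%FTPGROUP%" /add
if errorlevel 1 echo Group was not created, it may already exist.

rem Create the two test accounts and fix their group membership.
for %%U in (ftpuser1 ftpuser2) do call :provision %%U

rem Grant "Log on locally" to the group, not to individual users.
ntrights +r SeInteractiveLogonRight -u "%FTPGROUP%"

rem Check: each account should list FTP Users and nothing else.
for %%U in (ftpuser1 ftpuser2) do net user %%U | find "Local Group Memberships"
goto :eof

:provision
rem The * makes net user prompt for the password, keeping it out of the script.
net user %1 * /add
if errorlevel 1 goto :eof
net localgroup "%FTPGROUP%" %1 /add
rem New local accounts join the built-in Users group automatically; remove them.
net localgroup Users %1 /delete
goto :eof
```

If the final check shows Users next to an account, the removal failed and that account still holds whatever permissions are granted to the built-in group.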

Pages: 1 2 3

This entry was posted on Monday, October 15th, 2007 at 12:32 pm and is filed under IIS 5.0.

There are currently 5 responses to “How To Configure FTP User Isolation in IIS 5.0”


  1. 1 On November 12th, 2008, newbie said:

    Can you at least complete the tutorial??

    How can I add a new group?? By saying abrakadabra??

  2. 2 On November 12th, 2008, Paul Lynch said:

    @newbie,

    You don’t need to say ‘abrakadabra’ or anything else in fact – you simply need to read pages 2 and 3 of the article. The links to the 2nd and 3rd pages are at the bottom of the first page.

    Regards,

    Paul Lynch

  3. 3 On December 19th, 2008, Nick Tan said:

    Thanks for the help! I managed to create a secure FTP server for my w2k machine. However, when using the FileZilla FTP client, I found out that if I navigate out of my virtual directory folder (for example, ftpuser1’s folder), I am not able to navigate back. I will be stuck at the ‘ftp content’ folder. I need to disconnect and reconnect to the FTP server, which will again bring me to the default virtual directory.

  4. 4 On March 21st, 2010, Paul said:

    Thanks for this. I have followed your instructions and it works beautifully when accessed from Windows Explorer and from the command prompt; however, when accessing our FTP site remotely via a web browser it still defaults to the root. Am I missing something?

  5. 5 On March 22nd, 2010, Paul Lynch said:

    @Paul,

    This is probably due to a change in the way Internet Explorer works which was introduced in IE7:

    You cannot log on to an FTP site or you are redirected to the root folder of the FTP site in Internet Explorer 7
    http://support.microsoft.com/Default.aspx?kbid=941896

    I would suggest using a ‘proper’ FTP client instead wherever possible.

    Regards,

    Paul Lynch
