15th October 2007

How To Configure FTP User Isolation in IIS 5.0


Now that we have created the FTP user accounts and assigned the necessary rights to them we are going to create the actual physical folders for our FTP site. To achieve our aim of FTP user isolation we are going to create two main folders which our FTP site will use – the FTP Root and the FTP Content folders. Start by creating a folder called FTP Root which will be used as the root of our FTP site and then create a folder called FTP Content which will be used as the placeholder for the users’ directories.

Effective FTP User Isolation in IIS 5.0 is achieved by enforcing strict NTFS permissions which prevent users from either seeing or navigating to other users’ content folders.

First we need to secure the root folder of the FTP site to prevent unwanted or unauthorized uploads. However, the root folder does still need to be accessible to the FTP Users group so we also apply the minimum permission required to that particular group.

Right-click the FTP Root folder, click Properties and then click the Security tab. Untick the ‘Allow Inheritable permissions from parent…’ check-box and then click Copy when you see the Security dialog box shown here:

Fig.6

Then click Add and select the System account and the Administrators and FTP Users groups. Click OK. Next, select the Everyone group and click Remove, then grant the System account and the Administrators group the Full Control permission. Click Apply. Finally, select the FTP Users group and grant only the Allow List Folder Contents and the Deny Write permissions, as shown here:

Fig.7

Click Yes when you see the Security warning dialog box, then click OK.

Fig.8

So now we have created a ‘locked-down’ folder with minimal permissions which will serve as the root of our FTP site. Next we need to apply the appropriate NTFS permissions to the FTP Content folder we created earlier which will actually enforce the ‘user isolation’ we want to achieve.

Follow the steps we completed previously to secure the FTP Root folder but this time only grant permissions to the Local System account and Administrators group; don’t grant any permissions on this folder to the FTP Users group.

You should now have an FTP Content folder which has the Full Control NTFS permission granted to just the Local System account and Administrators group, as shown here:

Fig.9
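A scripted check of the end state reached so far, added here as an example and not part of the original article: it reads the ACL of both folders and reports anything that departs from the permissions described above. The folder paths are assumptions, as is running on a Windows version that includes PowerShell (Windows 2000 itself does not).

```powershell
# Added example: audit the FTP Root / FTP Content ACLs described in the article.
# Assumptions (not from the article): the folder paths, and a host with PowerShell.
$RootPath    = 'C:\FTP Root'      # assumed location
$ContentPath = 'C:\FTP Content'   # assumed location
$FtpGroup    = 'FTP Users'        # local group named in the article

$Fsr     = [System.Security.AccessControl.FileSystemRights]
$SidT    = [System.Security.Principal.SecurityIdentifier]
$Full    = [int]($Fsr::FullControl)
$Write   = [int]($Fsr::Write)
$List    = [int]($Fsr::ReadAndExecute)   # what the GUI calls List Folder Contents
$Trusted = 'S-1-5-18', 'S-1-5-32-544'    # well-known SIDs: Local System, Administrators
$GroupSid = (New-Object System.Security.Principal.NTAccount($FtpGroup)).Translate($SidT).Value  # throws if the group is missing

function Test-Rights([int]$Have, [int]$Want) { ($Have -band $Want) -eq $Want }

function Get-FtpAclFinding {
    param([string]$Path, [bool]$GroupMayList)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @(); $hasFull = @{}; $canList = $false; $denyWrite = $false

    # The 'Allow inheritable permissions from parent' box must be unticked.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'inheritance from parent is still on' }

    foreach ($ace in $acl.GetAccessRules($true, $true, $SidT)) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        $allow  = $ace.AccessControlType -eq 'Allow'
        if ($Trusted -contains $sid) {
            if ($allow -and (Test-Rights $rights $Full)) { $hasFull[$sid] = $true }
        } elseif ($GroupMayList -and $sid -eq $GroupSid) {
            if (-not $allow) {
                if (Test-Rights $rights $Write) { $denyWrite = $true }
            } elseif ($rights -band $Write) {
                $findings += "$FtpGroup is allowed write rights"
            } elseif (Test-Rights $rights $List) { $canList = $true }
        } else {
            # Everyone (S-1-1-0), FTP Users on the content folder, or anything else.
            $findings += "unexpected entry: $sid $($ace.AccessControlType) $($ace.FileSystemRights)"
        }
    }
    foreach ($sid in $Trusted) { if (-not $hasFull[$sid]) { $findings += "$sid lacks Full Control" } }
    if ($GroupMayList -and -not $canList)   { $findings += "$FtpGroup lacks List Folder Contents" }
    if ($GroupMayList -and -not $denyWrite) { $findings += "$FtpGroup has no Deny Write entry" }
    $findings
}

'FTP Root:';    Get-FtpAclFinding -Path $RootPath    -GroupMayList $true
'FTP Content:'; Get-FtpAclFinding -Path $ContentPath -GroupMayList $false
```

A folder that matches the article prints nothing under its heading; each printed line is one departure from the described permissions, including entries left over from the Copy step that the article does not mention.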

Now we need to create the FTP users’ individual folders and grant the appropriate NTFS permissions on them. Under the FTP Content folder create two sub-directories named ‘ftpuser1’ and ‘ftpuser2’.

Fig.10

Pages: 1 2 3

This entry was posted on Monday, October 15th, 2007 at 12:32 pm and is filed under IIS 5.0.

There are currently 5 responses to “How To Configure FTP User Isolation in IIS 5.0”


  1. On November 12th, 2008, newbie said:

    Can you at least complete the tutorial??

    How can I add a new group?? By saying abrakadabra??

  2. On November 12th, 2008, Paul Lynch said:

    @newbie,

    You don’t need to say ‘abrakadabra’ or anything else in fact – you simply need to read pages 2 and 3 of the article. The links to the 2nd and 3rd pages are at the bottom of the first page.

    Regards,

    Paul Lynch

  3. On December 19th, 2008, Nick Tan said:

    Thanks for the help! I managed to create a secure FTP server for my w2k machine. However, when using the FileZilla FTP client, I found out that if I navigate out of my virtual directory folder (for example, ftpuser1’s folder), I am not able to navigate back. I will be stuck at the ‘ftp content’ folder. I need to disconnect and reconnect to the FTP server, which will again bring me to the default virtual directory.

  4. On March 21st, 2010, Paul said:

    Thanks for this. I have followed your instructions and it works beautifully when accessed from Windows Explorer and from the command prompt; however, when accessing our FTP site remotely via a web browser it still defaults to the root. Am I missing something?

  5. On March 22nd, 2010, Paul Lynch said:

    @Paul,

    This is probably due to a change in the way Internet Explorer works which was introduced in IE7:

    You cannot log on to an FTP site or you are redirected to the root folder of the FTP site in Internet Explorer 7
    http://support.microsoft.com/Default.aspx?kbid=941896

    I would suggest using a ‘proper’ FTP client instead wherever possible.

    Regards,

    Paul Lynch
