Configure IIS FTP User Isolation using an IIS Managed User Account


FTP 7.5 has a feature that allows you to create a managed user account without requiring you to add a domain user. This user can be used for FTP access and also allows user isolation among directories. The purpose of this blog is to show you the steps to achieve this with a test user account and a test certificate.


Creating a brand new FTP site

1. Open IIS Manager > right click the Sites root > Add FTP Site

2. In the “Add FTP Site” dialog box, enter the FTP site name and the physical path of the directory. In this example we will call the site “FTP” and the physical path will point to C:\Inetpub\Ftproot (not very creative) > Next

3. In the next screen, assign a static IP address, port number and virtual host name depending on preference. In this case we will leave the default settings and select “Allow SSL”. Note: for production use you will need to request a server authentication certificate from a certification authority.

4. Select Anonymous authentication and set Authorization to allow “All users” access to this FTP directory. Set both Read and Write permissions.

5. Test access to your newly created FTP site using the Windows command-line ftp client or any third-party FTP software. In our example we will be using FileZilla.


Create an IIS managed user and ftp user isolation

6. Create two directories as follows:

  • C:\inetpub\ftproot\LocalUser\rez (the last folder is named after the user that will have access to it)

  • C:\inetpub\adminfiles (this is for administrative access)

7. In IIS Manager, select the web server > click on “Management Service” under the “Management” subheading (if it’s missing, add it via the Management Service role service).

8. Under the Connections group, select an SSL certificate; in my case I am using a self-signed certificate called FTPS. Note: in production, obtain a valid certificate from a certificate authority. Under the Identity Credentials group, select the “Windows credentials or IIS Manager credentials” radio button. You can also specify restrictions under IPv4 Address Restrictions to reject requests from certain machines; we will leave this out for now.

9. Start the Management Service from the Actions pane and you should see the following:

10. Select the server name in IIS Manager again and double click “IIS Manager Users” under the Management group > Add User from the Actions pane and create a new user. In this example we will create a user named “rez”. Make sure this user is enabled.

11. Click on the FTP site and select FTP Authentication > from there click Custom Providers in the Actions pane and add the “IisManagerAuth” custom provider. Make sure it is enabled and disable all other authentication methods.

12. Click on IIS Manager Permissions under the FTP site and make sure your user is allowed. In my example “rez” has been added with “Allow User”. You can also grant this user access to the FTP site under FTP Authorization Rules.

13. Now create a new virtual directory under your FTP site pointing to C:\inetpub\adminfiles

14. Click on “FTP User Isolation” and select “User name directory (disable global virtual directories)”. This restricts users to their own directories only; they will not be able to see virtual directories created at the ftproot level. The result will be the following:
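To script the same procedure, here is an added example that is not the author's script and not part of the original post. It carries out steps 6 to 14 with the WebAdministration module, appcmd.exe and the Microsoft.Web.Management assembly. It assumes the “FTP” site from steps 1 to 5 already exists with physical path C:\inetpub\ftproot, that IIS 7.5 with the FTP Service and Management Service role services is installed, and that the registry value names used for the Management Service settings and the assembly version string are as written; confirm those on your own server before running it from an elevated PowerShell prompt.

```powershell
# Added example (not the author's script): steps 6-14 of the walkthrough as a script.
# Assumes IIS 7.5, the FTP Service and Management Service role services, and an
# existing "FTP" site rooted at C:\inetpub\ftproot. Run elevated.
Import-Module WebAdministration

$siteName = 'FTP'
$ftpRoot  = 'C:\inetpub\ftproot'
$userName = 'rez'
$adminDir = 'C:\inetpub\adminfiles'
$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"
$sitePath = "IIS:\Sites\$siteName"

# Step 6: isolation layout. In the isolate-all-directories mode, local and IIS
# Manager users are confined to LocalUser\<username>; the admin folder lives
# outside the FTP root so isolated users can never reach it.
New-Item -ItemType Directory -Force -Path (Join-Path $ftpRoot "LocalUser\$userName") | Out-Null
New-Item -ItemType Directory -Force -Path $adminDir | Out-Null

# Steps 7-9: allow IIS Manager credentials on the Management Service and start it.
# The registry value names are an assumption; check them against the Management
# Service page in IIS Manager on your box.
$wmsvcKey = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $wmsvcKey -Name EnableRemoteManagement     -Value 1
Set-ItemProperty -Path $wmsvcKey -Name RequiresWindowsCredentials -Value 0   # 0 = Windows or IIS Manager credentials
Start-Service WMSVC

# Step 10: create the IIS Manager user. The account lives in administration.config,
# not in Windows, so it cannot be used to log on to the server itself.
Add-Type -AssemblyName 'Microsoft.Web.Management, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
$password = Read-Host -Prompt "Password for IIS Manager user $userName"
[Microsoft.Web.Management.Server.ManagementAuthentication]::CreateUser($userName, $password) | Out-Null

# Step 11: enable the IisManagerAuth custom provider on the site and switch off
# the other methods, including the anonymous access enabled in step 4.
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $false
& $appcmd set config '-section:system.applicationHost/sites' `
    "/+[name='$siteName'].ftpServer.security.authentication.customAuthentication.providers.[name='IisManagerAuth',enabled='True']" `
    /commit:apphost

# Step 12: IIS Manager permission on the site (what the "IIS Manager Permissions"
# page shows) plus an FTP authorization rule granting read and write.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($userName, $siteName, $false) | Out-Null
& $appcmd set config $siteName '-section:system.ftpServer/security/authorization' `
    "/+[accessType='Allow',users='$userName',permissions='Read, Write']" /commit:apphost

# Step 13: the administrative virtual directory.
New-WebVirtualDirectory -Site $siteName -Name 'adminfiles' -PhysicalPath $adminDir | Out-Null

# Step 14: "User name directory (disable global virtual directories)" is the
# IsolateAllDirectories mode; rez now sees only LocalUser\rez and not adminfiles.
Set-ItemProperty $sitePath -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'
```

The password is read interactively rather than hard-coded so that it does not end up in a script file or shell history; the appcmd calls write to applicationHost.config with /commit:apphost, which is the same place IIS Manager stores these settings.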


As you can see Rest.txt is within this “rez” directory.

So to summarise, we:

1. created a brand new test ftp site

2. created a folder structure to allow administrative access as well as specific directory access to an ftp user

3. created a new IIS managed user account

4. tested user ftp isolation
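A configuration check to run once the steps above are done, as an added example that is not from the original post: it reads back each setting the walkthrough depends on for the “FTP” site and the user “rez” and lists whatever does not match. When a login ends in a 530 reply, one of these items is usually the missing piece. The ManagementAuthentication and ManagementAuthorization calls, and the exact representation Get-WebConfigurationProperty returns for enum attributes, are assumptions to confirm on your system.

```powershell
# Added check, not from the original post. Reads back the settings the
# walkthrough relies on and reports every one that does not match.
Import-Module WebAdministration
Add-Type -AssemblyName 'Microsoft.Web.Management, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'

$siteName   = 'FTP'
$userName   = 'rez'
$siteFilter = "/system.applicationHost/sites/site[@name='$siteName']"
$problems   = New-Object System.Collections.Generic.List[string]

function Get-FtpProp([string]$relativeFilter, [string]$name) {
    # Helper: read one attribute under the site's ftpServer element as a string.
    # Assumes the cmdlet returns either the raw value or a wrapper with a .Value member.
    $p = Get-WebConfigurationProperty -Filter "$siteFilter/ftpServer/$relativeFilter" -Name $name
    if ($null -eq $p) { return $null }
    if ($p.PSObject.Properties['Value']) { return [string]$p.Value }
    return [string]$p
}

# 1. Isolation mode, and the LocalUser\<name> folder that mode expects
$mode = Get-FtpProp 'userIsolation' 'mode'
if ($mode -ne 'IsolateAllDirectories') {
    $problems.Add("userIsolation.mode is '$mode', expected IsolateAllDirectories")
}
$root    = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$siteName").physicalPath)
$userDir = Join-Path $root "LocalUser\$userName"
if (-not (Test-Path $userDir)) { $problems.Add("isolation folder missing: $userDir") }

# 2. Authentication: only the IisManagerAuth provider should be enabled
if ((Get-FtpProp 'security/authentication/anonymousAuthentication' 'enabled') -eq 'True') {
    $problems.Add('anonymous authentication is still enabled')
}
if ((Get-FtpProp 'security/authentication/basicAuthentication' 'enabled') -eq 'True') {
    $problems.Add('basic authentication is still enabled')
}
$providers = Get-WebConfiguration -Filter "$siteFilter/ftpServer/security/authentication/customAuthentication/providers/add"
$mgr = $providers | Where-Object { $_.name -eq 'IisManagerAuth' }
if (-not $mgr) { $problems.Add('IisManagerAuth provider is not added to the site') }
elseif (-not [bool]$mgr.enabled) { $problems.Add('IisManagerAuth provider is added but disabled') }

# 3. The IIS Manager user exists and is enabled (step 10)
$user = [Microsoft.Web.Management.Server.ManagementAuthentication]::GetUser($userName)
if ($null -eq $user) { $problems.Add("IIS Manager user '$userName' does not exist") }
elseif (-not $user.Enabled) { $problems.Add("IIS Manager user '$userName' is disabled") }

# 4. IIS Manager permission on the site (step 12, "IIS Manager Permissions" page)
$granted = [Microsoft.Web.Management.Server.ManagementAuthorization]::GetAuthorizedUsers($siteName, $false, 0, [int]::MaxValue) |
    Where-Object { $_.Name -eq $userName }
if (-not $granted) { $problems.Add("'$userName' has no IIS Manager permission on site '$siteName'") }

# 5. An FTP authorization rule that allows the user, either by name or via '*'
$rules = Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' -PSPath "IIS:\Sites\$siteName"
$allow = $rules | Where-Object {
    ('Allow' -eq $_.accessType) -and
    ($_.users -eq '*' -or (($_.users -split ',' | ForEach-Object { $_.Trim() }) -contains $userName))
}
if (-not $allow) { $problems.Add("no FTP authorization rule allows '$userName'") }

if ($problems.Count -eq 0) { Write-Host "All checks passed for '$userName' on site '$siteName'" }
else { $problems | ForEach-Object { Write-Host "PROBLEM: $_" } }
```

Running this after each configuration step is a cheap way to tell a missing provider, a disabled user or an absent authorization rule apart, since the FTP server reports all of them to the client with the same generic 530 response.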

Hope that helps.


Rezwan Rahman

Comments (1)

Raen says:

    Hi,

    I tried to follow your tutorial, but encountered a problem. In "authentication", there is no "IIS AuthMan" under custom. There is only "IisManagerAuth" and "AspNetAuth". Whatever I try here, when I try to connect to the FTP with the manager account, I always get "530 User cannot log in". The log says "An error occured during the authentication process". Help?

