Configuring FTP 7.5 User Isolation

  • Author: Robert McMurray
  • Published on January 15, 2008 by iisteam
  • Updated on December 08, 2009 by iisteam
  • Tags: FTP

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document will walk you through the various FTP user isolation settings using the new FTP user interface and by directly editing the IIS configuration files.

Note: This walk-through contains a series of steps where you will be logging in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.

Prerequisites

The following items are required to complete the procedures in this article:

  1. IIS 7 must be installed on your Windows Server 2008 RC0 server, and the Internet Information Services Manager must be installed.
  2. The new FTP service must be installed. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:
  3. You will need to create a root folder for FTP publishing:
    • Create a folder at "%SystemDrive%\inetpub\ftproot"
    • Set the permissions to allow anonymous access:
      • Open a command prompt.
      • Type the following command:
        ICACLS "%SystemDrive%\inetpub\ftproot" /grant IUSR:R /T
      • Close the command prompt.
  4. You will need to create additional content folders:
    • Create a folder at "%SystemDrive%\inetpub\ftproot\LocalUser\Public"
    • Create a folder at "%SystemDrive%\inetpub\adminfiles"

Using the FTP Site Wizard to Create an FTP site

In this first section we will create a new FTP site that can be opened for Read-only access by anonymous users and Read/Write access by the administrator account.
  1. In IIS Manager, in the Connections pane, click the Sites node in the tree.
  2. As shown in the image below, right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
  3. When the Add FTP Site wizard appears:
    • Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths.
    • When you have completed these items, click Next.
  4. On the next page of the wizard:
    • You would normally choose an IP address for your FTP site from the IP Address drop-down, or you could choose to accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, you want to make sure that you restrict access to the server and enter the local loopback IP address for your computer by typing "127.0.0.1" in the IP Address box.
    • You would normally enter the TCP/IP port for the FTP site in the Port box. For this walk-through, you will choose to accept the default port of 21.
    • For this walk-through, you will not use a host name, so make sure that the Virtual Host box is blank.
    • Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
    • When you have completed these items, click Next.
  5. On the next page of the wizard:
    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down, and select Read for the Permissions option.
    • When you have completed these items, click Finish.
  6. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  7. We need to add Basic Authentication so that users can log in. To do so, double-click the FTP Authentication icon to open the FTP authentication feature page.
  8. When the FTP Authentication page is displayed, highlight Basic Authentication and then click Enable in the Actions pane.
  9. In IIS Manager, click the node for the FTP site to re-display the icons for all of the FTP features.
  10. We need to add an authorization rule so that the administrator can log in. To do so, double-click the FTP Authorization Rules icon to open the FTP authorization rules feature page.
  11. When the FTP Authorization Rules page is displayed, click Add Allow Rule in the Actions pane.
  12. When the Add Allow Authorization Rule dialog box is displayed
    • Select Specified users, then type "administrator" in the box.
    • For Permissions, select both Read and Write.
    • When you have completed these items, click OK.

Summary

To recap the items that you completed in this section:

  1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".
  2. You bound the FTP site to the local loopback address for your computer on port 21, and you chose not to use Secure Sockets Layer (SSL) for the FTP site.
  3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.
  4. You added an authorization rule that allows the administrator account both "Read" and "Write" permissions for the FTP site.
  5. You added Basic Authentication to the FTP site.

Examining the New FTP User Isolation Settings

  1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
  3. When the FTP User Isolation feature page is displayed, notice that you have five different options available. These five options are defined as:
    • Do not isolate users. Start users in:
      • FTP root directory
        • This option specifies that all FTP sessions will start in the root directory for the FTP site.
        • Note: This option is new in this FTP server, and simply disables all user isolation or starting folder logic.
      • User name directory
        • This option specifies that all FTP sessions will start in the physical or virtual directory with the same name as the currently logged-on user if that folder exists; otherwise, the FTP session will start in the root directory for the FTP site.
        • Note: This option is the same as choosing no user isolation in the IIS 6.0 FTP server. For additional information about using this option, see the "Do Not Isolate Users Mode" section in the Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0) topic.
    • Isolate users. Restrict users to the following directory:
      • User name directory (disable global virtual directories)
        • This option specifies that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical or virtual directory tree. Any global virtual directories that are created will be ignored.
        • Note: This option is new in this FTP server.
      • User name physical directory (enable global virtual directories)
        • This option specifies that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the physical directory tree. Any global virtual directories that are created will apply to all users.
        • Note: This option is the same as choosing user isolation in the IIS 6.0 FTP server.
      • FTP home directory configured in Active Directory
        • This option specifies that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings for each FTP user.
        • Note: This option is the same as choosing Active Directory user isolation in the IIS 6.0 FTP server. For additional information about using this option, see the "Isolate Users Using Active Directory Mode" section in the Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0) topic.

Configuring User Isolation Settings by Physical Directories

When isolating users by physical directories only, all FTP user sessions are restricted to the physical directory with the same name as the FTP user account. However, any global virtual directories that are created will apply to all users.

  1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
  3. When the FTP User Isolation feature page is displayed, select the User name physical directory (enable global virtual directories) option, then click Apply in the Actions pane.

Logging in to your FTP site

You can now log in to your FTP site using user isolation, but the following information applies:

  1. If you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you created in the Prerequisites section.
  2. If you attempt to log in to your FTP site using the administrator account, your logon request will be denied because the administrator account does not have a home directory defined. To allow the administrator account to log in, you need to create a home directory for it at "%SystemDrive%\inetpub\ftproot\LocalUser\Administrator". Once that folder exists, logging in with the administrator account restricts your session to the "LocalUser\Administrator" folder that you just created.

Summary

To recap the items that you completed in this step, you configured FTP user isolation using the User name physical directory (enable global virtual directories) option. When using this mode of user isolation, all FTP user sessions are restricted to the physical directory with the same name as the FTP user account, and any global virtual directories that are created will apply to all users.

To create home directories for each user, you first need to create a physical directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, you need to create a physical directory for each user account that will access your FTP site. The following table lists the home directory syntax for the authentication providers that ship with the FTP service:

  User Account Types                           Physical Home Directory Syntax
  -------------------------------------------  ----------------------------------
  Anonymous users                              %FtpRoot%\LocalUser\Public
  Local Windows user accounts                  %FtpRoot%\LocalUser\%UserName%
  (requires basic authentication)
  Windows domain accounts                      %FtpRoot%\%UserDomain%\%UserName%
  (requires basic authentication)
  IIS Manager or ASP.NET custom                %FtpRoot%\LocalUser\%UserName%
  authentication user accounts

(Note: In the above table, %FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot.)

Important Note: Global virtual directories are enabled; all virtual directories that are configured at the root-level of your FTP site can be accessed by all FTP users, provided that they have sufficient permissions.

Configuring User Isolation Settings for All Directories

When isolating users for all directories, all FTP user sessions are restricted to the physical or virtual directory with the same name as the FTP user account. In addition, all global virtual directories that are created will be ignored. In this step you will configure user isolation for all directories, and add a virtual directory for the administrator user.

  1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
  3. When the FTP User Isolation feature page is displayed, select the User name directory (disable global virtual directories) option, then click Apply in the Actions pane.
  4. Expand the tree node for your FTP site, then right-click the LocalUser folder and click Add Virtual Directory. (Note: In this example the "LocalUser" folder is a physical directory, but a virtual directory could also have been used.)
  5. When the Add Virtual Directory dialog box appears:
    • Enter "administrator" for the Alias.
    • Enter "%SystemDrive%\inetpub\adminfiles" for the Physical path.
    • When you have completed these items, click OK.

Logging in to your FTP site

You can now log in to your FTP site using user isolation, but the following information applies:

  1. As with Step 3, if you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you created in the Prerequisites section.
  2. If you log in to your FTP site using the administrator account, your session will be restricted to the "/LocalUser/administrator" virtual directory that you just created.

Summary

To recap the items that you completed in this step, you configured FTP user isolation using the User name directory (disable global virtual directories) option. When using this mode of user isolation, all FTP user sessions are restricted to the virtual or physical directory with the same name as the FTP user account, and any global virtual directories that are created will be ignored.

To create home directories for each user, you first need to create a virtual or physical directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, you need to create a virtual or physical directory for each user account that will access your FTP site. The following table lists the home directory syntax for the authentication providers that ship with the FTP service:

  User Account Types                           Physical Home Directory Syntax
  -------------------------------------------  ----------------------------------
  Anonymous users                              %FtpRoot%\LocalUser\Public
  Local Windows user accounts                  %FtpRoot%\LocalUser\%UserName%
  (requires basic authentication)
  Windows domain accounts                      %FtpRoot%\%UserDomain%\%UserName%
  (requires basic authentication)
  IIS Manager or ASP.NET custom                %FtpRoot%\LocalUser\%UserName%
  authentication user accounts

(Note: In the above table, %FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot.)

Global virtual directories are ignored; all virtual directories that are configured at the root-level of your FTP site cannot be accessed by any FTP users. All virtual directories must be explicitly defined under a user's physical or virtual home directory path.
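The start-directory rules from the sections above (the two "start users in" options and the two isolation modes, with the home-directory table applied to each account type), worked through as an added Python model; it is not part of the original article and not the FTP service's own code. Assumptions: the mode strings are the values I understand the userIsolation element in applicationHost.config to accept (the article only shows the UI labels), the "/shared" virtual directory and the user names are constructed, and the Active Directory mode is not modelled.

```python
"""Constructed model of how the FTP 7.5 User Isolation options choose a
session's start directory and which virtual directories stay reachable."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed applicationHost.config mode names for the UI options in the article:
#   "None"                     -> Do not isolate users, start in FTP root directory
#   "StartInUsersDirectory"    -> Do not isolate users, start in user name directory
#   "IsolateAllDirectories"    -> User name directory (disable global virtual directories)
#   "IsolateRootDirectoryOnly" -> User name physical directory (enable global virtual directories)
DENIED = "530 User cannot log in, home directory inaccessible."


class LoginDenied(Exception):
    """Raised when isolation is on and the user's home directory is missing."""


@dataclass
class Session:
    start: str                    # virtual path the session starts in
    restricted_to: Optional[str]  # None when the user may still browse up to "/"
    reachable_vdirs: List[str]    # virtual directories this session can list


def home_dir(account_type: str, user: str, domain: str = "") -> str:
    """Home-directory syntax from the article's table, as a virtual path."""
    if account_type == "anonymous":
        return "/LocalUser/Public"
    if account_type == "domain":
        return f"/{domain}/{user}"
    # local Windows, IIS Manager and ASP.NET custom accounts all sit under LocalUser
    return f"/LocalUser/{user}"


def start_directory(mode: str, account_type: str, user: str, ftp_root: str,
                    physical_dirs: Set[str], virtual_dirs: Dict[str, str],
                    domain: str = "") -> Session:
    """physical_dirs: folders present on disk; virtual_dirs: vpath -> physical path.
    Name matching is case-insensitive, as on an NTFS volume."""
    home = home_dir(account_type, user, domain)
    phys_home = ftp_root + home.replace("/", "\\")
    phys_exists = phys_home.lower() in {p.lower() for p in physical_dirs}
    virt_exists = home.lower() in {v.lower() for v in virtual_dirs}
    # global (root-level) vdirs versus vdirs defined beneath the user's own home
    global_vdirs = [v for v in virtual_dirs if v.count("/") == 1]
    own_vdirs = [v for v in virtual_dirs if v.lower().startswith(home.lower() + "/")]

    if mode == "None":
        return Session("/", None, list(virtual_dirs))
    if mode == "StartInUsersDirectory":
        # start in the user's folder if it exists (physical or virtual), else the root
        return Session(home if (phys_exists or virt_exists) else "/", None, list(virtual_dirs))
    if mode == "IsolateRootDirectoryOnly":
        if not phys_exists:          # a virtual home is not accepted in this mode
            raise LoginDenied(DENIED)
        return Session(home, home, global_vdirs + own_vdirs)
    if mode == "IsolateAllDirectories":
        if not (phys_exists or virt_exists):
            raise LoginDenied(DENIED)
        return Session(home, home, own_vdirs)   # global vdirs are ignored
    raise ValueError(f"unsupported mode {mode!r} (Active Directory mode not modelled)")


def login_result(*args, **kwargs) -> str:
    """Start path on success, otherwise the 530 reply the article's walk-through describes."""
    try:
        return start_directory(*args, **kwargs).start
    except LoginDenied as exc:
        return str(exc)


# Constructed layout: the Prerequisites folders plus the adminfiles vdir and a made-up /shared.
FTP_ROOT = r"C:\inetpub\ftproot"
PHYSICAL = {FTP_ROOT, FTP_ROOT + r"\LocalUser", FTP_ROOT + r"\LocalUser\Public",
            r"C:\inetpub\adminfiles"}
VDIRS = {"/LocalUser/administrator": r"C:\inetpub\adminfiles", "/shared": r"D:\shared"}

if __name__ == "__main__":
    for mode in ("IsolateRootDirectoryOnly", "IsolateAllDirectories"):
        print(mode, "anonymous ->", login_result(mode, "anonymous", "", FTP_ROOT, PHYSICAL, VDIRS))
        print(mode, "administrator ->", login_result(mode, "local", "administrator", FTP_ROOT, PHYSICAL, VDIRS))
```

Running it shows the article's two outcomes side by side: the administrator is refused in physical-directory mode until a real LocalUser\Administrator folder exists, but is accepted into the /LocalUser/administrator virtual directory in all-directories mode.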

Comments

I'm just curious, but creating the directories for ftp isn't necessary if you already have a website created on the server, right? Or is there a way to ftp to one directory and host the website in another?

Jul 25 2008 by monkeyhouse

You are correct - if you are deploying an integrated HTTP and FTP site then it is not necessary to create the folders. In fact, using User Isolation on an integrated HTTP/FTP site would more than likely be counter-productive because the directory hierarchy for your users would now be hosted over HTTP. Where User Isolation is most useful is when you only want to deploy a single FTP site and you have a series of web sites (or other file locations) that users need unique access to; User Isolation ensures that each user can access their files and remain isolated from other users’ files.

Jul 25 2008 by robmcm

when setting up user isolation such as "User name directory (disable global virtual directories)", i need to create virtual directories using unc paths to shares on the network. to do so i need to use the "connect as" option to specify the user to connect with. that works fine, but when i try to create a second virtual directory to a different unc share then the ftp client gets the error when trying to list the root directory after logging in.

200 EPRT command successful.
550-Keyset does not exist
Win32 error: Keyset does not exist
Error details: Invalid configuration.
550 End

if i remove one of the virtual directories that was using the "connect as" option, then it works fine. i tried several combinations and concluded that this error happens when more than one virtual directory is created with "connect as" option. i believe this is a bug. is there a work around for this or hotfix?

thanks

May 27 2009 by slhungry

I have followed these instructions and when I attempt to log in I get the following:
ftp> open testftp.afrmic.com
Connected to ftp2008.afrmic.com.
220 Microsoft FTP Service
User (ftp2008.afrmic.com:(none)): ftpuser
331 Password required for ftpuser.
Password:
530 User cannot log in, home directory inaccessible.
Login failed.
ftp> disconnect

Here is the log entry:

2009-06-02 16:00:42 172.16.100.104 - FTP2008 - 21 ControlChannelOpened b5c52641-2355-49af-ac2f-7a7e06d03c46 - -
2009-06-02 16:00:42 172.16.100.104 - FTP2008 - 21 USER b5c52641-2355-49af-ac2f-7a7e06d03c46 - -
2009-06-02 16:00:42 172.16.100.104 FTP2008\ftpuser FTP2008 - 21 PASS b5c52641-2355-49af-ac2f-7a7e06d03c46 / Authorization+rules+denied+the+access.
2009-06-02 16:00:42 172.16.100.104 - FTP2008 - 21 ControlChannelClosed b5c52641-2355-49af-ac2f-7a7e06d03c46 - -

I have looked in the Event viewer and I don't see any thing referencing FTP of file not found errors.

Here is the file system layout:
Directory of C:\inetpub\ftproot\LocalUser

06/02/2009 10:38 AM <DIR> .
06/02/2009 10:38 AM <DIR> ..
06/01/2009 10:33 AM <DIR> ftpuser_mf
05/21/2009 02:01 PM <DIR> public
0 File(s) 0 bytes

Directory of C:\inetpub\ftproot\LocalUser\ftpuser_mf

06/01/2009 10:33 AM <DIR> .
06/01/2009 10:33 AM <DIR> ..
06/01/2009 10:32 AM 0 ftproot_ftpuser_mf.txt
1 File(s) 0 bytes

Directory of C:\inetpub\ftproot\LocalUser\public

05/21/2009 02:01 PM <DIR> .
05/21/2009 02:01 PM <DIR> ..
05/21/2009 02:01 PM 0 test_file.txt
1 File(s) 0 bytes
--------------------------------------------------------------
Not sure what other info would be helpful. I have gone back over the tutorial and my settings but don't see anything missing. Yet I cannot connect using isolation. The site works if I just use anonymous.

Jun 02 2009 by netjess

FYI, the username and file paths match. They don't match in my sample because I was trying to hide some of my account info but forgot to edit the DIR paths.
Ooops.

Thanks for any help.

Jun 02 2009 by netjess

a few notes...

You MUST have a directory below c:\inetpub\ftproot called LocalUser

Within THAT directory you must have a REAL (not virtual) directory that is the same as the username on your server.

Inside the [username] directory you may make virtual directories.

Don't freak out when it doesn't work at first... go have a cup of coffee and wait for IIS to do whatever the heck it does to propagate your changes.

FTP 7.5 does not (apparently) support PASV command.

Be sure to open ports 21 and 22 incoming.

You must open outgoing ports (in firewall) 100-<some big number> in order to get port command to work. i just opened all outgoing ports... even though this may not be the best way, perhaps we can open outgoing ports for the specific application, but i have been up 6 hours working on this and so....

SSL now works but you must use "clear command channel" after connection.
PASV command is refused.

Still... this is a great improvement over the old version...

I think you should consider 7.5 a BETA... it works but in a very flaky manner.

Jul 03 2009 by disco-legend-zeke

disco-legend-zeke:

I BEG TO DIFFER! User directories CAN be virtual directories!

Look at the FTP User Isolation window again:

------
Isolate users. Restrict users to the following directory:

[ ] User name directory (disable global virtual directories)
[ ] User name physical directory (enable global virtual directories)
------

Notice one option says "directory" and the other "physical directory"? When global directories are disabled YOU CAN use virtual directories for users.

Virtual directories can point anywhere on your machine. Because the global directory (the FTP root) is disabled, you can even point a virtual directory back to the root.

I use this to give a few friends FTP access to a photo gallery on my site. Their virtual directory points to the photos directory, and they don't have access to the root of the entire web site. You can also create user directories that point to any other drive or location.

Jul 23 2009 by SLORider

Ok why is FTP so difficult in IIS. I have unsuccessfully been able to create an FTP site in over 6 months. So I gave up. I installed Filezilla and within about 10 Min done! This is a joke that MS can't get this right and easy.

Aug 15 2009 by cosmopoet

Is there any way to prevent a user to view another user's folder?

Sep 21 2009 by yvangelist

I agree with cosmopoet; setting up FTP with FTP 7.5 is very confusing and the docs are not clear.

I just want to allow different users access to different folders; easy as that. I have followed steps outlined above but I get stuck at:

[ ] User name directory (disable global virtual directories)
[ ] User name physical directory (enable global virtual directories)

What's the difference? I tried first option, I created a Windows Local account which works with FTP 7.5 without user isolation. Now I want to use user isolation and I create a physical directory under ftproot/localuser/username and then point the virtual directory (using the username) to another physical directory. When I access via FTP the folder browsing is almost in a "loop" and I can see the folders in the directory I pointed it to, but when I try to list one of the folders it takes me back to LocalUser folder? How the heck does this thing work?

Oct 05 2009 by raldo

What this article seems to be missing is the whole setting permissions part. Permissions not only to the ftproot folder and others but also for the administration.config and redirection.config files.

Further, the "user" that needs to be given permission is not IUSR but Network Service (at least in most cases and the default case).

I followed the steps in this article and many others over and over on 3 different machines and had no luck. Even tried Process Monitor and it never showed a "failure" or "access denied" result. I finally just tried giving the user Network Service special permissions and eventually had to also give it permissions for the config folder and files mentioned above.

I simply can't see why anything has to be so complicated or time consuming. This should be a 30 second job but ends up taking 3 days for most people.

Anyway, if the above article does not work for anyone, you can try the following:

To grant Special permissions to the user Network Service to the Ftp Root folder (using a command prompt):
CACLS "%SystemDrive%\inetpub\ftproot" /G "Network Service":C /T /E

Next the user Network Service needs to be given permission to the config folder and two config files

CACLS "%SystemDrive%\Windows\System32\inetsrv\config" /G "Network Service":R /E

CACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /G "Network Service":R /E

CACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /G "Network Service":R /E

Oct 14 2009 by skumar2003

I was able to get FTP User Isolation with either user name.. or user name physical.. by changing the DefaultAppPool (which was selected by the default FTP setup and is editable in the FTP Basic Settings) Identity to Network Service (it was ApplicationPoolIdentity) and then giving Network Service Read perms on the target and the default ftp root folders. I didn't find I needed the CACLS that skumar mentions.

Nov 03 2009 by mshaich

This is ridiculous,

Have set up an FTP site in XP using IIS 5 in 10 minutes.

In Server 2003 with IIS 6, took days of research and trials to complete the task.

Server 2008 and IIS FTP 7.5, working for weeks with no sign of success.

Nice work Microsoft FTP Crew!!!

Nov 22 2009 by dajohnson

Ok, this is very frustrating. I've followed the article above, done the CACLS commands and still have a problem for a user other than "anonymous". Here is my configuration

Windows 2008, IIS7, ftp7.5
Created ftp site named "TestFtp", root folder/physical Path=d:\FtpAccounts
Allow Anonymous users read only
My account (accntXYZ) is in AD & I allowed my account read,write
created folders d:\ftpaccounts\LocalUser\Public, d:\ftpaccounts\LocalUser\accntXYZ
Gave full control to accntXYZ to the folder

I can log in using anonymous/email and can get a file from the server.
When I try to login as accntXYZ I get the error "User cannot log in, home directory inaccessible".
Any help is appreciated.
Joe

Dec 29 2009 by joled0

I have FTP working, well almost working. I have over all management set to Windows or IIS. I have a window user setup with matching name and password in the IIS Manager. I have also setup a couple users that do not have matching Windows accounts.

Storage Server 08

I have a FTP site setup with only IIS Manager, and basic Authentication enabled. I have FTP user isolation set to user name physical dir. I have made a virtual dir that appears under my FTP site with a shortcut icon on it. I can click it in the manager and see the folders under it. Admin has read and write access. When I go to log in as admin I cannot access the virtual folder. It always pulls up the ftproot folder. I just want to be able to FTP to a second hard drive in the system

Jan 28 2010 by C Brooks KY