Unlike a normal FTP server, the magic of FTP with user isolation is that every user
is jailed in his own directory: the user cannot see or write to other users' directories and cannot change up to the parent (root) directory. On Linux this is similar to a chroot into the user's home directory after login.
Today I will show you how to set up FTP with user isolation on IIS 8.5 (also tested on Server 2008 R2 with IIS 7.5) for domain user accounts, in graphical mode. I have also written a PowerShell script that automates this FTP setup for thousands of users. All Active Directory users must already exist before you start the FTP setup. (If you need to create bulk AD users in nested OUs with PowerShell, the script I published earlier here makes it easy: it creates 1,500 users in about 3 minutes from your CSV or Excel file.)
1) If you use the GUI method, you only need to install the FTP Service role service and the IIS Management Console. You then have to create the folders manually and grant each user access to the FTP site. If you instead create a security group and add the AD users to it, you grant the FTP site permission to that group once and do not have to deal with each user's permissions separately.
2) If you use the PowerShell method, you need two more components: the Active Directory module for Windows PowerShell and the Windows Process Activation Service. So in total there are four roles/features to install before using the scripting method. Don't worry, the script installs these four automatically while it runs. Or, if you prefer to install them separately before running the script, you can do it with one PowerShell command:
Add-WindowsFeature RSAT-AD-Powershell,Web-Ftp-Server,Web-Mgmt-Console, WAS-Process-Model
You need rights to create objects in the target OU for the group step, and local administrator rights on the FTP server for the role installation and the IIS configuration (a domain admin account covers both). I also assume that the computer where you install the FTP service has already been joined to the domain. The steps are:
- Create new security group for ftp users
- Install FTP Service and IIS Management Console
- Create new FTP Site and Virtual Directory
- Configure FTP user isolation mode.
In our scenario, we have 3 computers:
- dc1.contoso.com (domain controller where we will create users and group)
- node2.contoso.com (domain member computer where the FTP server will be installed and configured)
- and a client computer from which we will test access to the FTP site
Method-1: Using GUI to setup FTP with user isolation
1) Create new group for ftp users
On the domain controller, or on a computer where the Remote Server Administration Tools are installed, create a new security group in the OU where the FTP users are located. Later we add the FTP users to that group and grant the group access to our FTP site. Let's say we create a group "sales_group" for our sales department users in the "Sales Users" OU. See Figure-1.
Next, add the users in that OU to the newly created group. Since we don't want to give FTP access to "Admin" and "Jenny", we skip those two. Also create a folder for each user under the FTP root directory; the folder name must match the user's logon (SAM account) name exactly, because that is the name IIS looks for when the user logs in. Here the root folder is "ftproot" and each user gets a subfolder under it. Give each user NTFS Modify permission on his own folder only, so the NTFS ACL enforces the same boundary as the FTP isolation. See Fig-2.
We need to install the FTP Service and the IIS Management Console for our setup. Open Server Manager >> Add Roles and Features >> Server Roles. On the Server Roles page select Web Server (IIS) and click Next until you reach the Role Services page. There select FTP Service and IIS Management Console and install them. See Fig-3.
Now it's time to create our first FTP site and give it the necessary permissions.
Go to Start >> Administrative Tools >> Internet Information Services (IIS) Manager.
Expand the tree until you see "Sites" in the left pane, right-click it and choose Add FTP Site. See Fig-4.
On the next page, give the FTP site a name and a physical path; for me that is sales-ftp and c:\ftproot. On the binding page, choose the IP address and port the FTP service should listen on. Leave Enable Virtual Host Names unchecked: it is only needed when several FTP sites with different host names share a single public IP address, which is mostly a public web hosting scenario. Keep Start FTP site automatically enabled. For SSL, pick a certificate (self-signed or purchased) and prefer Require SSL over Allow SSL: FTP Basic authentication sends the user's domain password in cleartext, so with Allow SSL a client that does not negotiate TLS still exposes domain credentials on the wire; use No SSL only on an isolated test network. See Fig-5. On the Authentication and Authorization page, enable Basic authentication, leave Anonymous disabled, and allow access to "Specified roles or user groups" with sales_group and the Read and Write permissions, so that only members of the group can log in.
Now create the virtual directory. In IIS Manager, select the site you have just created (here sales-ftp), right-click it and choose Add Virtual Directory. See Fig-7.
On the next page, give the alias name and the physical path. See Fig-8. Here our physical path is c:\ftproot and the alias is CONTOSO, our domain's NetBIOS name. You must use the NetBIOS name, and only that, as the alias; anything else will not work, because IIS resolves the isolated root of a domain user as <FTP root>\<NetBIOS domain>\<user name>. The virtual directory maps the <NetBIOS domain> segment back onto c:\ftproot, so the user folders can stay directly under the root. (The alternative, without a virtual directory, is a physical folder c:\ftproot\CONTOSO with the user folders inside it.) You can get the NetBIOS name in two ways:
From the Active Directory Users and Computers console on domain controller, select your domain, right-click and choose Properties. On the General tab, you will see Domain Name (pre-Windows 2000). See Fig-9.
You can also fetch it with the Active Directory module for Windows PowerShell, on either a domain-joined server or the domain controller: the NetBIOSName property of the domain object returned by Get-ADDomain holds the same value.
Now it's time to configure user isolation. In IIS Manager, select sales-ftp and double-click FTP User Isolation in the middle pane.
On the next page, choose "User name directory (disable global virtual directories)" and click Apply. See Fig-10.
So far we have configured authentication, authorization, SSL and the user isolation mode. Now restart the Microsoft FTP Service (ftpsvc) so that the built-in Windows Firewall rules for FTP take effect. Each user can now connect with FileZilla or WinSCP from the client computer and lands in his own directory; the folder is presented as the root, so there is no parent directory to change into and no other user's folder to see. See Fig-11.
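The following script is an added example that performs the GUI steps above from PowerShell. It is not the author's script from the download link; it is my own illustration, written for the WebAdministration and ActiveDirectory modules on Server 2008 R2/2012 R2. It assumes the server is domain-joined, the group sales_group already exists and is populated, the script runs in an elevated PowerShell 3.0 session, and that the caller passes the thumbprint of a server certificate from Cert:\LocalMachine\My in the hypothetical $CertThumbprint parameter (all parameter names and defaults are mine). Beyond the GUI walkthrough it also locks down the NTFS ACLs so that the file system, not only the FTP service, keeps users out of each other's folders.

```powershell
# Added example, not the author's script. Assumes: domain-joined server, existing
# AD group, elevated PowerShell 3.0 session. Parameter names/defaults are assumptions.
param(
    [string]$SiteName       = 'sales-ftp',
    [string]$FtpRoot        = 'C:\ftproot',
    [string]$FtpGroup       = 'sales_group',
    [int]   $Port           = 21,
    [string]$CertThumbprint = ''      # thumbprint of a cert in Cert:\LocalMachine\My (assumed input)
)

# 1) The four roles/features the text lists (no-op if already installed)
Import-Module ServerManager
Add-WindowsFeature Web-Ftp-Server, Web-Mgmt-Console, RSAT-AD-PowerShell, WAS-Process-Model | Out-Null
Import-Module WebAdministration
Import-Module ActiveDirectory

# 2) NetBIOS domain name: the virtual directory alias must equal it, because IIS
#    resolves an isolated domain user to <FtpRoot>\<NetBIOS domain>\<user name>
$netbios = (Get-ADDomain).NetBIOSName

# Helper: build an inheritable NTFS allow ACE for one principal
function New-AllowAce([string]$Principal, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# 3) FTP root: drop inherited ACEs (a folder under C:\ inherits Read for BUILTIN\Users,
#    which would let every domain user read every other user's files) and keep only
#    Administrators and SYSTEM. FTP users get rights on their own folder only.
New-Item -ItemType Directory -Path $FtpRoot -Force | Out-Null
$rootAcl = Get-Acl $FtpRoot
$rootAcl.SetAccessRuleProtection($true, $false)     # block inheritance, discard inherited ACEs
$rootAcl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' 'FullControl'))
$rootAcl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM'    'FullControl'))
Set-Acl $FtpRoot $rootAcl

# 4) FTP site plus the virtual directory named after the NetBIOS domain
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-WebFtpSite -Name $SiteName -Port $Port -PhysicalPath $FtpRoot -IPAddress '*' -Force | Out-Null
}
if (-not (Test-Path "IIS:\Sites\$SiteName\$netbios")) {
    New-WebVirtualDirectory -Site $SiteName -Name $netbios -PhysicalPath $FtpRoot | Out-Null
}
$site = "IIS:\Sites\$SiteName"

# 5) Authentication: Basic only (domain accounts), anonymous off
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true

# 6) Isolation mode "User name directory (disable global virtual directories)"
Set-ItemProperty $site -Name ftpServer.userIsolation.mode -Value IsolateAllDirectories

# 7) FTPS: Basic auth puts the domain password on the wire, so require SSL on both channels
if ($CertThumbprint) {
    Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash       -Value $CertThumbprint
    Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value SslRequire
    Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value SslRequire
} else {
    Write-Warning 'No certificate thumbprint given: site stays plain FTP, domain credentials travel in cleartext.'
}

# 8) Authorization: only the FTP group may log in, with Read and Write
Clear-WebConfiguration '/system.ftpServer/security/authorization' -PSPath IIS:\ -Location $SiteName
Add-WebConfiguration   '/system.ftpServer/security/authorization' -PSPath IIS:\ -Location $SiteName `
    -Value @{ accessType = 'Allow'; roles = "$netbios\$FtpGroup"; permissions = 'Read,Write' }

# 9) One folder per group member, named after the SAM account name (what IIS looks up),
#    with NTFS Modify for that user only
$users = Get-ADGroupMember -Identity $FtpGroup -Recursive | Where-Object { $_.objectClass -eq 'user' }
foreach ($u in $users) {
    $dir = Join-Path $FtpRoot $u.SamAccountName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $acl = Get-Acl $dir
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-AllowAce "$netbios\$($u.SamAccountName)" 'Modify'))
    Set-Acl $dir $acl
}

# 10) Restart the service so the built-in FTP firewall rules pick up ftpsvc
Restart-Service ftpsvc
"$SiteName ready: $(@($users).Count) user folder(s) under $FtpRoot, isolated via virtual directory '$netbios'"
```

Two design choices are worth noting. Inheritance is cut on the root and on every user folder, so a member of sales_group holds an explicit ACE only on his own folder; the FTP service enforces the jail, and NTFS enforces it a second time if someone reaches the share by another path. The authorization rule is cleared before it is added so that re-running the script for new users does not pile up duplicate allow rules. To check the result, log in as one of the users with FileZilla or WinSCP: the listing shows only that user's folder as the root, and `cd ..` stays in place.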
I have created one script to deploy that sort of scenario for bulk users. The script is tested on Server 2012 R2 (with IIS 8.5) and Server 2008 R2 (IIS 7.5). I hope it works well on Server 2012 also. But I do suggest running it on a test machine with the same OS/IIS version as production first, before you go to the production machine. PowerShell 3.0 is needed to run the script. Images from my test machines are shown for your quick reference.
You can download my script from GitHub.