The Magic of FTP with user isolation and how to automate the setup with Powershell (with Domain Users)

Unlike a normal FTP server, the magic of FTP with user isolation is that every user
is jailed in his own directory: the user cannot see or write to other users' directories, nor change to the parent (root) directory. In Linux, this is similar to the "chroot" option applied after the user has logged into his home directory.
Today, I will show you how to set up FTP with user isolation in IIS 8.5 (also tested on Server 2008 R2 with IIS 7.5) with domain user accounts in graphical mode. Also, I have written a PowerShell script to automate this FTP setup process for thousands of users ;P. All Active Directory users must already be created before you do this FTP setup. (If you need to create bulk AD users in nested OUs automatically with PowerShell, you can do it easily with the script I created earlier here. It creates 1,500 users in 3 minutes from your CSV or Excel file. ;P)

1) If you are using the GUI method, you only need to install the FTP Server role and the IIS Management Console. Then you manually create the folders and users and give each user access rights to the FTP site. If you instead create a security group and add the AD users to that group, you don't need to deal with permissions for each user individually.

2) If you are using the PowerShell method, you will need 2 additional roles: Active
Directory module for Windows PowerShell and Windows Process Activation Service. So,
in total there are 4 roles you need to install before using the scripting method. Don't worry, the script installs these 4 roles automatically while it runs. Or, if you prefer to install them separately before running the script, you can do it with one PowerShell command:

Add-WindowsFeature RSAT-AD-Powershell,Web-Ftp-Server,Web-Mgmt-Console, WAS-Process-Model
You need either local admin or domain admin permission to do this. Also, I assume that the computer where you want to install the FTP service has already been joined to the domain.

We will do the steps below for the GUI configuration mode.
  1. Create new security group for ftp users
  2. Install FTP Service and IIS Management Console
  3. Create new FTP Site and Virtual Directory
  4. Configure FTP user isolation mode.

In our scenario, we have 3 computers:

  • (domain controller where we will create users and group)
  • (domain member computer where ftp server will be installed and do necessary ftp configurations)
  • And another client computer where we will test access to our ftp site

Method-1: Using GUI to setup FTP with user isolation
1) Create new group for ftp users

On the domain controller, or on a computer where the Remote Server Administration Tools are installed, create a new security group in the OU where the FTP users are located. Later, we will add the FTP users to that group and grant that group permission to access our FTP site. Let's say we create a group for our sales department users, "sales_group", in the "Sales Users" OU. See Figure-1.

Figure-1: Create new ftp group

Next, we have to add the users in the OU to our newly created group. Since we don't want to give FTP access to "Admin" and "Jenny", we skip those users. Also, don't forget to create a folder for each user under our FTP root directory. All user folders will be directly under the FTP root. Here, I use "ftproot" as the root folder and create one subfolder per user. See Fig-2.

Figure-2: Create a folder for each user; folder names are the same as user names
2) Install FTP Service and IIS Management Console

We need to install the FTP Service and IIS Management Console for our setup. Open Server Manager >> Add Roles and Features >> Server Roles. On the Server Roles page, select Web Server (IIS) and click Next until you reach Role Services. On the Role Services page, select FTP Service and IIS Management Console and install them. See Fig-3.

Figure-3: Install FTP Service and IIS Management Console
3) Create new FTP Site and Virtual Directory

Now it's time to create our first FTP site and give the necessary permissions.

Go to Start >> Administrative Tools >> Internet Information Services (IIS) Manager.

Expand the tree until you see "Sites" in the left pane, right-click it and choose Add FTP Site. See Fig-4.

Figure-4: Create new FTP site and Virtual directory

On the next page, give the FTP site a name and physical path. For me, that is sales-ftp and c:\ftproot. On the next page, select the binding interface and port number on which the FTP service will listen. You can also select SSL if you have a valid SSL certificate (either self-signed or purchased). Do not enable Virtual Host Names, since that is only used when you serve different domain names from a single public IP address, mostly by public web hosts. Then enable Start FTP site automatically. See Fig-5.

Figure-5: Setting up Binding interface and SSL certificate
On the next page, set the Authentication type to Basic and give FTP permission to our newly created FTP_Group with Read and Write permissions. Then click Finish. See Fig-6.

Figure-6: Setting FTP authentication and permissions

Now you can create the virtual directory. In IIS Manager, select the site you just created (here sales-ftp), right-click it and choose Add Virtual Directory. See Fig-7.

Figure-7: Adding Virtual directory

On the next page, give the alias name and physical path. See Fig-8. Here, our physical path is c:\ftproot and the alias name is CONTOSO. The alias name is our domain's NetBIOS name. You must use the NetBIOS name, and nothing else, as the virtual directory name, otherwise user isolation will not work. You can get the NetBIOS name in two ways:

  1. From the Active Directory Users and Computers console on the domain controller, select your domain, right-click and choose Properties. On the General tab, you will see Domain name (pre-Windows 2000). See Fig-9.

  2. You can also run this PowerShell command on either a domain-joined server or the domain controller to fetch the name:

(Get-WMIObject win32_NTdomain).DomainName

Figure-8: Setting virtual directory

Figure-9: We can also get the NetBIOS domain name from here (on the dc1 computer)
4) Configure FTP user isolation mode, SSL setting

Now it's time to configure user isolation. From the IIS Management console, select our sales-ftp site and double-click FTP User Isolation in the middle pane of the console.

On the next page, choose User name directory (disable global virtual directories) and click Apply. See Fig-10.

Figure-10: User isolation setting in IIS management console

So far we have configured the user isolation mode and SSL settings. Now, restart the FTP service for the firewall rules to take effect. After that, each user can connect to his own directory using FileZilla or WinSCP from our client computer. See Fig-11.

Figure-11: Testing FTP with WinSCP Client
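
A graphical client shows that a user can log in, but it does not show you that the jail holds. The script below is an added example (not part of the original post) that opens a raw FTP control-channel session from the client computer, logs in as one isolated user, and checks that both "CWD .." and "CWD /<another user's folder>" are refused with a 5xx reply. The server name, port and account names are placeholders for a lab box; it assumes plain FTP on port 21 as configured in the walkthrough.

```powershell
# Added example, not from the original post: verify that FTP user isolation really
# prevents leaving the user's own directory. Placeholders: server name, accounts.

function Read-FtpReply {
    param([System.IO.StreamReader]$Reader)
    # An FTP reply ends with a line "NNN text"; earlier lines of a multi-line reply
    # look like "NNN-text", so keep reading until the terminating form shows up.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'connection closed by server' }
        $lines += $line
    } until ($line -match '^\d{3} ')
    [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Text = ($lines -join "`n") }
}

function Send-FtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.WriteLine($Command)    # writer is configured for CRLF line endings below
    $Writer.Flush()
    Read-FtpReply -Reader $Reader
}

function Test-FtpUserIsolation {
    param(
        [string]$Server,
        [int]$Port = 21,
        [string]$User,        # e.g. 'CONTOSO\alice' (placeholder)
        [string]$Password,
        [string]$OtherUser    # folder name of a different isolated user, e.g. 'bob'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"

        $greeting = Read-FtpReply -Reader $reader
        if ($greeting.Code -ne 220) { throw "unexpected greeting: $($greeting.Text)" }

        $r = Send-FtpCommand $writer $reader "USER $User"
        if ($r.Code -ne 331) { throw "USER rejected: $($r.Text)" }
        $r = Send-FtpCommand $writer $reader "PASS $Password"
        if ($r.Code -ne 230) { throw "login failed: $($r.Text)" }

        $pwd   = Send-FtpCommand $writer $reader 'PWD'
        $up    = Send-FtpCommand $writer $reader 'CWD ..'
        $other = Send-FtpCommand $writer $reader "CWD /$OtherUser"
        [void](Send-FtpCommand $writer $reader 'QUIT')

        # With isolation in place the server presents the user's own folder as "/"
        # and refuses to leave it, so both CWD attempts must come back as 5xx.
        [pscustomobject]@{
            LoginRoot      = $pwd.Text
            ParentRefused  = ($up.Code -ge 500)
            SiblingRefused = ($other.Code -ge 500)
            Isolated       = ($up.Code -ge 500 -and $other.Code -ge 500)
        }
    }
    finally {
        $client.Close()
    }
}

# Usage on the test client (placeholders; prompt for the password instead of embedding it):
# $cred = Get-Credential 'CONTOSO\alice'
# Test-FtpUserIsolation -Server ftp01.contoso.local -User $cred.UserName `
#     -Password $cred.GetNetworkCredential().Password -OtherUser bob
```

Run it once per representative user after every change to the site's isolation mode or virtual directory; an `Isolated` value of `False` means the alias or isolation setting is wrong. Because the walkthrough's site accepts plain FTP, the credentials cross the wire in clear text, which is one more reason to bind a certificate and move the SSL policy to "Require" once the test passes.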
Method-2: Using Powershell script to setup FTP with user isolation

I have created a script to deploy this sort of scenario for bulk users. The script is tested on Server 2012 R2 (with IIS 8.5) and Server 2008 R2 (IIS 7.5). I hope it also works well on Server 2012. But I do suggest trying it on a test machine with the same OS/IIS version as production first, before you run it on the production machine. PowerShell 3.0 is needed to run the script. Screenshots from my test machines are shown for your quick reference.

Figure-12: Running the script to setup FTP with domain users isolation

Figure-13: Getting Help

You can download my script from github.
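
For readers who want to see what the automation has to do before running someone else's script, here is an added example (my own, not the author's GitHub script) that performs the four GUI steps above from PowerShell: security group and members, the four roles, the FTP site with basic authentication and a Read/Write rule for the group, the NetBIOS-named virtual directory, and the isolation mode. Site name, root folder, group name and the skipped accounts follow the walkthrough; the OU distinguished name is a placeholder. It goes one step beyond the walkthrough by cutting NTFS inheritance on each user's folder, because a folder created under C:\ otherwise inherits Modify rights for all authenticated users and the IIS jail would be the only barrier between users.

```powershell
# Added example (not the author's GitHub script): the walkthrough's four GUI steps as
# one script. Run in an elevated PowerShell 3.0+ session on the domain-joined FTP
# server with domain admin rights. $UsersOU is a placeholder.

$SiteName  = 'sales-ftp'
$FtpRoot   = 'C:\ftproot'
$GroupName = 'sales_group'
$UsersOU   = 'OU=Sales Users,DC=contoso,DC=com'   # placeholder: DN of your users' OU
$SkipUsers = @('Admin', 'Jenny')                    # accounts that must not get FTP access

# Roles: FTP Service, IIS console, AD PowerShell module, WAS. Install only what is missing.
Import-Module ServerManager                         # needed on 2008 R2, harmless on 2012 R2
$features = 'RSAT-AD-PowerShell', 'Web-Ftp-Server', 'Web-Mgmt-Console', 'WAS-Process-Model'
$missing  = Get-WindowsFeature $features | Where-Object { -not $_.Installed }
if ($missing) { Add-WindowsFeature $missing.Name | Out-Null }
Import-Module ActiveDirectory
Import-Module WebAdministration

# Step 1: the security group in the users' OU, with every enabled user of that OU
# except the skipped accounts as members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $UsersOU
}
$ftpUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $UsersOU |
            Where-Object { $SkipUsers -notcontains $_.SamAccountName }
if ($ftpUsers) { Add-ADGroupMember -Identity $GroupName -Members $ftpUsers }

# The virtual directory alias must be the domain's NetBIOS name (same value the
# walkthrough reads from Win32_NTDomain).
$netbios = (Get-ADDomain).NetBIOSName

# Lock one folder to one account: drop inherited NTFS entries and grant only
# Administrators, SYSTEM and the folder's user. Other users then get "access denied"
# even over SMB or a local logon, not just inside the FTP jail.
function Set-PrivateFolderAcl {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting, discard inherited rules
    $grants = @{ 'BUILTIN\Administrators' = 'FullControl'
                 'NT AUTHORITY\SYSTEM'    = 'FullControl'
                 $Account                 = 'Modify' }
    foreach ($who in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $who, $grants[$who], 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# One subfolder per user under the FTP root, named exactly like the sAMAccountName.
if (-not (Test-Path $FtpRoot)) { New-Item -ItemType Directory -Path $FtpRoot | Out-Null }
foreach ($u in $ftpUsers) {
    $dir = Join-Path $FtpRoot $u.SamAccountName
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-PrivateFolderAcl -Path $dir -Account "$netbios\$($u.SamAccountName)"
}

# Step 3: the site, basic auth only, Read/Write for the group, SSL allowed (move both
# policies to SslRequire once a certificate is bound), and the NetBIOS-named virtual
# directory pointing at the same root. The authorization rule is added once, so run
# this section only on first setup.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-WebFtpSite -Name $SiteName -Port 21 -PhysicalPath $FtpRoot | Out-Null
}
$site = "IIS:\Sites\$SiteName"
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $SiteName `
    -Value @{ accessType = 'Allow'; roles = "$netbios\$GroupName"; permissions = 'Read,Write' }
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslAllow'
if (-not (Test-Path "$site\$netbios")) {
    New-WebVirtualDirectory -Site $SiteName -Name $netbios -PhysicalPath $FtpRoot | Out-Null
}

# Step 4: "User name directory (disable global virtual directories)", then restart the
# service so the new site and its firewall rules take effect.
Set-ItemProperty $site -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'
Restart-Service ftpsvc
```

The IIS settings are written through the WebAdministration provider rather than the GUI, so you can diff them afterwards with `Get-ItemProperty "IIS:\Sites\sales-ftp" -Name ftpServer` to confirm the isolation mode and authentication flags match what the wizard would have produced. The per-folder ACL function is the part worth keeping even if you prefer the GUI for the rest: isolation in IIS decides what the FTP client may see, but NTFS decides what the account may touch by any other path.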
