Create FTP with Local User Isolation (GUI Method)

The point of FTP with user isolation is that every user has his own directory and cannot see or browse other users’ directories. In Linux it is similar to a “chroot” applied after the user has logged in. This feature has been available since IIS 7.5 (Server 2008 R2).
In this tutorial we are going to create FTP with user isolation in graphical mode. If you are looking for an automated setup, I wrote a PowerShell script for this work here.

1) Install the necessary Windows Server features.
Go to Server Manager >> Add roles and features. Click Next until you reach the Select Server Roles page.
On the server roles page, select Web Server (IIS) and IIS Management Console. See Fig-1.
On the Role Services page, select FTP Service and IIS Management Console. See Fig-2.
Click Next, Next and finish the installation.

Fig-1: Add Windows feature
Fig-2: Add FTP Role
2) Create the FTP Site and give the necessary permissions
Open “Internet Information Services (IIS) Manager” from the Administrative Tools menu.
Fig-3: Create FTP Site

Right-click the site icon & choose “Add FTP Site”. See Fig-3.

On the next page, name the FTP site “First-Ftp-Site”. The content directory is “C:\ftproot”. You need to create that folder in advance.
On the Binding page, choose “No SSL”, choose “All Unassigned” and port 21. See Fig-4.
Fig-4: Change SSL setting and Port
On the next page, choose Basic Authentication and give read and write permission to FtpAdmin. You need to create the ‘FtpAdmin’ user in advance. This user is created for browsing the files users upload. See Fig-5.
Fig-5: Set user authentication & permission to ftp site

3) Add the Root Virtual Directory
You need to add a new virtual directory under your FTP site. The name must be ‘LocalUser’, otherwise user isolation does not work. Right-click First-Ftp-Site and select ‘Add Virtual Directory…’. Fill out the Alias and the physical path. See Fig-6.

Fig-6: Specify root virtual directory location of FTP server

4) Add Virtual Directories for ALL FTP users
As in step 3, we have to add a virtual directory for each and every FTP user. Before this, you need to create every user in the ‘Local Users and Groups’ console. Also, every user’s directory must be created under the FTP root folder. See Fig-7. Right-click and ‘Add Virtual Directory’ under ‘First-Ftp-Site’ (I show ‘jack’ as an example). The location is C:\ftproot\jack. Figure 7 shows all the consoles you need to create it with.

Fig-7: Add Virtual Directory for user ‘jack’

After you have created the ‘jack’ virtual directory, we see that ‘FtpAdmin’ inherits the read/write permission from its parent FTP site, as shown in the figure. So you will need to explicitly add another read/write rule giving ‘jack’ access to his directory. Select the ‘jack’ virtual directory and double-click ‘FTP Authorization Rules’. See Fig-8. In the “FTP Authorization Rules” pane (middle), right-click and select ‘Add Allow Rule’. See Fig-9. Give ‘jack’ read/write permission and click OK. See Fig-10.
You need to repeat the same steps for all the FTP users.

Fig-8: Add ‘jack’ FTP authorization rule
Fig-9: Add Allow Rule in FTP Authorization Panel
Fig-10: Add read/write permission to ‘jack’

5) Set the FTP User Isolation type and restart the FTP service
So far you have set up the users and the physical and virtual directories. Now you have to turn on the FTP user isolation feature. To do this, select ‘First-Ftp-Site’ and double-click “FTP User Isolation”. Select the radio button “User name directory (disable global virtual directories)”. In the right pane, click Apply. See Fig-11. Then restart the FTP service. See Fig-12.

Fig-11: Turn on FTP User Isolation Feature
Fig-12: Restart FTP Service
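Steps 1 to 5 above can be reproduced without the GUI. The following script is an added example for this article, not the author's own PowerShell script linked above; it uses the WebAdministration module and the IIS provider. It assumes the names used in the tutorial (First-Ftp-Site, C:\ftproot, port 21, the users FtpAdmin and jack); the second user 'jill' is a constructed addition, the passwords are prompted for rather than stored, and the physical path of the LocalUser virtual directory is assumed to be C:\ftproot because the tutorial does not state it. It also grants the NTFS permission each user needs on his own folder, a step the GUI walkthrough leaves implicit: the FTP service reads and writes files as the authenticated user, so an IIS authorization rule alone is not enough.

```powershell
# Added example: provision an IIS FTP site with local user isolation (steps 1-5 of the tutorial).
# Names follow the tutorial; 'jill' and the LocalUser physical path are assumptions.
#Requires -RunAsAdministrator

$SiteName  = 'First-Ftp-Site'
$FtpRoot   = 'C:\ftproot'
$FtpUsers  = @('jack', 'jill')     # constructed list; the tutorial shows 'jack'
$AdminUser = 'FtpAdmin'

# Step 1: Web Server (IIS), IIS Management Console, FTP Server and FTP Service roles.
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Console, Web-Ftp-Server, Web-Ftp-Service
Import-Module WebAdministration

# Local accounts and home folders (step 4 requires both to exist before the virtual directories).
New-Item -ItemType Directory -Path $FtpRoot -Force | Out-Null
foreach ($u in ($FtpUsers + $AdminUser)) {
    if (-not (Get-LocalUser -Name $u -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for local user $u"
        New-LocalUser -Name $u -Password $pw -PasswordNeverExpires | Out-Null
    }
}
foreach ($u in $FtpUsers) {
    New-Item -ItemType Directory -Path (Join-Path $FtpRoot $u) -Force | Out-Null
}

# Step 2: the FTP site on all unassigned addresses, port 21, basic authentication only.
if (-not (Get-Website -Name $SiteName)) {
    New-WebFtpSite -Name $SiteName -PhysicalPath $FtpRoot -IPAddress '*' -Port 21 -Force | Out-Null
}
$sitePath = "IIS:\Sites\$SiteName"
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
# The tutorial selects "No SSL", which is SslAllow. SslRequire is the hardened value once a
# certificate is bound, since basic authentication otherwise sends passwords in clear text.
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# FTP authorization rules live per location in applicationHost.config.
function Add-FtpAllowRule {
    param([string]$Location, [string]$User, [string]$Permissions = 'Read,Write')
    Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' `
        -Location $Location -Value @{ accessType = 'Allow'; users = $User; permissions = $Permissions }
}
Add-FtpAllowRule -Location $SiteName -User $AdminUser        # Fig-5: FtpAdmin read/write on the site

# Step 3: the root virtual directory must be named LocalUser (physical path assumed: the FTP root).
New-Item "$sitePath\LocalUser" -Type VirtualDirectory -PhysicalPath $FtpRoot -Force | Out-Null

# Step 4: one virtual directory per user under LocalUser, an explicit allow rule for that user
# (Fig-8 to Fig-10), and NTFS Modify on the folder because the service impersonates the user.
foreach ($u in $FtpUsers) {
    $homeDir = Join-Path $FtpRoot $u
    New-Item "$sitePath\LocalUser\$u" -Type VirtualDirectory -PhysicalPath $homeDir -Force | Out-Null
    Add-FtpAllowRule -Location "$SiteName/LocalUser/$u" -User $u
    icacls $homeDir /grant "${u}:(OI)(CI)M" | Out-Null
}

# Step 5: "User name directory (disable global virtual directories)" is IsolateAllDirectories.
Set-ItemProperty $sitePath -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'
Restart-Service ftpsvc
```

Run the script once in an elevated PowerShell on the server. Rerunning it is safe: existing users, folders and the site are detected and left alone, and `-Force` on the virtual directories overwrites rather than duplicates them; only the authorization rules would be added a second time, so check FTP Authorization Rules in IIS Manager if you run it repeatedly.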

6) Testing with the user ‘jack’
Now it is time to test our FTP site with the users we created. Let’s start with ‘jack’. From another machine, type ftp://yourserverIP/. In my case it is ftp://10.170.0.11/. You will be prompted for a user name and password. Enter jack’s credentials. See Fig-13.

Fig-13: Testing FTP connection with user ‘jack’
Now you can see that ‘jack’ can successfully create folders and files under his private directory. See Fig-14.
Fig-14: Now, user ‘jack’ can create his folder and files

7) (Optional) Adding an FTP Administrator
You can add an FTP administrator who can browse the files users upload. For this, simply add a virtual directory for FtpAdmin (the user we created earlier) under the ‘LocalUser’ directory. The physical path should be the FTP root directory (in our case C:\ftproot). When you connect with the FTP admin’s user name and password, you are redirected to the FTP root directory. See Fig-15.

Fig-15: Creating FTP Administrator virtual directory
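Step 6 tests the site from a browser and step 7 adds the administrator view. The following added example (not part of the tutorial) scripts both: it creates the FtpAdmin virtual directory of step 7 through the IIS provider, then lists the directory each account lands in over plain FTP using .NET's FtpWebRequest, so the difference between jack's isolated view and FtpAdmin's root view is visible in one run. It assumes the server address 10.170.0.11, the site name First-Ftp-Site, the root C:\ftproot and the users jack and FtpAdmin from the tutorial; 'jill' is a constructed second user name used only to confirm that jack cannot reach a sibling folder. Credentials are prompted for, not stored.

```powershell
# Added example: step 7 (FtpAdmin virtual directory) plus a scripted version of the
# step 6 test. Server, site and user names follow the tutorial; 'jill' is constructed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Step 7: FtpAdmin's virtual directory under LocalUser points at the FTP root.
New-Item 'IIS:\Sites\First-Ftp-Site\LocalUser\FtpAdmin' -Type VirtualDirectory `
    -PhysicalPath 'C:\ftproot' -Force | Out-Null
Restart-Service ftpsvc

# Minimal FTP client: log in and return a directory listing (NLST) of the given path.
# The path is relative to the directory the user lands in after login.
function Get-FtpListing {
    param([string]$Server, [pscredential]$Credential, [string]$Path = '/')
    $req = [System.Net.FtpWebRequest]::Create("ftp://$Server$Path")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.Credentials = $Credential.GetNetworkCredential()
    $req.UsePassive  = $true
    $resp = $req.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        ($reader.ReadToEnd() -split "`r?`n") | Where-Object { $_ }
    } finally {
        $resp.Close()
    }
}

$server = '10.170.0.11'
$jack   = Get-Credential -UserName 'jack'     -Message 'FTP password for jack'
$admin  = Get-Credential -UserName 'FtpAdmin' -Message 'FTP password for FtpAdmin'

# With IsolateAllDirectories, jack's session root is LocalUser\jack -> C:\ftproot\jack.
$jackView  = Get-FtpListing -Server $server -Credential $jack
# FtpAdmin's session root is LocalUser\FtpAdmin -> C:\ftproot, so every user folder is listed.
$adminView = Get-FtpListing -Server $server -Credential $admin

"jack sees:     $($jackView -join ', ')"
"FtpAdmin sees: $($adminView -join ', ')"

# Isolation check: a sibling user's folder must not be reachable from jack's session.
# The server answers 550 (file unavailable), which surfaces as a WebException.
try {
    Get-FtpListing -Server $server -Credential $jack -Path '/jill' | Out-Null
    'ISOLATION FAILURE: jack could list another user''s folder'
} catch [System.Net.WebException] {
    $status = if ($_.Exception.Response) { $_.Exception.Response.StatusDescription.Trim() } else { $_.Exception.Message }
    "Expected: jack cannot list /jill ($status)"
}
```

Run it on the server after step 7 (or drop the first three statements and run the rest from any Windows machine that can reach port 21). Expect jack's listing to contain only what he created in Fig-14, FtpAdmin's listing to contain the user folders, and the final check to print the 550 response; an "ISOLATION FAILURE" line means the isolation mode or the LocalUser layout is not as described in steps 3 to 5.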
