Configuring FTP User Isolation in IIS 7 and IIS 8
Author: Adrian McNab. Article Reference Number: AA-04668

Microsoft has created a new FTP service that has been completely rewritten for Windows Server 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document will walk you through the various FTP user isolation settings using the new FTP user interface and by directly editing the IIS configuration files.

Note: This walk-through contains a series of steps where you will be logging in to your FTP site using the local administrator account. These steps should only be followed on the server itself using the loopback address or over SSL from a remote server. If you prefer to use a separate user account instead of the administrator account, you will need to create the appropriate folders and set the correct permissions for that user account when necessary.

First Steps

The following items are required to complete the procedures in this article:

  1. IIS 7 must be installed on your Windows Server 2008 RC0 server, and the Internet Information Services Manager must be installed.
  2. The new FTP service must be installed. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:
  3. You will need to create a root folder for FTP publishing:
    • Create a folder at "%SystemDrive%\inetpub\ftproot"
    • Set the permissions to allow anonymous access:
        • Open a command prompt.
        • Type the following command:
          ICACLS "%SystemDrive%\inetpub\ftproot" /Grant IUSR:R /T
        • Close the command prompt.
  4. You will need to create additional content folders:
    • Create a folder at "%SystemDrive%\inetpub\ftproot\LocalUser\Public"
    • Create a folder at "%SystemDrive%\inetpub\adminfiles"


Using the FTP Site Wizard to Create an FTP site

In this first section we will create a new FTP site that can be opened for Read-only access by anonymous users and Read/Write access by the administrator account.

  1. In IIS Manager, in the Connections pane, click the Sites node in the tree.
  2. As shown in the image below, right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
  3. When the Add FTP Site wizard appears:
    • Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the First Steps section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths.
    • When you have completed these items, click Next.
  4. On the next page of the wizard:
    • You would normally choose an IP address for your FTP site from the IP Address drop-down, or you could choose to accept the default selection of "All Unassigned." Because you will be using the administrator account later in this walk-through, you want to make sure that you restrict access to the server and enter the local loopback IP address for your computer by typing "127.0.0.1" in the IP Address box.
    • You would normally enter the TCP/IP port for the FTP site in the Port box. For this walk-through, you will choose to accept the default port of 21.
    • For this walk-through, you will not use a host name, so make sure that the Virtual Host box is blank.
    • Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
    • When you have completed these items, click Next.


  5. On the next page of the wizard:
    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down, and select Read for the Permissions option.
    • When you have completed these items, click Finish.
  6. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  7. We need to add Basic Authentication so that users can log in. To do so, double-click the FTP Authentication icon to open the FTP authentication feature page.
  8. When the FTP Authentication page is displayed, highlight Basic Authentication and then click Enable in the Actions pane.
  9. In IIS Manager, click the node for the FTP site to re-display the icons for all of the FTP features.
  10. We need to add an authorization rule so that the administrator can log in. To do so, double-click the FTP Authorization Rules icon to open the FTP authorization rules feature page.
  11. When the FTP Authorization Rules page is displayed, click Add Allow Rule in the Actions pane.
  12. When the Add Allow Authorization Rule dialog box is displayed
    • Select Specified users, then type "administrator" in the box.
    • For Permissions, select both Read and Write.
    • When you have completed these items, click OK.
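The same preparation and site creation as the First Steps and wizard procedures above, scripted with the WebAdministration PowerShell module. This is an added example, not code from the original article: it assumes an elevated PowerShell session on the server itself, that the WebAdministration module is available (it ships with IIS 7.5 on Windows Server 2008 R2 and later), and the site name, paths and port used in the walk-through.

```powershell
# Added example (not from the original article): scripts the "First Steps" folder
# preparation and the "Add FTP Site" wizard steps with the WebAdministration module.
# Assumptions: elevated PowerShell on the server itself; site name, paths and port
# are the ones used in the walk-through.
Import-Module WebAdministration

$siteName = 'My New FTP Site'
$ftpRoot  = Join-Path $env:SystemDrive 'inetpub\ftproot'

# 1. Content folders from "First Steps": the FTP root, the anonymous home folder,
#    and the folder that later becomes the administrator's virtual directory.
foreach ($dir in @($ftpRoot,
                   (Join-Path $ftpRoot 'LocalUser\Public'),
                   (Join-Path $env:SystemDrive 'inetpub\adminfiles'))) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# 2. Read-only NTFS access for the anonymous FTP identity (IUSR), applied
#    recursively (/T), exactly as the ICACLS line in the article does.
icacls $ftpRoot /grant 'IUSR:R' /T | Out-Null

# 3. Create the site bound to the loopback address only, port 21, no host name,
#    so the administrator logon used later in the walk-through is not reachable
#    from the network.
$sitePath = "IIS:\Sites\$siteName"
if (-not (Test-Path $sitePath)) {
    New-WebFtpSite -Name $siteName -IPAddress '127.0.0.1' -Port 21 -PhysicalPath $ftpRoot | Out-Null
}

# 4. SSL "Allow" on both channels, matching the wizard's "Allow SSL" choice.
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $sitePath -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'

# 5. Anonymous authentication (from the wizard) plus Basic authentication (step 8).
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $true
Set-ItemProperty $sitePath -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true

# 6. Authorization rules (steps 10-12): anonymous users ("?") get Read only,
#    the administrator account gets Read and Write. These are stored for the
#    site location under system.ftpServer/security/authorization.
$authz = '/system.ftpServer/security/authorization'
Add-WebConfiguration -Filter $authz -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; users = '?';             permissions = 'Read' }
Add-WebConfiguration -Filter $authz -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; users = 'administrator'; permissions = 'Read,Write' }

# Show the resulting rules so the Read/Write split can be verified before
# anyone logs in.
Get-WebConfiguration -Filter "$authz/add" -PSPath 'IIS:\' -Location $siteName |
    Format-Table accessType, users, roles, permissions -AutoSize
```

The explicit `127.0.0.1` binding is the part worth keeping even when the rest is adapted: with Basic authentication enabled and the control channel only allowing (not requiring) SSL, the administrator password would otherwise cross the network in clear text.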

Configuring User Isolation Settings by Physical Directories

When isolating users by physical directories only, every FTP user session is restricted to the physical directory that has the same name as the FTP user account. However, any global virtual directories that are created will apply to all users.

  1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
  3. When the FTP User Isolation feature page is displayed, select the User name physical directory (enable global virtual directories) option, then click Apply in the Actions pane.

Logging in to your FTP site

You can now log in to your FTP site using user isolation, but the following information applies:

  1. If you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you created in the First Steps section.
  2. If you attempt to log in to your FTP site using the administrator account, your logon request will be denied because the administrator account does not have a home directory defined. To allow the administrator account to log in, you need to create a home directory for it at "%SystemDrive%\inetpub\ftproot\LocalUser\Administrator". Once that folder exists, logging in with the administrator account restricts the session to the "LocalUser\Administrator" folder you just created.


Configuring User Isolation Settings for All Directories

When isolating users for all directories, every FTP user session is restricted to the physical or virtual directory that has the same name as the FTP user account. In addition, all global virtual directories that are created will be ignored. In this step you will configure user isolation for all directories, and add a virtual directory for the administrator user.

  1. In IIS Manager, click the node for the FTP site that you created; this will display the icons for all of the FTP features.
  2. Double-click the FTP User Isolation icon to open the FTP user isolation feature.
  3. When the FTP User Isolation feature page is displayed, select the User name directory (disable global virtual directories) option, then click Apply in the Actions pane.
  4. Expand the tree node for your FTP site, then right-click the LocalUser folder and click Add Virtual Directory. (Note: In this example the "LocalUser" folder is a physical directory, but a virtual directory could also have been used.)
  5. When the Add Virtual Directory dialog box appears:
    • Enter "administrator" for the Alias.
    • Enter "%SystemDrive%\inetpub\adminfiles" for the Physical path.
    • When you have completed these items, click OK.


Logging in to your FTP site

You can now log in to your FTP site using user isolation, but the following information applies:

  1. As before, if you log in to your FTP site anonymously, your session will be restricted to the "LocalUser\Public" folder that you created in the First Steps section.
  2. If you log in to your FTP site using the administrator account, your session will be restricted to the "/LocalUser/administrator" virtual directory that you just created.
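The two isolation modes configured above (physical directories only, then all directories), the administrator virtual directory, and the home-directory rule from both "Logging in" sections, in one added PowerShell example. This is not code from the original article: it assumes the site created in the earlier steps exists, that the WebAdministration module is available, and that the `Set-FtpIsolation` and `Get-FtpHome` helper names are ours. The mode values are the ones IIS stores in applicationHost.config under the site's `<ftpServer><userIsolation mode="..."/>` element, which is what "directly editing the IIS configuration files" in the introduction refers to.

```powershell
# Added example (not from the original article): switches the site between the two
# isolation modes discussed above, adds the administrator virtual directory for
# "all directories" mode, and reports which accounts would be given a home
# directory. Assumes the site from the earlier steps exists and that the
# WebAdministration module is loadable; the helper function names are ours.
Import-Module WebAdministration

$siteName = 'My New FTP Site'
$sitePath = "IIS:\Sites\$siteName"
$ftpRoot  = Join-Path $env:SystemDrive 'inetpub\ftproot'

# Sets the FTP user isolation mode. IIS stores it in applicationHost.config as
# <ftpServer><userIsolation mode="..."/>; the two UI options map as follows:
#   IsolateRootDirectoryOnly = "User name physical directory (enable global virtual directories)"
#   IsolateAllDirectories    = "User name directory (disable global virtual directories)"
function Set-FtpIsolation {
    param(
        [ValidateSet('None', 'StartInUsersDirectory', 'IsolateRootDirectoryOnly', 'IsolateAllDirectories')]
        [string]$Mode
    )
    Set-ItemProperty $sitePath -Name ftpServer.userIsolation.mode -Value $Mode
}

# Returns the folder a logon would be confined to, or $null when IIS would deny
# the logon because no home directory exists. Anonymous maps to LocalUser\Public,
# a local account to LocalUser\<account>. Only in IsolateAllDirectories mode
# does a virtual directory named LocalUser\<account> also count as the home.
function Get-FtpHome {
    param([string]$User, [string]$Mode)
    $name     = if ($User -eq 'anonymous') { 'Public' } else { $User }
    $physical = Join-Path $ftpRoot "LocalUser\$name"
    if (Test-Path $physical) { return $physical }
    if ($Mode -eq 'IsolateAllDirectories') {
        $vdir = "$sitePath\LocalUser\$name"
        if (Test-Path $vdir) { return (Get-Item $vdir).physicalPath }
    }
    return $null
}

function Show-FtpHomes {
    param([string]$Mode)
    foreach ($u in 'anonymous', 'administrator') {
        $homeDir = Get-FtpHome -User $u -Mode $Mode   # $home itself is a PowerShell automatic variable
        if ($homeDir) { "$Mode : $u -> $homeDir" }
        else          { "$Mode : $u -> logon would be DENIED (no home directory)" }
    }
}

# Part 1: physical-directory isolation. Without a LocalUser\Administrator folder
# the administrator logon is denied, as the first "Logging in" section explains.
Set-FtpIsolation -Mode IsolateRootDirectoryOnly
Show-FtpHomes -Mode IsolateRootDirectoryOnly

# Part 2: all-directories isolation, with the administrator virtual directory
# pointing at inetpub\adminfiles (the Add Virtual Directory dialog steps).
# Creating the vdir at a nested path through the IIS: provider is assumed here.
Set-FtpIsolation -Mode IsolateAllDirectories
$adminVdir = "$sitePath\LocalUser\administrator"
if (-not (Test-Path $adminVdir)) {
    New-Item $adminVdir -ItemType VirtualDirectory `
        -PhysicalPath (Join-Path $env:SystemDrive 'inetpub\adminfiles') | Out-Null
}
Show-FtpHomes -Mode IsolateAllDirectories
```

Run after the site exists; the first `Show-FtpHomes` call reports the administrator logon as denied unless you have already created the "LocalUser\Administrator" folder, and the second reports it mapped to the adminfiles folder through the virtual directory. Because IsolateAllDirectories ignores global virtual directories, the virtual directory must sit under LocalUser with the account's name; a vdir anywhere else does not give the account a home.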