Configure FTP User Isolation on Windows Server 2008 R2

This guide will show you how to set up FTP User Isolation on Windows Server 2008 R2.

So what is FTP User Isolation? It isolates, or limits, each FTP user connecting to your FTP server to either the site root directory or a directory named after the user. For example, when user1 connects to your FTP server he will only be able to access a folder named user1. In Server 2008 R2, the user1 folder can be either a physical folder or a virtual directory.

The best way to learn is by doing, so let’s crack on and set up FTP User Isolation on Windows Server 2008 R2!

Installing the FTP Server

In Server 2008 R2 the FTP Server is a module that can be found under the Web Server role. In this post I am assuming that you do not have the Web Server (IIS) role installed and our instructions will involve installing this role as well as the FTP components. If you do have the Web Server (IIS) role already installed, skip steps 1 – 10 and start from step 11.

1. Click Start > Run and then enter servermanager.msc in the Open dialogue box then click OK to load Server Manager:

C:\>servermanager.msc

2. Click on Roles in the left pane and the Roles section will appear in the right pane. Click on Add Roles:

3. In the Add Roles Wizard that appears click Next to proceed:

4. In the Select Server Roles section check Web Server (IIS) and click Next:

5. This will bring up the Web Server (IIS) section, click Next to proceed:

6. In the Select Role Services section you will see the below, some default options will be pre-selected:

Scroll down and check FTP Server, ensure that FTP Service and FTP Extensibility are also checked, then click Next:

7. In the Confirmation section click Install:

8. The installation will start:

9. When the installation finishes, click Close:

10. Reboot the server to ensure that all the components restart cleanly and then re-open the Roles section in Server Manager to confirm the successful installation of the Web Server (IIS) role:

From the above you can see that the Web Server (IIS) role is present so the installation was successful. Under the Role Services section scroll further down and you will see the FTP server components (FTP Server, FTP Service & FTP Extensibility):

Once the installation completes click Close. Reboot the server to ensure it starts up in a clean state.

11. Steps 1-10 have assumed that you do NOT have the Web Server (IIS) role installed. If you do have the Web Server (IIS) role already installed you just need to install the FTP components. The quickest method of installing them is by running the PowerShell commands below:

PS C:\Users\Administrator> Import-Module Servermanager
PS C:\Users\Administrator> Add-WindowsFeature Web-Ftp-Server
PS C:\Users\Administrator> Restart-Computer

The commands above install the FTP server components (FTP Server, FTP Service & FTP Extensibility) and then reboot the server from the PowerShell console. Once the server comes back up, check for these specific components by running the following command in the PowerShell console:

PS C:\Users\Administrator> Get-WindowsFeature Web-FTP*

The output is below confirming the installation of FTP Server, FTP Service & FTP Extensibility:

Creating FTP Users and Group

12. Go back to Server Manager, expand Configuration and then Local Users and Groups:

13. Right-click on Groups and then select New Group:

14. In the Group name box enter FTP Users and click Create per the below:

This creates a group called FTP Users which should appear in the Groups list per the below:

15. Next, right-click on Users and select New User:

16. In the User name box enter FTPUser1 and for the Password enter a password of your choice (I used Password123), then click Create:

You will then see the newly created account in the Users list:

17. Follow steps 15-16 and create 4 more users: FTPUser2, FTPUser3, FTPUser4 and FTPUser5. To save yourself some time, run the commands below in CMD to create the required FTP users and to set their respective passwords to never expire:

net user FTPUser2 Password123 /add
net user FTPUser3 Password123 /add
net user FTPUser4 Password123 /add
net user FTPUser5 Password123 /add
WMIC USERACCOUNT WHERE "Name='FTPUser2'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='FTPUser3'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='FTPUser4'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='FTPUser5'" SET PasswordExpires=FALSE

18. Then run the commands below to move the FTP user accounts into the FTP Users group:

net localgroup "FTP Users" FTPUser1 /add
net localgroup "FTP Users" FTPUser2 /add
net localgroup "FTP Users" FTPUser3 /add
net localgroup "FTP Users" FTPUser4 /add
net localgroup "FTP Users" FTPUser5 /add

As we can see from the FTP Users group properties the FTP accounts were added successfully:

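The same account and group work as steps 12-18, as an added example that is not part of the original post: it creates the FTP Users group and the FTPUser1 to FTPUser5 accounts through ADSI, which the PowerShell 2.0 shipped with Server 2008 R2 supports, prompts for the initial password once instead of placing it on the command line as the net user commands do, sets the password-never-expires flag like the WMIC step, and adds each account to the group. Everything it assumes (the group name, the user names, the local computer) comes from the steps above.

```powershell
# Added example (not from the original post): create the "FTP Users" group and
# the FTPUser1..FTPUser5 accounts through ADSI (WinNT provider).
$computer  = [ADSI]"WinNT://$env:COMPUTERNAME"
$groupName = "FTP Users"
$userNames = 1..5 | ForEach-Object { "FTPUser$_" }
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userFlags bit for "password never expires"

# Read the initial password without echoing it (ADSI SetPassword needs plain text).
$secure = Read-Host "Initial password for the FTP accounts" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Names that already exist locally, so re-running the script does not fail.
$existingGroups = @($computer.Children | Where-Object { $_.SchemaClassName -eq "Group" } | ForEach-Object { $_.Name })
$existingUsers  = @($computer.Children | Where-Object { $_.SchemaClassName -eq "User" }  | ForEach-Object { $_.Name })

if ($existingGroups -notcontains $groupName) {
    $group = $computer.Create("Group", $groupName)
    $group.SetInfo()
}
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

foreach ($name in $userNames) {
    if ($existingUsers -contains $name) {
        Write-Host "$name already exists, skipping creation"
    } else {
        $user = $computer.Create("User", $name)
        $user.SetPassword($plain)
        $user.SetInfo()
        # Same effect as "WMIC USERACCOUNT ... SET PasswordExpires=FALSE".
        $user.RefreshCache()
        $flags = $user.InvokeGet("UserFlags")
        $user.InvokeSet("UserFlags", ($flags -bor $ADS_UF_DONT_EXPIRE_PASSWD))
        $user.SetInfo()
    }
    # Add to the group only if not already a member, so the script can be re-run.
    $user    = [ADSI]"WinNT://$env:COMPUTERNAME/$name,user"
    $members = @($group.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    })
    if ($members -notcontains $name) { $group.Add($user.Path) }
}
$plain = $null   # drop the plain-text copy as soon as it is no longer needed
```

Run it from an elevated PowerShell console; the final membership list can be checked with net localgroup "FTP Users" exactly as in step 18.
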
Configuring the FTP Server

19. Click Start > Run and then enter inetmgr in the dialogue box then click OK to load Internet Information Services (IIS) Manager which is shown below:

20. Once IIS Manager is open right-click on Sites and select Add FTP Site:

21. In the Site Information section configure the settings per the screenshot below and click Next:

22. In the Bindings and SSL Settings section configure it per the screenshot below. Under IP Address select All Unassigned unless you want to use a specific IP, in which case click on the drop-down box and select your desired IP address. Everything else should be as configured below; once done, click Next:

23. In the Authentication and Authorization Information section, configure the settings per the below and click Finish:

This creates a default rule to allow anonymous users Read access to the files in the FTP Site.

24. You will now see the new FTP site we just created simply named FTP Site on the left pane. Click on it and in the right pane open FTP User Isolation:

25. Once open select User name directory (disable global virtual directories) per the below and click Apply under the Actions pane to save the changes:

26. Go back and click on the FTP Site node on the left pane and then open FTP Authentication:

27. Select Basic Authentication and then click Enable in the Actions pane on the right side:

This setting enables Basic Authentication on FTP Site.

28. Go back to the FTP Site node on the left pane and expand it. Then right-click and select Add Virtual Directory:

29. Add the information as it appears in the Add Virtual Directory box below. This adds a Virtual Directory called LocalUser to FTP Site:

Its physical location is C:\FTPData. It is important to note that the physical location can be anywhere, but the name must be LocalUser (it is case sensitive) if you are going to set up FTP User Isolation.

30. Now that we have set up the LocalUser virtual directory we need to set up the folders for each FTP user we created earlier. To do so, run the commands below in a PowerShell console:

New-Item "C:\FTPData\FTPUser1" -type Directory
New-Item "C:\FTPData\FTPUser2" -type Directory
New-Item "C:\FTPData\FTPUser3" -type Directory
New-Item "C:\FTPData\FTPUser4" -type Directory
New-Item "C:\FTPData\FTPUser5" -type Directory

This will create folders with exactly the same name as their respective usernames in C:\FTPData:

As we configured the LocalUser virtual directory to link to C:\FTPData in step 25, we should see the folders we just created in the previous step appear under it in IIS:

31. We also need to configure NTFS permissions for the IUSR account, which IIS uses to access the FTP Site folders:

ICACLS C:\FTPData /Grant IUSR:R /T
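
Steps 30 and 31 combined, as an added example that is not part of the original post: it creates one folder per member of the FTP Users group (so the folder names always match the account names, which user isolation relies on), grants IUSR read access on the tree as the ICACLS command above does, and additionally grants each user NTFS Modify on its own folder only. That last grant rests on an assumption not stated in the post: with Basic authentication the FTP service accesses the file system as the logged-on Windows user, so without it uploads into the isolated folder are refused at the NTFS level even though the FTP authorization rule allows Write.

```powershell
# Added example (not from the original post): create one isolated folder per
# member of "FTP Users" and apply NTFS permissions with icacls.
# Assumption: C:\FTPData is the physical path of the LocalUser virtual directory.
$root  = "C:\FTPData"
$group = [ADSI]"WinNT://$env:COMPUTERNAME/FTP Users,group"

if (-not (Test-Path $root)) { New-Item $root -ItemType Directory | Out-Null }

# IUSR: read only, inherited by new files and folders (the post's ICACLS step).
icacls $root /grant "IUSR:(OI)(CI)R" /T

# Folder names must match the user names exactly for user isolation to resolve.
$members = @($group.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
foreach ($name in $members) {
    $folder = Join-Path $root $name
    if (-not (Test-Path $folder)) { New-Item $folder -ItemType Directory | Out-Null }
    # Assumption: the FTP session runs as this Windows user, so it needs Modify on
    # its own folder only; nothing is granted on sibling folders.
    icacls $folder /grant "${name}:(OI)(CI)M"
}

# Check: each folder should list only IUSR read plus that one user's Modify entry
# among the explicit grants; a user name appearing on another user's folder is a
# sign that isolation is being undermined at the NTFS layer.
foreach ($name in $members) { icacls (Join-Path $root $name) }
```
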

32. Now that the LocalUser virtual directory plus each of the isolated folders has been set up, we have to enable and configure FTP Authorization Rules. Go back and click on the FTP Site node on the left pane, expand it and then expand the LocalUser virtual directory. Select the FTPUser1 folder and in the right pane open FTP Authorization Rules:

33. When the FTP Authorization Rules section loads, click Add Allow Rule in the Actions pane on the right side:

34. When the Add Allow Authorization Rule dialog box appears, ensure the following settings are configured for FTPUser1:

This creates a rule that grants the FTPUser1 account Read and Write permissions to the FTPUser1 directory only; it cannot access any other directories or folders outside C:\FTPData\FTPUser1. When you have completed the above, click OK to save the changes and the rule will be added accordingly:

35. Perform the same steps (19 – 22) to add authorization rules for the remaining FTP users, FTPUser2, FTPUser3, FTPUser4 and FTPUser5, on their respective virtual directories.
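The IIS side of steps 25 to 35 done with appcmd rather than the IIS Manager dialogs, as an added example that is not part of the original post: it sets the user isolation mode that the "User name directory (disable global virtual directories)" option maps to, enables Basic authentication, adds the LocalUser virtual directory and then adds one Allow rule per user scoped to that user's own path under LocalUser. It assumes the site name FTP Site, the path C:\FTPData and the FTPUser1 to FTPUser5 accounts from the steps above.

```powershell
# Added example (not from the original post): configure "FTP Site" for user
# isolation with appcmd and add per-user authorization rules.
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$siteName = "FTP Site"
$root     = "C:\FTPData"
$users    = 1..5 | ForEach-Object { "FTPUser$_" }

# Step 25: "User name directory (disable global virtual directories)".
& $appcmd set site $siteName /ftpServer.userIsolation.mode:IsolateAllDirectories
# Step 27: enable Basic authentication on the site.
& $appcmd set site $siteName /ftpServer.security.authentication.basicAuthentication.enabled:True
# Step 29: the LocalUser virtual directory (the name is case sensitive).
& $appcmd add vdir /app.name:"$siteName/" /path:/LocalUser /physicalPath:$root

# Steps 32-35: one Allow rule per user, scoped to that user's own folder only,
# so the rule for FTPUser2 never appears under FTPUser1's path.
foreach ($user in $users) {
    & $appcmd set config "$siteName/LocalUser/$user" `
        /section:system.ftpServer/security/authorization `
        "/+[accessType='Allow',users='$user',permissions='Read, Write']" `
        /commit:apphost
}

# Check: each path should list exactly one rule naming its own user.
foreach ($user in $users) {
    & $appcmd list config "$siteName/LocalUser/$user" /section:system.ftpServer/security/authorization
}
```

Because the rules are written as location sections in applicationHost.config, the listing at the end is also a quick way to audit that no user has been granted access to a sibling folder.
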

So we have set up an FTP site called FTP Site, configured FTP User Isolation, created a virtual directory root folder and isolated sub-folders, and configured authorization rules to control access to them. We are now ready to test the configuration we have just created.

Testing the Config

36. Open up an FTP client of your choice – I am using FileZilla. Then connect using the relevant server and username/password information and hit Quickconnect per the below:

Once connected successfully, the user FTPUser1 will land in whichever folder his/her virtual directory maps to, in this case C:\FTPData\FTPUser1. FTPUser1 is isolated to, meaning restricted to, that folder only.

I hope this has made this FTP User Isolation a lot simpler to understand and implement.

Install and configure FTP Over SSL (FTPS) in IIS 7.5

This guide will show you how to install FTP Server in IIS 7.5 and also how to configure FTP Over SSL (FTPS).

FTP Over SSL (FTPS) allows FTP sessions to be encrypted. It is vitally important to secure FTP traffic, as usernames and passwords are by default sent in plain text across the network when an FTP client establishes a connection with the server.

Note: In this guide I am assuming that your server environment is Windows Server 2008 R2 and that you have IIS 7.5 already installed but not the FTP Server. I am also assuming that you want to add FTP publishing to an existing site – in the example below this will be the Default Web Site.

Installing the FTP Server

In Server 2008 R2 the FTP Server is a module that can be found under the Web Server role. To install it do the following:

1. Click Start > Run and then enter servermanager.msc in the Open dialogue box then click OK to load Server Manager:

C:\>servermanager.msc

2. Click on Roles in the left pane and the Roles section will appear in the right pane. Locate the Web Server (IIS) section and then click on Add Role Services:

3. In the Select Role Services section scroll down to the bottom and check FTP Server, FTP Service & FTP Extensibility, then click Next and then Install:

4. Once the installation completes click Close. To install FTP Server, FTP Service & FTP Extensibility via the command line run the following:

C:\>CMD /C PKGMGR.EXE /iu:IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility

Configuring the FTP Server

5. Click Start > Run and then enter inetmgr in the dialogue box then click OK to load Internet Information Services (IIS) Manager.

6. Once IIS Manager is open select Default Web Site and then click on Add FTP Publishing under the Actions pane as highlighted below:

7. In the Bindings and SSL Settings section configure the settings per the screenshot below and click Next:

Note: If you want your FTP site to use a specific IP address, select it from the drop-down menu, otherwise leave the default setting which binds all FTP traffic to the site you are creating.

8. In the next section configure per the screenshot below. Under Authentication ensure that only Basic is checked. Under Authorization, ensure that your FTP user account is set under the Specified Users box, then click Finish:

At this point basic FTP publishing has been enabled on the Default Web Site.

9. Next, click on the Server object and then in the right pane double-click on the FTP Firewall Support icon:

10. I am configuring FTP connections to use Passive Transfers and the Data Channel Port Range will be set to 0-0 and the External IP Address of Firewall should be left blank (per below):

Note: The firewall in this environment is the built-in Windows software firewall. As it provides Stateful Packet Inspection (SPI) we do not need to state a port range for passive transfers, as the firewall will detect which ports are dynamically required and allow the data transfers to go through. For more information about configuring firewalls for FTP see this link.

11. Next, click on the Default Web Site and then in the right pane double-click on the FTP Firewall Support icon. When this loads up input the FTP site’s public IP address and then click on Apply under the Actions pane on the right-hand side:

11. Within IIS Manager, click on the server object and in the centre pane open Server Certificates:

12. Then click on Create Self-Signed Certificate in the Actions pane in the right hand side:

13. Type a name for the certificate, I used FTP Site Certificate but any descriptive name will suffice, then click on OK:

14. You will now see the created certificate in the list:

15. Click on the server object again and open FTP SSL Settings:

16. Under SSL Certificate select the certificate we created earlier. Under SSL Policy select Custom and then click on the Advanced button:

17. Under Control Channel select Require only for credentials and under Data Channel select Require and then click on OK:

18. Now click on the Default Web Site, open FTP SSL Settings and configure the same settings as at the server level in steps 15 – 17. Failing to configure the FTP SSL Settings at BOTH the SERVER and SITE levels will result in FTP connection errors per the below:

Response: 534 Local policy on server does not allow TLS secure connections.
Error: Critical error
Error: Could not connect to server

19. Click on the Default Web Site and then click on Bindings in the Actions pane:

20. In the Site Bindings section click on the Add Button:

21. In the Add Site Binding section select the Type as ftp, leave the IP Address box as All Unassigned and then enter the hostname for the FTP Site and then click on OK:

22. Confirm that you can see the new FTP Site binding and then click Close:

23. While still in the Default Web Site context select Advanced Settings in the Actions pane to view the FTP Site’s home directory – it will be the physical path for the Default Web Site:

24. You will need to configure the ftp_user account to have write permissions to C:\inetpub\wwwroot in order for you to be able to upload files to this directory. NTFS permissions should be configured per below:

25. As mentioned earlier, my environment uses the Windows software firewall. The rules that need to be enabled to allow FTP and FTPS communication are:

Inbound Rules
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-In)

Outbound Rules
N/A – because the default setting for public traffic is that outbound connections that do not match a rule are allowed.
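
Steps 11 to 25 as a script, added here as an example that is not part of the original post: it looks up the self-signed certificate by the friendly name entered in step 13, writes the same SSL policy to the server level (siteDefaults) and to the site, which is the pairing step 18 warns about, adds the ftp binding with the host name, grants ftp_user Modify on the home directory and enables the three built-in inbound firewall rules. It assumes the certificate name FTP Site Certificate, the Default Web Site, the host name ftp.vsysad.com, the ftp_user account and the C:\inetpub\wwwroot path, all as given above; the policy values SslRequireCredentialsOnly and SslRequire are the configuration names behind the "Require only for credentials" and "Require" options of step 17.

```powershell
# Added example (not from the original post): FTPS configuration with appcmd and netsh.
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$siteName = "Default Web Site"
$ftpHost  = "ftp.vsysad.com"
$ftpUser  = "ftp_user"

# Step 13/14: thumbprint of the self-signed certificate created in IIS Manager.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "FTP Site Certificate" }
if (-not $cert) { throw "Certificate 'FTP Site Certificate' not found in the Personal store" }
$hash = $cert.Thumbprint

# Steps 15-18: the ssl settings must be identical at server level (siteDefaults)
# and at site level, otherwise clients get
# "534 Local policy on server does not allow TLS secure connections".
& $appcmd set config /section:system.applicationHost/sites `
    /siteDefaults.ftpServer.security.ssl.serverCertHash:$hash `
    /siteDefaults.ftpServer.security.ssl.controlChannelPolicy:SslRequireCredentialsOnly `
    /siteDefaults.ftpServer.security.ssl.dataChannelPolicy:SslRequire /commit:apphost
& $appcmd set site $siteName `
    /ftpServer.security.ssl.serverCertHash:$hash `
    /ftpServer.security.ssl.controlChannelPolicy:SslRequireCredentialsOnly `
    /ftpServer.security.ssl.dataChannelPolicy:SslRequire

# Steps 19-22: ftp binding carrying the host name later used as VirtualHostName|User.
& $appcmd set site $siteName "/+bindings.[protocol='ftp',bindingInformation='*:21:$ftpHost']"

# Step 24: ftp_user needs Modify on the site's home directory in order to upload.
icacls "C:\inetpub\wwwroot" /grant "${ftpUser}:(OI)(CI)M"

# Step 25: enable the built-in inbound rules of the "FTP Server" rule group
# (FTP Traffic-In, FTP Passive Traffic-In, FTP SSL Traffic-In).
netsh advfirewall firewall set rule group="FTP Server" new enable=yes

# Check: the ssl element under siteDefaults and under the site should now match.
& $appcmd list config /section:system.applicationHost/sites
```

The final listing is the quickest way to confirm the two ssl elements agree before testing from a client; a mismatch reproduces the 534 response shown in step 18.
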

Connecting to the FTP Site

26. The only thing left to do is test the connection from your FTP client. Using FileZilla, you will need the connection information below, changing only the Host, User and Password fields according to your specific settings:

Host: ftp.vsysad.com
Protocol: FTP – File Transfer Protocol
Encryption: Require explicit FTP over TLS
Logon Type: Normal
User: ftp.vsysad.com|ftp_user
Password: **********

In FileZilla, I added a site called vSysad and then added the relevant connection info above:

Note: The User field must be VirtualHostName|User for authentication to succeed. The virtual host name is required; the FTP Server expects that string and, if it does not see it, you will get the following error:

Status: Connecting to ftp.vsysad.com…
Status: Connection established, waiting for welcome message…
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS…
Status: Verifying certificate…
Command: USER ftp_user
Status: TLS/SSL connection established.
Response: 530 Valid hostname is expected.
Error: Could not connect to server

27. Once you have input the relevant connection info for the FTP Site, click Connect. Assuming that the connection is successful you will see a pop-up box flagging the certificate as unknown; this is the self-signed certificate we created earlier:

28. Check the box Always trust certificate in future sessions and hit OK. After that you will be connected to the home directory:

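The connection test of steps 26 to 28 done from PowerShell instead of FileZilla, as an added example that is not part of the original post: it uses System.Net.FtpWebRequest with EnableSsl, which performs the AUTH TLS exchange shown above before sending USER, logs in with the VirtualHostName|User form and lists the home directory. Instead of accepting any unknown certificate, it pins the thumbprint of the self-signed certificate, so a different certificate on the wire fails the connection. The host and user names are taken from the post; the thumbprint value is a placeholder to be replaced with the one from the server's Personal certificate store.

```powershell
# Added example (not from the original post): explicit FTPS directory listing with
# a pinned server certificate. Placeholder: $expectedHash must be replaced with
# the real thumbprint of "FTP Site Certificate" from Cert:\LocalMachine\My.
$ftpHost      = "ftp.vsysad.com"
$virtualHost  = "ftp.vsysad.com"          # must match the ftp binding's host name
$ftpUser      = "ftp_user"
$expectedHash = "PLACEHOLDER_THUMBPRINT"  # uppercase hex, no spaces

# Prompt for the password; the pipe-separated user name is built afterwards.
$promptCred = Get-Credential -Credential $ftpUser
$cred = New-Object System.Net.NetworkCredential(
    "$virtualHost|$ftpUser", $promptCred.GetNetworkCredential().Password)

# Trust only the expected certificate rather than silencing validation entirely.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $cert.GetCertHashString() -eq $expectedHash
}

$req = [System.Net.FtpWebRequest]::Create("ftp://$ftpHost/")
$req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
$req.EnableSsl   = $true    # AUTH TLS before USER, as required by "Require only for credentials"
$req.UsePassive  = $true
$req.Credentials = $cred

try {
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $reader.ReadToEnd()                  # directory listing of the home directory
    $reader.Close(); $resp.Close()
} catch [System.Net.WebException] {
    # "530 Valid hostname is expected" here means the user name lacked the
    # VirtualHostName| prefix; a certificate mismatch surfaces as a trust failure.
    Write-Error $_.Exception.Message
}
```

If the server's SSL settings were only applied at one level (step 18), the same script fails with the 534 response quoted there, which makes it a convenient regression check after configuration changes.
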
And that’s all. Happy FTPing over SSL!

References:
Using FTP Virtual Host Names in IIS 7
Configuring FTP 7.5 with Host Header and SSL
Setup FTPS on IIS 7.5 Using Host Headers Tutorial
Local policy on server does not allow TLS secure connections
Configuring FTP Firewall Settings in IIS 7
Using FTP Over SSL in IIS 7