This guide will show you how to setup FTP User Isolation on Windows Server 2008 R2.
So what is FTP User Isolation? It allows you to isolate or limit access to FTP users connecting to your FTP server to the root directory or a user name directory. So for example is when user1 connects to your FTP server he will only be able access a folder named user1. In Server 2008 R2, the user1 folder can either be a physical folder or a virtual directory.
The best way to learn is by doing so let’s crack on and setup FTP User Isolation on Windows Server 2008 R2!
Installing the FTP Server
In Server 2008 R2 the FTP Server is a module that can be found under the Web Server role. In this post I am assuming that you do not have the Web Server (IIS) role installed and our instructions will involve installing this role as well as the FTP components. If you do have the Web Server (IIS) role already installed, skip steps 1 – 10 and start from step 11.
1. Click Start > Run and then enter servermanager.msc in the Open dialogue box then click OK to load Server Manager:
2. Click on Roles in the left pane and the Roles section will appear in the right pane. Click on Add Roles:
3. In the Add Roles Wizard that appears click Next to proceed:
4. In the Select Server Roles section check Web Server (IIS) and click Next:
5. This will bring up the Web Server (IIS) section, click Next to proceed:
6. In the Select Role Services section you will see the below, some default options will be pre-selected:
Scroll down and check FTP Server and ensure FTP Service and FTP Extensibility, then click Next:
7. In the Confirmation section click Install:
8. The installation will start:
9. When the installation finishes, click Close:
10. Reboot the server to ensure that all the components restart cleanly and then re-open the Roles section in Server Manager to confirm the successful installation of the Web Server (IIS) role:
From the above you can see that the Web Server (IIS) role is present so the installation was successful. Under the Role Services section scroll further down and you will see the FTP server components (FTP Server, FTP Service & FTP Extensibility):
Once the installation completes click Close. Reboot the server to ensure it starts up in a clean state.
11. Steps 1- 10 have assumed that you do NOT have the Web Server (IIS) role installed, however, if you do have the Web Server (IIS) role already installed you just need to install the FTP components. The quickest method of installing them is by running the PowerShell command below:
PS C:\Users\Administrator> Import-Module Servermanager PS C:\Users\Administrator> Add-WindowsFeature Web-Ftp-Server PS C:\Users\Administrator> Restart-Computer
The commands above installs the FTP server components (FTP Server, FTP Service & FTP Extensibility) and then reboots the server via the PowerShell console. Once the server comes back up check for these specific components by running the following commands in the PowerShell console:
PS C:\Users\Administrator> Get-WindowsFeature Web-FTP*
The output is below confirming the installation of FTP Server, FTP Service & FTP Extensibility:
Creating FTP Users and Group
12. Go back to Server Manager, expand Configuration and then Local Users and Groups:
13. Right-click on Groups and then select New Group:
14. In the Group name box enter FTP Users and click Create per the below :
This creates a group called FTP Users which should appear in the Groups list per the below:
15. Next, right-click on Users and select New User:
16. In the User name box enter FTPUser1 and for the Password enter a password of your choice. I used Password123 then click Create:
You will then see the newly created account in the Users list:
17. Follow steps 15-16 and create 4 more users; FTPUser2, FTPUser3, FTPUser4 and FTPUser5. To save yourself some time run the commands below in CMD to create the required FTP users and to set their respective passwords to never expire:
net user FTPUser2 Password123 /add net user FTPUser3 Password123 /add net user FTPUser4 Password123 /add net user FTPUser5 Password123 /add WMIC USERACCOUNT WHERE "Name='FTPUser2'" SET PasswordExpires=FALSE WMIC USERACCOUNT WHERE "Name='FTPUser3'" SET PasswordExpires=FALSE WMIC USERACCOUNT WHERE "Name='FTPUser4'" SET PasswordExpires=FALSE WMIC USERACCOUNT WHERE "Name='FTPUser5'" SET PasswordExpires=FALSE
18. Then run the commands below to move the FTP user accounts into the FTP Users group:
net localgroup "FTP Users" FTPUser1 /add net localgroup "FTP Users" FTPUser2 /add net localgroup "FTP Users" FTPUser3 /add net localgroup "FTP Users" FTPUser4 /add net localgroup "FTP Users" FTPUser5 /add
As we can see from the FTP Users group properties the FTP accounts were added successfully:
Configuring the FTP Server
19. Click Start > Run and then enter inetmgr in the dialogue box then click OK to load Internet Information Services (IIS) Manager which is shown below:
20. Once IIS Manager is open right-click on Sites and select Add FTP Site:
21. In the Site Information section configure the settings per the screenshot below and click Next:
22. In the Bindings and SSL Settings section configure it per the screenshot below. Under IP Address select All Unassigned unless you want to use a specific IP, in which case, click on the drop-down box and select your desired IP address. Everything else should be as configured below, once done click Next:
23. In the Authentication and Authorization Information section, configure the settings per the below and click Finish:
This creates a default rule to allow anonymous users Read access to the files in the FTP Site.
24. You will now see the new FTP site we just created simply named FTP Site on the left pane. Click on it and in the right pane open FTP User Isolation:
25. Once open select User name directory (disable global virtual directories) per the below and click Apply under the Actions pane to save the changes:
26. Go back and click on the FTP Site node on the left pane and then open FTP Authentication:
27. Select Basic Authentication and then click Enable in the Actions pane on the right side:
This settings enables Basic Authentication to FTP Site.
28. Go back to the FTP Site node on the left pane and expand it. Then right-click and select Add Virtual Directory:
29. Add the information as it appears in the Add Virtual Directory box below:
The above adds a Virtual Directory called LocalUser to FTP Site:
Its physical location is C:\FTPData. It is important to note that the physical location can be anywhere but the name must be LocalUser (it is case sensitive) if you are going to setup FTP User Isolation.
30. Now that we have setup the LocalUser virtual directory we need to setup the folders for each FTP user we created earlier. To do so run the commands below in a PowerShell console:
New-Item "C:\FTPData\FTPUser1" -type Directory New-Item "C:\FTPData\FTPUser2" -type Directory New-Item "C:\FTPData\FTPUser3" -type Directory New-Item "C:\FTPData\FTPUser4" -type Directory New-Item "C:\FTPData\FTPUser5" -type Directory
This will create folders with exactly the same name as their respective usernames in C:\FTPData:
As we configured the LocalUser virtual directory to linked to C:\FTPData in step 25 we should see the folders we just created in the previous step appear under it in IIS:
31. We also need to configure NTFS permissions for the IUSR account, which IIS uses to access the FTP Site folders:
ICACLS C:\FTPData /Grant IUSR:R /T
32. Now that the LocalUser virtual directory plus each of the isolated folders has been setup we have to enable and configure FTP Authorization Rules. Go back and click on the FTP Site node on the left pane and then expand it and then expand the LocalUser virtual directory. Select the FTPUser1 folder and in the right pane open FTP Authorization Rules:
33. When the FTP Authorization Rules section loads, click Add Allow Rule in the Actions pane on the right side:
34. When the Add Allow Authorization Rule dialog box is appears ensure the following settings are configured for FTPUser1:
This creates a rule that allows the FTPUser1 account Read and Write permissions to the FTPUser1 directory only, it cannot access any other directories or folders unless they are in C:\FTPData\FTPUser1. When you have completed the above, click OK to save the changes and the rule will be added accordingly:
35. Perform the same steps (19 – 22) to add authorization rules for the remaining FTP users which are FTPUser2, FTPUser3, FTPUser4 and FTPUser5 to their respective virtual directories.
So we have setup an FTP site called FTP Site, configured FTP User Isolation, created a virtual directory root folder and isolated sub-folders and configured authorization rules to control access to them. We are now ready to test the configuration we have just created.
Testing the Config
36. Open up an FTP client of your choice – I am using FileZilla. Then connect using the relevant server and username/password information and hit Quickconnect per the below:
Once connected successfully the user FTPUser1 will access whichever folder his/her virtual directory relates to, in this case it is C:\FTPData\FTPUser1. So FTPUser1 is isolated to, meaning he/she is restricted to their respective folder only.
I hope this has made this FTP User Isolation a lot simpler to understand and implement.