Thursday, December 22, 2016

Create FTP with Local User Isolation (in GUI Method)

The magic of FTP with user isolation is that every user has their own directory and cannot see or browse other users' directories. On Linux, this is similar to the "chroot" option applied after the user has logged in. This feature has been available since IIS 7.5 (Server 2008 R2).
In this tutorial, we are going to create an FTP site with user isolation in graphical mode. If you are looking for an automated setup, I wrote a PowerShell script for that here.

1) Install the necessary Windows Server features.
Go to Server Manager >> Add roles and features. Click Next until you reach the Select Server Roles page.
On the server role page, select Web Server IIS and IIS Management console. See Fig-1.
On the Role services page, select FTP service & IIS Management console. See Fig-2.
Click Next, Next & finish the installation.
Fig-1: Required role to install
Fig-2: Required role service to install
2) Create FTP Site & give necessary permissions
Open "Internet Information Services (IIS) Manager" from the Administrative menu.
Right-click the site icon & choose "Add FTP Site". See Fig-3.
Fig-3: Add first FTP Site
On the next page, name the FTP site "First-Ftp-Site". The content directory is "C:\ftproot". You need to create that folder in advance.
On the Binding page, choose "No SSL", choose "All unassigned" and Port 21. See Fig-4.
Fig-4: Change SSL setting and Port
On the next page, choose Basic Authentication and give read and write permission to FtpAdmin. You need to have created the 'FtpAdmin' user beforehand. This user exists for browsing users' uploaded files. See Fig-5.
Fig-5: Set user authentication & permission to ftp site

3) Add Root Virtual Directory
You need to add a new virtual directory under your FTP site. The name must be 'LocalUser'; otherwise user isolation does not work. Right-click First-Ftp-Site and select 'Add Virtual Directory...'. Fill in the alias and physical path. See Fig-6.
Fig-6: The root virtual directory location
4) Add Virtual Directories for ALL FTP users
As in step 3, we have to add a virtual directory for each and every FTP user. Before this, you need to create every user in the 'Local Users and Groups' console. Also, every user's directory must be created under the FTP root folder. See Fig-7. Right-click and choose 'Add Virtual Directory' under 'First-Ftp-Site' (I show 'jack' as an example). The location is C:\ftproot\jack. Fig-7 shows all the consoles you need to work with.

Fig-7: Add Virtual Directory for user 'jack'
After you have created the 'jack' virtual directory, you can see that 'FtpAdmin' inherits the read/write permission from its parent FTP site, as shown in the figure. So you will need to explicitly add another read/write permission for 'jack' on his directory. Select the 'jack' virtual directory and double-click 'FTP Authorization Rules'. See Fig-8. In the "FTP Authorization Rules" middle pane, right-click and select 'Add Allow Rule'. See Fig-9. Give 'jack' the read/write permission and click OK. See Fig-10.
You need to repeat the same steps for all the FTP users.

 Fig-8: Add 'jack' FTP authorization rule

Fig-9: Add Allow Rule in FTP Authorization Panel

Fig-10: Add read/write permission to 'jack'
5) Set FTP User Isolation type and restart the FTP service
So far, you are done with the users and the physical and virtual directories. Now you have to turn on the FTP user isolation feature. To do this, select 'First-Ftp-Site' and double-click "FTP User Isolation". Select the radio button "User name directory (Disable global virtual directories)". On the right pane, click Apply. See Fig-11. Then restart the FTP service. See Fig-12.
Fig-11: Turn on FTP User Isolation Feature
Fig-12: Restart FTP Service
6) Testing with the user 'jack'
Now it's time to test our FTP site with the users we created. Let's start with 'jack'. From another machine, type ftp://yourserverIP/. In my case, it's ftp://10.170.0.11/. It will prompt you for a user name and password. Enter jack's credentials. See Fig-13.
Fig-13: Testing FTP with user 'jack'
Now you can see that 'jack' can successfully create his folders and files under his private directory. See Fig-14.
 Fig-14: Now, user 'jack' can create his folder and files
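A scripted version of this test, as an added example that is not part of the original post: after logging in as one user, it confirms the session cannot move above its own directory or into another user's folder. The function name, the `FakeFtp` stand-in and the user 'alice' are assumptions made for illustration.

```python
import ftplib


def check_isolation(ftp, other_users):
    """Return findings for a logged-in FTP session; empty list = isolation held."""
    findings = []
    home = ftp.pwd()
    # Assumption: an isolated session reports its own folder as "/".
    if home != "/":
        findings.append(f"login landed in {home!r}, expected '/'")
    # Try to step above the home directory; an isolated session stays put.
    try:
        ftp.cwd("..")
    except ftplib.error_perm:
        pass
    if ftp.pwd() != home:
        findings.append(f"'cd ..' escaped to {ftp.pwd()!r}")
        ftp.cwd(home)
    # Try the usual ways of naming another user's folder.
    # (A folder the test user created with the same name gives a false hit.)
    for name in other_users:
        for path in (f"/{name}", f"/LocalUser/{name}", f"../{name}"):
            try:
                ftp.cwd(path)
            except ftplib.error_perm:
                continue  # a 550 refusal is the expected result
            findings.append(f"could enter {path!r} (now at {ftp.pwd()!r})")
            ftp.cwd(home)
    return findings


class FakeFtp:
    """Constructed stand-in for ftplib.FTP so the check runs offline."""
    def __init__(self, routes):
        self.routes, self.cur = {"/": "/", **routes}, "/"

    def pwd(self):
        return self.cur

    def cwd(self, path):
        if path not in self.routes:
            raise ftplib.error_perm("550 constructed refusal")
        self.cur = self.routes[path]


if __name__ == "__main__":
    # Against a real server: ftp = ftplib.FTP("10.170.0.11"); ftp.login("jack", password)
    print(check_isolation(FakeFtp({"..": "/"}), ["alice"]))           # isolated
    print(check_isolation(FakeFtp({"/alice": "/alice"}), ["alice"]))  # not isolated
```

Run it once per FTP user after step 5, passing the other account names as `other_users`; any non-empty result means the isolation mode or a virtual directory needs rechecking.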
7) (Optional) Adding FTP Administrator
You can add an FTP administrator who can browse users' uploaded files. For this, simply add a virtual directory for FtpAdmin (the user we created earlier) under the 'LocalUser' directory. The physical path should be the FTP root directory (in our case c:\ftproot). When you connect with the FTP admin's username and password, you will be redirected to the FTP root directory. See Fig-15.
Fig-15: Creating FTP Administrator virtual directory
