Saturday, November 22, 2008

FTP in Windows Server 2008 - isolating users

Apparently Windows 2003 has something called "FTP user isolation". You know, so lots of people use one FTP site and see only their own stuff? I never really needed this as a few years ago I accidentally discovered an apparently undocumented way of doing isolating FTP users:

  • Create a single FTP site with the default folder location, disallow anonymous access
  • For each FTP username you want, create Active Directory or local Windows users on the IIS box with damn good passwords
  • Create virtual directories in IIS with the same names as the usernames you just created. Point them to the home directories you want for your users
  • For each of these folders, make sure its relavent username has NTFS write permissions

Easy! You would not want to set up thousands of users like this but if only have a couple it works a treat. Each user logging into your FTP site with their AD or local username and password (use an AD account if your FTP server is also a domain controller - yikes!) and see only their own folder.

Now, I've just got my first Windows Server 2008 web and FTP server I just assumed all this would still work, but I have just found its a bit more complicated. Actually, its positively bonkers. This example is for domain users, it might be different for local users. Anyway, to achieve the same thing in Windows Server 2008...

  • Install IIS, Download the FTP server for Server 2008 (mutter mutter), set up an FTP site pointing at some empty folder - probably c:\inetpub\ftproot
  • In the IIS tools, select your FTP site so all the options are displayed on the right. Select "FTP User Isolation", and set it to Isolate Users, using "user name directory" (the first Isolated option)
  • In Windows Explorer, create a folder called the name of the domain (just the short version, no dots) in the ftp root folder (I really can't remember how I figured out this was needed!)
  • Back in the IIS tools expand the site so you can see the new folder. Right click, New Virtual Directory. Give it one of the usernames and point it to the folder that username should be restricted to. Create a virtual directory for each of the users you want to have access.

Not the most obvious process!

1 comment:

  1. Nice post. Great blog. Thanks for the share. Keep posting such kind of information on your blog. I bookmarked it for continuous visit. Thanks once again.
    flash to html5 converter