Wednesday, May 1, 2013

IIS FTP User Isolation

Creating a New FTP Site with Isolate Users Mode (IIS 6.0)

Isolate users mode authenticates users against local or domain accounts before they can access the home directory that matches their username. All user home directories are in a directory structure under a single FTP root directory where each user is placed and restricted to their home directory. Users are not permitted to navigate out of their home directory. If users need access to dedicated shared folders, you can also establish a virtual root. This mode does not authenticate against Active Directory directory service.
Important: You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To create a new FTP site with Isolate users mode

1. In IIS Manager, click the local computer, right-click the FTP Sites folder, point to New, and then click FTP Site.
2. In Welcome to the FTP Site Creation Wizard, click Next.
3. In FTP Site Description, type a description for the FTP site, and then click Next.
4. In IP Address and Port Settings, type an IP address and port number, and then click Next.
5. In FTP User Isolation, click Isolate users, and then click Next.
6. Follow the directions in the FTP Site Creation Wizard.
7. Type or browse to the FTP site home directory, and then click Next.
8. Enable the Read and Write permissions as appropriate, and then click Next, and click Finish.

Q. I am trying to understand the user isolation mode in the Microsoft FTP Server that is included with IIS 6. I do not understand what folders I need to configure as all I get is "User Home Directory Inaccessible" when I try to log onto my FTP site. Can you help?
A. User isolation was added to Microsoft FTP Server with version 6.0 of IIS. This means that user isolation is available on the Windows Server 2003 family only. Future versions will also support this feature.
There are 3 different options for User Isolation when creating an FTP site. These settings can only be set when you are creating a new FTP site and if you want to change the mode you will need to delete the existing FTP site and create a new site, unless you write a script to edit the IIS configuration database.
The three user isolation modes available with IIS 6 are:
Do not isolate users (default option) Users can access the FTP home directory of other users.
Isolate Users Users must be assigned an FTP home directory within the root of the FTP site.
Isolate Users using Active Directory Users must be assigned an FTP home directory that is configured using their Active Directory user account.
Do not isolate users
The default option of "do not isolate users" means that any user that logs onto the FTP site can access any folder on the FTP site (as long as their User Account has the correct NTFS permissions to access the folder). It also means that if a user logs in and there is a folder with the same name as their User Account in the Home Directory of the FTP site, then they will be automatically placed into that directory. The user in this case can use the FTP command "CWD /" to move to the root of the FTP site. This automatic placement into a folder when you log on cannot be disabled.
Isolate Users
When you use the Isolate Users option the user will be placed into a folder and this folder becomes the root of the FTP site for their session. They cannot back up to the real FTP site Home Directory; they are in effect isolated.
There are a number of differences depending on the configuration of the server as shown below:
FTP Server Name   User Account       Isolation Folder   User Folder
FTP-SRV-01        Anonymous          LocalUser          Public
FTP-SRV-01        FTP-SRV-01\User    LocalUser          User
FTP-SRV-01        Domain\User        Domain             User
The main points to take from the above are that:
  • If the user logs in Anonymously and Isolate Users is enabled then the Isolation Folder is called "LocalUser" and the users folder is called "Public".
  • If the User Account that the user is logging in with is an account on the local FTP Server computer then "LocalUser" is the name of the Isolation folder as long as the FTP server is not running on a Domain Controller.
  • If the User Account that the user is logging in with is a Domain Account then the "Domain" is the name of the Isolation folder.
Here is an example of the location of the folders:
Directory                              Description
c:\inetpub\ftproot                     The FTP site's home directory
c:\inetpub\ftproot\LocalUser           The isolation folder
c:\inetpub\ftproot\LocalUser\Public    The user's folder if logging in anonymously
c:\inetpub\ftproot\LocalUser\XYZ       The user's folder if logging in as the local account "XYZ"
c:\inetpub\ftproot\Domain\XYZ          The user's folder if logging in as the "Domain" account "XYZ"
Note: Where Domain is referenced above, change it to the name of your Windows Domain.
Note: When you create an FTP site with Isolated users you need to create the LocalUser or the Domain folder as well as all user account folders.
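The following script is an added example, not part of the original post or of Microsoft's IIS tooling. It encodes the folder mapping from the table above (anonymous to LocalUser\Public, a local account to LocalUser\<user>, a domain account to <Domain>\<user>) and then audits an ftproot tree for the missing folders that produce the "User Home Directory Inaccessible" error described in the question. The server name FTP-SRV-01 comes from the post; the domain name CONTOSO, the user names, and the temporary directory standing in for c:\inetpub\ftproot are constructed for the example. The mapping assumes the FTP server is a member server, not a domain controller, as the post's caveat notes.

```python
import tempfile
from pathlib import Path, PureWindowsPath

ANONYMOUS = "anonymous"


def isolation_parts(logon, server_name):
    """Return (isolation_folder, user_folder) for a logon under Isolate Users mode.

    Follows the post's table: anonymous -> LocalUser\\Public, an account on the
    FTP server itself -> LocalUser\\<user>, a domain account -> <Domain>\\<user>.
    Assumption: the server is not a domain controller (the post's caveat).
    """
    if logon.lower() == ANONYMOUS:
        return ("LocalUser", "Public")
    if "\\" in logon:
        prefix, user = logon.split("\\", 1)
    else:
        # A bare user name is treated as a local account on the FTP server.
        prefix, user = server_name, logon
    if prefix.lower() in (server_name.lower(), "."):
        return ("LocalUser", user)
    return (prefix, user)


def isolation_home(ftproot, logon, server_name):
    """Windows-style path of the folder that becomes the session root."""
    return str(PureWindowsPath(ftproot).joinpath(*isolation_parts(logon, server_name)))


def create_homes(ftproot, logons, server_name):
    """Create the isolation and user folders the post says must exist."""
    root = Path(ftproot)
    created = []
    for logon in logons:
        home = root.joinpath(*isolation_parts(logon, server_name))
        home.mkdir(parents=True, exist_ok=True)
        created.append(str(home))
    return created


def audit_homes(ftproot, logons, server_name):
    """Map each logon to (relative home folder, exists).

    A False entry is a logon that will fail with
    "User Home Directory Inaccessible" because its folder is missing.
    """
    root = Path(ftproot)
    report = {}
    for logon in logons:
        parts = isolation_parts(logon, server_name)
        report[logon] = (str(PureWindowsPath(*parts)), root.joinpath(*parts).is_dir())
    return report


def demo():
    """Build a constructed ftproot in a temp dir and audit it; carol's folder is left out."""
    server = "FTP-SRV-01"
    logons = [ANONYMOUS, "FTP-SRV-01\\alice", "bob", "CONTOSO\\carol"]
    with tempfile.TemporaryDirectory() as tmp:
        create_homes(tmp, logons[:3], server)
        return audit_homes(tmp, logons, server)


if __name__ == "__main__":
    for logon, (folder, ok) in demo().items():
        print(f"{logon:20} -> {folder:22} {'ok' if ok else 'MISSING (home inaccessible)'}")
```

Run against a real server, point `audit_homes` at the site's home directory and pass the list of accounts expected to log on; any logon reported as missing needs its folder created under LocalUser or the domain folder before that user can connect.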
