FTP User Isolation with IIS 8

FTP User Isolation is a great way to lock down your FTP site and prevent users from accessing resources they are not supposed to. Regardless if your server is providing shared hosting or dedicated hosting, FTP User Isolation can be leveraged for greater FTP security. It is particularly beneficial in hosting environments when you have a limited number of IP addresses to utilize but have several users requiring FTP access. In this case you’ll want to create 1 master FTP site and configure user virtual directories. Alternatively if your web server has several IP addresses available then one will typically deploy FTP Publishing on each site being hosted using a dedicated IP address. FTP user isolation in this case is not as critical but can still be implemented if you need multiple users accessing different folders on the same site.

In This Walk-through

In this walk-through I’ll be configuring 1 master FTP that will be used to isolate FTP users for 3 different web site’s I’ve created. To see how to setup an FTP site please check my recent blog post on setting up an FTP site with SSL. Our FTP site will use c:\inetput\ftproot as the root directory. Double check the FTP Authentication section has Anonymous Authentication disabled and Basic Authentication enabled.



Create User Group for FTP Users

Our server has 3 user accounts we want to use for FTP access: ftpuser1, ftpuser2, ftpuser3. In the Computer Management console under Local Users and Groups create a new group called FTPUsers.



Add the 3 FTP users to the group and then go to the root folder of the FTP site c:\inetpub\ftproot and add FTPUsers group to the folder permissions.



Check the FTP Authorization Rules

Go back to the Features View of the FTP site in the IIS Manager and click on FTP Authorization. In the FTP Authorization settings select Specified roles or user groups enter the FTPUsers group we just created.  By storing the users in 1 group it will make it easier to maintain in the future if we have to add more FTP users. We want the users to have Read and Write permissions.



Configure LocalUser Virtual Directory

Now on the the FTP site we need to create a virtual directory called LocalUser. This is a special directory which is required to make the user isolation work properly. Right click on the master FTP site and then click Add Virtual Directory.


Enter the name LocalUser and specify the root folder of the FTP site c:\inetpub\ftproot.



Create FTP User Virtual Directories

Under the LocalUser virtual directory create an additional virtual directory for each FTP user. Enter the name of the FTP user and set the physical path to the web site they will be accessing. In this example ftpuser1 will be access c:\domains\domain1.com. Ftpuser2 will access c:\domains2.com and Ftpuser3 will access c:\domains3.com.


Since we have 3 FTP users we’ll have a virtual directory for each user under LocalUser.



Configure FTP User Isolation

On the Features View of the FTP Site and click on FTP User Isolation. Under the section Isolate Users select User name directory (disable global virtual directories). As a reminder If you are deploying FTP Publishing at the site level with only 1 user accessing the site content then user isolation is not necessary and selecting the first option FTP root directory will be sufficient. The FTP user will be dropped into the root of the site.



Testing FTP Client

Now our FTP site is ready for testing. With my FTP client I connect to the site using ftpuser1 and I am correctly logged into domain1.com root folder.


You can test if the isolation is working properly by trying to change the directory to the parent level or another ftp user’s folder. If you remember back to FTP and IIS 6  this would have been possible or at least you you would have been able to get into the root folder of the FTP site and potentially seen other FTP users’ folders. In the example below I login as ftpuser2 and then try to change to the directory of ftpuser1 however thanks to FTP Isolation we get an error message that the path does not exist. Each user is now completely isolated from the others.


In Summary

Starting with IIS 7, Microsoft completely redesigned the FTP service offering the highest level of security. FTP User Isolation will completely shield web site content from other FTP users. It is particularly beneficial when you have an FTP site that needs to allow access to multiple users to different folder paths. Thanks for reading.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

One Response

  1. Travis