Configuring a (more-or-less) Secure FTP Site on Windows 2003

For a long time we have had an FTP site that we used for transferring files around inside our firewall.  No one from the outside world had access so security wasn’t a concern.  We allowed anonymous FTP access and life was good.

Then we suddenly had a need to allow people from outside the firewall to upload files to our server.  It would have been too much trouble to change our existing site to forbid anonymous access because we had a lot of automated processes in place that expected to be able to log on anonymously.  So we chose to set up a second FTP site on the same server that would require users to log on with a specific user id and password and to be restricted to their own home directory once they were connected.  This turned out to be both easier and more difficult than you would expect.

Creating a New FTP Site

Setting up the second FTP site is a piece of cake.  Simply open the IIS Manager, right click on FTP Sites and select New | FTP Site.  This will start the FTP Site Creation Wizard.  Fill in the values for the following fields:

  • Description - Enter a meaningful description of the FTP site.
  • IP address to use for this site - You would generally want to leave this as “All Assigned”, but you can restrict FTP to a specific internal IP address.
  • TCP port for this site - You will need to use a port number other than 21 (assuming that your first FTP site used 21).  This can be anything you want, but should be > 1023 to avoid conflicts with other well known port numbers.  I chose 2021.
  • FTP User Isolation - This is the tricky part.  If you select “Do not isolate users” all FTP users will share the same root directory and will have access to each other’s files.  If you select “Isolate users” each user will have their own home directory, but that directory will be a sub-directory of the home directory for this FTP site.  Anonymous users will use <ftproot>\LocalUser\Public.  People logging on with a user id local to the server will use <ftproot>\LocalUser\userid.  People logging on with a domain user id will use <ftproot>\domain\userid.  If you can live with this directory structure, this is by far the easiest way to restrict users to their own home directory.  Unfortunately, this didn’t work for us.  That left us with the final option, “Isolate users using Active Directory”.  This allowed us to put each user’s home directory wherever we wished, but configuring that home directory was a bit of a pain.  I will show you how to set up the user id a bit later.
  • Root Directory - Enter the path of this FTP site’s root directory.
  • User name - Enter a user name that the FTP server can use to access the Active Directory.
  • Password - Enter the password of “User name”.
  • Default Active Directory Domain - Enter the domain that you want FTP users to use by default when logging in.

Once you click the finish button, the FTP site will be created.  If you chose either of the “Isolate users” options no one is going to be able to log in yet because you need to set up the home directories first.

Setting Up Home Directories

If you selected “Isolate users” above, you obviously need to create user ids and passwords for your FTP users.  These can be either local or domain user ids and are set up in the usual way.  Nothing special is required.  Then just create the users’ home directories in the root directory of the new FTP site as described above.  Obviously, the user ids will need permission to read and possibly write the home directory.  For example, suppose your FTP site’s root directory is C:\ExternalFtpRoot and you want to allow a local user whose id is localftp access to your FTP site.  His home directory would be C:\ExternalFtpRoot\LocalUser\localftp.  Suppose you want to allow access to a domain user whose id is LNS2\domainuser.  His home directory would be C:\ExternalFtpRoot\LNS2\domainuser.

If you selected “Isolate users using Active Directory” it gets a bit more complicated.  First of all, you have to use a domain user id since the user’s home directory is stored in Active Directory.  Setting up the user is done in the usual way.  However, setting the user’s FTP root and FTP home directories involves a bit of esoterica that is not especially well documented in the Microsoft documentation.  You have to open a command prompt and use the IisFtp.vbs script to set both of these values.

Suppose you have a user whose id is ftpuser and you want the user’s home directory to be E:\ftp_in\ftpuserhome.  The FTP root directory would be E:\ftp_in and the FTP home directory would be ftpuserhome.  To set these values, use the following commands:

  • IisFtp.vbs /SetADProp ftpuser FTPRoot E:\ftp_in
  • IisFtp.vbs /SetADProp ftpuser FTPDir ftpuserhome

Now all that remains is to create the FTP user’s home directory and make sure that the user has permission to read and possibly write it and you should be off to the races.
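Here is the whole “Isolate users using Active Directory” procedure above (home directory, NTFS permissions, the two IisFtp.vbs properties, and a read-back check) as one batch file for cmd.exe on Windows Server 2003.  This is an added example, not a script from the original post; the domain LNS2, user ftpuser, root E:\ftp_in and sub-directory ftpuserhome are placeholders to replace with your own values.

```batch
@echo off
REM Added example (not from the original post): scripts the AD-isolated FTP
REM user setup described above.  Values below are placeholders.
setlocal
set FTPDOMAIN=LNS2
set FTPUSER=ftpuser
set FTPROOT=E:\ftp_in
set FTPDIR=ftpuserhome
set FTPHOME=%FTPROOT%\%FTPDIR%
set IISFTP=cscript //nologo %SystemRoot%\system32\iisftp.vbs

REM 1. Create the user's home directory under the FTP root.
if not exist "%FTPHOME%" mkdir "%FTPHOME%"

REM 2. NTFS permissions.  /P replaces the inherited ACL so this user cannot
REM    see other users' directories through permissions inherited from the
REM    root.  C = change (read + write); use R for a download-only account.
REM    "echo Y|" answers the confirmation prompt cacls shows without /E.
echo Y| cacls "%FTPHOME%" /P "%FTPDOMAIN%\%FTPUSER%":C "BUILTIN\Administrators":F "NT AUTHORITY\SYSTEM":F

REM 3. Store the FTP root and FTP home directory on the user's AD account
REM    (the msIIS-FTPRoot and msIIS-FTPDir attributes that IIS 6 reads).
%IISFTP% /SetADProp %FTPUSER% FTPRoot %FTPROOT%
%IISFTP% /SetADProp %FTPUSER% FTPDir %FTPDIR%

REM 4. Read both values back and confirm the combined path really exists;
REM    a typo here means the user's logon is refused with no useful error.
%IISFTP% /GetADProp %FTPUSER% FTPRoot
%IISFTP% /GetADProp %FTPUSER% FTPDir
if exist "%FTPHOME%" (echo OK: %FTPHOME% is ready for %FTPDOMAIN%\%FTPUSER%) else (echo ERROR: %FTPHOME% missing & exit /b 1)
endlocal
```

Run it as a domain account that may write the user’s AD object; the lookup account you entered in the site wizard only needs to read these attributes.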
