In this step-by-step guide, we’ll look at how to install and configure an FTP server for easy file transfer on Windows Server. The built-in FTP server is available in all versions of Windows Server (as well as the desktop editions of Windows 10/11) and is based on the IIS web server role.
Install an FTP Server on Windows and Create an FTP Site
To install the FTP Server role in Windows Server, open the Server Manager console, run the Add Roles and Features wizard, expand Web Server (IIS) -> FTP Server, and check the options FTP Service and FTP Extensibility.
In Windows 10 and 11, you can install FTP server components using the Turn Windows Features on or off dialog (run the optionalfeatures command). Expand Internet Information Services and select the FTP Server services to install.
Once you have installed the role, you can create an FTP site. Use the IIS management console (inetmgr) to manage an FTP server on Windows.
Create a new FTP site (Sites -> Add FTP Site).
- FTP site name: MyTestSite
- FTP site root directory: C:\inetpub\ftproot
The next step allows you to select a certificate to encrypt and protect FTP traffic (FTP over SSL/FTPS), which is recommended when transferring FTP data over public networks. In this case, we don’t use encryption (No SSL option).
Leave the default settings in the Authentication and Authorization step (we will configure FTP user access permissions later).
Setup User Access Permission on Windows FTP Server
There are two types of user authentication supported by the Windows FTP server:
- Anonymous Authentication – Anyone can access the FTP server (anonymous or guest is specified as the name of the user and any e-mail address as a password);
- Basic Authentication – the user must authenticate with their Windows account (local or domain) to connect to the FTP server.
In this case, we will only allow Basic Authentication (in the Site Settings, expand the FTP Authentication section and enable only this mode).
To make it easier to grant access to the FTP site, create a local group called ftp_users.
Let’s create a local user ftp_user1 and add it to the group:
net user ftp_user1 /add *
net localgroup ftp_users ftp_user1 /add
Then add a domain user to that group:
net localgroup ftp_users woshub\m.korman /add
Give the ftp_users group you created NTFS RW permissions on the C:\inetpub\ftproot directory.
Next, allow specified users and groups to access the FTP site. In the IIS console, select FTP Authorization Rules -> Add allow Rule:
- Specified roles or user groups: ftp_users (users in this group can access FTP)
- Permissions: Read + Write (allow both reading and writing to the FTP directory)
Users can now connect to the FTP server. You can connect to an FTP server with any third-party FTP client, or open FTP directly from Windows Explorer.
In the File Explorer address bar, type the address of the FTP server in the format ftp://192.168.3.21/ and specify the user account and password.
A user should see a list of files and folders on the FTP server.
In this case, all the users will connect to the root of the FTP site and will see all the files. The Windows FTP server supports isolation mode, which allows the creation of a home directory for each user.
Configure FTP User Isolation on Windows
If you need to restrict FTP users’ access to only their folders (home directories), you need to enable the FTP isolation mode. In IIS, open FTP User Isolation in the site settings.
The first two options don’t provide user isolation:
- FTP root directory – the user connects to the FTP site root;
- User name directory – the FTP user session starts in the %username% directory. The session will start from the FTP site root if this directory doesn’t exist.
Different modes of user isolation are available in the next three options:
- User name directory (disable global virtual directories) – the user’s FTP session is isolated by a directory whose name corresponds to the FTP username. Users only see their own directory (it is their root FTP-directory) and cannot go beyond it (to an upper directory in the FTP tree). Any global virtual directories will be ignored;
- User name physical directory (enable global virtual directories) – the user’s FTP session is restricted (isolated) to a physical directory that has the same name as the name of the FTP user account. A user cannot go outside their FTPHome directory. All global virtual directories are available to users;
- FTP home directory configured in Active Directory – The FTP user is isolated within the home directory specified in their Active Directory account settings (FTPRoot and FTPDir user attributes).
Select the isolation mode you want to use (in this example, I am using the second option to isolate the FTP users).
Now you need to create personal directories for users in C:\inetpub\ftproot. Depending on the type of user account, the path to the FTP home directory will be different.
Account Type | Syntax of FTP Home Directory Naming |
Anonymous users | %FtpRoot%\LocalUser\Public |
Local Windows account | %FtpRoot%\LocalUser\%UserName% |
Domain Windows account | %FtpRoot%\%UserDomain%\%UserName% |
Special IIS Manager or ASP.NET accounts | %FtpRoot%\LocalUser\%UserName% |
In this example, I have two users for whom I will create the following directories:
- Local user ftp_user1 (C:\inetpub\ftproot\LocalUser\ftp_user1)
- Domain user woshub\m.korman (C:\inetpub\ftproot\woshub\m.korman)
Users will now only see files in their home directories when connecting to an FTP server.
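The directory layout from the table above can also be scripted. The following is an added example, not part of the original article: it creates the two home directories used in this guide, replaces the inherited NTFS permissions so that each account can reach only its own folder, and switches the site to the second isolation mode. The site name and accounts come from this guide; granting Modify (M) rights and removing inheritance are assumptions of this example.

```powershell
# Added example (not from the original article). Run elevated on the FTP server.
Import-Module WebAdministration

$site    = 'MyTestSite'              # FTP site created earlier in this guide
$ftpRoot = 'C:\inetpub\ftproot'

# Account -> home directory, following the naming table above
$homes = @(
    @{ Account = "$env:COMPUTERNAME\ftp_user1"; Path = "$ftpRoot\LocalUser\ftp_user1" }
    @{ Account = 'woshub\m.korman';             Path = "$ftpRoot\woshub\m.korman" }
)

foreach ($h in $homes) {
    New-Item -ItemType Directory -Path $h.Path -Force | Out-Null
    # /inheritance:r removes ACEs inherited from ftproot (such as the ftp_users grant).
    # Afterwards only SYSTEM (S-1-5-18), Administrators (S-1-5-32-544) and the
    # owning account have access. (M) = Modify is an assumption of this example;
    # it covers FTP read and write without granting permission changes.
    icacls $h.Path /inheritance:r `
        /grant "*S-1-5-18:(OI)(CI)(F)" "*S-1-5-32-544:(OI)(CI)(F)" `
               "$($h.Account):(OI)(CI)(M)" | Out-Null
}

# "User name physical directory (enable global virtual directories)"
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.userIsolation.mode `
    -Value 'IsolateRootDirectoryOnly'

# Check: list who has access to each home directory
foreach ($h in $homes) {
    (Get-Acl $h.Path).Access |
        Select-Object @{n='Path';e={$h.Path}}, IdentityReference, FileSystemRights
}
```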
Install and Configure an FTP Server with PowerShell
You can quickly deploy an FTP server on Windows using a PowerShell script.
Install the FTP server role and management tools on Windows Server:
# Windows Server:
Install-WindowsFeature Web-FTP-Server -IncludeAllSubFeature -IncludeManagementTools
# Windows 10/11 (Install-WindowsFeature is not available on desktop editions):
Enable-WindowsOptionalFeature -Online -FeatureName IIS-FTPServer
Enable-WindowsOptionalFeature -Online -FeatureName IIS-FTPSvc
Enable-WindowsOptionalFeature -Online -FeatureName IIS-FTPExtensibility
Create a local user and group using PowerShell:
$pass = ConvertTo-SecureString "myPassw0rd22!" -AsPlainText -Force
New-LocalUser -Name ftp_user1 -Password $pass
New-LocalGroup -Name ftp_users
Add-LocalGroupMember -Group ftp_users -Member ftp_user1
Create an FTP site directory and grant NTFS access permissions to the ftp_users group:
$ftproot='C:\inetpub\ftproot\MyFTP'
mkdir $ftproot
New-WebFtpSite -Name MyFTP -IPAddress "*" -PhysicalPath $ftproot -Port 21
# Grant access to the ftp_users group created above
icacls $ftproot /grant "ftp_users:(OI)(CI)(F)"
Allow connections without SSL:
$FtpSite="IIS:\Sites\MyFTP"
Set-ItemProperty $FtpSite -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslAllow"
Set-ItemProperty $FtpSite -Name ftpServer.security.ssl.dataChannelPolicy -Value "SslAllow"
Allow basic authentication on the FTP site:
Set-ItemProperty $FtpSite -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Allow the specified group to access the FTP site:
Add-WebConfiguration "/system.ftpServer/security/authorization" -Location MyFTP -PSPath IIS:\ -Value @{accessType="Allow";roles="ftp_users";permissions="Read,Write"}
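To set the external IPv4 address that the FTP server reports to clients for passive-mode connections through a firewall or NAT (this property does not filter clients by source IP address; that is done with the FTP IP Address and Domain Restrictions feature):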
Set-ItemProperty $FtpSite -Name ftpServer.firewallSupport.externalIp4Address -Value "10.2.1.100"
Create a Windows Defender firewall rule to allow access to the FTP server:
New-NetFirewallRule -Name "FTP 21" -DisplayName "FTP 21" -Profile All -Direction Inbound -Action Allow -Protocol TCP -LocalPort 21 -Program "%windir%\system32\svchost.exe"
Restart the FTP site:
Restart-WebItem -PSPath $FtpSite
Use the Test-NetConnection cmdlet to verify that your FTP server is available:
Test-NetConnection -ComputerName yourftpservername -Port 21
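The script above leaves both channels at SslAllow with Basic authentication, so a client that does not negotiate TLS sends its Windows account password in cleartext. The following added example (not part of the original article) sets the same MyFTP site to require FTPS. The host name ftp.example.test and the self-signed certificate are lab placeholders; a CA-issued certificate would take their place in production.

```powershell
# Added example (not from the original article). Run elevated on the FTP server.
Import-Module WebAdministration
$FtpSite = 'IIS:\Sites\MyFTP'

# Lab-only self-signed certificate; ftp.example.test is a placeholder name.
$cert = New-SelfSignedCertificate -DnsName 'ftp.example.test' `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Bind the certificate to the FTP site
Set-ItemProperty $FtpSite -Name ftpServer.security.ssl.serverCertStoreName -Value 'MY'
Set-ItemProperty $FtpSite -Name ftpServer.security.ssl.serverCertHash -Value $cert.Thumbprint

# Weak setting used earlier: "SslAllow" (TLS is optional for the client).
# Hardened setting: refuse logins and transfers that are not encrypted.
Set-ItemProperty $FtpSite -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $FtpSite -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslRequire'

# Only authenticated Windows accounts may log on
Set-ItemProperty $FtpSite -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $FtpSite -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

Restart-WebItem -PSPath $FtpSite

# Check the resulting SSL settings of the site
Get-ItemProperty $FtpSite -Name ftpServer.security.ssl |
    Select-Object controlChannelPolicy, dataChannelPolicy, serverCertHash
```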
7 comments
Hi,
I am trying to build the same, but I am using a secure FTP setup or FTP over SSL, so I have to use a secure FTP client to access the site, such as CoreFTP or FileZilla, and for whatever reason I am able to see other users’ folders even though I am not able to access them.
But I am setting this up for a sensitive data transfer, so I can’t allow users to see other users’ folders, because they can be part of different customers.
Any ideas?
Try to prevent users, at the NTFS level, from displaying the content of the root folder (List folder permission).
Which user isolation mode do you use?
Hi,
Thank you for your instructions, very helpful! However, I need to have home directory for FTP site on D: drive not C:\inetpub\ftproot. How can I change it in Windows 2012 server?
Thank you,
megan
Hi
To change the default home directory on an IIS FTP server:
1) Right-click the FTP site -> Manage FTP Site -> Advanced Settings
2) Then change the PhysicalPath to the one you want (by default %systemdrive%\inetpub\ftproot)
Hi
I’m trying to set up an FTP server that uses Active Directory. My problem is that access to folders in FTP is governed by group membership. So, all members of a specified AD group have access to a specified folder. Users can be members of multiple AD groups, so they can have access to multiple folders. I’m not sure how to go about this, being new to Windows.
Any help is much appreciated.
Thanks
John
Hi, John
For each directory on the FTP server, you can assign rights to certain Active Directory groups at the NTFS permissions level.
Thank you. Poor documentation for the isolation portion left me guessing! The LocalUser / Domain directory was what I was missing.