Posted on January 9, 2015 · Posted in Windows Server 2012 R2

FTP Server with User Isolation on Windows Server 2012 R2

Despite FTP being one of the oldest protocols (it is 40 years old already), it is being used everywhere when a simple file transfer protocol is necessary. It is possible to install an FTP server in any Microsoft operation system. Last deep modernization of the service was made in Windows 7 / Server 2008 R2 (actually the service code has almost been written from scratch). The security of the service has considerably improved and a number of new features have appeared. In particular, FTP server on Windows have the opportunity to configure FTP user isolation. It allows to restrict access of a number of users to their own folders on a single FTP server.

Due to the isolation, users can work only with their folders and can’t go up the FTP directory tree. Thus, the access to the data of other users on the FTP server can be prevented. FTP user isolation is widely used by ISP/ASP providers when they need to give individual access to a single file storage for different users.

Like  in previous Windows versions, the FTP service in Windows Server 2012 R2 is based on and deeply integrated into IIS and has a single administrative management interface.

In this article we’ll show how to install an FTP server on the base of IIS 8 in Windows Server 2012 R2 and configure the user isolation in it (the instructions are also applicable to Windows 8).

How to Install the FTP Service in Windows Server 2012 R2

You can install an FTP service with  Server Manager console by checking FTP Service and FTP Extensibility in section  Web Server(IIS) -> FTP Server.

Install ftp server on Windows Server 2012 r2

Also you can set an FTP server role with a single Powershell command:

Install-WindowsFeature Web-FTP-Server

Install-WindowsFeature Web-FTP-Server

Creating FTP Site, Users and configuring rights

Open IIS management console (Internet Information Service Manager).

IIS management console

And create a new FTP site (Sites ->Add FTP Site).

Create ftp site

The name of the FTP site: MyTestSite

The root directory of the FTP site: C:\inetpub\ftproot

ftp site name and path

To protect data, you can configure SSL for FTP (if you do it, all data and passwords/accounts of the FTP users transferred in the network are encrypted ), but in our presentation it is not necessary. All other settings are left default.

Select an FTP site and disable the Anonymous Authentication in the FTP Authentication section. Basic Authentication must be enabled.

FTP Authentication

An FTP service on Windows 2012 R2 can use two account types: domain or local. Depending on the account type, there are some differences in the structure of FTP directories and isolation settings. To make it easier to describe, we will use local Windows accounts.

Create some FTP users, suppose, these are ftp_user1, ftp_user2 and ftp_user3. Also create a group ftp_users which includes those users. You can create users in Local Users and Groups section of  Computer Management console.

computer managment console

Or do it from the command prompt:

net localgroup ftp_users /add

net localgroup /add

net user ftp_user1 /add *

net user add

net localgroup ftp_users ftp_user1 /add

add localuser to localgroup

Create the two other users in the same way.

Give ftp_users the RW rights to the directoryC:\inetpub\ftproot.

ftproot ntfs permissions

Make a directory with the name LocalUser (the name must be the same, it’s important!!!) in C:\inetpub\ftproot. Then make three directories under with names ftp_user1, ftp_user2, ftp_user3 in C:\inetpub\ftproot\LocalUser.

Note. Depending on the account type, you have to create the following directory structures (under %FtpRoot%\ we mean the root of the FTP site; in our case it is C:\inetpub\ftproot\):

Account Type Syntax of Home Directory Naming
Anonymous users %FtpRoot%\LocalUser\Public
Local Windows account %FtpRoot%\LocalUser\%UserName%
Domain Windows account %FtpRoot%\%UserDomain%\%UserName%
Special IIS Manager or ASP.NET accounts %FtpRoot%\LocalUser\%UserName%

ftp users home folders

Let’s go back to the IIS console and create a new rule (Add AllowRules) in FTP Authorization Rules for the site. Specify that ftp_users group must have the rights to read and write.

FTP Authorization Rules

How to Configure FTP User Isolation on Windows Server 2012 R2

Let’s move to configuring FTP user isolation. The isolation of FTP users is configured on the level of the FTP site, not the entire server.

Open FTP User Isolation in the settings of the FTP site.

This section contains several settings. The first two of them do not suggest user isolation:

  1. FTP root directory (an FTP session of a user starts in the root directory of the FTP site)
  2. User name directory (the user starts with physical/virtual directory u with the user name. If the directory is missing, a session begins in the root directory of the FTP site)

The next three options are different modes of user isolation:

  • User name directory (disable global virtual directories) suggests that the ftp session of a user is isolated in a physical/virtual directory that has the same name as the ftp user. Users see only their own directory (it is their root directory) and cannot go beyond it (to the upper directory of the FTP tree). Any global virtual directories are ignored.
  • User name physical directory (enable global virtual directories) suggests that the ftp session of a user is isolated in a physical directory that has the same name as the name of the ftp user account. A user cannot go above its directory. However, a user can access all global virtual directories.
  •  FTP home directory configured in Active Directory – an FTP user is isolated within their home directory specified in the settings of his Active Directory account (FTPRoot and FTPDir properties)

Important. If the global virtual directories are active, all users can access all virtual directories set in the root of the FTP site (with the appropriate NTFS permissions).

FTP User Isolation on Windows Server 2012 R2

Select the desired isolation mode (we have chosen the second option) and try to connect to your FTP site with any FTP client or directly from Explorer (specify ftp://yourservername/ in the address bar).

Enter the user name and password

open ftp site in windows explorer

And now we have access to the home directory with the user data (which is the root of the FTP site to the user). As we can see, the user session is isolated and the user sees only their data.

ftp user home folder is isolated

Tip. In case of anonymous connection to the FTP site, a session is limited to LocalUser\Public directory (it’s obvious, that Public directory has to be created in advance).

So, we have looked how to configure an FTP site with user isolation in Windows Server 2012 R2. In the isolation mode the users are authenticated on FTP with their local or domain accounts to access their root directory with the same name as the user has.

Related Articles