5

I have created an FTP site in the IIS 7.5 panel. Now I have access to the whole site using the administrator username and password.

Now, I want to let my friend access a specific folder of that FTP site. (for example, this path: \some\folder\accessible\)

I can't create a whole new FTP Site for this purpose, since it says the port is being used by another website.

How can I create an account for my friend to have access to just a specific folder?

P.S: I have read about User Isolation feature of IIS 7.5, but I couldn't find how to create a user just for FTP and set it to a custom path.

Mahdi Ghiasi

3 Answers

6

I've finally solved this problem. Here is what I did:

  1. Configure FTP with IIS Manager Authentication (I've pointed my FTP site to an empty folder, C:\inetpub\ftproot)

  2. In IIS Control panel, select your FTP Site and then double click on FTP User Isolation.

  3. Select User name directory and click Apply.

  4. Now right click on the FTP Site, click Create new Virtual directory.

  5. Set the alias to the IIS Manager user name that you created in step 1, and set its physical path to wherever you want that user to have access.

  6. Click OK.

Now that IIS manager user is able to access the folder you wanted via FTP, and he'll not have access to any other place.

Please note that you should repeat steps 1-6 for each user. (Step 1, from CONFIGURE THE IIS MANAGEMENT SERVICE AND ADD AN IIS 7 MANAGER part to the end of that page, then steps 2-6)

Mahdi Ghiasi
  • 2
    Future visitors should note that you can accomplish the same thing with a Windows user account and NTFS ACLs as well. – MDMarra Nov 16 '12 at 16:50
  • I want to add that it seems to be required with windows accounts to have a (virtual) directory called 'LocalUser' in your root which in turn has (virtual) directories matching the user names with access. If you are in an AD instead of 'LocalUser' you have to name the folder according to your domain name and when your domain is mydomain.com the folder has to be named 'MYDOMAIN'. As this seems a bit cloudy another tip is to look in Sysinternals Process Monitor and here file system activity from svchost.exe during an attempted user logon to get the actual path the server is looking for. – Jey DWork Mar 17 '19 at 20:15
1

Just went through this myself and learned quite a bit.

There are some additional options and specifics beyond what was explained in the accepted answer that may be beneficial so here we are.

You have two options:

OPTION A: There are no particular requirements on the location or naming of the user's home directory.

OPTION B: The user's home directory will need to be a specific folder and/or will not be named the same as the user's username.

OPTION A: There are no particular requirements on the location or naming of the user's home directory.

  1. Create a Windows user account for the FTP user. This user account does NOT need elevated privileges.

  2. In the Windows filesystem, browse to the root directory of the FTP site and create a folder named "LocalUser".

  3. In this folder create a folder named exactly the same as the user's username.

  4. Set the desired filesystem permissions on this folder (Ex: Add the user and set the permission to Full control)

  5. Open IIS Manager

  6. Click the root of the FTP Site

  7. On the right, Under "FTP", Open "FTP User Isolation"

  8. Under "Isolate Users. Restrict users to the following directory:" select "User name directory (disable global virtual directories)"

  9. Click Apply

  10. Click the root of the FTP Site again

  11. Navigate down through the tree to the LocalUser folder, then finally to the User's home folder.

  12. On the right, Under "FTP", Open "FTP Authorization Rules" and "Add Allow Rule..."

  13. Choose "Specified Users", add the user we created earlier and check the desired permissions. (Ex: Read and Write)

  14. At this point the user should be able to login via ftp using the Windows user account credentials you created in step 1 and they should drop into their home directory.

OPTION B: The user's home directory will need to be a specific folder and/or will not be named the same as the user's username.

  1. Create a Windows user account for the FTP user. This user account does NOT need elevated privileges.

  2. In the Windows filesystem, browse to the root directory of the FTP site and create a folder named "LocalUser".

  3. In the Windows filesystem, browse to the folder that will be the user's home directory.

  4. Set the desired filesystem permissions on this folder (Ex: Add the user and set the permission to Full control)

  5. Open IIS Manager

  6. Click the root of the FTP Site

  7. On the right, Under "FTP", Open "FTP User Isolation"

  8. Under "Isolate Users. Restrict users to the following directory:" select "User name directory (disable global virtual directories)"

  9. Click Apply

  10. Click the root of the FTP Site again

  11. Navigate down through the tree to the LocalUser folder

  12. Right-click the LocalUser folder and click "Add Virtual Directory..."

  13. In the "Alias" field enter the windows username exactly as you named it in step 1

  14. Enter the physical path that will serve as the user's home directory.

  15. Press Ok

  16. Select this new virtual directory in the tree

  17. On the right, Under FTP, Open "FTP Authorization Rules" and "Add Allow Rule..."

  18. Choose "Specified Users" and add the User we created earlier and Check the desired permissions. (Ex: Read and Write)

  19. At this point the user should be able to login via ftp using the Windows user account credentials you created in step 1 and they should drop into their home directory.

TheLostBrain
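OPTION B above, scripted with the WebAdministration PowerShell module; this is an added example and not part of the original answer. The site name, user name and folder are assumed values, the Windows account from step 1 is assumed to exist already, and the script grants NTFS Modify rather than the Full control the answer uses as its example.

```powershell
# Added example (not from the original answer). Run elevated on the IIS host.
Import-Module WebAdministration

$site    = 'MyFtpSite'                  # assumed: name of the existing FTP site
$user    = 'ftpfriend'                  # assumed: existing local Windows account (step 1)
$homeDir = 'D:\some\folder\accessible'  # assumed: folder the user may reach

# Step 2: physical "LocalUser" folder under the FTP site's root.
$root = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$site").physicalPath)
New-Item -ItemType Directory -Path (Join-Path $root 'LocalUser') -Force | Out-Null

# Step 4: NTFS permission on the home folder only. Modify, inherited by
# files (OI) and subfolders (CI), is enough for read and write over FTP.
icacls $homeDir /grant "${user}:(OI)(CI)M" | Out-Null

# Steps 7-9: "User name directory (disable global virtual directories)".
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.userIsolation.mode `
    -Value 'IsolateAllDirectories'

# Steps 12-15: virtual directory LocalUser/<username> -> home folder.
New-WebVirtualDirectory -Site $site -Name "LocalUser/$user" `
    -PhysicalPath $homeDir | Out-Null

# Steps 17-18: allow rule for this user only, scoped to that virtual directory.
Add-WebConfiguration '/system.ftpServer/security/authorization' `
    -PSPath 'IIS:\' -Location "$site/LocalUser/$user" `
    -Value @{ accessType = 'Allow'; users = $user; permissions = 'Read,Write' }

# Review what is now configured: isolation mode, the per-user rule, and any
# rules defined at the site root that would also apply to this user.
Get-ItemProperty "IIS:\Sites\$site" -Name ftpServer.userIsolation.mode
foreach ($location in "$site/LocalUser/$user", $site) {
    "Authorization rules at ${location}:"
    Get-WebConfiguration '/system.ftpServer/security/authorization/add' `
        -PSPath 'IIS:\' -Location $location |
        Select-Object accessType, users, roles, permissions
}
```

For a domain account, the first comment under the accepted answer applies: the parent folder is named after the domain instead of "LocalUser".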
1

It's all set with windows permissions. Keep in mind if the folder you want is inside a folder you don't want him to have, he will still need a minimum of Read access to the folder containing the destination folder.

I would recommend setting up FileZilla Server; it will give you more control and I think it will help you do what you want more easily. It doesn't require Windows credentials and you can jail (restrict a user's home directory) to wherever you want. Plus you can use symbolic links that appear in their home directory but point elsewhere. That makes it easier to administer than with IIS 7.

rws907
  • So, letting a user see (and modify) just a subfolder is not possible in IIS 7.5? – Mahdi Ghiasi Nov 16 '12 at 16:00
  • Not if they don't have at least read rights to the parent folder. If they do, technically you could tell them that they have to configure the path exactly but you're putting a lot of trust that the user a) knows how to do that and b) is trustworthy. – rws907 Nov 16 '12 at 16:09
  • 1
    @rsmith84 you can do all of that with FTP 7.5 services. – MDMarra Nov 16 '12 at 16:32
  • Learn something new everyday. – rws907 Nov 16 '12 at 16:52