This is the background of my question (OS is Windows Web Server 2008 R2).

I want to prevent FTP users from deleting files and subfolders of the root FTP directory. I removed the delete permission for the IUSR account for the root folder, but FTP users can still delete the subfolders and files. Is there a different Windows account that FTP runs under other than IUSR?

I authenticate FTP users via a custom authentication provider as described here, http://www.iis.net/learn/develop/developing-for-ftp/how-to-use-managed-code-c-to-create-a-simple-ftp-authentication-provider and the user home directory is chosen as described here, http://www.iis.net/learn/develop/developing-for-ftp/how-to-use-managed-code-c-to-create-a-simple-ftp-home-directory-provider

I am new to IIS and FTP server configuration. Any help is greatly appreciated.

Thanks

Asela
  • I added two request filters to deny 'dele' and 'rmd' FTP commands and it worked! Now files and folders cannot be deleted! I added this to the ftp site I have exposed to the end users so admin ftp accounts can delete without any issues. Please let me know if there are any bad side effects to this. Thanks – Asela Apr 30 '14 at 09:54
  • Adding request filters to deny 'dele' and 'rmd' FTP commands has the drawback of preventing users from resuming uploads. So my problem is still there :( – Asela May 05 '14 at 11:33

1 Answer

Once the user has authenticated, his permissions will apply, not the FTP Service account.

Since by default, all FTP Users are members of the local group "FTP Users", simply go to Properties -> Security -> Advanced -> Edit Permissions and then add a permission entry with the following characteristics on the root folder:

  • Principal Name: "FTP Users"
  • Apply to: "This folder only"
  • Permission: "Delete subfolders and files" - Deny
Mathias R. Jessen
  • Hi Mathias, thanks for the reply, but I got the following error when I tried what you suggested: "An object (User, Group, or Built-in security principal) with the following name cannot be found: "FTP Users". Check the selected object types and locations for accuracy and ensure that you have typed the object name correctly, or remove this object from the selection." – Asela Apr 29 '14 at 10:25
  • Oh, 2008, not R2? You'll need to create a new local group for the FTP users and add them manually then for this to work – Mathias R. Jessen Apr 29 '14 at 10:33
  • My OS is Windows Web Server 2008 R2. And I authenticate FTP users via a custom authentication provider as described here, http://www.iis.net/learn/develop/developing-for-ftp/how-to-use-managed-code-c-to-create-a-simple-ftp-authentication-provider and the user home directory is chosen as described here, http://www.iis.net/learn/develop/developing-for-ftp/how-to-use-managed-code-c-to-create-a-simple-ftp-home-directory-provider Thanks – Asela Apr 29 '14 at 10:46
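
The permission entry from the answer, scripted in PowerShell with two follow-up checks. This is an added example, not code from the thread; the root path and the group name are assumptions, and the group must already exist (create a local group first if it does not, as the comment above suggests).

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# Assumptions: $RootPath and $Principal are placeholders for your FTP root
# and for the local group (or account) your FTP sessions access files as.
param(
    [string]$RootPath  = 'C:\inetpub\ftproot',
    [string]$Principal = 'FTP Users'
)

# Resolve the name first; an unknown group fails here instead of in Set-Acl.
$account = New-Object System.Security.Principal.NTAccount($Principal)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Deny "Delete subfolders and files", applied to "This folder only"
# (no inheritance, no propagation), matching the answer's three settings.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $RootPath
$acl.AddAccessRule($rule)
Set-Acl -Path $RootPath -AclObject $acl

# Check 1: the explicit Deny entry is now present on the root folder.
(Get-Acl -Path $RootPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Check 2: NTFS also permits a delete when the item's own ACL grants Delete,
# so list Allow entries on direct children that include it (Modify does).
$delete = [System.Security.AccessControl.FileSystemRights]::Delete
Get-ChildItem -Path $RootPath | ForEach-Object {
    $child = $_
    (Get-Acl -Path $child.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $delete) -eq $delete } |
        Select-Object @{n='Item';e={$child.Name}}, IdentityReference, FileSystemRights
}
```

Any row printed by the second check names an identity that can still delete that child directly, regardless of the Deny entry on the root.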