We'd like to set up an IIS 7 FTP server with non-Windows user accounts. We've heard that FTP Server v7.5 supports this, but the documentation is talking about "IIS Manager Accounts" and implies that these accounts have the ability to configure sites and applications. We want low-privilege accounts that only have the ability to read and write files in their home directories. Is there a way to accomplish this?
-
What do you mean by "non-windows user accounts"? Do you mean not Active Directory accounts? – Izzy Nov 09 '09 at 20:29
-
I'm looking to create accounts that have no privileges on the system other than on the FTP server. In my case this is a standalone server so they would be Windows accounts, not Active Directory accounts. See the answer below. – davidcl Nov 10 '09 at 14:23
-
Interesting to note that this question just earned the "Popular Question" badge by passing 1000 views, which makes me think a lot of people have this question. Although the question's been answered, I still don't have a good understanding of what "IIS Manager" permissions are and what the benefits and drawbacks of granting them are. – davidcl May 01 '10 at 16:09
-
Davidcl, I can no longer comment on your original post since it has been answered, but I am actually trying to accomplish the same thing and would like to know what you ended up implementing in order to solve this problem. Does using the IIS Manager to create accounts introduce any sort of security flaw? – Nitax Jun 24 '10 at 15:51
3 Answers
IIS 7 introduces IIS Manager accounts which can be used for a number of things, including FTP.
Note that once you grant them IIS Manager Permissions, they will be able to manage their site using IIS Manager, as long as you also turn on the Management Service (WMSvc) at the top level.
Additionally, you can then grant that user access to FTP.
Here are the key steps:
- create a user at the top level, under IIS Manager Users
- give the "Local Service" user read/write access to the site, or change the Web Management Service (WMSvc) service to a custom account and use that instead. The account that the WMSvc service runs under is what needs to have read/write access to disk when using an IIS Manager user.
- grant that user access to the site or application, under IIS Manager Permissions
- in FTP Authentication on the site, make sure to add the IisManagerAuth custom provider
- in FTP Authorization, make sure to grant that user access
Everything else is the same as you would set up a Windows user for FTP.

-
So there's no way to give a user FTP access without giving them the ability to manage the site? – davidcl Nov 10 '09 at 14:26
-
Do you mean FTP but not IIS Manager access? You're correct, it's not possible, but it's not as bad as it seems. From delegated permissions in IIS Manager, the user only has permissions to update their site's web.config, which they can do through FTP anyway. They can't make changes that apply to applicationHost.config. So, this just gives them a friendly tool to do what they can already do. – Scott Forsyth Nov 10 '09 at 21:42
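The five key steps from the answer above, scripted as an added example (not code from any of the posters). The site name, user name and content path are placeholder assumptions, and the account in step 2 is the one the answer names. Run it from an elevated PowerShell prompt on the IIS server.

```powershell
# Added example: placeholder values, adjust before use.
$Site    = 'ftp.example.com'       # assumed FTP site name
$FtpUser = 'ftpuser1'              # assumed IIS Manager user name
$Content = 'C:\inetpub\ftproot'    # assumed content directory of the site
$appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"

# 1. Create the IIS Manager user. It is stored in IIS configuration and is
#    not a Windows account. The assembly below is installed with the
#    Management Service role service.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Web.Management')
$password = (Get-Credential -Credential $FtpUser).GetNetworkCredential().Password
[void][Microsoft.Web.Management.Server.ManagementAuthentication]::CreateUser($FtpUser, $password)

# 2. Give the account WMSvc runs under (Local Service unless changed)
#    access to the content on disk. M = Modify (read, write, delete),
#    inherited by subfolders (CI) and files (OI).
icacls $Content /grant 'NT AUTHORITY\LOCAL SERVICE:(OI)(CI)M'

# 3. Grant IIS Manager Permissions on this one site only.
#    The third argument is $false because $FtpUser is a user, not a role.
[void][Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($FtpUser, $Site, $false)

# 4. Add the IisManagerAuth custom provider to the site's FTP authentication.
#    Arguments are quoted so PowerShell passes them to appcmd unchanged.
& $appcmd set config '-section:system.applicationHost/sites' `
    "/+[name='$Site'].ftpServer.security.authentication.customAuthentication.providers.[name='IisManagerAuth',enabled='True']" `
    '/commit:apphost'

# 5. Add an FTP authorization rule for that user only.
& $appcmd set config $Site '-section:system.ftpServer/security/authorization' `
    "/+[accessType='Allow',users='$FtpUser',permissions='Read, Write']" `
    '/commit:apphost'

# Review what was granted: the FTP rules, the ACL on the content folder,
# and whether the Management Service is running at all.
& $appcmd list config $Site '-section:system.ftpServer/security/authorization'
icacls $Content
Get-Service -Name WMSvc | Select-Object Name, Status
```

The last three commands are the review step: the authorization section should list only the intended user, and the WMSvc status shows whether the Management Service mentioned in the answer is turned on.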
In FTP 7.5, you can create non-Active Directory accounts for use in FTP.
Open IIS Manager, click on the item under Start Page (it is the name of the machine), then look for the Management section (very bottom). Click on IIS Manager User, add any user for FTP here.
You also need to do one more thing: click on Management Services and click on Windows credentials or IIS Manager credentials. That's it.

-
Not quite... must enable the IisManagerAuth provider. For the site in question dbl-click on FTP Authentication and then under Actions click Custom Providers. Select the IisManagerAuth provider and click OK. Follow the link in judoman's answer and see STEP 2. – mobill May 12 '16 at 20:18
Please note that the IIS Manager Users and IIS Manager Permissions icons are not installed in IIS by default. If you don't see them in the IIS Manager console, you can add them by enabling the Management Service Role Service in IIS.
To do this, launch Server Manager and in the left pane, highlight Web Server (IIS) which is located under Roles (assuming you have IIS already installed). On the right pane, scroll down about halfway until you see the Add Role Services link on the far right. Click it. The Add Role Services dialog appears.
Put a check mark next to Management Service, located under the Management Tools tree. Press Install, and voila!
Here's a graphical representation of what I just wrote: http://learn.iis.net/page.aspx/321/configure-ftp-with-iis-7-manager-authentication/#02
