Hosting Multiple FTP Sites with FTP User Isolation

Applies To: Windows Server 2003, Windows Server 2003 with SP1

You can host multiple FTP sites on the same server running IIS. If you are an ISP or an application service provider in a multi-site Internet hosting scenario and you want to ensure that your customers cannot access the FTP directories of one another, then you can enable FTP User Isolation. When you enable FTP User Isolation, the user's top-level directory appears as the root of the FTP site, so other users cannot view or overwrite content. Within the user's specific site, the user can create, modify, or delete files and folders.

FTP User Isolation supports three isolation modes: Do not isolate users, Isolate users, and Isolate users using Active Directory. You can select the isolation mode during FTP site setup using the FTP Site Creation Wizard. You can use Iisftp.vbs to configure FTP User Isolation, using the /isolation parameter. When you use the /isolation parameter, specify either AD, for Active Directory isolation, or Local, for local isolation. If you do not include the /isolation parameter, the site will not isolate users.

You can select a different isolation mode for each FTP site.

Important

After you set the FTP User Isolation mode and finish the FTP Site Creation Wizard or create the site using Iisftp.vbs, do not change the isolation setting manually.

Do Not Isolate Users Mode

The Do not isolate users mode does not enforce FTP User Isolation and is designed to work like earlier versions of the FTP service in IIS. Because isolation is not enforced among the different users that log on to your FTP server, this mode is ideal for a site that offers only download capabilities for shared content or for sites that do not require protection of data between users.

In this mode, all user directories are at a single level, as subdirectories of the FTP site directory. The site directory can reside either on the local computer or on a network share. When a user accesses the FTP site, the home directory is determined as follows:

  • By default, the initial user directory is set to the physical path configured as the FTP site directory. If this directory does not exist, the user connection is denied.

  • If a user name is supplied, the home directory is derived from the user name. For anonymous users, the derived name is anonymous. For local computer users, the derived name is the user name. For domain users, the derived name is the user name without the domain name.

  • If a directory with the derived name exists in the site directory, then that directory becomes the initial log-on directory for the user.

    Important

    The user is not restricted to this subdirectory and can navigate up to the site directory and into other subdirectories unless you have set ACLs to prevent users from accessing them.

Isolate Users Mode

The Isolate users mode determines a unique home directory for each user derived from the user name. The home directory of the user is treated as a root directory for the user, and the user cannot navigate or access the physical file system outside of the root directory. If users need access to dedicated shared folders, then you can establish a virtual directory.

User home directories are located in a two-level directory structure under the FTP site directory. The site directory can reside either on the local computer or on a network share. When a user accesses the FTP site, the home directory is determined in one of three ways:

  • For anonymous users, the home directory is LocalUser\Public under the FTP root directory.

  • For local users, the home directory is LocalUser\UserName under the FTP root directory.

  • For users that log on with Domain\UserName, the home directory is Domain\UserName under the FTP root directory.

The user home directory must be created before the user logs on. If the directory does not exist when the user attempts to connect, the connection is denied.

For information about creating a new FTP site or converting an existing FTP site to Isolate users mode, see Creating a New FTP Site with Isolate Users Mode and Converting an Existing FTP Site to Isolate Users Mode.

Isolate Users Using Active Directory Mode

In the Isolate users using Active Directory mode, the FTP service is integrated with Active Directory to retrieve home directory information for users. To accomplish this integration, the Active Directory user object is extended with two properties: msIIS-FTPRoot and msIIS-FTPDir. The msIIS-FTPRoot property stores the file server share, and the msIIS-FTPDir property stores the relative physical path to the home directory for each user. You can use Iisftp.vbs to get and set these properties.

Information that is frequently retrieved from Active Directory is cached by the FTP service. The default caching interval is 10 minutes. You can adjust the caching interval by editing the registry entry DsCacheRefreshSecs.

Warning

Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference on the Microsoft® Windows® Server 2003 Resource Kit companion CD or at the Windows Server 2003 Resource Kit web site.

If the FTP service successfully accesses the path, it becomes the home directory for the user. The user cannot access the file system outside this directory. The user is denied access if either the msIIS-FTPRoot or msIIS-FTPDir property does not exist, or if the resulting home directory cannot be accessed.

This configuration option provides maximum flexibility and control over user home directories in an ISP environment. For example, John Doe connects to his FTP site at ftp.example.com. The example.com network load-balancing server (NLBS) resolves this request to the server FTPS3. John Doe enters the user name JohnDoe. FTPS3 is configured with the default domain name Domain4, so the user Domain4\JohnDoe is authenticated and the home directory information for John Doe is retrieved from Active Directory as \\FS1\Share2\Users\u2\johndoe_dir. From now on, FTPS3 will access the data under this home directory for all the FTP requests from John Doe. This example is illustrated in Figure 8.1.

[Figure 8.1: image not reproduced]

User Home Directories

In the Isolate users using Active Directory mode, each user's home directory resides on an arbitrary network path, which gives you the flexibility to distribute user home directories across multiple servers, volumes, and directories. In addition, you can move users' home directories transparently from one location to another, which interrupts service for those users only for the duration of the move. You can also set the msIIS-FTPRoot and msIIS-FTPDir properties so that the user's home directory maps to a local folder on the FTP server; for example, msIIS-FTPRoot is set to E:\FTPUsers.
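The home-directory rules for all three modes (Do not isolate users, Isolate users, and Isolate users using Active Directory) and the John Doe walkthrough above, as an added model that is not IIS code and not part of the original page. It assumes a constructed in-memory set of existing directories in place of the file system, and assumes the Figure 8.1 path splits into msIIS-FTPRoot \\FS1\Share2 and msIIS-FTPDir Users\u2\johndoe_dir.

```python
import ntpath
from dataclasses import dataclass, field

@dataclass
class FtpSite:
    mode: str                                     # "none", "local" or "ad"
    site_root: str                                # physical FTP site directory
    default_domain: str = ""                      # qualifies bare user names in AD mode
    existing: set = field(default_factory=set)    # constructed stand-in for the file system
    ad_props: dict = field(default_factory=dict)  # "Domain\User" -> {msIIS-FTPRoot, msIIS-FTPDir}
def _canon(path):                                 # Windows paths compare case-insensitively
    return ntpath.normcase(ntpath.normpath(path))
def _exists(site, path):
    return _canon(path) in {_canon(p) for p in site.existing}

def resolve_home(site, user=None, anonymous=False):
    """Apply the per-mode rules; returns (granted, home_dir, confined_to_home)."""
    domain, _, name = user.rpartition("\\") if user else ("", "", "")
    if site.mode == "none":                       # Do not isolate users
        if not _exists(site, site.site_root):
            return (False, None, False)
        sub = ntpath.join(site.site_root, "anonymous" if anonymous else name)
        home = sub if _exists(site, sub) else site.site_root   # domain part is dropped
        return (True, home, False)                # user may still navigate up
    if site.mode == "local":                      # Isolate users
        rel = ntpath.join("LocalUser", "Public") if anonymous \
            else ntpath.join(domain or "LocalUser", name)
        home = ntpath.join(site.site_root, rel)
        return (True, home, True) if _exists(site, home) else (False, None, True)
    if site.mode == "ad":                         # Isolate users using Active Directory
        qualified = user if domain else f"{site.default_domain}\\{name}"
        props = site.ad_props.get(qualified, {})
        root, rel = props.get("msIIS-FTPRoot"), props.get("msIIS-FTPDir")
        if root is None or rel is None:           # either property missing: deny
            return (False, None, True)
        home = ntpath.join(root, rel)
        return (True, home, True) if _exists(site, home) else (False, None, True)
    raise ValueError(f"unknown isolation mode {site.mode!r}")

def may_access(home, confined, requested):       # confined users stay under their home
    if not confined:                              # otherwise only NTFS ACLs limit them
        return True
    root, target = _canon(home), _canon(requested)
    return target == root or target.startswith(root.rstrip("\\") + "\\")

# Constructed data for the John Doe walkthrough; splitting the path into the two properties is an assumption.
FTPS3 = FtpSite("ad", r"D:\ftproot", default_domain="Domain4",
                existing={r"\\FS1\Share2\Users\u2\johndoe_dir"},
                ad_props={r"Domain4\JohnDoe": {"msIIS-FTPRoot": r"\\FS1\Share2", "msIIS-FTPDir": r"Users\u2\johndoe_dir"}})
```

Calling resolve_home(FTPS3, "JohnDoe") qualifies the bare name with Domain4, joins the two properties, and confines the session to \\FS1\Share2\Users\u2\johndoe_dir; a user with either property missing is denied.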

Configuring Isolate Users Using Active Directory Mode

There are three main steps to configuring the Isolate users using Active Directory mode:

  • Configure the file servers.

  • Configure Active Directory.

  • Create and configure the FTP sites to be isolated.

When you configure the file servers, you must create the shares and user directories for all the users that are permitted to connect to the FTP service, including the user configured to impersonate anonymous users. Before you complete this step, consider factors such as expected disk space usage, storage management, and network traffic.

To configure Active Directory, you need a server running Windows Server 2003, Standard Edition, and Active Directory. Configure the user object in Active Directory for each user, including the user configured to impersonate the anonymous user, by setting the msIIS-FTPRoot and msIIS-FTPDir properties to point to the home directories that you previously created. You can do this by using the Iisftp.vbs command-line utility with the /SetADProp command. To learn more about setting up Active Directory, see Active Directory in Help and Support Center for Windows Server 2003.

For information about working with FTP sites with Isolate users using Active Directory mode, see Creating a New FTP Site with Isolate Users Using Active Directory Mode, Enabling Anonymous Access for an FTP Site Configured with Isolate Users Using Active Directory Mode, and Converting an Existing FTP Site to Isolate Users Using Active Directory Mode.