
FTP User Isolation Page

Updated: October 5, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Use the FTP User Isolation feature page to define the user isolation mode for your FTP site. FTP user isolation is a solution for Internet service providers (ISPs) who want to offer their customers individual FTP directories for uploading content. FTP user isolation prevents users from viewing or overwriting other users' content by restricting users to their own directories. Users cannot navigate higher up the directory tree because their top-level directory appears as the root of the FTP service. Within their specific site, users can create, modify, or delete files and folders.

The following tables describe the UI elements that are available on the feature page and in the Actions pane.

 

Element Name Description

Do not isolate users. Start users in: FTP root directory

Select this option to specify that you do not want to isolate users.

All FTP sessions will start in the root directory of the FTP site.

Caution: If they have sufficient permissions, any FTP user can potentially access the content of any other FTP user.

Do not isolate users. Start users in: User name directory

Select this option to specify that you do not want to isolate users.

All FTP sessions will start in the physical or virtual directory with the same name as the currently logged-on user if the folder exists; otherwise, the FTP session will start in the root directory of the FTP site.

Note: To specify the starting directory for anonymous access, create a physical or virtual directory folder named default in the root directory of the FTP site.

Caution: If they have sufficient permissions, any FTP user can potentially access the content of any other FTP user.

Isolate users. Restrict users to the following directory: User name directory (disable global virtual directories)

Select this option to specify that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their FTP root location and is restricted from navigating higher up the directory tree.

Note: To create home directories for each user, you first must create a physical or virtual directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, you must create a physical or virtual directory for each user account that will access your FTP site. The following table lists the home directory syntax for the authentication providers that are included with the FTP service:

 

User Account Types                                           Home Directory Syntax
Anonymous users                                              %FtpRoot%\LocalUser\Public
Local Windows user accounts (requires Basic authentication)  %FtpRoot%\LocalUser\%UserName%
Windows domain accounts (requires Basic authentication)      %FtpRoot%\%UserDomain%\%UserName%
IIS Manager or ASP.NET custom authentication user accounts   %FtpRoot%\LocalUser\%UserName%

Note: %FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot.

Important: Global virtual directories are ignored. No FTP users can access virtual directories that are configured at the root level of your FTP site. All virtual directories must be defined explicitly under a user's physical or virtual home directory path.

Isolate users. Restrict users to the following directory: User name physical directory (enable global virtual directories)

Select this option to specify that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their FTP root location and is restricted from navigating higher up the directory tree.

Note: To create home directories for each user, you first must create a physical directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, you must create a physical directory for each user account that will access your FTP site. The following table lists the home directory syntax for the authentication providers that are included with the FTP service:

 

User Account Types                                           Home Directory Syntax
Anonymous users                                              %FtpRoot%\LocalUser\Public
Local Windows user accounts (requires Basic authentication)  %FtpRoot%\LocalUser\%UserName%
Windows domain accounts (requires Basic authentication)      %FtpRoot%\%UserDomain%\%UserName%
IIS Manager or ASP.NET custom authentication user accounts   %FtpRoot%\LocalUser\%UserName%

Note: %FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot.

Important: Global virtual directories are enabled. All virtual directories that are configured at the root level of your FTP site can be accessed by all FTP users, if those users have sufficient permissions.

Caution: When global virtual directories are enabled, all FTP users can potentially access the content of other FTP users, if those users have sufficient permissions.

Isolate users. Restrict users to the following directory: FTP home directory configured in Active Directory

Select this option to specify that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings for each FTP user. When a user's object is located in the Active Directory container, the FTPRoot and FTPDir properties are extracted to provide the full path of the user's home directory. If the FTP service can successfully access the path, the user is positioned within their home directory, which represents their FTP root location. The user sees only their FTP root location and is restricted from navigating higher up the directory tree. The user is denied access if either the FTPRoot or FTPDir property does not exist, or if the two together do not form a valid and accessible path.

Note: This mode requires an Active Directory server that runs the Windows Server 2003 operating system or a later operating system. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema.

Custom

This option specifies that you want to isolate FTP user sessions by using a custom provider.

Important: This option is an advanced feature that can be selected only by modifying the FTP configuration settings in your ApplicationHost.config file.

 

Element Name Description

Apply

Saves the changes that you have made on the feature page.

Cancel

Cancels the changes that you have made on the feature page.
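
The Caution notes above make access depend on file-system permissions wherever isolation is off or global virtual directories are enabled. The following PowerShell script is an added example, not part of the original page: it walks the %FtpRoot%\LocalUser\%UserName% and %FtpRoot%\%UserDomain%\%UserName% layout and lists allow entries held by anyone other than the directory's namesake account. The default root path, the trusted-principal list, the function name, and the assumption that the domain folder name matches the account's domain prefix are all illustrative.

```powershell
# Added example: list non-owner allow ACEs on FTP home directories.
# Assumptions: PowerShell 3.0+, the default root below, and the trusted list.
param([string]$FtpRoot = 'C:\Inetpub\Ftproot')

# Principals expected on every home directory (assumed baseline; adjust).
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

function Get-FtpHomeDirectoryFinding {
    param([string]$Root, [string[]]$TrustedPrincipal)

    # First level is LocalUser or a domain name; second level is the user name.
    foreach ($scope in Get-ChildItem -LiteralPath $Root -Directory) {
        foreach ($userDir in Get-ChildItem -LiteralPath $scope.FullName -Directory) {
            foreach ($ace in (Get-Acl -LiteralPath $userDir.FullName).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                if ($TrustedPrincipal -contains $id) { continue }

                # Local accounts resolve as COMPUTER\name, so compare only the
                # account name under LocalUser; compare DOMAIN\name otherwise.
                $isOwner = if ($scope.Name -eq 'LocalUser') {
                    ($id -split '\\')[-1] -eq $userDir.Name
                } else {
                    $id -eq ('{0}\{1}' -f $scope.Name, $userDir.Name)
                }
                if ($isOwner) { continue }

                # LocalUser\Public (anonymous) and directories for IIS Manager or
                # ASP.NET accounts have no namesake Windows account, so every
                # non-trusted entry on them is reported for manual review.
                [pscustomobject]@{
                    Directory = $userDir.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-FtpHomeDirectoryFinding -Root $FtpRoot -TrustedPrincipal $Trusted |
    Sort-Object Directory, Principal | Format-Table -AutoSize
```

Entries with Inherited set to True come from a parent folder, so the fix belongs on %FtpRoot% or the LocalUser or domain folder rather than on the individual home directory.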
