FTP User Isolation

Applies To: Windows Server 2012 R2, Windows Server 2012

Use the FTP User Isolation feature page to define the user isolation mode for your FTP site. FTP user isolation is a solution for internet service providers (ISPs) who want to offer their customers individual FTP directories for uploading content. FTP user isolation prevents users from viewing or overwriting other users' content by restricting users to their own directories. Users cannot navigate higher up the directory tree because their top-level directory appears as the root of the FTP service. Within their specific site, users can create, modify, or delete files and folders.

UI Elements for FTP User Isolation

The following tables describe the UI elements that are available on the feature page and in the Actions pane.

Feature Page Elements

Element Name

Description

Do not isolate users. Start users in: FTP root directory

Select this option to specify that you do not want to isolate users.

All FTP sessions start in the root directory of the FTP site.

Caution

If they have sufficient permissions, any FTP user can potentially access the content of any other FTP user.

Do not isolate users. Start users in: User name directory

Select this option to specify that you do not want to isolate users.

All FTP sessions start in the physical or virtual directory with the same name as the currently logged-on user if that folder exists; otherwise, the FTP session starts in the root directory of the FTP site.

Note

To specify the starting directory for anonymous access, create a physical or virtual directory folder named default in the root directory of the FTP site.

Warning

If they have sufficient permissions, any FTP user can potentially access the content of any other FTP user.

Isolate users. Restrict users to the following directory: User name directory (disable global virtual directories)

Select this option to specify that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their FTP root location and is restricted from navigating higher up the directory tree.

Note

To create home directories for each user, you must first create a physical or virtual directory under your FTP server's root folder that is named after your domain, or named LocalUser for local user accounts. Next, create a physical or virtual directory for each user account that accesses your FTP site. The following list gives the home directory syntax for the authentication providers that are included with the FTP service:

  • User Account Type: Anonymous users

    Home Directory Syntax: %FtpRoot%\LocalUser\Public

  • User Account Type: Local Windows user accounts (requires Basic authentication)

    Home Directory Syntax: %FtpRoot%\LocalUser\%UserName%

  • User Account Type: Windows domain accounts (requires Basic authentication)

    Home Directory Syntax: %FtpRoot%\%UserDomain%\%UserName%

  • User Account Type: IIS Manager or ASP.NET custom authentication user accounts

    Home Directory Syntax: %FtpRoot%\LocalUser\%UserName%

Note

%FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot.

Important

Global virtual directories are ignored. No FTP users can access virtual directories that are configured at the root-level of your FTP site. All virtual directories must be defined explicitly under a user’s physical or virtual home directory path.

Isolate users. Restrict users to the following directory: User name physical directory (enable global virtual directories)

Select this option to specify that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their FTP root location and is restricted from navigating higher up the directory tree.

Note

To create home directories for each user, you must first create a physical directory under your FTP server's root folder that is named after your domain, or named LocalUser for local user accounts. Next, create a physical directory for each user account that accesses your FTP site. The following list gives the home directory syntax for the authentication providers that are included with the FTP service:

  • User Account Type: Anonymous users

    Home Directory Syntax: %FtpRoot%\LocalUser\Public

  • User Account Type: Local Windows user accounts (requires Basic authentication)

    Home Directory Syntax: %FtpRoot%\LocalUser\%UserName%

  • User Account Type: Windows domain accounts (requires Basic authentication)

    Home Directory Syntax: %FtpRoot%\%UserDomain%\%UserName%

  • User Account Type: IIS Manager or ASP.NET custom authentication user accounts

    Home Directory Syntax: %FtpRoot%\LocalUser\%UserName%

Note

%FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot.

Important

Global virtual directories are enabled. All virtual directories that are configured at the root-level of your FTP site can be accessed by all FTP users, if those users have sufficient permissions.

Warning

When global virtual directories are enabled, all FTP users can potentially access the content of other FTP users, if those users have sufficient permissions.
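The following PowerShell script is an added example, not part of this documentation page: it provisions the per-user home directory layout described in the two "Isolate users" home directory syntax lists above (LocalUser\Public, LocalUser\<user>, <domain>\<user>) and then sets the site's userIsolation mode through the WebAdministration module. The site name, root path, domain name and account names are assumptions; IsolateAllDirectories and IsolateRootDirectoryOnly are the configuration values that correspond to the "disable" and "enable global virtual directories" options.

```powershell
# Added example: build the isolated home-directory tree and set the isolation mode.
# Site name, root path, domain and users below are assumed sample values.
#Requires -Modules WebAdministration
Import-Module WebAdministration

$SiteName = 'Default FTP Site'       # assumed site name
$FtpRoot  = 'C:\inetpub\ftproot'     # %FtpRoot% for this site (assumed)
$Domain   = 'CONTOSO'                # assumed NetBIOS domain name (%UserDomain%)

# Accounts to provision, tagged with the provider that authenticates them.
# Kind = Anonymous | Local | Domain | Custom (IIS Manager / ASP.NET users)
$Users = @(
    @{ Name = 'Public'; Kind = 'Anonymous' },
    @{ Name = 'alice';  Kind = 'Local'     },
    @{ Name = 'bob';    Kind = 'Domain'    },
    @{ Name = 'carol';  Kind = 'Custom'    }
)

# Resolve a user's home directory exactly as the home directory syntax list does:
#   Anonymous -> %FtpRoot%\LocalUser\Public
#   Domain    -> %FtpRoot%\%UserDomain%\%UserName%
#   Local and Custom providers -> %FtpRoot%\LocalUser\%UserName%
function Get-FtpHomeDirectory([string]$Name, [string]$Kind) {
    switch ($Kind) {
        'Anonymous' { Join-Path $FtpRoot 'LocalUser\Public' }
        'Domain'    { Join-Path $FtpRoot "$Domain\$Name" }
        default     { Join-Path $FtpRoot "LocalUser\$Name" }
    }
}

# Create the container folders (LocalUser, <domain>) and one folder per user.
# Report any folder that had to be created: a user without a home directory
# cannot be placed in an isolated root.
foreach ($u in $Users) {
    $dir = Get-FtpHomeDirectory $u.Name $u.Kind
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
        Write-Host "Created missing home directory for $($u.Name): $dir"
    }
}

# Isolate users to their home directory and ignore global virtual directories
# ("User name directory (disable global virtual directories)" on the feature page).
# Use 'IsolateRootDirectoryOnly' instead for the "enable global virtual directories"
# option, bearing in mind the warning above about shared root-level virtual directories.
$Filter = "system.applicationHost/sites/site[@name='$SiteName']/ftpServer/userIsolation"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter `
    -Name 'mode' -Value 'IsolateAllDirectories'
```

Run the script in an elevated PowerShell session on the FTP server; the directory tree is created relative to $FtpRoot, and the mode change is written to ApplicationHost.config for the named site.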

Isolate users. Restrict users to the following directory: FTP home directory configured in Active Directory

Select this option to specify that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings for each FTP user. When a user's object is located in the Active Directory container, the FTPRoot and FTPDir properties are extracted to provide the full path of the user's home directory. If the FTP service can successfully access the path, the user is positioned within their home directory, which represents their FTP root location. The user sees only their FTP root location and is restricted from navigating higher up the directory tree. The user is denied access if either the FTPRoot or the FTPDir property does not exist, or if the two together do not form a valid and accessible path.

Note

This mode requires an Active Directory server that runs using the Windows Server 2003 operating system or a later operating system. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema.

Custom

This option specifies that you want to isolate FTP user sessions by using a custom provider.

Important

This option is an advanced feature that can be selected only by modifying the FTP configuration settings in your ApplicationHost.config file.

Actions Pane Elements

Element Name

Description

Apply

Saves the changes that you have made on the feature page.

Cancel

Cancels the changes that you have made on the feature page.

Set Credentials Dialog Box

Use the Set Credentials dialog box to specify the Active Directory credentials for your FTP server to use when it contacts your Active Directory server to retrieve FTP home directory settings.

Element Name

Description

User name

Specifies the user account that the FTP server uses to contact your Active Directory server.

Password

Specifies the password for the user account.

Confirm password

Confirms the password for the user account.