How To Set Up FTP Access for Multiple Users with User Isolation
If you've ever needed to set up multiple FTP sites within IIS7, the walkthrough below will help immensely. Happy reading.
I have encountered many questions about setting up multiple FTP sites in IIS7 so that individual users can access different FTP root locations. There is no reason to use Virtual Host Names and multiple sites to accomplish this goal. IIS7 can provide this functionality using a single FTP site while ensuring that users only have access to a specific directory.
For starters, the Web Server (IIS) role and the FTP Server, FTP Service, and FTP Extensibility Role Services will need to be installed. This is done from within Server Manager.
I created a new FTP site named MainFTP and pointed it to c:\inetpub\ftproot. I also selected All Unassigned for the IP Address and No SSL for simplicity. Select Basic as the Authentication method and Allow access to Specified users. Basic authentication without SSL sends the user name and password in clear text, so require SSL on any site that is reachable from an untrusted network. You have to enter one user to be able to proceed. I set up my local user account for this walk-through. I also enabled both Read and Write permissions. Once the site has been created, click on the MainFTP entry under Sites to open the Features View and double click on FTP User Isolation.
In order to isolate the users and provide access only to a specific directory, I went to the "Isolate users. Restrict users to the following directory:" group and chose "User name directory (disable global virtual directories)", as shown in the screenshot below.
I created 4 users: user1, user2, user3, and user4. user1, user2, and user3 will only have access to a specific directory within c:\inetpub. user4 will have access to all folders within c:\inetpub.
To begin with, I created a virtual directory named LocalUser which I pointed to c:\inetpub\ftproot. To do this, right click on MainFTP and choose Add Virtual Directory. The alias must be LocalUser for the user isolation to work correctly. Right click on the LocalUser virtual directory and select Add Virtual Directory. The alias has to exactly match the name of the local Windows user that you created. For user1, the alias is user1 and the Physical path is c:\inetpub\user1. Click OK to create the virtual directory.
Repeat this process for user2, user3, and user4, setting the physical path of each to the specific directory that user should have access to. Once you have completed this, your directory listing should look like this.
When I originally set up the FTP site, I assigned my local user access to it. This can be viewed by selecting MainFTP and double clicking on the FTP Authorization Rules feature. We now need to grant our users authorization to their respective directories. Click on user1 in the folder list and double click on FTP Authorization Rules in the feature window. You will see that your original user is granted Allow and Read, Write permissions. This was automatically configured when the FTP site was set up. Click on Add Allow Rule…
Select Specified users and enter user1. Check Read and Write in the Permissions as shown below. Click OK to add the Allow Rule.
My local user and user1 can now both access the c:\inetpub\user1 folder via FTP.
Repeat this for the remaining 3 user folders, assigning the specific user access to each folder. It is now time to test. I used FileZilla to connect to my FTP server as user1. The screenshot below shows that the user only has access to the folder assigned in the user1 virtual directory and is unable to traverse up to a higher level to see other data on the server.
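The same configuration can be scripted instead of clicked through. The PowerShell below is an added example, not part of the original walk-through: it sets the isolation mode, creates the LocalUser virtual directories, adds one Allow rule per user, and warns about any rule that grants a directory to someone other than its owner. It assumes the WebAdministration module, an existing MainFTP site and existing local accounts; the physical paths for user2 and user3 are assumed to follow the user1 pattern.

```powershell
# Added example, not from the original walk-through. Run in an elevated session.
# Assumes the WebAdministration module, an existing MainFTP site and existing
# local Windows accounts user1..user4.
Import-Module WebAdministration

$site  = 'MainFTP'
$users = @{                      # alias (= Windows user name) -> physical path
    user1 = 'C:\inetpub\user1'   # path given in the walk-through
    user2 = 'C:\inetpub\user2'   # assumed, same pattern as user1
    user3 = 'C:\inetpub\user3'   # assumed, same pattern as user1
    user4 = 'C:\inetpub'         # user4 sees every folder under C:\inetpub
}

# "User name directory (disable global virtual directories)"
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.userIsolation.mode -Value 'IsolateAllDirectories'

# The parent alias must be exactly LocalUser for local accounts.
if (-not (Test-Path "IIS:\Sites\$site\LocalUser")) {
    New-Item "IIS:\Sites\$site\LocalUser" -Type VirtualDirectory -PhysicalPath 'C:\inetpub\ftproot' | Out-Null
}

foreach ($name in $users.Keys) {
    $path = $users[$name]
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # The alias must match the Windows user name exactly.
    $vdir = "IIS:\Sites\$site\LocalUser\$name"
    if (-not (Test-Path $vdir)) {
        New-Item $vdir -Type VirtualDirectory -PhysicalPath $path | Out-Null
    }

    # Allow rule: Read and Write for this user, scoped to this directory only.
    $location = "$site/LocalUser/$name"
    $filter   = '/system.ftpServer/security/authorization'
    $existing = Get-WebConfiguration "$filter/add" -PSPath 'IIS:\' -Location $location
    if (-not ($existing | Where-Object { $_.users -eq $name })) {
        Add-WebConfiguration $filter -PSPath 'IIS:\' -Location $location -Value @{
            accessType = 'Allow'; users = $name; permissions = 'Read,Write' }
    }

    # Review step: warn about every rule that names someone other than the owner.
    Get-WebConfiguration "$filter/add" -PSPath 'IIS:\' -Location $location |
        Where-Object { $_.users -ne $name } |
        ForEach-Object { Write-Warning "$location also grants $($_.permissions) to '$($_.users)'" }
}
```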
As you can see from this walk-through, this is a great way to provide FTP access to multiple users/clients while ensuring that only the data that a user is granted access to is available. It also requires less administrative effort to maintain since it is a single FTP site with multiple independent user mappings rather than a large number of FTP sites with single user access.