FTP . IIS . User Isolation
sherweb news
Terri Donahue

How To Set Up FTP Access for Multiple Users with User Isolation

If you’ve ever found yourself needing to set up multiple FTP Sites within IIS7, the walk through below will help immensely. Happy reading.

I have encountered many questions about setting up multiple FTP sites in IIS7 so that individual users can access different ftp root locations. There is no reason to use Virtual Host Names and multiple sites to accomplish this goal. IIS7 can provide this functionality using a single FTP site while ensuring that users only have access to a specific directory.

For starters, the Web Server (IIS) role and the FTP Server, FTP Service, and FTP Extensibility Role Services will need to be installed. This is done from within Server Manager.

I created a new FTP site named MainFTP and pointed it to c:\inetpub\ftproot. I also selected All Unassigned for the IP Address and No SSL for simplicity. Select Basic as the Authentication method and Allow access to Specified users. You have to enter one user to be able to proceed. I setup my local user account for this walk-through. I also enabled both Read and Write permissions. Once the site has been created, click on the MainFTP entry under Sites to open the Features View and double click on FTP User Isolation.

 MainFTP Home

In order to isolate the users and provide access only to a specific directory, I chose Isolate users. Restrict users to the following directory: User name directory (disable global virtual directories) as shown in the screenshot below.

 FTP User Isolation

I created 4 users: user1, user2, user3, and user4. user1, user2, and user3 will only have access to a specific directory within c:\inetpub. User4 will have access to all folders within c:\inetpub. To begin with, I created a virtual directory named LocalUser which I pointed to c:\inetpub\ftproot. To do this, right click on MainFTP and choose Add Virtual Directory. The alias must be LocalUser for the user isolation to work correctly. Right click on the LocalUser virtual directory and select Add Virtual Directory. The alias has to exactly match the local windows user that you created. For user1, the alias is user1 and the Physical path is c:\inetpub\user1. Click OK to create the virtual directory.

 Add Virtual Directory

Repeat this process for user2, user3, and user4 setting each to the specific directory they should have access to in the physical path. Once you have completed this, your directory listing should look like this.

 FTP Directory Listing

When I originally setup the FTP, I assigned my local user access to the FTP site. This can be viewed by selecting MainFTP and double clicking on the FTP Authorization Rules feature. We now need to grant our users authorization to their respective directories. Click on user1 in the folder list and double click on FTP Authorization Rules in the feature window.  You will see that your original user is granted Allow and Read, Write permissions. This was automatically configured when the FTP site was setup. Click on Add Allow Rule…

 FTP Authorization Rules

Select Specified users and enter user1. Check Read and Write in the Permissions as shown below. Click OK to add the Allow Rule.

Allow FTP Authorization Rule 

I have now my local user and user1 that can access the c:\inetpub\user1 folder via FTP.

 FTP Authorization of Multiple Users

Repeat this for the remaining 3 user folders assigning the specific user access to the folder. It is now time to test. I used Filezilla to connect to my ftp server as user1. The screenshot below shows that the user only has access to the folder assigned in the user1 virtual directory and is unable to traverse up to a higher level to see other data on the server.

 User Authorization Breakdown

As you can see from this walk-through, this is a great way to provide FTP access to multiple users/clients while ensuring that only the data that a user is granted access to is available. It also requires less administrative effort to maintain since it is a single FTP site with multiple independent user mappings rather than a large number of FTP sites with single user access.

 If you found this tutorial useful, or have anything  to add,  please leave a comment below.

As a managed Windows hosting company that puts a major emphasis on both service and support, we strive to go beyond offering the best solutions in dedicated and Cloud server solutions. If you would like to learn more, give us a call at 1-855-780-0955, or email us at Sales@sherweb.com 

  • twitter
  • linkedin
  • facebook
  • google
  • 4


Terri Donahue

About Terri Donahue

Terri is a System Administrator that has been supporting IIS since version 4.0. Through the years she has had extensive hands-on experience with many web servers including Lotus Domino, Apache, and of course, IIS. She has a passion for helping people solve technology related problems. In addition, she's an active member of the Charlotte PowerShell User Group. She was originally awarded Microsoft MVP for IIS in 2013 and was recently re-awarded on July 1st, 2014.

Related Articles


Cloud Servers . Private cloud
What-is-Private Cloud

What is Private Cloud?

In an era where everybody speaks IT, you may already know enough about clouds! But let me tell you, there is always room to learn more. Cloud service providers offer three different types of cloud service: public cloud, hybrid cloud or private cloud. This article will focus on the Private Cloud. [+]

Cloud Servers . Remote Desktop Services
Guillaume Boisvert

Reselling IaaS: What you should know about Remote Desktop Services

Hardware virtualization has been an alternative to costly IT infrastructure, allowing the use of one server to provide multiple virtual machines. Application virtualization removes the dependency between an application and the end-user device. It allows a program to be executed directly from a server with only input/output interactions processed on the workstation. These virtualization technologies are at the center of the Windows-based Remote Desktop and RemoteApps scenarios. You can leverage them to offer tailored services for SMBs who want to reduce expenditures on end-user devices. [+]