Windows 2022
Sponsored Link

FTP Server : FTP User Isolation2022/02/02

 
Configure FTP User Isolation Setting.
For this setting, each user can access only to their own named folder.
If thete is no file share requirements among users, this setting is useful.
[1] Run PowerShell with Admin Privilege and Configure FTP Service.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# add FTP site
# -Name [any name you like]
# -IPAddress [listening IP address] (below is 0.0.0.0 (all))
# -Port [listening port]
PS C:\Users\Administrator> New-WebFtpSite -Name "FTPRoot" -IPAddress "*" -Port 21 

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
FTPRoot          2    Started                                   ftp *:21:

# set physical folder that is used for FTP site
# example below, create a [FTPSite01] folder under the [C:\inetpub\ftproot] that is created by default and set it
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPRoot" -Name physicalPath -Value 'C:\inetpub\ftproot' 

# set SSL/TLS setting (example below is allowing No SSL)
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPRoot" -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslAllow" 
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPRoot" -Name ftpServer.security.ssl.dataChannelPolicy -Value "SslAllow" 

# set basic authentication
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPRoot" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true 

# set read and write authority to all local users
PS C:\Users\Administrator> Add-WebConfiguration "/system.ftpServer/security/authorization" -Location FTPRoot -PSPath IIS:\ -Value @{accessType="Allow";users="*";permissions="Read,Write"} 

# set user isolation
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPRoot" -Name ftpServer.userIsolation.mode -Value "IsolateRootDirectoryOnly" 

# set external IP address (the one client computers can connect)
PS C:\Users\Administrator> Set-ItemProperty "IIS:\Sites\FTPRoot" -Name ftpServer.firewallSupport.externalIp4Address -Value "10.0.0.101" 

# create the [LocalUser] folder under the Path you set as physical path of FTP site (it is needed on this setting)
# if Domain users, create [(FTP root)\(%UserDomain%)]
PS C:\Users\Administrator> mkdir C:\inetpub\ftproot\LocalUser 

    Directory: C:\inetpub\ftproot


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         1/31/2022  11:43 PM                LocalUser

# restart FTP site
PS C:\Users\Administrator> Restart-WebItem -PSPath 'IIS:\Sites\FTPRoot' 

# create folders for each local user that each folder name is the same with thier username
# naming rule ⇒ [(FTP root)\LocalUser\(Username)] (example below is for [Serverworld] user)
PS C:\Users\Administrator> mkdir C:\inetpub\ftproot\LocalUser\Serverworld 
PS C:\Users\Administrator> icacls "C:\inetpub\ftproot\LocalUser\Serverworld" /grant "Serverworld:(OI)(CI)(F)" 
processed file: C:\inetpub\ftproot\LocalUser\Serverworld
Successfully processed 1 files; Failed processing 0 files
FTP Server : FTP User Isolation (GUI)
 
On GUI configuration, set like follows.
[2] Add FTP Site.
Run [Start] - [Server Manager] and Click [Tools] - [Internet Information Services (IIS) Manager]. Next, Select the [Site] and right click it, then Open [Add FTP Site].
[3] Input any name for [FTP site name], specify physical Path for [Physical path]. On this example, set the default root [C:\inetpub\ftproot] to [Physical path].
[4] This is Binding setting section. It's OK to keep default for IP Address and Port.
For the case of this default setting, FTP service listens on 0.0.0.0:21.
For [SSL] section, Select settings for your needs.
[5] This is Authentication and Authorization settings section.
Set [Basic] for authentication and [All users] for Authorization.
[6] FTP site has been added. Select the new FTP site on the left pane and click [FTP Firewall Support] on center pane.
[7] Set IP address that client computers can connect to.
[8] Back to FTP site index and Click [FTP User Isolation] on the center pane.
[9] Check a box [User name physical directory] and apply setting.
[10]
On FTP User Isolation setting, FTP root folder is needed for each user.
Create a [LocalUser] folder under the FTP root of the FTP site. (on this example, FTP root is [C:\inetpub\ftproot])
Next, create user folders that folder name is the same with each username and add read and write authority to their folders.
(example below is for [Serverworld] user)
That's OK, FTP User Isolation setting has done. Try to access to FTP site from Client Computer.
Matched Content