Mastering IIS FTP Part 1: Redirecting Users
Published: 04 Mar 2004
Unedited - Community Contributed
by Web Team at ORCS Web

Part 1: Managing multiple users with one IP Address

In choosing which software to use for managing the server-side of FTP, often times people don't use Microsoft's FTP program because they think that it's too simple or they think that it doesn't do what they want. I'm going to attempt to reveal some of the hidden but powerful features that exist with Microsoft's FTP program. Understanding just a couple basic concepts and putting those concepts to good use will open up a new world of possibility.

I'm not trying to convert the many people that are using another FTP program or try to say that Microsoft's is better. I don't work for Microsoft and I'm not being paid to endorse their product. But for those that aren't happy with their current solution, want to utilize Microsoft FTP better or are diving into this fresh, read on.

I'm assuming that you are somewhat familiar with using Microsoft IIS / FTP. The 10 second description for those coming in brand new is: For those running a version of Windows that includes IIS (Internet Information Services), you already have Microsoft FTP available to you. This is included in Windows NT/2000/2003/XP. Except for Windows NT, use the IIS snap-in found in Start -> Administrative Tools -> Internet Information Services. If you don't have that installed, it can be installed from Add/Remove Programs in the control panel. For some people using Windows XP you won't see Administrative Tools off your Start Menu. You can still find them in your control panel. For those wondering what FTP means, you've probably stumbled across the wrong article.

Let's get started:

Rule #1: If (virdir name = user name) Then (path of virdir takes effect)

Now, what does that mean? Microsoft FTP, which I'll call MS FTP after this, doesn't have an interface like most of us would expect, where you can add a user and point to a particular folder. Instead, it has a strange way of handling this. If the Virtual Directory name is exactly the same as a Windows User's name, then the Virtual Directory will “catch” the user rather than the root FTP account.

Of course, if you have lots of IP addresses, you can assign one IP address per user and setup multiple sites and then rely on the NTFS permissions to grant or deny access to particular sites. (Note: Windows XP only allows 1 FTP site.) But, even if you do this, there may come a time when you want to use the same IP address for multiple users who will be destined for different locations. For those trying to run a web server with multiple sites and one IP address, you'll benefit the most from this rule. Let me start with an example:

Let's say you have this directory structure:

And you have 3 users.
- Mike needs access to the root of
- Sue needs access to the root of
- Joe needs access to the graphics folder of

I'll repeat myself because I feel this is important. The trick with MS FTP is that if the Virtual Directory name is the same as a Windows Username, the user will be "caught" by the Virtual Directory and directed to the folder specified in the Virtual Directory.

Example in MS-FTP

Behind the scenes, the “Mike” Virtual Directory is pointing to D:\domains\, Sue is pointing to D:\domains\ and Joe is pointing to D:\domains\\graphics.

- If you logged in as Mike, then the Mike virdir would "catch" it and you would be dropped into the D:\domains\ folder.
- Same with Joe or Sue. They would be caught by their corresponding Virtual Directories.

Now, let's say you had another user called Jane. If you logged in as Jane then the settings on the “Default FTP Site” will handle her because there isn't a Virtual Directory to “catch” her and direct her elsewhere.

Rule #2: The username used to log in needs List permissions to the root FTP site folder

Even if the Virtual Directory is pointing to a different location, the user that is logging in always needs List permissions to the folder specified in “Default FTP Site”. Yes, it seems strange, but even in IIS6, this is still the case.

So, each user must have read/write permissions on their own folder: D:\domains\ needs read/write for Matt. D:\domains\ needs read/write for Sue. D:\domains\\graphics needs read/write for Joe. This is the obvious part.

The non-obvious consideration is that if the path of “Default FTP Site” was D:\domains, then that folder needs "List" permissions for all 3 users. Otherwise they won't be able to log in at all.

Tip #1: Set the root FTP account to a dummy location if assigning multiple users

If the path of the “Default FTP Site” is D:\domains then you have a fairly large security issue with this setup. If you log in as Mike for example, you'll have the option to move up a folder (..) (well, most FTP programs will give you that option). If you do, you'll be dropped into the folder of the “Default FTP Site” root (d:\domains). As I just mentioned, you are forced to give List permissions for all users, which means that every user can view the names of all the sites. If you ever slip up and give too many permissions at the NTFS level, your users can potentially access other people's sites.

Fortunately there is an easy solution. Just consider your Master FTP Site root a dummy location that isn't meant to be used for anything practical. Point it to d:\ftproot\dummyfolder or something like that. (I call mine 'deadend'). Give List permissions to the Everyone group on that folder and make sure it's completely empty. Now, you've solved the security issue. If Mike connects with their FTP program and moves up a folder or does a chgdir to '\' he will be dropped into d:\ftproot\dummyfolder, which is completely empty. You'll never have to worry about users gaining access to d:\domains, which is a folder that you want to keep your users out of.

And, in all this, don't forget that every user that will be logging into your FTP account needs to have a Virtual Directory assigned or else they will immediately be placed into the dummyfolder location.
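
To check a server against Rule #2 and Tip #1, here is an added audit script (not from the original article) that reads the NTFS ACLs with Get-Acl and reports a non-empty root, a user missing from the root ACL, and any user folder opened to a broad group or to another FTP user. The folder names under D:\domains are placeholders; it assumes PowerShell 3.0 or later, and it only looks at Allow entries without resolving group membership.

```powershell
# Added audit example. Paths under D:\domains are placeholders, not from the article.
$FtpRoot  = 'D:\ftproot\dummyfolder'        # dummy "Default FTP Site" root (Tip #1)
$UserDirs = @{                              # virtual directory / Windows user -> physical path
    'Mike' = 'D:\domains\site-a.example'
    'Sue'  = 'D:\domains\site-b.example'
    'Joe'  = 'D:\domains\site-c.example\graphics'
}
$BroadGroups = 'Everyone', 'Users', 'Authenticated Users'

# Account names (domain or machine prefix stripped) holding an Allow entry on $Path.
# Limitation: Deny entries and group membership are not evaluated.
function Get-AllowedAccounts([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] } |
        Sort-Object -Unique
}

$findings = @()

# Tip #1: the site root must be empty so moving up a folder reveals nothing.
if (@(Get-ChildItem -LiteralPath $FtpRoot -Force).Count -gt 0) {
    $findings += "Root $FtpRoot is not empty"
}

# Rule #2: every user needs List on the site root, directly or through Everyone.
$rootAccounts = @(Get-AllowedAccounts $FtpRoot)
foreach ($user in $UserDirs.Keys) {
    if ($rootAccounts -notcontains 'Everyone' -and $rootAccounts -notcontains $user) {
        $findings += "$user has no Allow entry on $FtpRoot (Rule #2)"
    }
}

# Per-user folders: the owner is present, no broad group, no other FTP user.
foreach ($user in $UserDirs.Keys) {
    $path     = $UserDirs[$user]
    $accounts = @(Get-AllowedAccounts $path)
    if ($accounts -notcontains $user) { $findings += "$user has no Allow entry on $path" }
    foreach ($acct in $accounts) {
        if ($BroadGroups -contains $acct) {
            $findings += "$path is open to broad group '$acct'"
        } elseif ($acct -ne $user -and $UserDirs.ContainsKey($acct)) {
            $findings += "$path grants access to other FTP user '$acct'"
        }
    }
}

if ($findings.Count) { $findings } else { 'No findings' }
```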

I've covered managing multiple users with a single IP address, required permissions for setting up FTP and given a tip on keeping users out of your confidential folders. There is more to come. In the following 3 weeks I plan to cover: IIS6 User Isolation; Managing Virtual Directories (why can't I see the virtual directory that I created in my FTP program); and how to have a logged in user only see and access some, but not all, of the subfolders in a folder.

Scott Forsyth is Director of IT at ORCS Web, Inc. - a company that provides managed hosting services for clients who develop and deploy their applications on Microsoft Windows platforms.

User Comments

Title: How can you stop a logged in ftp-user from browsing the ftp dirs of other users?   
Name: Scott Forsyth
Date: 2009-04-28 10:40:45 AM
Hi Mikael,

If you don't use user isolation mode (which finally got to where it needs to be in IIS7), then you're right that IIS doesn't protect users from each other under the same site structure. You are on the right path. The solution is to lock it down by NTFS permissions. Just make sure that the User1 user doesn't have access to the /user2 path on disk. Don't remove other users, just the User1, and of course don't use Everyone or Users for permissions on disk.

Title: How can you stop a logged in ftp-user from browsing the ftp dirs of other users?   
Name: Mikael Ljung
Date: 2009-04-27 5:46:19 AM
The article is informative really. It is true that you cannot climb higher up in the tree thanks to the ftproot direction.
But, I noticed this problem: When I am logged in as in IE I can just type in the url field. This will take me into user2's home directory without any need for typing a password.
Is there a way of solving this? I tried to remove the users group from under the security tab on the folder of user2, but then I cannot access user2's folder at all.
Title: IIS as FTP server works quite well..   
Name: Woody Hayday
Date: 2008-12-09 4:15:43 AM
Excellent Article!
Title: Setting up FTP   
Name: Scott Forsyth
Date: 2005-09-09 8:28:51 PM
Raju Rawat, can you provide more information please? What do you have set up so far and what errors are you running into?
Title: Links to part 2 and 3   
Name: Scott Forsyth
Date: 2005-09-09 8:27:09 PM
Here are the links to part 2 and part 3
Title: Mr   
Name: Raju Rawat
Date: 2005-09-09 5:19:40 PM
Dear Expert,

Please help me to setup FTP using IIS with the static IP address. I have already done the necessary basic required for FTP option in IIS server. But user login cannot be obtained.

Title: Thanks!   
Name: G
Date: 2004-12-23 10:40:42 AM
Thanks for the article.

I agree that most people do not use the Microsoft FTP server because they do not understand it. It actually all makes good sense, if you think about users and authentication the way that Microsoft does.

Now where is part 2!?
Title: good idea   
Name: dave clough
Date: 2004-09-19 11:09:46 AM
Excellent, I fully support this suggestion, the amount of "rubbish" that's printed as well as the article.

Please please put a printer friendly link, and a link to follow lessons, some of the pages have no link to previous or follow on lessons. Regards from the UK !!!
Title: a print suggestion   
Name: SMJ
Date: 2004-08-20 2:31:06 AM
I have a suggestion for the articles: a "print mode" for
articles to help us to print the article. For example, in the article has a print mode so
I can print a clean article. Thank You
