Mastering IIS FTP - Part 1 - Redirecting Users

Part 1: Managing multiple users with one IP Address

In choosing which software to use for managing the server-side of FTP, often time people don't use Microsoft's FTP program because they think that it's too simple or they think that it doesn't do what they want.  I'm going to attempt to reveal some of the hidden but powerful features that exist with Microsoft's FTP program.  Understanding just a couple basic concepts and putting those concepts to good use will open up a new world of possibility.

I'm not trying to convert the many people that are using another FTP program or try to say that Microsoft's is better.  I don't work for Microsoft and I'm not being paid to endorse their product.  But for those that aren't happy with their current solution, want to utilize Microsoft FTP better or are diving into this fresh, read on.

I'm assuming that you are somewhat familiar with using Microsoft IIS / FTP.  The 10 second description for those coming in brand new is: For those running a version of Windows that includes IIS (Internet Information Services), you already have Microsoft FTP available to you.  This is included in Windows NT/2000/2003/XP.  Except for Windows NT, use the IIS snap-in found in Start -> Administrative Tools -> Internet Information Services.  If you don't have that installed, it can be installed from Add/Remove Programs in the control panel.  For some people using Windows XP you won't see Administrative Tools off your Start Menu.  You can still find them in your control panel.  For those wondering what FTP means, you've probably stumbled across the wrong article.

Let's get started:

Rule #1: If (virdir name = user name) Then (path of virdir takes affect)

Now, what does that mean?  Microsoft FTP, which I'll call MS FTP after this, doesn't have an interface like most of us would expect, where you can add a user and point to a particular folder.  Instead, it has a strange way of handling this.  If the Virtual Directory name is exactly the same as a Windows Users, then the Virtual Directory will “catch“ the user rather than the root FTP account.

Of course, if you have lots of IP addresses, you can assign one IP address per user and setup multiple sites and then rely on the NTFS permissions to grant or deny access to particular sites.  (Note: Windows XP only allows 1 FTP site.)  But, even if you do this, there may come a time when you want to use the same IP address for multiple users who will be destined for different locations.  For those trying to run a web server with multiple sites and one IP address, you'll benefit the most from this rule.  Let me start with an example:

Let's say you have this directory structure:
D:\domains\site1.com
D:\domains\site2.com
D:\domains\site2.com\graphics

And you have 3 users.
- Mike needs access to the root of site1.com
- Sue needs access to the root of site2.com
- Joe needs access to the graphics folder of site2.com

I'll repeat myself because I feel this is important.  The trick with MS FTP is that if the Virtual Directory name is the same as a Windows Username, the user will be "caught" by the Virtual Directory and directed to the folder specified in the Virtual Directory.

Example in MS-FTP

ftpscreenshot_sf

Behind the scenes, the “Mike” Virtual Directory is pointing to D:\domains\site1.com, Sue is pointing to D:\domains\site2.com and Joe is pointing to D:\domains\site2.com\graphics.

- If you logged in as Mike, then the Mike virdir would "catch" it and you would be dropped into the D:\domains\site1.com folder.
- Same with Joe or Sue.  They would be caught by their corresponding Virtual Directories.

Now, let's say you had another user called Jane.  If you logged in as Jane then the settings on the “Default FTP Site“ will handle her because there isn't a Virtual Directory to “catch“ her and direct her elsewhere.

Rule #2: The username used to log in needs List permissions to the root FTP site folder

Even if the Virtual Directory is pointing to a different location, the user that is logging in always needs List permissions to the folder specified in “Default FTP Site“.  Yes, it seems strange, but even in IIS6, this is still the case. 

So, each user must have read/write permissions, D:\domains\site1.com needs read/write for Matt.  D:\domains\site2.com needs read/write for Sue.  D:\domains\site2.com\graphics needs read\write for Joe.  This is the obvious part. 

The none obvious consideration is if the path of “Default FTP Site“ was D:\domains then that folder needs "List" permissions for all 3 users.  Otherwise they won't be able to log in at all.

Tip #1: Set the root FTP account to a dummy location if assigning multiple users

If the path of the “Default FTP Site“ is D:\domains then you have a fairly large security issue with this setup.  If you log in as Mike for example, you'll have the option to move up a folder (..) (well, most FTP programs will give you that option).  If you do, you'll be dropped into the folder of the “Default FTP Site” root. (d:\domains).  As I just mentioned, you are forced to give List permissions for all users which means that every user can view the names of all the sites. If you ever slip up and give too many permissions at the NTFS level your users can potentially access other people's sites.

Fortunately there is an easy solution.  Just consider your Master FTP Site root a dummy location that isn't meant to be used for anything practical.  Point it to d:\ftproot\dummyfolder or something like that. (I call mine 'deadend').  Give List permissions to the Everyone group on that folder and make sure it's completely empty.  Now, you've solved the security issue.  If Mike connects with their FTP program and moves up a folder or does a chgdir to '\' he will dropped into d:\ftproot\dummyfolder which is completely empty.  You'll never have to worry about users gaining access to d:\domains which is a folder that you want to keep your users out of.

And, in all this, don't forget that every user that will be logging into your FTP account needs to have a Virtual Directory assigned or else they will immediately be placed into the dummyfolder location.

I've covered managing multiple users with a single IP address, required permissions for setting up FTP and given a tip on keeping users out of your confidential folders.  There is more to come.  In the following 3 weeks I plan to cover: IIS6 User Isolation; Managing Virtual Directories (why can't I see the virtual directory that I created in my FTP program); and how to have a logged in user only see and access some, but not all, of the subfolders in a folder.

Part 1 - Redirecting Users
Part 2 - Managing Virtual Directory / Physical Directories
Part 3 - The Doorway Folder Trick
Part 4 - Coming soon

51 Comments

  • Thank you for that excellent article

  • this is a very nice text, i just started creating a c# app to do this kind of stuff automated, now i at least now everything that has to be done :)

  • in iis 6.0 you can create a localuser folder with the names of the user thats logged on, then that becomes the ftp root folder, providing more security



    currently am running a 2003 server with over 40 different users each one with their own home dir



    look up localuser iis 6.0 ftp

  • I like the AD isolation approach with FTP in IIS but it's obvioiusly not manageble for a lot of users so this is a good tip.

  • niceone mate, havent done it yet, but you made it nice and straight forward and seemed to cover everything. i've wondering about user home dirs for awhile and got around to asking google.

    Ta

  • Great article.. was looking all around for such information !

  • Is it possible in IIS-6.0 that the user can see the contents of a the directory he is currently in. I am not able to configure that option hence though any user can access any stuff he wants, he cannot actually see what all is present.

  • Santosh. For sure. It is supposed to show the contents of the folder that he is currently in. If it isn't, possibly the files or folders were set so that his user doesn't have list permissions to them. Also, it's possible the you are using User Isolation Mode in IIS6 which can work differently than you expect. I'll write a blog about that in a week or so but my preference is to use the method I've shown in this blog instead. Personally I don't like the way user isolation works in most cases. You can't change once it's created in IIS6 so my suggestion is to remove the FTP site and create it again, being careful not to use user isolation mode unless you specifically plan to use that.

  • Thanks Scott, that was helpful.

  • Scott,



    Is it possible to have one user on the system and then redirect them to different home directories for different FTP sites on the same system based on the URL they entered?

  • Tim,



    Sure thing. Do this by setting up a new FTP site for each URL (the URLs need to have different IP addresses). The different sites will "catch" the user depending on what URL you use and then direct them to whatever path is specfied for that site. You can't use host headers and 1 IP address for FTP like you can for web though. Generally if you want to use 1 IP address you need to have different users to direct to different places.



  • Scott, this seems to be about IIS 6.0, but I'm trying to do the same thing on a WIN2K server with IIS 5.0. This seems like it should be simple, but every time I try to login with the account I created specifically for this, I get cannot login with account specified. Would the instructions be the same for IIS 5.0? Is there something additional I need to do? At this point I just have one account for one site as a test. I have a dummy folder for the default ftp directory with list permissions given to that one account. I also set up a virtual directory under the default ftp site with the same name to catch it. In other words I believe I followed all your instructions for 6 hoping they are the same as what I need to do for 5, but I can't log in. Any help would be appreciated.

  • Dan, Actually this all applies to IIS5 as well. Another thing to consider that I didn't mention in the blog is that the user needs to be able to log on interactivly. That needs to be set in group policy. If the user is part of the Users group then it shouldn't be a problem but if you are trying to use a user with tighter permissions then you might run into this. A great tool for troubleshooting this is netmon from www.sysinternals.com. It's quick, free and quite easy to use and will tell you exactly what permissions are denied if there are any at the file level. Sometimes even if it's not a file permission issue, it will give give enough hints to give the answer that you are looking for.

  • thanks for a great article. now i think everything i could not understand is clear for me.

  • More kudos. I had a feeling this existed somewhere.

  • Thanks, this HOWTO was exactly what I was looking for.

  • Thanks, this article helped me fix a local accounts problem that had me stumped for... well, too long!

  • This is good stuff, I was trying to find out how to configure those Virtual Directories just the way I want them and Scott's guide explained them well. GJ Scott :)

  • This has been a huge help, but it appears that if you know (or can guess) the explicit path, any user can get to any other users directories. I'm still palying before I post some other issues/comments.

  • As a followup-- I am trying to give users access to multiple web site directories, but isolate them for accessing sections they are not responsible for.

  • Clint, To comment on your second comment, I was planning to talk about that in part 4 of this blog thread. I have been extra busy recently but am hopefully nearly done and ready to start blogging again. I'll explain a couple tricks on how to do this in more detail but will answer briefly now. If you create a "doorway" folder you can give a user access to multiple, but not all, sub-folders in a folder.

  • Obrigado pela super ajuda !!!

    Muito bom o texto !!!

  • you should call this article "MS FTP made easy" ;) Great!!

  • Your article is just what the doctor ordered. I've archived this for future reference. Thanks so much.

  • hey I can't seem to get the redirect to a virtual directory to work.



    i have a "user" account with the proper directory created in \inetpub\ftproot\localuser\user



    now i created a virtual directory IIS manager called "user" as well. The target directory is pointed somewhere in c:\program files\stuff\...





    now when i try to login it goes to the root first (\inetpub\ftproot\localuser\user) but I want to goto where my VD points after logging in.



  • Joe, it sounds like you have user isolation enabled on IIS6. My suggestion is to create your FTP account again but make sure not to select user isolation. I hope to finally write my 3rd and 4th part soon which will cover this in more depth.

  • Hi Scott,



    thanks it worked

    i look forward in reading your other parts



    Regards

  • besides the users who log on I would also like anonymous users. I tried doing the 'ananoymous user' as a user but it did not work!

  • Evan, first it's important to consider the risk. Having anonymous users means that the hackers and werez users can upload whatever they want. You are almost guarenteed that within a month they will upload their content so that they get free hosting of their content until you notice and solve the issue.



    But, if you want to do it, in the FTP Site, add an anonymous user that has access to the the FTP root and site. Make sure the username/password is correct or it won't work. Also, double check that the user has access to the FTP root, and if you're using a vdir, to the vdir.

  • Nice solution.



    A caution should be noted that if you have other FTP ports open, these users can also login to the FTP sites on that port if it does not have a "default site". You must minimize the privileges of the users so that they can see ONLY their own directories.



    Jayson

  • I'm having an issue where users can remotely delete the deadend folder with the command xrmd /. This command is successful no matter what i do. I've tried messing with the NTFS permissions but it still allows me to delete. this is on IIS 5.0.

  • Jayson, Interesting. If you don't mind sending me your email address to me (use the "contact" link at the top left), I would be interested in talking to you further about this.



    The xrmd command is originally a unix command if I'm correct. I can do a remotehelp from the windows command prompt FTP and see xrmd but I can seem to run it. Would you mind letting me know how to reproduce this?



    As long as you only give the dummyfolder "List" permissions you should be safe from this though.

  • This artical helped me get things running perfectly. I hate to bug you with anything after all the help you have already been, but I can't find the answer to anything I'm looking for on ony other forum or microsofts site. This server is a domain controller that I recently demoted from a domain domain.com and reinstalled as a controller for office.domain.com ever sense I made that change no user can logon to an ftp folder except anyone belonging to the administrator group. The virtual directories are named right and I have placed the users in the active directory but nothing unless I add them to the administrator group. can you by chance point me in the right direction here?



    Thank you

    Brady

  • Brady, I don't work much with an AD environment as a rule so I'll take a guess. I believe the policy to "Log on locally" is required. I believe you need to do this from the Local Security Policy on the FTP server but it may be that you can do this directly from Group Policy. (actually, I assume you can). I'm curious to know what you find out. Sorry I don't know right off.

  • I am running IIS4 (Microsoft Management Console) on Win NT. I have two user accounts (user1, user2). I have two Virtual Directory folders called (user1, user2). I only have one IP. The problem I am having is when I try to start the Virtual Directory folder user2. I am getting an error saying "A duplicate name exists on the network". The Virtual Directory folders don't seem to want to use the same IP. Any ideas as to how this can be fixed?



    Thanks

    Lon

  • Lon, Are you sure you're using a Virtual Directory and not a new FTP account? A Virtual Directory won't ask for the IP address, just a new FTP site will. A duplicate name could be the username that is duplicated. On a very rare occasion, something in the metabase can get messed up so if you remove the master FTP account and create it again, that might fix this.

  • I think that the Virtual Directory explanation and this article may have solved my problem!



    Thankyou :)

  • Thanks Scott! This IIS FTP series was a big help to me. My morning was almost pleasant, instead of being a big headache.



  • Hi..It is a very good article but my problem is this:
    I am in a LAN and I want to be server.How can i give other users permission?How can I assign user name/password?

  • Hi Soner,

    If you create a windows user through Administrative Tools -> Computer Management, that username/password is what is used for the FTP account. If that user has adequate permissions on disk, they will be able to utilize their account. With that in mind, these blogs should lead you through the rest of the process.

  • Great article;

    I had seen a setup similar to this before, but never knew quite how the whole thing actually worked! Your article allowed me to reproduce the setup to what I was looking for.

  • That's prety good!..one more thing, to your Rule #1: If (virdir name = user name) Then (path of virdir takes affect), but if there is a group of users, then how to set the virdir name? setup virdir for each user (same as its username) in that group then point to the same directory....or just needs set virdir name as group name?

    thanks

  • Thanks,nice article

  • A quality blog still relevant today. Thanks Scott, don't stop

  • Thank you Scott. That's exactly what I needed for my setup.

  • thank you very much for the tutorial-- helped me set up exactly what I needed!

  • Hi guys, I wish someone can help.

    I have an ftp setup with virtual directories. To the best of my knowledge all permissions are set accordingly. I am unable to log in. The ftp log shows the following.

    15:36:38 10.44.104.108 [694]PASS User@ 530 5
    15:36:46 10.44.104.108 [695]USER cch_mak_test 331 0
    15:36:46 10.44.104.108 [695]PASS - 530 5
    15:36:52 10.44.104.108 [696]USER cch_mak_test 331 0
    15:36:52 10.44.104.108 [696]PASS - 530 5
    15:36:59 10.44.104.108 [697]USER cch_mak_test 331 0
    15:36:59 10.44.104.108 [697]PASS - 530 5
    15:37:04 10.44.104.108 [698]USER cch_mak_test 331 0
    15:37:04 10.44.104.108 [698]PASS - 530 5

    The username and password are 100% correct. I have double checked these.

    Help please???

  • Hi Albert, (sorry for the delay in replying, I'm just catching up after a long trip)

    The 530 status code says that the user can't log in due to the username/password.

    It could also be that you have anonymous authentication enabled rather than basic auth.

    Or it may be that you need to authorize the user at the site (or subfolder) level in IIS7+, or maybe the user account has been disabled due to too many password attempts, or something along those lines.

  • This article is out of date or just plain wrong.

    Virtual directories have nothing to do with user names.

  • Hi Observer,

    I got a bunch of blog spam that I have to filter out so I'm not positive if your reply is legit or not but I'll let it through just in case.

    This article is still relevant, both in IIS6 but also for some of the FTP User Isolation settings (the three "User name directory" settings) in IIS 8 today. IIS FTP works largely by convention rather than configuration so it's an important concept in IIS FTP that when a user name matches a physical or virtual folder name then it will be caught and redirected accordingly.

  • Hi Observer,

    Indeed the concept seems counter-intuitive. However, this article is still relevant, both in IIS6 but also for some of the FTP User Isolation settings (the three "User name directory" settings) in IIS 8 today. IIS FTP works largely by convention rather than configuration so it's an important concept in IIS FTP that when a user name matches a physical or virtual folder name then it will be caught and redirected accordingly. Check out Part II and III for even more details.

Comments have been disabled for this content.