Mastering IIS FTP - Part 3 - The Doorway Folder Trick

Part 3: The Doorway Folder Trick

In the previous two parts we learned how to leverage virtual directories and physical folders to offer a lot of control from IIS FTP.  Now, what about when we want to have one site administrator have access to more than one, but not all, of the directories in a site?  How is this accomplished from within IIS FTP?

Objective: To create a customized login with access to some of the folders in a site. 

Note: For the purpose of Part 3, I’ve decided to standardize on the word “Folder” when referring to something at the disk level, and “Directory” when referring to something within IIS. 

Let’s view this visually so that it’s easier to see where we are heading.  Below is a picture of a fresh server build on Windows Server 2003 with the Default FTP Site. 

FTP_DefaultFTPView

I’ve changed the FTP root path to d:\domains which points to 7 sites that we'll pretend that I manage.  You can see the site names below.

FTP_DefaultFolderView

Now, in this illustration we have two different site administrators, Scott and Matt. Scott needs access to all 7 sites but Matt should only have access to microsoft.com and msn.com.


It is possible to do this using NTFS permissions at the disk level.  We simply give the Scott user read and write to all the folders and Matt read and write to microsoft.com and msn.com.  But, there are some disadvantages and security concerns using NTFS permissions alone. 

 

What if an administrator on the server changes the permissions on one of the directories by mistake, not realizing that they have given Matt access to a site he isn’t supposed to have access to? 

Or, even more subtle, what if we create an 8th site that Matt isn’t supposed to have permissions for?  When the 8th site is created, it will inherit its permissions from d:\domains which needs to at least have "List" permissions for Matt so that he can log in.  Now Matt has, at the very least, the ability to view all files and directories in the new directory, unless the administrator remembers to tighten the permissions every time.  (Yes, for those brave souls out there willing to work with and maintain more unique settings, you can set NTFS permissions so newly created sub-folders don’t inherit all permissions, but if you have more than one administrator on that server, it’s too easy to mess up at some point in the future.)  Maybe you trust yourself enough to always remember but I certainly don’t want to leave this up to me and the other administrators on this server to always do this correctly. 

Another disadvantage to doing it that way is that we might not want Matt to see all the folder names in the site, or maybe we just want things to be easy for Matt so he doesn’t have to worry about a large list of sites or folders that he doesn’t have access to anyway.


 

 

So, with that in mind, let’s create an FTP account for Matt.  We want one that only displays microsoft.com and msn.com in his FTP program.

It's actually quite simple really.  The trick is to create what I'll call a doorway folder.  (Note: If you haven’t read Part 1 and Part 2, I encourage you to do that now because we’ll utilize many rules and tips from there).

A doorway folder is simply a folder that will serve as the first step or the doorway for a particular user.  The trick is to create a set of “physical” folders and “virtual” directories that will work together to display to Matt what we want him to see.

First: Create the users

Depending on your situation, you may have existing Windows users set up for Scott and Matt already.  But, in case this is a new account for a new user, be sure to create a user called Matt and another called Scott.  These can be Local users from within Local Users and Groups or Active Directory users, depending on your environment.

Second: Create the “physical” folders

Next we’ll create a folder that holds the “physical”, but blank, sub-directory to match the real ones we want the user to have access to.  This is simply so that the FTP client program displays the two folders.  Let’s call the root folder FTProot and the subfolder Matt, although either of these folders could be named anything.  Now create two empty folders named microsoft.com and msn.com.  (See Part 2 if you're not sure why)  The security permissions on the folders need to give Matt at least List permissions.

FTP_UserFolderView

Don’t forget that Matt will need read and write permissions to d:\domains\microsoft.com and d:\domains\msn.com and he will need list permissions to d:\ftproot\dummyfolder and list permissions to d:\ftproot\matt.

Third: Create the “virtual” directories

Now we need to create the virtual directories that handle the redirecting.  First, before we forget, if you remember from Part 1, I recommend pointing the root FTP directory to a dummy folder.  So, let’s create a folder in d:\ftproot called dummyfolder.  Point the FTP root folder to this.  Next, to handle the Scott user, create a virtual directory called Scott that point to d:\domains.  Now, if Matt moves up a folder to the root folder, he won’t have access to d:\domains.  Instead he will be placed in d:\ftproot\dummyfolder which is a dead end.  See Part 1 for more on this.

Back to the virtual directories . . .

  • In IIS, create a virtual directory called Matt.
  • This should point to d:\ftproot\matt.
  • Off the Matt virtual directory, create 2 more virtual directories
    • microsoft.com should point to d:\domains\microsoft.com
    • msn.com should point to d:\domains\microsoft.com
    • Spelling on these virtual directory names needs to be identical to the folders created in the second step above.
  • Don’t forget to check read and write when creating the virtual directories if you want  Matt to be able to read and write to the FTP account.

FTP_FTPView

That’s it!!  I told you it was easy.  Let’s test it now. 

I’ll use WS_FTP to log in as the Matt user.  Here is what I see in the left column:

FTP_FTPClientView1

Likewise, when logging in as Scott, we see what he is supposed to see:

FTP_FTPClientView2

In this part we didn’t bring anything new to the table but we’ve shown that yet again MS FTP has the ability to do more than what first meets the eye.

Part 1 - Redirecting Users
Part 2 - Managing Virtual Directory / Physical Directories
Part 3 - The Doorway Folder Trick

15 Comments

  • How do the feature resume download work?

  • Great trick! Exactly what I was looking for! I've always thought that it was too difficult to control what folders a user sees upon login. Thanks for making it easy.

  • When are you going to post your article on User Isolation? I think I found a bug in user isolation on IIS6 in that it lists physical folders before virtual directories. When I switch off of user isolation IIS6 lists virtual directories before physical folders.

  • Credit, I know, I've been really slow on writing these. I hope to write the 4th part this week. This possible bug that you are referring to, is this from within the MMC snap-in or somehow from the FTP client that you're seeing a difference?

  • Hey Scott,

    I happened to find your weblog and I think it's fantastic. Your instructions were clear and I had success the first try. I will try part 2-3 and will come back for #4.



  • Brilliant!
    Just read Part 1 ~ 3 and I'm now feeling alot more comfortable with setting up an FTP Server. I was considering using a Third-party server, but after reading this I will definately be saving my pennies for something more usefull :)
    Keep up the great work

  • Is there a way to have local accounts login to FTP with out requring the machine or domain name? I.E. machine\user

    I get 530 errors if I login with out the machine name in front...

  • Is there a way to programmatically change the security settings for FTP frp, ASP.Net code? Such as add the IP of an ASP.Net logged in user to the list of allowed IP's for a site?

  • What happens in the case where Scott manually types in the directory \Matt\microsoft.com\ in his FTP application?
    I tried this while playing around and got access to Matts files (Read permissions only, but it does mean Scott could read all of Matts info)
    Is this where NTFS Security is needed or did I make an error somewhere :)

  • Amendment to above:
    What happens in the case where Matt manually types in the directory \Scott\cnn.com\ in his FTP application?
    Apologies for error in first question :)

  • I just tried to set this up and it works quite nicely... except for what Date Robinson said in his 2 posts above. In my setup, if Matt types in \Scott\cnn.com, he gets access to all the files, even though Matt doesn't have any permissions on cnn.com...

  • for now i reverted back to option one, (no user isolation). After properly setting NTFS permissions i managed to achieve all i wanted. Since having anonymous accessible FTP wasn't my goal, i'm pretty satisfied, tho now if i want to add annonymous FTP i might face the problem of ppl being able to see others directory structure which ofc i don't want.

    If for any reason i decide to allow Anonymous access i'll add another LAN adapter, exposing it with different IP address and solve any security issue that way.

  • I've been bashing my brain in for a week trying to understand how to implement this. All I wanted to do was set up an FTP server so that I could copy files between my house my work-based NT server.
    Thank you for writing in plain English.

  • Nice articles, but am woundering when part 4 is comming ;)

  • Great article. Thanks a lot for sharing your knowledge.

    Is there a chance that there will ever be a Part IV?

Comments have been disabled for this content.