IIS: FTP Setup - Isolated (no AD) Users

I'm trying to get the isolated user (no AD) configuration for FTP to work, but I keep running into directory inaccessible.

Now I setup the home for the ftp site as: c:\inetpub\ftproot\ and then created localuser under that and the user under localuser.

That fixed the error, but I need to be able to have the user access their web folder, which is m:\web\users\website. I've tried adding a virtual directory, but the virtual directory is ignored when the user folder is under localuser and gets the inaccessible error when the user folder doesn't exist (so it appears that the virtual directory is being ignored completely).

I've tried multiple setups, but haven't had any luck. I'm wondering what the proper way to set this up is so that the root directory is the web directory (m:\web\users\website).
Who is Participating?
If each user only has one web site, then the m:\web\localuser solution would be rather neat. Each user would have their own FTP folder immediately below m:\web\localuser and each web site could be pointed at the corresponding user's folder:

 However, if each user may have several web sites then it would be better to use:

In both cases I believe you would have to set the ftp root to m:\web (as you stated).
If two different users both need to access the same web site folder then neither of the above will work.

Regarding security on the web sites:
1. Check the tick boxes on the "Home Directory" tab of the web site properties in IIS Manager. There are 4 boxes together: Script source access, Read, Write and Directory browsing. It is usually sufficient on public web sites to just have the Read box ticked and none of the other three.
2. For the FTP site you have to allow read and write access (otherwise legitimate users would not be able to make changes to their web files). However, you can and should disable anonymous access if there is no need for it.
3. Further restrictions should be done using the folder permissions on the individual or parent folders. This is the best way to make your system secure, but a full set of instructions is way beyond the scope of this question.
4. Enable logging in both the Web and the FTP service and regularly check the log files to see if people are getting though your security.
5. Use a good firewall between your server and the Internet. Only allow the minimum access necessary for people to be able to use your services. If possible, restrict access to the FTP service based on the remote user's IP address (not always possible of course).
Assuming you are using IIS 6, virtual directories can be used with user isolation mode (non-AD). There are two possible issues:
1. FTP virtual directories in IIS 6 are hidden
2. You must have the correct access rights set on the real folder

To explain (1) a bit more:
Virtual directories do not appear in the list of files/folders below the user's root. You have to use the CD (change directory) command from your FTP client or specify the virtual directory's name as part of the FTP login. The name that you use is the one that is given as the "Alias" when you create the virtual directory. Your FTP users must know this name in advance - they cannot view a list of virtual directories using their FTP client.

Regarding access rights to the folder, I suggest that you start by testing a virtual directory that is hosted on the same server as the IIS service is running. Make sure the local user account has access permissions to that folder (the same local user that is used to login to the FTP site). Access to folders on other servers might be more complicated because, by definition, you are using local user accounts for your local user isolation mode.

There are two other options you could consider for linking your web directory to your FTP directory:
a) Change the home directory of the web site to point to the actual FTP folder of the user. For example, move all the web files to a folder below C:\intepub\ftproot\localuser\username\website. This will require a network share on the FTP server to allow the web server to gain access.
b) Use some kind of file/folder replication software to synchronise changes between the FTP folder and the web site home directory folder. For example, you can use the file replication feature in Windows server 2003 Distributed File System for this purpose. This method has the disadvantage that changes made via FTP may be delayed before they are seen on the web site.
ShroderAuthor Commented:
Sorry for the delay.

I think this is more of a case dealing with virtual directories being hidden. I haven't tried accessing the virtual directory yet though.

I keep thinking there must be a generic way to set this up for a server that is suppose to host both sites and allow the user to upload files to that website folder.

If there is not a generica way then hopefully I can work something out with my current setup.

So with my current setup my web directory (structure) is: m:\web\users\domain. While my ftp is c:\inetpub\ftproot\localuser\domain (from testing I found that would work).

Now I'm thinking... what if I put them in c:\inetpub\ftproot\localuser\domain (which works) if I could make the html folder a virtual directory that may work. But I'm not sure how I could link the html directory (still residing on the m drive) to the ftp directory.

I didn't want to move the web directory over to be in the same directory as the ftp (c drive) because I thought there was a security issue with serving the websites on the c drive.
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

There can be security issues if your web site is hosted on the C: drive, but the same also applies to hosting your FTP folders on the C: drive. When I inspect the IIS log files on my servers, I generally see more attempts to hack my FTP server than my web server.

Furthermore, relocating your root folders away from the default C:\inetpub folder is not enough on its own to make IIS secure. There are more important settings concerning user permissions and login authentication settings. Even when all of those are right, IIS security is still not 100% (but the same is true for other similar products).

You do not have to use C:\inetpub\ftproot as the root for all FTP folders. You could move it to another drive provided you also change the properties of your FTP site in IIS Manager to point to the right location. This is very similar to what you have already done for your web site to point to m:\web. Both FTP and Web can be told to use any folder as the home directory. Both will also support virtual directories, but it doesn't sound like virtual directories will be the magic solution to all your problems - in fact I think they will complicate your solution.

Can you clarify - do you have one server running both Web and FTP or have you got a server for each?
ShroderAuthor Commented:
This is just one server running both ftp and the web server.

I need to get this setup asap, so I'm going to give a little information and my thoughts. Basically I'm looking for an ideal solution for what I've stated earlier.

I'll need to focus on cracking down on the other security issues later. For now I just need to find the best way to setup the ftp service. :) Thank you for the heads up on that.

The m:\web directory setup was by default with the dedicated server company I got the server from.

Now, backing up a step, I setup a new site (on the same server) that didn't use isolated users. I ran into some security problems though. I could access other users folders. The only way I could deny access is if I set the permissions to deny read & execute, and read. The problem I had with this was that I couldn't view the folders as admin.

So even though non-isolated users gives me the functionality I want, it doesn't give me the security. So I assume that isolated users is the way I want to go.

Would the ideal setup be changing m:\web\users to m:\web\localuser and set m:\web as the ftp root? I didn't want to do that because I figured they (the dedicated server company) setup that directory structure for a reason.

If there is a better way please let me know.
ShroderAuthor Commented:
Some of that stuff I already have in place from other articles I've read. :) And I agree a full set of instructions is out of scope. All I'm really looking for is the norm in setting up a ftp service that allows users to access web user folders.

Thank you for pointing out adding the site folders under the user folder.

So I will try that out today, but I'm pretty sure that will work considering what I've already done. Now that I know how to do it I'm wondering if it is really that wise to give web users ftp access due to possible security problems with scripts.

So one last question, do you recommend not allowing users ftp access or is it not that big of a danger? The websites would need to be granted enough permissions to run asp scripts, but that is it.
I would say there are two different security issues:
1. Can you trust the "owners" of the web sites to not abuse the access that you can give them through FTP? Normally it is in their own interests to not break the web server because that would bring down their own web site. Also you can fairly easily identify who messed it up because they all log in under a different name and they should only be able to access their own sub-folders.
2. What are the risks of running public web sites hosted on your own server? To be honest I get the impression that you lack the experience to be very confident on this one and it would be painful to find that you left a huge security hole only when the hordes have already got through and trampled on everything. ...and be sure they will try.

A lot of web sites allow scripts to run, but that doesn't mean there is a security problem. The problem would only come if unauthorised people were able to load scripts onto your server or if some of the scripts that were loaded were flawed. Hosting your own web sites doesn't save you a fortune compared to using a hosted service and you don't have to worry about security when it's hosted on someone elses server. However, if you want to be able to run fancy ASP scripts with database access and all that stuff, then the hosted services get more expensive. You can also learn a lot from hosting your own - just be prepared for some painful mistakes, keep good backups and monitor the IIS logs.

You'll have to weigh up all the factors and draw your own conclusions.

Good luck.
ShroderAuthor Commented:
There is a bit of a story behind why I need my own dedicated server. With my questions I'm trying to be open minded, which probably comes across and not being confident. I'm not going to try hosting hundreds of sites though this is for something a little lower scale.
A majority of my experience lies in the linux side of web services, so I'm just trying to find out what the norm is with IIS web services instead of trying to do it my own way.

Either way, thank you for your time.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.