We help IT Professionals succeed at work.

How FTP do accounts work in IIS 6?


I've worked a lot with IIS and web sites but not too much with FTP sites.

Does anyone have a quick guide on how to use IIS 6 with FTP sites? Is it true that in order to have an FTP site with a login, you have to have a corresponding Windows account? How do you secure that account to prevent security breaches the computer? Is there any way to get around this without using third-party software? Is there any way to setup multiple IIS FTP sites on the standard port 21 without having multiple public IP addresses (since it doesn't support FTP host headers)?

Any other tips are appreciated!

Watch Question

Yes, you need to have a windows account if you want to have authentication on the FTP server.

For security, you can create a security group like FTPUser and add this group to  "Deny Logon Locally" list.

To do this open gpedit.msc from the run menu then under

Computer configuration\Windows Settings\Security Settings\Local Policies\User Right Assignment

there is a entry "Deny Logon Locally", just double click it and then add the FTPUser group to it.
By doing this, user in this group won't be able to login to the system locally.

You can have only one FTP server on a given port.


Cool, that's what I figured. I've actually already created a group and set those settings up in the GP editor. Does the deny logon locally also deny logon for a TS session, or do I need to set that up seperately?

Also, just another question, is there any way to make it so you don't have to manually setup NTFS permissions for each user's homefolder on an FTP server? It's a pain in the butt and a waste of time (albeit a few seconds!). For example, is there any way to get it to "just work" by checking the read/write box in the directory security tab of the FTP site?

forgot to mention that "Deny Logon Locally" doesn't apply to TS session. For that you will have to set the policy "Deny logon through terminal services"

For you second question, I am not sure if can be done in easy way. :(


Is there anyone you can refer me to that might know? You still get points for answering my first question!
actually there exists a way but with 2 flaws...

lets say you set your FTP root folder as c:\FTPRoot

now, you can let the users create their own folder under this folder.....

So, you need to set the security permission on this FTPRoot folder as

1) Remove the inheriting security permission by un-checking the checkbox in the advanced security configuration page. When it asks to remove, copy, Cancel. Choose 'Remove'

2) Add the "CREATOR OWNER" group to the list and from the advanced security configuration page give it full permission and make sure that the combo box for "Apply onto" displays "Subfolder and files only"...for this all the check box Allow should be selected.

3) Add the FTPUser group to the list and the then set 'Apply onto' to 'This folder only' and under Allow select only
 - Traverse Folder/Execute Files
 - List Folder/ Read Data
 - Read Attributes
 - Read extended Attributes
 - Create Folders/ Append Dat
 - Read Permission
4) [OPTIONAL - For management] you can add administrator user or administrtors group also to the list with full permission for management.

Problems in this approach
1) A user can create any number of folder under the FTP root, though folder created by a user won't be accessible to another
2) A user can create folder with any name



Haha, I just thought of an easier way to do it - just assign the parent folder of the home dirs an NTFS permission property that gives the correct permissions to the FTP_USRS group and have the home dirs inherit the permissions - that gives the accounts the ability to read/write/etc. remotely via FTP and prevents me from having to do more work other than add new accounts to the group!!

Thanks at any rate!


Also, does port 20 have to be open also? Or just 21? I hear different stories all the time. What is correct?
no, you don't need to open port 20. It is required only if the FTP uses Active mode....even passive mode works fine. so, no problem

have a look at

Explore More ContentExplore courses, solutions, and other research materials related to this topic.