In our webhosting business, we have many customers who require FTP access to their files. Our need then, is to create a single FTP site that allows many different customers the ability to manage their web content, keep other FTP users out, and be easy for us to manage. This is the process we use:
-
Create a local 'FTP Users' group
-
Grant that group the right (found within the local security policy) to Log On Locally.
-
Create a folder on a data drive, which must be formatted with NTFS. This will become the root of your new FTP site. (Your web content should always be on a drive without any executable or OS code on it. This prevents directory traversal flaws from affecting you.)
-
On that folder, break inheritance (Properties | Security | Advanced.) Remove the existing permissions.
-
Add these account permissions back to the folder:
-
Administrators (full control)
-
IUSR_machine (read) and
-
FTP Users (Read)
-
You may need to add the IWAM account with the same permissions as the IUSR account, depending on whether you're using multiple app pools or not.
-
Set the FTP users right to apply to this folder only.
-
Install the FTP service (Control Panel | Add/Remove Programs | Application Server | Internet Information Server | FTP Service)
-
In the properties of the new Default FTP site, go to the Security Accounts tab and disable anonymous connections.
-
On the Home Directory tab, point the default FTP sites' home directory at the folder you've created. Make sure that the Read, Write, and Log visits check boxes are all checked.
-
The Messages tab has four boxes; the Banner message is displayed prior to authentication and is the place for any sort of security message. The Welcome box can contain any usage notes or instructions to users.
At this point, we have the server prepared for use; now we have to set up a user:
-
For each customer, create a local user account.
-
Set the account to have a non-expiring password and clear the Must Change Password box.
-
Make them a member of the FTP users group.
-
Create a folder under the FTP home directory, with this folder name identical to the username that will use it. It can inherit rights from the parent folder.
-
Double check to make sure the FTP Users group doesn't have any rights within the folder. If it does, inheritance isn't correctly set up for that group on the parent folder.
-
Take the user account you've created and give it Modify rights on their folder and all subfolders.
Some admins use Windows Quotas to ensure that the drive isn't filled, either intentionally or unintentionally. To test the setup, log into the ftp site with the new username and password. A failure to log in could be one of these things:
-
The password is set to change on next login,
-
The user isn't a member of the FTP Users group
-
The permissions on "their" folder aren't right.
You should also confirm that you can both upload a file and then delete it.
You should remember that both the username and the data tranferred between sites is unencrypted -- IIS has no facility to do so. Sensitive data should be transmitted in an already encrypted form. We have a couple of customers who use PGP on their files prior to transmitting; a scheduled job on our servers unencrypts them and moves the data to its final destination. There are third-party servers such as Ipswitch's WS_FTP Server that do have encryption at the FTP application level.
In conclusion, IIS can be used to create a flexible, easy to administer, and secure FTP server.