The official blog for Windows Server Essentials and Small Business Server support and product group communications.
[Today's post comes to us courtesy of Wayne McIntyre]
IIS 6.0 introduced FTP user isolation for companies hosting an FTP site on their server: each user is "locked" into their own home directory and cannot browse the root of the FTP server or the folders of other users. There are two ways to accomplish this. The first isolates users by a folder structure on the FTP server that contains a folder named after each user; the second uses Active Directory attributes on the user object to tell IIS where the user's home directory is. Here are the steps for configuring Active Directory isolation mode.
1. Install the FTP Service from Add/Remove Windows Components (under Application Server > Internet Information Services).
2. Open IIS Manager.
3. Delete the Default FTP Site. It is not created in isolation mode, and the isolation mode of an existing site cannot be changed after it has been created.
4. Create a new FTP site by right-clicking FTP Sites and choosing New > FTP Site.
5. This launches the FTP Site Creation Wizard. Click Next.
6. Enter a description for your FTP site.
7. Set the IP address and port to use for your FTP site.
*Note: if you have ISA 2000/2004 installed on this server, do not select All Unassigned; select the internal IP address only.
8. The next screen shows the FTP User Isolation options. Select "Isolate users using Active Directory".
9. Next you need to supply a user account that IIS will use to read user properties from Active Directory. Any domain admin account will work, but the account only needs to read user objects, and its credentials are stored in the IIS metabase, so a dedicated low-privilege account is the safer choice. Click Next and re-enter the password to confirm.
10. Select the required permissions (Read, plus Write if users will upload), click Next, and then click Finish.
11. The IIS portion is now finished; now on to Active Directory.
12. There are two schema attributes in AD, in the User class, that define a user's home directory for FTP: msIIS-FTPRoot, which holds the root of the FTP server as a UNC path (\\Server\Share), and msIIS-FTPDir, which holds the user's home directory as a folder name relative to that root. IIS joins the two to form the directory the user lands in (for example \\Server\Share\Directory), so the folder must already exist and the user must have the appropriate NTFS permissions on it. The problem is that there is no GUI to set these attributes, so for this demonstration I will use ADSI Edit from the Support Tools to modify them. You can also set them with the iisftp.vbs script that ships with IIS 6.0:
cscript iisftp.vbs /SetADProp UserName FTPRoot \\Server\Share
cscript iisftp.vbs /SetADProp UserName FTPDir Directory
13. Load ADSI Edit, drill down to the user account you want to isolate, open the properties of that account, and set the two attributes mentioned above.
14. Now whenever that user connects to your FTP server, the user is isolated to the home directory defined in Active Directory and cannot navigate above it.
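As an added example (not code from the original post), the following PowerShell script performs steps 12 and 13 without ADSI Edit: it finds the user with an LDAP search, writes msIIS-FTPRoot and msIIS-FTPDir through the [ADSI] adapter, reads them back, and checks that the resulting home folder exists. The domain name contoso.local, the user jsmith and the share \\SBS01\FTPRoot are assumptions for illustration; replace them with your own values. PowerShell is not installed on Windows Server 2003 by default but is available as a download, and the equivalent iisftp.vbs commands are shown in comments.

```powershell
# Added example: set and verify the IIS 6.0 FTP isolation attributes on an AD user.
# Assumed values (change to match your environment):
$Domain   = 'contoso.local'     # assumed domain
$UserName = 'jsmith'            # assumed FTP user (sAMAccountName)
$FtpRoot  = '\\SBS01\FTPRoot'   # assumed UNC root; msIIS-FTPRoot must be \\server\share
$FtpDir   = $UserName           # folder under the root; msIIS-FTPDir is relative to FTPRoot

# msIIS-FTPRoot must be a UNC path, otherwise IIS cannot build the home directory.
if ($FtpRoot -notlike '\\*\*') {
    throw "msIIS-FTPRoot must be a UNC path of the form \\server\share"
}

# Locate the user object with an LDAP search instead of browsing in ADSI Edit.
$searchRoot = [ADSI]"LDAP://$Domain"
$searcher   = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$UserName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User $UserName was not found in $Domain" }
$user = $result.GetDirectoryEntry()

# Write the two attributes. This is what the page's script does:
#   cscript iisftp.vbs /SetADProp jsmith FTPRoot \\SBS01\FTPRoot
#   cscript iisftp.vbs /SetADProp jsmith FTPDir  jsmith
$user.Put('msIIS-FTPRoot', $FtpRoot)
$user.Put('msIIS-FTPDir',  $FtpDir)
$user.SetInfo()

# Read the values back from the directory (not from the local cache) and
# compute the directory IIS will lock the user into (FTPRoot + FTPDir).
$user.RefreshCache(@('msIIS-FTPRoot', 'msIIS-FTPDir'))
$rootValue = $user.Properties['msIIS-FTPRoot'].Value
$dirValue  = $user.Properties['msIIS-FTPDir'].Value
$homeDir   = Join-Path $rootValue $dirValue
"{0}: msIIS-FTPRoot={1} msIIS-FTPDir={2} -> home {3}" -f $UserName, $rootValue, $dirValue, $homeDir

# IIS does not create the home folder. Create it if missing and grant the user
# Modify on it; without the folder and NTFS rights the FTP logon is refused.
if (-not (Test-Path $homeDir)) {
    New-Item -ItemType Directory -Path $homeDir | Out-Null
    $acl  = Get-Acl $homeDir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$UserName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $homeDir -AclObject $acl
    "Created $homeDir and granted Modify to $Domain\$UserName"
}
```

Run the script on a domain member with an account allowed to modify the user object; the same read-back can be done afterwards from the IIS server with `cscript iisftp.vbs /GetADProp jsmith` to confirm IIS sees the values. Keep the share's NTFS and share permissions tight (the FTP user needs rights only on its own folder, not on the share root), since AD isolation stops directory traversal in FTP but does not change what the Windows account can reach on the file system.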
Today's SBS blog moment is brought to you by Wayne McIntyre.
Admittedly, FTP is really an old and insecure protocol that you shouldn't use unless you have to. But, in those cases where you have to, I read this great article on limiting the scope of user access by manipulating their user object's Active Directory