Active Directory FTP User Isolation Mode (IIS 6.0)

Active Directory FTP User Isolation Mode (IIS 6.0)

  • Comments 2
  • Likes

[Today's post comes to us courtesy of Wayne McIntyre]

**DISCLAIMER
FTP is an older protocol which has been replaced with better methods of hosting files. FTP is also unsecure and your username/passwords are sent in clear text which poses a major security risk. For a list of better methods in lieu of FTP please consider using a secure SharePoint site, a secured website, or Secure FTP to host and share files. However, if you have no choice but to use FTP and need to isolate Users continue reading.

IIS 6.0 introduced a new feature for companies hosting an FTP site on their server to isolate users so they are “locked” in to their home directory and cannot browse the root of the FTP server. There are two ways of accomplishing this goal with user isolation, one method is to isolate users by creating a folder structure which has their username and another method is using Active Directory attributes to isolate the user(s). Here are the steps for configuring AD Isolation mode.

1. Install the FTP Service from add/remove windows components.

2. Open IISManager

3. Delete the Default FTP Site as it does not get created in isolation mode by default

4. Create a New FTP Site by right clicking FTP Sites and going to new FTP Site

clip_image001[1]

5. This will launch the FTP Site Creation Wizard, Click Next

6. Enter a Description for Your FTP Site

clip_image002[1]

7. Set the IP address and Port to use for your FTP Site

*note if you have ISA 2000/2004 installed on this server do not select All Unassigned, select the internal IP address only.

clip_image003[1]

8. Next screen will be the FTP User Isolation options, Select Isolate users using Active Directory

clip_image004[1]

9. Next you will need to select a User that has Access to Active Directory, any domain admin account will suffice. Click Next and re-enter password to Confirm

clip_image005[1]

10. Select the required Permissions and click Next and then Click Finish

clip_image006

11. The IIS portion is now finished and now on to AD.

12. There are 2 schema attributes in AD that reside in the User Class that will allow us to define the users home directory for FTP. They are msIIS-FTPRoot which defines the root of the FTP server and msIIS-FTPDir which defines the users Home Directory. The problem here is that there is no GUI interface to define these attributes so for the purpose of this demonstration I will use ADSIEDIT from Support tools to modify these attributes, however you can also run the below script to do it as well.

Iisftp.vbs /SetADProp UserName FTPRoot Server\Share

Iisftp.vbs /SetADProp UserName FTPDir Directory

13. Load Up Adsiedit and drill down to the user account you want to isolate and go to the properties of that account and modify the 2 attributes mentioned above

clip_image007

14. Now whenever that user connects to your FTP server the user will be isolated to the Home Directory that was defined in Active Directory.

Additional Resources

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b63de8ef-e3c5-456d-a8ca-7af4198819d4.mspx?mfr=true

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b63de8ef-e3c5-456d-a8ca-7af4198819d4.mspx?mfr=true

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b63de8ef-e3c5-456d-a8ca-7af4198819d4.mspx?mfr=true

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Comments
  • Today's SBS blog moment is brought to you by Wayne McIntyre The Official SBS Blog : Active Directory

  • Admittedly, FTP is really an old and insecure protocol that you shouldn't use unless you have to. But, in those cases where you have to, I read this great article on limiting the scope of user access by manipulating their user object's Active Directory