Configuring an FTP Server with User Isolation on Windows Server 2016 / 2012 R2

The FTP protocol is probably one of the oldest protocols (it is more than 40 years old), but it is still widely used where a simple file transfer protocol is required. It is possible to install an FTP server on any version of the Microsoft operating system. The last deep modernization of the FTP service was made in Windows 7 / Server 2008 R2 (actually, the service code was almost entirely rewritten from scratch). The security of the service has improved significantly and many new features have appeared. In particular, the FTP server on Windows allows you to configure FTP user isolation, which restricts each of many users to their own folder on a single FTP server.

Thanks to the isolation, users can work only with their own folders and cannot go up the FTP directory tree (the user's top-level FTP directory is displayed as the root of the FTP server). Thus, access to the data of other users on the FTP server is prevented. FTP user isolation is widely used by ISPs/hosting providers when it is necessary to provide individual access to a single file storage for different users.

Like in earlier Windows versions, the FTP service in Windows Server 2016 / 2012 R2 (don't confuse it with and ) is based on and deeply integrated into the IIS service and has a single administrative management interface.

In this article we'll show how to install an IIS-based FTP server on Windows Server 2016/2012 R2 and configure FTP user isolation (this guide also applies to Windows 10 and 8.1).

How to Install the FTP Server Role on Windows Server 2016/2012 R2?

You can install the FTP service using the Server Manager console by checking the options FTP Service and FTP Extensibility in the Web Server (IIS) -> FTP Server section.

You can also install the FTP server role with a single PowerShell command:

Install-WindowsFeature Web-FTP-Server

To install the FTP server management console, run the following command:

Install-WindowsFeature -Name "Web-Mgmt-Console"

Creating an FTP Site, Managing FTP User Permissions

Start the Server Manager and open the IIS management console (Internet Information Services Manager).

Create a new FTP site (Sites -> Add FTP Site).

The name of the FTP site: MyTestSite

The root directory of the FTP site: C:\inetpub\ftproot

To protect the FTP data transmitted over the network, it is possible to configure (in this case, all the data and passwords/accounts sent by FTP users during a session will be encrypted), but in our demonstration this is not necessary. All other settings are left at their defaults.

You can manage your FTP site using the PowerShell module WebAdministration. For example, to create a new FTP site, just run the following commands:

Import-Module WebAdministration
# Set the FTP site name
$FTPSiteName = 'CORP_FTP'
# FTP root folder (physical path)
$FTPRoot = 'D:\www\FTPRoot'
# FTP control channel port
$FTPPort = 21
New-WebFtpSite -Name $FTPSiteName -PhysicalPath $FTPRoot -Port $FTPPort

Select the new FTP site and disable Anonymous Authentication in the FTP Authentication section. Basic Authentication must be enabled.

The FTP service on Windows Server 2016/2012 R2 can use two account types: domain or local. Depending on the account type, there are some differences in the structure of the FTP directories and in the user isolation settings. To keep the description simple, we'll use local Windows accounts.

Create some FTP users, say ftp_user1, ftp_user2 and ftp_user3. Also create a group ftp_users that contains these users. You can create local users in the Local Users and Groups section of the Computer Management console.

You can also create local users and groups from the command prompt (or using ). Create a local group:

net localgroup ftp_users /add

Create a new local user (the asterisk makes net user prompt for the password instead of taking it on the command line):

net user ftp_user1 /add *

Add the user to the group:

net localgroup ftp_users ftp_user1 /add

Create the two other users in the same way.

Assign Read & Write permissions on the directory C:\inetpub\ftproot to the ftp_users group.

Create a directory named LocalUser (the name must be exactly this, it's important!!!) in the folder C:\inetpub\ftproot. Then create three directories named ftp_user1, ftp_user2 and ftp_user3 below it, in the folder C:\inetpub\ftproot\LocalUser.

Note. Depending on the account type, you must create the following directory structures (by %FtpRoot% we mean the root of the FTP site; in our case it's C:\inetpub\ftproot):

Account Type                              Home Directory Naming Syntax
Anonymous users                           %FtpRoot%\LocalUser\Public
Local Windows account                     %FtpRoot%\LocalUser\%UserName%
Domain Windows account                    %FtpRoot%\%UserDomain%\%UserName%
Special IIS Manager or ASP.NET accounts   %FtpRoot%\LocalUser\%UserName%

Return to the IIS console and create a new rule (Add Allow Rule) in the FTP Authorization Rules section of the site. Specify that the ftp_users group must have Read and Write permissions.
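The whole provisioning step (users, group, LocalUser\<name> directories, NTFS permissions, authentication and the authorization rule) can be scripted. The following PowerShell script is an added example, not code from the original article; it assumes the site name MyTestSite and root C:\inetpub\ftproot used above, and it tightens the NTFS step slightly: the group gets only Read/Execute on the root (enough to traverse), while each user gets Modify on their own folder only, so a wrong isolation mode cannot by itself expose other users' files.

```powershell
# Added example (not from the original article). Run elevated on the FTP server.
# Assumes the site MyTestSite with root C:\inetpub\ftproot from the article.
Import-Module WebAdministration

$FTPSiteName = 'MyTestSite'
$FTPRoot     = 'C:\inetpub\ftproot'
$FTPGroup    = 'ftp_users'
$FTPUsers    = 'ftp_user1', 'ftp_user2', 'ftp_user3'

# 1. Local group and users. net.exe works on both 2012 R2 and 2016 (New-LocalUser
#    only exists from Server 2016). The '*' makes net user prompt for each password.
net localgroup $FTPGroup /add | Out-Null
foreach ($u in $FTPUsers) {
    net user $u /add *
    net localgroup $FTPGroup $u /add | Out-Null
}

# 2. Directory layout required for local-account isolation: %FtpRoot%\LocalUser\%UserName%
$LocalUserDir = Join-Path $FTPRoot 'LocalUser'
New-Item -ItemType Directory -Path $LocalUserDir -Force | Out-Null

# 3. NTFS permissions. Group: Read/Execute on the root (inherited down the tree).
#    Each user folder: inheritance removed, then Modify for that user only,
#    plus Full Control for Administrators and SYSTEM so the server can still manage it.
icacls $FTPRoot /grant "${FTPGroup}:(OI)(CI)RX" | Out-Null
foreach ($u in $FTPUsers) {
    $userDir = Join-Path $LocalUserDir $u
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null
    icacls $userDir /inheritance:r | Out-Null
    icacls $userDir /grant "${u}:(OI)(CI)M" 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
}

# 4. Authentication: no anonymous logons, Basic Authentication only.
Set-ItemProperty "IIS:\Sites\$FTPSiteName" -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty "IIS:\Sites\$FTPSiteName" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# 5. Authorization rule: Read + Write for the ftp_users group (same as "Add Allow Rule" in IIS Manager).
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $FTPSiteName `
    -Value @{ accessType = 'Allow'; roles = $FTPGroup; permissions = 'Read,Write' }
```

After the script, `icacls C:\inetpub\ftproot\LocalUser\ftp_user1` should list only ftp_user1, Administrators and SYSTEM, and a connection as ftp_user2 must fail to read that folder even if the isolation mode is later set incorrectly.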

How to Configure FTP User Isolation on Windows Server 2016/2012 R2?

Let's move on to configuring FTP user isolation. The isolation of FTP users is configured at the FTP site level, not for the whole server. FTP user isolation allows you to set up an FTP home folder for each user.

Open FTP User Isolation in the settings of the FTP site.

This section contains several settings. The first two of them do not provide user isolation:

  1. FTP root directory (a user's FTP session starts in the root directory of the FTP site);
  2. User name directory (the user starts in the physical/virtual directory with the user's name. If the directory is missing, the session starts in the root FTP directory of the site).

The next three options are different modes of user isolation:

  • User name directory (disable global virtual directories) means that the FTP session of a user is isolated in a physical/virtual directory that has the same name as the FTP user. Users see only their own directory (it is their root FTP directory) and cannot go beyond it (to the upper levels of the FTP tree). Any global virtual directories are ignored;
  • User name physical directory (enable global virtual directories) means that the FTP session of a user is isolated in a physical directory that has the same name as the FTP user account. A user cannot go above their directory. However, all created global virtual directories are available to the user;
  • FTP home directory configured in Active Directory – an FTP user is isolated inside the home directory specified in the settings of their Active Directory account (FTPRoot and FTPDir properties).

Important. If global virtual directories are enabled, all users can access all virtual directories defined in the root of the FTP site (if they have the appropriate NTFS permissions).

Select the required isolation mode (I use the second option to isolate FTP users).

It is advisable to restart the Microsoft FTP service (FTPSVC) after any change to the FTP site settings.
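The isolation mode can also be set and verified from PowerShell. This is an added example, not from the original article; it assumes the site name MyTestSite and uses the mode names of the ftpServer/userIsolation element in applicationHost.config (None, StartInUsersDirectory, IsolateAllDirectories, IsolateRootDirectoryOnly, ActiveDirectory). It also lists the global virtual directories that remain visible to every isolated user in the mode chosen above, which is the check to run before relying on the Important note.

```powershell
# Added example (not from the original article). Assumes the site MyTestSite.
# userIsolation mode names (applicationHost.config) vs. the IIS Manager options:
#   None                     - FTP root directory (no isolation)
#   StartInUsersDirectory    - User name directory (no isolation)
#   IsolateAllDirectories    - User name directory, global virtual directories disabled
#   IsolateRootDirectoryOnly - User name physical directory, global virtual directories enabled
#   ActiveDirectory          - home directory from the AD account (FTPRoot/FTPDir attributes)
Import-Module WebAdministration

$FTPSiteName = 'MyTestSite'
$SitePath    = "IIS:\Sites\$FTPSiteName"

# The second isolation option from the article.
Set-ItemProperty $SitePath -Name ftpServer.userIsolation.mode -Value 'IsolateRootDirectoryOnly'

# Apply the change by restarting the Microsoft FTP service.
Restart-Service FTPSVC

# Read the effective setting back from applicationHost.config.
$isolation = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "system.applicationHost/sites/site[@name='$FTPSiteName']/ftpServer/userIsolation"
"Isolation mode of ${FTPSiteName}: $($isolation.mode)"

# In IsolateRootDirectoryOnly mode every isolated user still sees the site's global
# virtual directories, so list them: each one is shared across all users.
$globalVDirs = Get-WebVirtualDirectory -Site $FTPSiteName
if ($isolation.mode -eq 'IsolateRootDirectoryOnly' -and $globalVDirs) {
    'Global virtual directories visible to all isolated users (check their NTFS permissions):'
    $globalVDirs | Select-Object path, physicalPath | Format-Table -AutoSize
}
```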

Configuring Windows Firewall Rules to Access the FTP Server

When you install the FTP server role, all the rules needed for users to access FTP are automatically enabled in the Windows Firewall settings.

For FTP to work correctly in passive mode, clients need to connect to the RPC dynamic port range (1025-65535). In order not to open all of these ports on an external firewall, you can limit the range of dynamic TCP ports used for FTP data transmission.

  1. Open the FTP Firewall Support section in the FTP site settings and, in the Data Channel Port Range field, specify the port range that you want to use for FTP data connections. For example, 50000-50100;
  2. Save the changes and restart IIS (iisreset);
  3. Open the Windows Control Panel and go to Control Panel\System and Security\Windows Firewall\Allowed apps;
  4. Make sure that the list of applications allowed through the firewall contains permissions for the FTP Server role.

Then check that the following rules are enabled in the Windows Firewall with Advanced Security settings:

  • FTP Server (FTP Traffic-In) – TCP protocol, port 21;
  • FTP Server Passive (FTP Passive Traffic-In) – local port range 1024-65535 (50000-50100 in our case);
  • FTP Server Secure (FTP SSL Traffic-In) – port 990 (when using FTP with SSL);
  • FTP Server (FTP Traffic-Out) – port 20;
  • FTP Server Secure (FTP SSL Traffic-Out) – port 989 (when using FTP with SSL).

Accordingly, these ports must be opened on your router (gateway, firewall) so that external FTP users can connect to your site.
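The data channel range and the firewall check can be done from PowerShell as well. This is an added example, not from the original article: it sets the server-level FTP Firewall Support range to 50000-50100 and then prints the state and ports of the built-in "FTP Server" rule group so you can confirm which ones are enabled. The commented-out external IP address is a placeholder for a NAT scenario and is not from the article.

```powershell
# Added example (not from the original article). Run elevated on the FTP server.
Import-Module WebAdministration

$LowPort  = 50000
$HighPort = 50100

# Server-level setting, the same as "FTP Firewall Support" -> Data Channel Port Range in IIS Manager.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' `
    -Name lowDataChannelPort -Value $LowPort
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' `
    -Name highDataChannelPort -Value $HighPort

# Behind NAT the server must announce its public address in PASV replies (placeholder address).
# Set-ItemProperty "IIS:\Sites\MyTestSite" -Name ftpServer.firewallSupport.externalIp4Address -Value '203.0.113.10'

# The range is read when the FTP service starts, so restart IIS.
iisreset

# Verify which built-in FTP Server firewall rules are enabled and which ports they open.
Get-NetFirewallRule -DisplayGroup 'FTP Server' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Protocol  = $portFilter.Protocol
        LocalPort = ($portFilter.LocalPort -join ',')
    }
} | Format-Table -AutoSize
```

Only 21 (control), 50000-50100 (passive data) and, if you use FTP over SSL, 990 need to be forwarded from the external firewall; the built-in passive rule still allows 1024-65535 locally, which is fine because IIS will only use the configured range.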

Testing an FTP Server Connection from Windows

You can check whether the FTP server port is reachable using the cmdlet:

Test-NetConnection -ComputerName yourftpservername -Port 21

Or using the ftp command:

ftp yourftpservername

Try to connect to your FTP site with any FTP client or directly from File Explorer (enter ftp://yourservername/ in the address bar).

Enter the user name and password.

Now you have access to the home directory with the user's files (which is the root of the FTP site for this user). As we can see, the user session is isolated and the user sees only their own files on the FTP server.

Tip. If you want to allow anonymous access (All anonymous users), anyone will be able to connect to your FTP server using the credentials anonymous or guest as the username and an e-mail address as the password. If you connect to an FTP site anonymously, the session will be restricted to the LocalUser\Public directory (obviously, the Public directory must be created in advance).

You can use the FTP logs to view information about user access to the FTP server. By default the log files are stored in the C:\inetpub\logs\LogFiles folder as u_exYYMMDD.log files.
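The FTP logs are in W3C format, so they are easy to mine for failed logons, the first thing to look at when a password-guessing attempt against the FTP users is suspected. The following PowerShell function is an added example, not from the original article: it reads the field names from the #Fields header, keeps the PASS commands that ended with status 530 (logon failed) and groups them by client IP. The log lines in $SampleLog are constructed for the demo; the FTPSVC* subfolder in the comment is the assumed per-site log location under the default folder.

```powershell
# Added example (not from the original article). Sample log lines are constructed.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-15 10:00:01 192.0.2.10 - 10.0.0.5 21 ControlChannelOpened - - 0 0 0 a1 -
2024-01-15 10:00:02 192.0.2.10 ftp_user1 10.0.0.5 21 USER ftp_user1 331 0 0 a1 -
2024-01-15 10:00:03 192.0.2.10 ftp_user1 10.0.0.5 21 PASS *** 530 1326 1 a1 -
2024-01-15 10:00:04 192.0.2.10 admin 10.0.0.5 21 PASS *** 530 1326 1 a1 -
2024-01-15 10:00:09 192.0.2.44 ftp_user2 10.0.0.5 21 PASS *** 230 0 0 b2 /
'@

function Get-FtpFailedLogons {
    # Returns one object per failed PASS command (sc-status 530) found in the W3C log lines.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Field order comes from the header, so it does not need to match the sample above.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-method'] -eq 'PASS' -and $rec['sc-status'] -eq '530') {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIP = $rec['c-ip']
                User     = $rec['cs-username']
            }
        }
    }
}

# Demo on the constructed sample. For real logs replace the input with, for example:
#   Get-Content 'C:\inetpub\logs\LogFiles\FTPSVC*\u_ex*.log'   (FTPSVC* subfolder assumed)
Get-FtpFailedLogons -Lines ($SampleLog -split "`r?`n") |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count,
                  @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } }
```

On the sample this reports 192.0.2.10 with 2 failures across the users ftp_user1 and admin; a single IP cycling through many user names in a short time is the pattern to alert on.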

To view the active user connections to your FTP server, you can use the values of the or the "Current FTP Sessions" section in the IIS console. In this console, you can view the names and IP addresses of the FTP users and disconnect an FTP session if necessary.

So, we have looked at how to configure an FTP site with user isolation on Windows Server 2016 / 2012 R2. In isolation mode, users are authenticated on the FTP server with their local or domain credentials and get access to the root directory that corresponds to their username.
