FTP User Isolation In IIS

Adrian Jenkins
4 min read · May 18, 2022


In this article, we will walk through the options of the FTP User Isolation feature in IIS Manager, and the folder structure each option expects before it will work.

For authentication purposes, I have the following configured:

For authorization purposes, I have the following:

Domain account: “main\adrian” is a member of “FTP_Users”.

And this is the physical path of my FTP site:

FTP root directory

With this option, all FTP sessions start in the root directory of the FTP site. There is no isolation at all: every account that can log on (anonymous included, if it is enabled) lands in the same tree and sees the same content.

Notice how both sessions (anonymous and the domain account) start at the root directory of the FTP site.

User name directory

This option specifies that all FTP sessions start in the physical or virtual directory with the same name as the currently logged-on user, if that folder exists; otherwise, the FTP session starts in the root directory of the FTP site.

For this, we need the proper folder structure: a folder named after the user under the FTP site. Inside the “adrian” folder there is a file called “adrianFile.txt”.

When logged on with the “adrian” account, the session starts in the “adrian” folder, but it is still possible to navigate up the directory tree. This option only sets the starting directory; it does not isolate the user.

User name directory (disable global virtual directories)

This option specifies that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their own FTP root location and is therefore restricted from navigating higher up the physical or virtual directory tree. Any global virtual directories that are created are ignored.

We need to have the proper folder structure under the FTP root:

  • LocalUser\Public => for anonymous users.
  • %domain%\%username% => for each domain user account.
  • LocalUser\%username% => for each local Windows account.

Folder structure

Let us test:

If there is no folder for the account you are trying to log in with, the logon is refused with a 530 response:

User name physical directory (enable global virtual directories)

This option specifies that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their own FTP root location and is therefore restricted from navigating higher up the physical directory tree. The difference from the previous option is that any global virtual directories that are created apply to all users.

The folder structure is the same as before:

Let us test:
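The two isolation options above (“User name directory (disable global virtual directories)” and “User name physical directory (enable global virtual directories)”) expect the same folder layout and differ only in the mode the site is switched to. The following PowerShell is an added example, not code from the original article: it builds the LocalUser\Public, %domain%\%username% and LocalUser\%username% folders under the site's physical root, reports which accounts would be refused with 530 because their folder is missing, and then switches the site's `<userIsolation>` mode. It assumes a site named “Default FTP Site”, the domain “main”, a local account “bob”, a domain account “main\carol” that deliberately has no folder, and the WebAdministration module (the IIS:\ drive); the mode values are the ones the `<userIsolation>` element's mode attribute accepts.

```powershell
# Added example (not from the original article). Assumed: site "Default FTP Site",
# domain "main", local account "bob", and the WebAdministration module.
Import-Module WebAdministration

$SiteName = 'Default FTP Site'
# The site's physical path may contain %SystemDrive%-style variables; expand them.
$Root = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$SiteName").physicalPath)

# Map an account to the folder IIS looks for, relative to the FTP root:
#   anonymous       -> LocalUser\Public
#   domain\username -> <domain>\<username>
#   username        -> LocalUser\<username>   (local Windows account)
function Get-IsolationFolder {
    param([Parameter(Mandatory)][string]$Account)
    if ($Account -eq 'anonymous') { return 'LocalUser\Public' }
    if ($Account -match '^([^\\]+)\\([^\\]+)$') { return "$($Matches[1])\$($Matches[2])" }
    return "LocalUser\$Account"
}

# Create the per-account folders (idempotent). NTFS permissions still apply:
# the account, or a group such as FTP_Users, needs access to its own folder.
function New-IsolationFolders {
    param([Parameter(Mandatory)][string[]]$Accounts)
    foreach ($a in $Accounts) {
        $path = Join-Path $Root (Get-IsolationFolder $a)
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        $path
    }
}

# Preflight: in the two isolation modes an account with no folder gets 530,
# so check before switching modes rather than discovering it from the client.
function Test-IsolationFolders {
    param([Parameter(Mandatory)][string[]]$Accounts)
    foreach ($a in $Accounts) {
        $path   = Join-Path $Root (Get-IsolationFolder $a)
        $exists = Test-Path -LiteralPath $path -PathType Container
        [pscustomobject]@{
            Account  = $a
            Folder   = $path
            Exists   = $exists
            Expected = if ($exists) { '230 logged in, confined to folder' } else { '530 User cannot log in' }
        }
    }
}

# Switch the site's <userIsolation> mode. Mode names per option in IIS Manager:
#   None                     -> FTP root directory
#   StartInUsersDirectory    -> User name directory (start dir only, no isolation)
#   IsolateAllDirectories    -> User name directory (disable global virtual directories)
#   IsolateRootDirectoryOnly -> User name physical directory (enable global virtual directories)
#   ActiveDirectory          -> FTP home directory configured in Active Directory
function Set-FtpUserIsolation {
    param([Parameter(Mandatory)]
          [ValidateSet('None','StartInUsersDirectory','IsolateAllDirectories','IsolateRootDirectoryOnly','ActiveDirectory')]
          [string]$Mode)
    Set-WebConfigurationProperty -PSPath 'IIS:\' `
        -Filter "/system.applicationHost/sites/site[@name='$SiteName']/ftpServer/userIsolation" `
        -Name mode -Value $Mode
}

# Usage: create folders for the known accounts, check, then isolate.
New-IsolationFolders -Accounts 'anonymous', 'main\adrian', 'bob' | Out-Null
Test-IsolationFolders -Accounts 'anonymous', 'main\adrian', 'bob', 'main\carol' | Format-Table -AutoSize
Set-FtpUserIsolation -Mode IsolateAllDirectories
# Set-FtpUserIsolation -Mode IsolateRootDirectoryOnly   # same folders, global virtual directories visible
```

Run it in an elevated PowerShell on the IIS host. The Test-IsolationFolders row for “main\carol” shows the 530 case: the account authenticates, but the logon is rejected because no main\carol folder exists under the root.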

FTP Home directory configured in Active Directory

This option specifies that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings of each FTP user, so the starting and confining folder comes from the directory rather than from a folder tree under the FTP site.

Conclusions

  • The <userIsolation> element is used to choose where FTP clients start, or to confine them to a specific section of an FTP site.
  • Each option needs its expected folder structure in place in order to work; in the isolation modes, an account with no matching folder is refused with 530.
