Isolating FTP Users

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008

FTP user isolation is a solution for Internet service providers (ISPs) and application service providers who want to offer their customers individual FTP directories for uploading files and Web content. FTP user isolation prevents users from viewing or overwriting other users' Web content by restricting users to their own directories. Users cannot navigate higher up the directory tree because the top-level directory appears as the root of the FTP service. Within their specific site, users can create, modify, and delete files and folders.

FTP user isolation is a site property, not a server property. It can be turned on or off for each FTP site.

FTP user isolation supports the following three isolation modes, each of which enables different levels of isolation and authentication:

  • Do not isolate users: This mode does not enable FTP user isolation. It is designed to work similarly to earlier versions of IIS.

  • Isolate users: This mode authenticates users against local or domain accounts before they can access the home directory that matches their user name.

  • Isolate users using Active Directory: This mode authenticates user credentials against a corresponding Active Directory container, rather than searching the entire Active Directory, which would require large amounts of processing time.


    This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema. To learn more about setting up an Active Directory server, see Help and Support Center for Windows Server 2003.
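
The confinement that the Isolate users mode provides can be modeled as a mapping from the client's virtual path to a physical path under that user's home directory. The following is an added illustration, not IIS code and not part of the original page; the site root `D:\ftproot`, the function names, and the `LocalUser\<user>` and `<domain>\<user>` directory layout are assumptions made for the example.

```python
import posixpath
from pathlib import PureWindowsPath

SITE_ROOT = PureWindowsPath(r"D:\ftproot")  # hypothetical FTP site root


def home_dir(user, domain=None):
    """Physical home directory for an account (assumed layout:
    <root>\\LocalUser\\<user> for local, <root>\\<domain>\\<user> for domain)."""
    container = domain or "LocalUser"
    for part in (container, user):
        # Reject empty, ".", ".." and names carrying separators or a drive.
        if part.strip(". ") == "" or any(c in part for c in "\\/:"):
            raise ValueError(f"unsafe account component: {part!r}")
    return SITE_ROOT / container / user


def resolve(user, cwd, requested, domain=None):
    """Map a client-supplied FTP path to (virtual path, physical path)."""
    requested = requested.replace("\\", "/")  # treat both separators alike
    # normpath on an absolute path never climbs above "/", so ".." at the
    # virtual root stays there: the home directory is the visible root.
    norm = posixpath.normpath(posixpath.join("/", cwd, requested))
    parts = [p for p in norm.split("/") if p]
    if any(":" in p for p in parts):
        raise ValueError("drive or stream specifier not allowed")
    home = home_dir(user, domain)
    physical = home.joinpath(*parts)
    # Defence in depth: re-check containment on the final physical path.
    if physical != home and home not in physical.parents:
        raise ValueError("path escapes home directory")
    return "/" + "/".join(parts), physical


if __name__ == "__main__":
    # Constructed requests: alice attempts to reach bob's content.
    for cwd, req in [("/", "../../bob/site/index.htm"), ("/www", ".."),
                     ("/www", "..\\..\\..\\LocalUser\\bob")]:
        print(req, "->", *resolve("alice", cwd, req))
```

Every request resolves inside `D:\ftproot\LocalUser\alice`, so a path that names another user simply refers to a subfolder of the caller's own directory.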
