FTP User Isolation
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the FTP User Isolation feature page to define the user isolation mode for your FTP site. FTP user isolation is a solution for internet service providers (ISPs) who want to offer their customers individual FTP directories for uploading content. FTP user isolation prevents users from viewing or overwriting other users' content by restricting users to their own directories. Users cannot navigate higher up the directory tree because their top-level directory appears as the root of the FTP service. Within their specific site, users can create, modify, or delete files and folders.
UI Elements for FTP User Isolation
The following tables describe the UI elements that are available on the feature page and in the Actions pane.
Feature Page Elements

| Element Name | Description |
|---|---|
| Do not isolate users. Start users in: FTP root directory | Select this option to specify that you do not want to isolate users. All FTP sessions start in the root directory of the FTP site. |
| Do not isolate users. Start users in: User name directory | Select this option to specify that you do not want to isolate users. All FTP sessions start in the physical or virtual directory with the same name as the currently logged-on user if the folder exists; otherwise, the FTP session starts in the root directory of the FTP site. Note: To specify the starting directory for anonymous access, create a physical or virtual directory folder named default in the root directory of the FTP site. Warning: If they have sufficient permissions, any FTP user can potentially access the content of any other FTP user. |
| Isolate users. Restrict users to the following directory: User name directory (disable global virtual directories) | Select this option to specify that you want to isolate FTP user sessions to the physical or virtual directory with the same name as the FTP user account. The user sees only their FTP root location and is restricted from navigating higher up the directory tree. Note: To create home directories for each user, you first must create a physical or virtual directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, create a physical or virtual directory for each user account that accesses your FTP site. The following lists the home directory syntax for the authentication providers that are included with the FTP service: Note: %FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot. Important: Global virtual directories are ignored. No FTP users can access virtual directories that are configured at the root level of your FTP site. All virtual directories must be defined explicitly under a user’s physical or virtual home directory path. |
| Isolate users. Restrict users to the following directory: User name physical directory (enable global virtual directories) | Select this option to specify that you want to isolate FTP user sessions to the physical directory with the same name as the FTP user account. The user sees only their FTP root location and is restricted from navigating higher up the directory tree. Note: To create home directories for each user, you first must create a physical directory under your FTP server's root folder that is named after your domain or named LocalUser for local user accounts. Next, create a physical directory for each user account that accesses your FTP site. The following lists the home directory syntax for the authentication providers that are included with the FTP service: Note: %FtpRoot% is the root directory for your FTP site; for example, C:\Inetpub\Ftproot. Important: Global virtual directories are enabled. All virtual directories that are configured at the root level of your FTP site can be accessed by all FTP users, if those users have sufficient permissions. Warning: When global virtual directories are enabled, all FTP users can potentially access the content of other FTP users, if those users have sufficient permissions. |
| Isolate users. Restrict users to the following directory: FTP home directory configured in Active Directory | Select this option to specify that you want to isolate FTP user sessions to the home directory that is configured in the Active Directory account settings for each FTP user. When a user's object is located in the Active Directory container, the FTPRoot and FTPDir properties are extracted to provide the full path of the user's home directory. If the FTP service can successfully access the path, the user is positioned within their home directory, which represents their FTP root location. The user sees only their FTP root location and is restricted from navigating higher up the directory tree. The user is denied access if either the FTPRoot or FTPDir property does not exist, or if these two together do not form a valid and accessible path. Note: This mode requires an Active Directory server that runs using the Windows Server 2003 operating system or a later operating system. A Windows 2000 Active Directory can also be used but requires manual extension of the User Object schema. |
| Custom | This option specifies that you want to isolate FTP user sessions by using a custom provider. Important: This option is an advanced feature that can be selected only by modifying the FTP configuration settings in your ApplicationHost.config file. |

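
The "User name directory (disable global virtual directories)" option can also be set up from PowerShell. The script below is an added example, not part of the original documentation: it sets the isolation mode, creates the LocalUser home directory described in the note above, and restricts its NTFS permissions so that the "sufficient permissions" warning does not apply to other accounts. The site name, user name, and the ACL entries chosen are assumptions; run it from an elevated prompt on a server with the FTP service and the WebAdministration module installed.

```powershell
# Added example. Assumed values: FTP site name, local account name, ACL layout.
Import-Module WebAdministration

$siteName = 'Default FTP Site'      # assumption: name of your FTP site
$ftpRoot  = 'C:\Inetpub\Ftproot'    # %FtpRoot% example path used on this page
$userName = 'ftpuser1'              # assumption: an existing local account

# Select "Isolate users: User name directory (disable global virtual directories)".
# 'IsolateAllDirectories' is the userIsolation mode value for that option.
Set-ItemProperty -Path "IIS:\Sites\$siteName" `
    -Name 'ftpServer.userIsolation.mode' -Value 'IsolateAllDirectories'

# Local accounts need a home directory under %FtpRoot%\LocalUser\<user name>.
$homeDir = Join-Path $ftpRoot "LocalUser\$userName"
New-Item -ItemType Directory -Path $homeDir -Force | Out-Null

# Isolation only hides the tree above the home directory; NTFS permissions
# still decide who can read the files. Drop inherited ACEs and grant access
# only to SYSTEM, Administrators and the owning FTP user.
$acl = Get-Acl -Path $homeDir
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';           Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators';        Rights = 'FullControl' },
    @{ Id = "$env:COMPUTERNAME\$userName";   Rights = 'Modify' }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $homeDir -AclObject $acl

# Review the result: every entry should be explicit (IsInherited = False).
(Get-Acl -Path $homeDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

For domain accounts, the same layout applies with the domain name in place of LocalUser, as the note above describes.
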
Actions Pane Elements

| Element Name | Description |
|---|---|
| Apply | Saves the changes that you have made on the feature page. |
| Cancel | Cancels the changes that you have made on the feature page. |

Set Credentials Dialog Box
Use the Set Credentials dialog box to specify the Active Directory credentials for your FTP server to use when it contacts your Active Directory server to retrieve FTP home directory settings.

| Element Name | Description |
|---|---|
| User name | Specifies the user account that the FTP server uses to contact your Active Directory server. |
| Password | Specifies the password for the user account. |
| Confirm password | Confirms the password for the user account. |