IIS – Combining AD permissions with FTP

Tags: active-directory, ftp, iis, permissions, windows-server-2008

We're using Windows Server 2008 with Active Directory controlling access to a network share. We've set up FTP so that people can access that share from outside (we used to use the PPTP VPN but for various reasons we need to switch to FTP). So far here is what we've managed to implement on the FTP:

- The network share is used as the FTP root (defined as a UNC) and that is working fine.
- AD authentication is working fine (wrong password and you stay out, good password you're in, password management in AD correctly synched with the FTP).
- AD permissions are failing: the AD permissions on the content of the FTP root are ignored: either a user only has read or write access, but this applies to the whole FTP root, which obviously isn't suitable since that FTP root is initially our network share and files/folders have different AD permissions depending on people's groups…

Whether we set the permissions through the share OR the FTP management interface, AD permissions are never enforced.

Q1: Is that normal?
Q2: If so what solutions exist to combine AD permissions with FTP on MS server 2008?
Q3: If not, where should I look to fix the configuration?

1st update:
Following MarkM's answer I did the following:
- Set the NTFS permissions on the share (which is also the FTP root) to List folder contents for Domain Users
- Set the FTP Authorization Rules to Specified roles or user groups = Domain Users with Permissions = Read (before, Write was also enabled, hence why NTFS permissions were probably overwritten).

I then created 3 folders with the following NTFS permissions:
folderA: inheritable, nothing else
folderB: not inheritable, Full control to Domain users
folderC: not inheritable, no permissions for Domain users

Via FTP, the NTFS read permissions are properly enforced, however the write permissions aren't:
folderA: can see the folder, can open it and download its content, can't upload to it
folderB: can see the folder, can open it and download its content, can't upload to it (NTFS write permission is NOT enforced)
folderC: can't even see the folder (NTFS read permission is properly enforced)

Q4: What other settings should I be looking at?

Best Answer

Q1
No, that's not normal, unless you have anonymous FTP access turned on in IIS. If you disable this, then access is evaluated based on NTFS ACLs and SMB Share ACLs. Best practices are to give Everyone Full Control on the Share ACLs and control access through the NTFS permissions. I think this might be what's tripping you up. Chances are, your NTFS permissions give Users (or some other widely populated group) R/W at the root of the share. Consider just giving them Traverse Directory and List Folder Contents instead. FTP (and anything else that isn't SMB) ignores Share ACLs. Triple check your NTFS ACLs and make sure that they are in order.

Q2
This is natively supported.

Q3
See above answers.
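As an added example (not part of the original question or answer), the following PowerShell applies the answer's recommendations on IIS 7.5 FTP: anonymous authentication off, Basic authentication on, an FTP authorization rule that allows Read and Write for the group, and per-folder NTFS ACLs matching the folderA/B/C layout from the update. The site name `FTPSite`, the UNC root `\\FILESERVER\Share` and the domain name `DOMAIN` are placeholders, not values from the post. Note that the FTP authorization rule is an additional gate in front of NTFS: an FTP rule that grants only Read blocks uploads everywhere, whatever NTFS says, so Write has to be allowed at the FTP level for NTFS write permissions to become visible.

```powershell
# Placeholders (assumptions, not from the original post):
$site  = 'FTPSite'               # IIS FTP site name
$root  = '\\FILESERVER\Share'    # the network share used as FTP root
$group = 'DOMAIN\Domain Users'   # AD group whose access is being tuned
$admin = 'BUILTIN\Administrators'
$sys   = 'NT AUTHORITY\SYSTEM'

Import-Module WebAdministration

# 1. Authentication: no anonymous access (otherwise NTFS evaluation is bypassed),
#    Basic authentication against the AD account.
Set-ItemProperty -Path "IIS:\Sites\$site" `
    -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty -Path "IIS:\Sites\$site" `
    -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# 2. FTP authorization rule: the FTP-level ceiling. Read AND Write for the group;
#    a Read-only rule here would block uploads into every folder regardless of NTFS.
Clear-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.ftpServer/security/authorization'
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.ftpServer/security/authorization' -Name '.' `
    -Value @{ accessType = 'Allow'; roles = $group; permissions = 'Read,Write' }

# 3. NTFS ACLs: where per-folder control actually happens (FTP ignores share ACLs).
#    Root: Domain Users get only "List folder contents" (RX on this folder and
#    subfolders, no object inheritance), so no R/W leaks down into subfolders.
icacls $root /inheritance:r `
    /grant:r "${admin}:(OI)(CI)F" "${sys}:(OI)(CI)F" "${group}:(CI)(RX)"

# folderA: keeps inheriting from the root -> list and download only, no upload.
icacls "$root\folderA" /inheritance:e

# folderB: inheritance broken, Full Control for the group -> uploads work
#          once the FTP rule above allows Write.
icacls "$root\folderB" /inheritance:r `
    /grant:r "${admin}:(OI)(CI)F" "${sys}:(OI)(CI)F" "${group}:(OI)(CI)F"

# folderC: inheritance broken, no ACE for the group -> not listed over FTP.
icacls "$root\folderC" /inheritance:r `
    /grant:r "${admin}:(OI)(CI)F" "${sys}:(OI)(CI)F"

# Verify the effective NTFS ACLs after the change.
icacls $root
icacls "$root\folderA"; icacls "$root\folderB"; icacls "$root\folderC"
```

Run it on the FTP server as an administrator; `icacls` works against the UNC path as long as the account running it has the rights to change ACLs on the share.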