IIS – FTP directory restrictions via IIS6

file-permissions ftp iis iis-6

We are trying to set up the FTP on our stand-alone dedicated Windows Server 2003 (Standard, 32-bit, SP2) IIS6. We are NOT using AD.

It is NOT set up for user isolation, as I need the "administrator" account to be able to access any part of the D: drive (which the FTP has set up as its root).

I want to be able to restrict a single user account (created on the local box) to only be able to access a particular sub-sub-directory structure on the drive. I do not want to allow this user to read/write/navigate to any other part of the D: drive. If necessary I can accept directory listings, but certainly nothing more than that.

In IIS6 I have created a virtual directory using the username (as the user mentioned above) as the alias – logging into FTP using the credentials puts them straight into the directory, which is correct and what I'm after. But I cannot find any way of blocking them from navigating outside of "their" structure.

I have tried Denying them permission at the root of the D: drive, but of course the Deny overrides any attempt to Allow them permission in "their" directory.

I have also tried creating a group, so that, should I need to, I can add other users into this group and they will also be denied access to anything that isn't their directory structure.

As you might have gathered, I'm not a Network Admin by trade, so please be gentle!

Best Answer

You would do this through NTFS permissions on the drive. This requires that the drive be formatted with the NTFS file system and that you set the security settings on all the folders appropriately.

You should seriously reconsider this design though, as logging into an FTP with root access to a drive with an administrator account is bad security practice. Hopefully at least you have installed an SSL certificate and are using FTPS instead of unencrypted FTP.
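
To illustrate the NTFS approach in the answer, here is an added example (not from the original post or from IIS) that models how inherited Allow entries add up, so a planned ACL layout can be checked before it is applied. The `ftpclient` account, the `D:\ftp\clients\acme` folder and the probe paths are constructed. Deny entries are not modelled, and the default "Bypass traverse checking" user right is assumed, so no rights are needed on parent folders.

```python
from pathlib import PureWindowsPath as P

# Constructed local accounts and the groups in each logon token.
TOKENS = {
    "administrator": {"administrator", "Administrators", "Users"},
    "ftpclient": {"ftpclient", "Users"},   # hypothetical restricted FTP user
}
HOME = P("D:/ftp/clients/acme")            # hypothetical "their" directory
PROBES = ["D:/", "D:/backups", "D:/ftp/clients/other", "D:/ftp/clients/acme/upload"]

def layout(users_read_at_root):
    """Folder -> (inherits_from_parent, {principal: allowed rights})."""
    root = {"Administrators": {"R", "W"}, "SYSTEM": {"R", "W"}}
    if users_read_at_root:
        root["Users"] = {"R"}              # broad grant that lets every local user browse D:
    return {P("D:/"): (True, root), HOME: (True, {"ftpclient": {"R", "W"}})}

def effective_rights(acls, user, path):
    """Union of Allow ACEs matching the user's token, from the folder up to the root."""
    rights, node = set(), P(path)
    while True:
        inherits, aces = acls.get(node, (True, {}))   # unlisted folders only inherit
        for principal, allowed in aces.items():
            if principal in TOKENS[user]:
                rights |= allowed
        if not inherits or node == node.parent:       # protected ACL or drive root
            return rights
        node = node.parent

def reachable_outside_home(acls, user):
    """Probe paths outside HOME where the user still holds any right."""
    hits = []
    for p in map(P, PROBES):
        inside = p == HOME or HOME in p.parents
        if not inside and effective_rights(acls, user, p):
            hits.append(str(p))
    return hits

if __name__ == "__main__":
    for name, acls in (("Users:R on D:\\", layout(True)), ("Users removed", layout(False))):
        print(name, "->", reachable_outside_home(acls, "ftpclient"))
```

In this model the restriction comes from removing the broad `Users` grant at the drive root and granting the account rights only on its own folder, while `Administrators` keeps access to the whole drive.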