We'd like to set up an IIS 7 FTP server with non-Windows user accounts. We've heard that FTP Server v7.5 supports this, but the documentation is talking about "IIS Manager Accounts" and implies that these accounts have the ability to configure sites and applications. We want low-privilege accounts that only have the ability to read and write files in their home directories. Is there a way to accomplish this?
IIS – How do IIS FTP 7.5 user accounts work
Tags: ftp, iis, iis-7.5, windows-server-2008
Related Solutions
The correct practice you will use depends on the software you use.
If you know all your users, then I'd say using chroot is not a big deal. If you are giving accounts to people you don't know if you can trust, then you may not want to.
You may want to also take a look at pureftpd and its "chroot" options:
Apart from the "-a" flag, Pure-FTPd has another way to fine-tune chroot() rules. Let's take an /etc/passwd entry:
mimi:x:501:100:Mimi:/home/mimi:/bin/zsh
Without any special rule, mimi will be able to log in and to retrieve any public-readable file in the filesystem. Now, let's change a bit of its home directory:
mimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh
So what? Mimi's home directory is still the same and common applications shouldn't notice any difference. But Pure-FTPd understands "chroot() until /./". So when mimi next carries out an FTP login, only the /home/mimi directory will be reachable, not the whole filesystem. If you don't like the "-a" and its trusted gid thing, this is a good way to only chroot() some users.
http://download.pureftpd.org/pub/pure-ftpd/doc/README
Of course please do your research concerning security issues. Don't take anyone's word for it.
You don't need to use chroot to achieve isolation. That just makes it look nice for the user and the ignorant will think there are no other files on the server. You could also use file permissions to keep users from snooping around. You could also run your ftp daemon in a VM and reduce the risk further.
I will describe how I do an isolated setup of an FTP server. This works fine for our needs (1 (or more) user per website). I understand that there may be a much better/quicker/more secure setup, but that is what I have been using all the time without any issues so far (Keep in mind -- I'm a programmer and not a pro admin and will be grateful for any comments and advice).
1. Create new user: IUSR_ftpacc (will be used to run app pool).
   - Set "Deny this user permissions to log on to Terminal Services"
   - Member Of: remove "Users"; add "IIS_IUSRS"
2. Create new user(s) that will be used to access FTP service: e.g. ftpuser
   - Set "Deny this user permissions to log on to Terminal Services"
   - Member Of: I always remove "Users" and add "FTP" group (which you have to create separately -- all users in FTP group will be allowed to use FTP later)
3. Create folder for FTP: D:\websites\FTP and grant Read & Execute right to this folder.
4. Create 2 subfolders: "localuser" (for user folders -- must be this name) and "logs" (for logs).
5. Create individual folders inside D:\websites\FTP\localuser for each FTP account (folder must match user account): e.g. ftpuser, and grant Modify permission.
6. Open IIS Manager and create new Application Pool: FTPServiceApp. Advanced Settings -> Identity -- set it up to use IUSR_ftpacc account.
7. Sites -> Add FTP Site..
   - FTP site name: FTP
   - Physical path: D:\websites\FTP
   - Authentication: Basic
   - Allow access to: Specified roles or user groups; FTP (the group mentioned in #2)
   - Permissions: Read & Write
8. Select newly created FTP site -> Actions -> Basic Settings: Change Application Pool to the one created at #6 (FTPServiceApp). If all is set up properly you will see 2 green marks when clicking "Test Settings.." button. "Connect as.." should have "Application user (pass-through authentication)" selected by default.
9. FTP User Isolation -- I'm always choosing "User name physical directory".
10. The "FTP Authorisation Rules" should be configured already (from wizard step). "FTP Logging" -- set to write logs into D:\websites\FTP\logs folder.
11. If I need a user to access some website (which is located in D:\websites\mywebsite, for example) I create a symlink (or directory junction) instead of a folder at step #5.
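The answer's procedure as a script, added here as an example and not part of the original answer: it assumes PowerShell 5.1 or later with the LocalAccounts cmdlets and the IIS WebAdministration module (so a newer Windows Server than the 2008 the question targets), runs elevated, and keeps the answer's names; the app-pool password is a placeholder.

```powershell
# Added example (not from the original answer): scripts the same least-privilege
# layout. Assumes Windows Server with the FTP role, the WebAdministration module
# and the LocalAccounts cmdlets (PowerShell 5.1+); run from an elevated prompt.
# The app-pool password is a placeholder; the other passwords are prompted for.
Import-Module WebAdministration

$ftpRoot  = 'D:\websites\FTP'
$ftpGroup = 'FTP'                  # group that is allowed to use the site
$poolUser = 'IUSR_ftpacc'          # identity of the FTP application pool
$ftpUsers = @('ftpuser')           # one folder per account under localuser

# Steps 1-2: service account and FTP users leave "Users" and join only what they need
New-LocalUser -Name $poolUser -Password (Read-Host "Password for $poolUser" -AsSecureString) | Out-Null
Remove-LocalGroupMember -Group 'Users' -Member $poolUser
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $poolUser
New-LocalGroup -Name $ftpGroup -Description 'Accounts allowed to use the FTP site' | Out-Null
foreach ($u in $ftpUsers) {
    New-LocalUser -Name $u -Password (Read-Host "Password for $u" -AsSecureString) | Out-Null
    Remove-LocalGroupMember -Group 'Users' -Member $u
    Add-LocalGroupMember -Group $ftpGroup -Member $u
}

# Steps 3-5: root is Read & Execute only; each user gets Modify on its own folder,
# whose name must equal the account name for user isolation to find it
New-Item -ItemType Directory -Force -Path "$ftpRoot\localuser", "$ftpRoot\logs" | Out-Null
icacls $ftpRoot /grant "$($ftpGroup):(OI)(CI)RX" "$($poolUser):(OI)(CI)RX" | Out-Null
foreach ($u in $ftpUsers) {
    $dir = New-Item -ItemType Directory -Force -Path "$ftpRoot\localuser\$u"
    icacls $dir.FullName /grant "$($u):(OI)(CI)M" | Out-Null
}

# Steps 6-8: app pool running as the service account, site bound to it, Basic auth only
New-WebAppPool -Name 'FTPServiceApp' | Out-Null
Set-ItemProperty 'IIS:\AppPools\FTPServiceApp' -Name processModel `
    -Value @{ identityType = 3; userName = $poolUser; password = '<POOL-ACCOUNT-PASSWORD>' }
New-WebFtpSite -Name 'FTP' -PhysicalPath $ftpRoot -Port 21 | Out-Null
Set-ItemProperty 'IIS:\Sites\FTP' -Name applicationPool -Value 'FTPServiceApp'
Set-ItemProperty 'IIS:\Sites\FTP' -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true
Set-ItemProperty 'IIS:\Sites\FTP' -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# Steps 9-10: only the FTP group may log in (Read+Write); isolate each user in its own
# folder ("User name physical directory"); logs go to the logs subfolder
Add-WebConfiguration '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location 'FTP' `
    -Value @{ accessType = 'Allow'; roles = $ftpGroup; permissions = 'Read,Write' }
Set-ItemProperty 'IIS:\Sites\FTP' -Name ftpServer.userIsolation.mode -Value 'IsolateRootDirectoryOnly'
Set-ItemProperty 'IIS:\Sites\FTP' -Name ftpServer.logFile.directory -Value "$ftpRoot\logs"
```

After running it, the "Test Settings.." button in IIS Manager should still show both green marks, and a user logging in as ftpuser should see only D:\websites\FTP\localuser\ftpuser.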
Best Answer
IIS 7 introduces IIS Manager accounts which can be used for a number of things, including FTP.
Note that once you grant them IIS Manager Permissions, they will be able to manage their site using IIS Manager, as long as you also turn on the Management Service (WMSvc) at the top level.
Additionally, you can then grant that user access to FTP.
Here are the key steps:
Everything else is the same as you would set up a Windows user for FTP.