Iis – How toIS FTP 7.5 User accounts work

The correct practice you will use depends on the software you use.

If you know all your users, then I'd say using chroot is not a big deal. If you are giving accounts to people you don't if you can trust, then you may not want to.

You may want to also take a look at pureftpd and it's "chroot" options:

Apart from the "-a" flag, Pure-FTPd has another way to fine-tune chroot() rules. Let's take an /etc/passwd entry:

mimi:x:501:100:Mimi:/home/mimi:/bin/zsh

Without any special rule, mimi will be able to log in and to retrieve any public-readable file in the filesystem. Now, let's change a bit of its home directory:

mimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh

So what? Mimi's home directory is still the same and common applications shouldn't notice any difference. But Pure-FTPd understands "chroot() until /./". So when mimi next carries out a FTP log in, only the /home/mimi directory will be reachable, not the whole filesystem. If you don't like the "-a" and its trusted gid thing, this is a good way to only chroot() some users.

http://download.pureftpd.org/pub/pure-ftpd/doc/README

Of course please do your research concerning security issues. Don't take anyones word for it.

You don't need to use chroot to achieve isolation. That just makes it look nice for the user and the ignorant will think there are no other files on the server. You could also use file permissions to keep users from snooping around. You could also run your ftp daemon in a VM and reduce the risk further.

I will describe how I do isolated setup of FTP server. This works fine for our needs (1 (or more) user per website). I understand that there maybe much better/quicker/secure setup, but that is what I have been using all the time without any issues so far (Keep in mind -- I'm programmer and not an pro admin and will be grateful for any comments and advices).

1. Create new user: IUSR_ftpacc (will be used to run app pool).

   • Set "Deny this user permissions to log on to Terminal Services"
   • Member Of: remove "Users"; add "IIS_IUSRS"

2. Create new user(s) that will be used to access FTP service: e.g. ftpuser

   • Set "Deny this user permissions to log on to Terminal Services"
   • Member Of: I always remove "Users" and add "FTP" group (which you have to create separately -- all users in FTP group will be allowed to use FTP later)

3. Create folder for FTP: D:\websites\FTP and grant Read & Execute right to this folder.

4. Create 2 subfolders: "localuser" (for user folders -- must be this name) and "logs" (for logs).

5. Create individual folders inside D:\websites\FTP\localuser for each FTP account (folder must match user account): e.g. ftpuser, and grant Modify permission.

6. Open IIS Manager and create new Application Pool: FTPServiceApp. Advanced Settings -> Identity -- set it up to use IUSR_ftpacc account.

7. Sites -> Add FTP Site..

   • FTP site name: FTP
   • Physical path: D:\websites\FTP
   • Authentication: Basic
   • Allow access to: Specified roles or user groups; FTP (the group mentioned in #2)
   • Permissions: Read & Write

8. Select newly created ftp site -> Actions -> Basic Settings: Change Application Pool to the one created at #6 (FTPServiceApp). If all setup properly you will see 2 green marks when clicking "Test Settings.." button. "Connect as.." should have "Application user (pass-through authentication)" selected by default.

9. FTP User Isolation -- I'm always choosing "User name physical directory".

10. The "FTP Authorisation Rules" should be configured already (from wizard step). "FTP Logging" -- set to write logs into D:\websites\FTP\logs folder.

If I need user to access some website (which located in D:\websites\mywebsite, for example) I create symlink (or directory junction) instead of folder at step #5.