I'm using windows server 2012 R2 as an FTP server. I added an FTP site MyFtpServer. The application pool it uses is MyFtpServerAppPool. The AppPool uses ApplicationPoolIdentity as identity. If I use ftp from the commandline to log in, I get the following result:
530-User cannot log in.
Win32 error: Access is denied.
Error details: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
Error: Cannot read configuration file due to insufficient permissions
When I add permission to the \windows\system32\inetsrv\config folder by adding the Network Service identity with read access, then the FTP login proceeds without error.
But what I read about using Network Service like this is that, security-wise, this would be two steps back. The 'best practice' solution I found was to add permissions using the IIS AppPool\MyFtpServerAppPool identity. However, if I do that, then the FTP login fails again with the same error message.
So my question is, what would be the best way to solve this issue? Obviously, I want the FTP functionality to work, but I don't want to revert to measures which are no longer considered best practice security-wise.
Any ideas?
Added: I'm using IIS Manager Users
Best Answer
The IIS FTP server by default runs under Network Service. I think changing the application pool identity is not helpful, because the FTP service doesn't even use the application pools or the w3wp.exe processes. Some people recommend using a specific account to run the FTP service and then assigning permissions to that account.
You do that in the Component Services mmc, see a Microsoft blog post. I tried that but I didn't even see the FTP... node under COM+ Applications.
It took a while to find out that I have to install the FTP Extensibility Windows feature in Server Manager. After that you should see the Microsoft FTP Publishing Service Extensibility Host node. Open properties and change the Identity to a custom account.
I just wrote a PowerShell script that enables FTP, creates a site and a user and sets the identity for the FTP service. Set ACLs for the new account on the configuration files and the ftp root.
New-DemoFTPSite.ps1
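A PowerShell sketch of the ACL and identity steps the answer describes, added here as an example; it is not the answerer's New-DemoFTPSite.ps1. The account name FtpSvcAcct, the C:\inetpub\ftproot path, and the use of the COMAdmin catalog API in place of the Component Services MMC are assumptions.

```powershell
# Added example, not the answerer's New-DemoFTPSite.ps1. Assumed names: the
# dedicated local account 'FtpSvcAcct' and the FTP root 'C:\inetpub\ftproot'.
# Run elevated on the FTP server after the account has been created.
param(
    [string]$ServiceAccount = "$env:COMPUTERNAME\FtpSvcAcct",
    [string]$FtpRoot        = 'C:\inetpub\ftproot'
)

# Directory holding redirection.config, the file named in the 530 error.
$ConfigDir = Join-Path $env:windir 'System32\inetsrv\config'

function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Least privilege: the service only needs to read the IIS configuration, so grant
# ReadAndExecute to the dedicated account rather than widening access for Network Service.
Grant-FolderAccess -Path $ConfigDir -Identity $ServiceAccount -Rights 'ReadAndExecute'

# FTP root: ReadAndExecute for a download-only site; add 'Modify' only if uploads are required.
Grant-FolderAccess -Path $FtpRoot -Identity $ServiceAccount -Rights 'ReadAndExecute'

# Run the COM+ host under the same account. The application only appears once the
# FTP Extensibility feature is installed (Install-WindowsFeature Web-Ftp-Ext).
# Assumption: the COMAdmin catalog API is used here instead of the MMC the answer used.
$password = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString
$plain    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Name -like '*FTP Publishing Service Extensibility Host*') {
        $app.Value('Identity') = $ServiceAccount
        $app.Value('Password') = $plain
    }
}
[void]$apps.SaveChanges()
```

After running it, retry the command-line FTP login; if the 530 error persists, check the effective rights on redirection.config with Get-Acl before touching any built-in account.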