What is FTP User Isolation in the IIS web server?

What is FTP User Isolation?

FTP user isolation is an IIS feature that gives each user an individual FTP directory for uploading website content. It prevents users from viewing or overwriting other users' content by restricting each user to their own directory.

With FTP user isolation, users cannot navigate above their own directory, because their top-level directory appears as the root of the FTP service. Users can modify, add, or remove files and folders within their FTP directory.

Uses of the FTP user isolation:

It restricts the FTP user from viewing or modifying other FTP accounts' content.

It lets you configure the FTP server flexibly. For example, you can allocate virtual space for different users, enable anonymous access, and configure permissions.

How to configure FTP User Isolation in Windows Server 2012/2016/2019?

Below are the steps on how to configure the FTP user isolation in Windows Server 2012/2016/2019.

Step 1: Open Internet Information Service (IIS) Manager.

If you are using Windows Server 2012 R2:

Go to the taskbar -> click Server Manager -> click Tools -> click Internet Information Services (IIS) Manager.

If you are using Windows Server 2016 or Windows Server 2019:

Click the Search icon -> search for Internet Information Services (IIS) Manager.

Step 2: In the Connections pane, expand the server name. Expand Sites and click on the Default FTP Site.

Step 3: Double-click on the FTP User Isolation option in the default FTP Site Home window to open the FTP User Isolation window.

Step 4: The window shows five different options. Select the isolation mode that is appropriate for your FTP accounts. All the options are explained in detail below.

Here, we have selected the second option in the Isolate users section.

Important Note: It is advisable to restart the FTP service to apply the changes you have made to the FTP site settings.

Do not isolate the user. Start users in

1) FTP root directory: Pick this option if you do not want to isolate users. The user's FTP session will start in the root directory of the FTP site.

Drawback: If users have sufficient permissions, they may be able to access the data of other FTP users.

2) User name directory: Choose this option if you do not want to isolate users but want the FTP session to start in the physical or virtual directory that has the same name as the user you log in with, if that directory exists. If the directory doesn't exist, the FTP session will start in the root directory of the FTP site.

Important Note: For anonymous (unknown) users, you need to create a physical or virtual directory named default in the root directory of the FTP site.

Drawback: If users have sufficient permissions, they may be able to access the data of other FTP users.

Isolate users. Restrict users to the following directory

1) User name directory (disable global virtual directories): Choose this option if you want to isolate the FTP user session to the physical or virtual directory with the same name as the FTP user account. Users see only their own FTP root location and cannot navigate further up the directory tree.

Important Note:

Here, global virtual directories are ignored. Users cannot access virtual directories configured at the root level of the FTP site. Virtual directories must be defined explicitly under a user's physical or virtual home directory path.

2) User name physical directory (enable global virtual directories): Choose this option if you want to isolate the FTP user session to the physical or virtual directory that has the same name as the FTP user account. Here, users cannot go above their own directory.

Important Note:

Here, global virtual directories are permitted. If FTP users have sufficient permissions, all virtual directories configured at the root level of the FTP site are accessible to them.

Drawback:

When global virtual directories are enabled, FTP users may be able to access the content of other FTP users if they have sufficient permissions.

3) FTP home directory configured in Active Directory: Choose this option if you want to isolate the FTP user session to the home directory configured in the Active Directory account settings for the individual FTP user.

Important Note:

It is an advanced feature of FTP user isolation. If you want to use it, you need to modify the FTP configuration settings in the applicationHost.config file.
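
The same setting can be applied and audited from PowerShell. This is an added example, not part of the original article: it sets the mode chosen in Step 4 on the Default FTP Site, restarts the FTP service, and then lists every FTP site, warning about those left in a non-isolating mode. The mode names are the userIsolation values from the IIS configuration schema and ftpsvc is the Microsoft FTP Service; both are assumptions that do not appear in the steps above.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
Import-Module WebAdministration

$siteName = 'Default FTP Site'            # site used in Steps 2-3
$newMode  = 'IsolateRootDirectoryOnly'    # second option under "Isolate users" (Step 4)

# userIsolation "mode" values and the IIS Manager option each one corresponds to
$modes = [ordered]@{
    None                     = 'Do not isolate: FTP root directory'
    StartInUsersDirectory    = 'Do not isolate: User name directory'
    IsolateAllDirectories    = 'Isolate: User name directory (disable global virtual directories)'
    IsolateRootDirectoryOnly = 'Isolate: User name physical directory (enable global virtual directories)'
    ActiveDirectory          = 'Isolate: FTP home directory configured in Active Directory'
}

if (-not $modes.Contains($newMode)) { throw "Unknown isolation mode: $newMode" }

# Write the mode into the site's <ftpServer><userIsolation> element
Set-ItemProperty "IIS:\Sites\$siteName" -Name ftpServer.userIsolation.mode -Value $newMode

# Restart the FTP service so the change takes effect (see the Important Note in Step 4)
Restart-Service -Name ftpsvc

# Report every site that has an FTP binding and flag those whose users are not isolated
foreach ($site in Get-ChildItem IIS:\Sites) {
    $isFtp = $site.Bindings.Collection | Where-Object { $_.protocol -eq 'ftp' }
    if (-not $isFtp) { continue }

    $mode  = [string]$site.ftpServer.userIsolation.mode
    $label = if ($modes.Contains($mode)) { $modes[$mode] } else { 'not one of the five options above' }

    if ($mode -in 'None', 'StartInUsersDirectory') {
        Write-Warning "$($site.Name): $mode ($label) - users are not isolated"
    } else {
        Write-Output "$($site.Name): $mode ($label)"
    }
}
```

A site reported as IsolateRootDirectoryOnly still exposes root-level virtual directories to any user with sufficient permissions, so review the NTFS permissions on those directories as well.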
