Active Directory FTP User Isolation Mode (IIS 6.0)

[Today's post comes to us courtesy of Wayne McIntyre]

**DISCLAIMER**
FTP is an older protocol that has been superseded by better ways of hosting files. It is also insecure: usernames and passwords are sent in clear text, which is a major security risk. Prefer a secure SharePoint site, a secured (HTTPS) website, or Secure FTP to host and share files. However, if you have no choice but to use FTP and need to isolate users, continue reading.

IIS 6.0 introduced FTP user isolation for companies hosting an FTP site: each user is "locked" into a home directory and cannot browse the root of the FTP server or other users' folders. There are two isolation methods. One isolates users by a folder structure on disk named after each user's account; the other reads the user's home directory from attributes on the user object in Active Directory. Here are the steps for configuring AD isolation mode.

1. Install the FTP Service from add/remove windows components.

2. Open IIS Manager

3. Delete the Default FTP Site. It is created without user isolation, and the isolation mode of a site can only be chosen when the site is created, not changed afterwards.

4. Create a new FTP site by right-clicking FTP Sites and choosing New, then FTP Site


5. This will launch the FTP Site Creation Wizard, Click Next

6. Enter a Description for Your FTP Site


7. Set the IP address and Port to use for your FTP Site

*Note: if ISA 2000/2004 is installed on this server, do not select All Unassigned; select the internal IP address only.


8. The next screen shows the FTP User Isolation options. Select Isolate users using Active Directory


9. Next you will need to supply the account that the FTP service uses to read the isolation attributes from Active Directory. Any domain admin account works, but it is more than is needed: these credentials are stored in the IIS metabase, so a dedicated low-privilege account that can only read the two attributes described in step 12 is the safer choice. Click Next and re-enter the password to confirm


10. Select the required Permissions and click Next and then Click Finish


11. The IIS portion is now finished; now on to AD.

12. Two attributes in the AD schema, on the User class, define a user's FTP home directory: msIIS-FTPRoot, the root share for that user (\\Server\Share), and msIIS-FTPDir, the user's directory beneath that root. The FTP service combines them, so the user lands in \\Server\Share\Directory. Active Directory Users and Computers has no interface for these attributes, so for this demonstration I will use ADSI Edit from the Support Tools to modify them; the iisftp.vbs script that ships with IIS 6.0 can set them as well:

iisftp.vbs /SetADProp UserName FTPRoot \\Server\Share

iisftp.vbs /SetADProp UserName FTPDir Directory

13. Open ADSI Edit, drill down to the user account you want to isolate, open the properties of that account and set the two attributes mentioned above


14. Now whenever that user connects to the FTP server, the user is isolated to the home directory defined in Active Directory (FTPRoot\FTPDir). That folder must already exist on the share and the user must have NTFS permission to it; IIS does not create it, and the logon fails if the home directory cannot be reached.
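Steps 12 and 13 scripted for several users at once, as an added example that is not part of the original post: it validates the two values before writing them (a UNC root, and a relative directory name that cannot point outside the root), commits msIIS-FTPRoot and msIIS-FTPDir through plain ADSI so no ActiveDirectory module is required, reads them back from the domain controller, and warns if the resulting home folder does not exist yet. The server name FILESRV01, the share FtpHome, the account names and the function names are assumptions for illustration.

```powershell
# Added example, not from the original post. Sets the two AD attributes that
# IIS 6.0 AD isolation mode reads, checks them first, and verifies the result.
# FILESRV01, FtpHome and the user names are assumed values for illustration.
# Equivalent per-user command with the script that ships with IIS 6.0:
#   cscript iisftp.vbs /SetADProp jdoe FTPRoot \\FILESRV01\FtpHome
#   cscript iisftp.vbs /SetADProp jdoe FTPDir  jdoe

$FtpRoot = '\\FILESRV01\FtpHome'     # assumed UNC share used as msIIS-FTPRoot
$Users   = @('jdoe', 'asmith')       # assumed sAMAccountNames to isolate

function Test-FtpIsolationValues {
    param([string]$Root, [string]$Dir)
    # msIIS-FTPRoot must be a UNC path (\\server\share[\subfolder]).
    if ($Root -notmatch '^\\\\[^\\]+\\[^\\]+') { return $false }
    # msIIS-FTPDir must be a plain relative name: no drive letter, no leading
    # or trailing separator, no '..', so that Root\Dir stays under the share.
    if ([string]::IsNullOrEmpty($Dir)) { return $false }
    if ($Dir -match '^[A-Za-z]:|^[\\/]|\.\.|[\\/]$') { return $false }
    return $true
}

function Find-DomainUser {
    param([string]$SamAccountName)
    # Searches the default naming context of the domain this machine belongs to.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "User '$SamAccountName' not found in the domain" }
    return $result.GetDirectoryEntry()
}

function Set-FtpIsolation {
    param([string]$SamAccountName, [string]$Root, [string]$Dir)
    if (-not (Test-FtpIsolationValues -Root $Root -Dir $Dir)) {
        throw "Refusing to write unsafe isolation values for '$SamAccountName'"
    }
    $user = Find-DomainUser -SamAccountName $SamAccountName
    $user.Put('msIIS-FTPRoot', $Root)
    $user.Put('msIIS-FTPDir',  $Dir)
    $user.SetInfo()                        # commit both attributes in one write

    $user.RefreshCache()                   # re-read from the DC, not the local cache
    $home = Join-Path -Path $Root -ChildPath $Dir   # what the FTP service will use
    # IIS does not create the folder; a missing one makes the FTP logon fail.
    if (-not (Test-Path -Path $home -PathType Container)) {
        Write-Warning "$SamAccountName : home directory $home does not exist yet"
    }
    New-Object PSObject -Property @{
        User    = $SamAccountName
        FTPRoot = [string]$user.Properties['msIIS-FTPRoot'].Value
        FTPDir  = [string]$user.Properties['msIIS-FTPDir'].Value
        Home    = $home
    }
}

foreach ($u in $Users) {
    # Convention assumed here: each user's folder under the share is named after the account.
    Set-FtpIsolation -SamAccountName $u -Root $FtpRoot -Dir $u
}
```

Run it as an account that may write those two attributes on the target users (the FTP service's own read-only account from step 9 does not need, and should not have, that right). The validation is deliberately strict: a value such as C:\ or ..\..\Windows in msIIS-FTPDir would be accepted by ADSI Edit without complaint, and the point of isolation is lost if the configured home does not sit underneath the root.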

Additional Resources

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b63de8ef-e3c5-456d-a8ca-7af4198819d4.mspx?mfr=true
