As I wrote in the article on installing FTP 7 on IIS 7.0, Microsoft completely rewrote the FTP service code for Server 2008. Included in this update were a number of ways to secure your FTP server against intrusion. One of the easiest ways to secure your FTP site is to have users authenticate instead of allowing anonymous access, and that’s what we’ll look at today.
For this article I will assume that you already have Server 2008, IIS 7, and FTP installed and ready to go. Now let’s secure your FTP servers.
User Authentication in FTP 7 on IIS 7
In our first article on FTP, I showed you how to install and then configure an anonymous public site. This allowed anyone to get the files located in those directories.
While this is great for a certain type of site, if you require greater security you can set up authentication for your FTP site. We are going to look at two types of user authentication: one using Windows users and another using IIS Manager authentication.
Windows Users FTP Authentication
This type of user authentication allows the FTP site to use the local Server user accounts/groups for access to the FTP site.
This example assumes you already have a user created for this purpose and have given the account access to the FTP directory; we are using the account FTPUser.
1. Start by opening IIS Manager
2. Right click on Sites, and then click on Add FTP Site …

3. Fill in the site name and path to the directory that will hold the files. We are using WindowsFTPuser.com and C:\inetpub\privateftp for our example. Click Next when done.

4. Choose an IP for this FTP site to use, and change the radio button to Allow SSL. Leave the rest of the settings alone for now.

5. In this window we specify which users are allowed access and which Read/Write permissions are assigned to them.
Check the box next to Basic, set the dropdown to Specified users, under that type in the user name (in our case FTPUser), and check Read & Write. Click Next after you enter all the information.

6. That ends the FTP site wizard. If you want to add or remove users after the initial setup, click on the site you want to manage in IIS Manager and then click on FTP Authorization Rules.

7. In this pane you can select Add Allow Rule …, Add Deny Rule …, and Remove. This allows you to manage access to your FTP site through basic Windows authorization.

With this configuration only those users assigned to the FTP site will be allowed access. Please note that you can also use Group permissions the same way.
IIS Manager Authentication
For a long time Windows was sorely lacking compared to *nix implementations of FTP. One of the biggest hurdles was that if site managers wanted to give access to certain users, a corresponding account had to be set up for them on the local server. Not the best situation from a security or administration standpoint.
With the release of FTP 7 and IIS 7 this has been corrected through the IIS 7 Management Service. In this example, I'm going to set up the service and apply the users to the domain we set up earlier.
1. We have to grant special permissions to the Network Service account before it can use this service, so open up a command prompt.
2. Type the following:
CACLS "%SystemDrive%\Windows\System32\inetsrv\config" /G "Network Service":R /E
CACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /G "Network Service":R /E
CACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /G "Network Service":R /E
Now we have to give the Network Service account rights to the root FTP folder; in our instance this is C:\inetpub\privateftp. When you run this command, replace the directory with your own.
3. Open Command Prompt
4. Type the following:
CACLS "%SystemDrive%\inetpub\privateftp" /G "Network Service":C /T /E
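The four CACLS commands above can be scripted with icacls.exe (the tool Windows points you to when it reports cacls as deprecated) and the result checked afterwards, so you can see exactly what the Network Service account ended up with. The PowerShell below is an added example and not part of the original article or of Microsoft's documentation. It assumes the article's FTP root C:\inetpub\privateftp and identifies the account by its well-known SID S-1-5-20 rather than by the display name "Network Service", which is localized and differs on non-English installations.

```powershell
# Added example (not from the original article): grant NETWORK SERVICE the minimum
# rights the IIS Manager authentication provider needs, then verify the result.
# Assumption: the FTP root is the article's C:\inetpub\privateftp; change it to yours.
# Uses icacls.exe (the replacement for the deprecated cacls.exe) and the .NET ACL classes.
$ErrorActionPreference = 'Stop'

# S-1-5-20 is the well-known SID of NETWORK SERVICE. Passing the SID (prefixed with *)
# sidesteps the localized display name ("Network Service" vs. "NETZWERKDIENST").
$networkServiceSid = 'S-1-5-20'
$configDir = Join-Path $env:SystemRoot 'System32\inetsrv\config'
$ftpRoot   = 'C:\inetpub\privateftp'

# Read-only on the configuration store: enough for the provider to look up IIS Manager users.
$readOnlyTargets = @(
    $configDir,
    (Join-Path $configDir 'administration.config'),
    (Join-Path $configDir 'redirection.config')
)
foreach ($path in $readOnlyTargets) {
    # (R) = generic read on this object only; nothing underneath is widened.
    & icacls.exe $path /grant "*${networkServiceSid}:(R)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
}

# Modify on the FTP root: (OI)(CI) makes new content inherit it, /T fixes existing content.
& icacls.exe $ftpRoot /grant "*${networkServiceSid}:(OI)(CI)M" /T
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $ftpRoot" }

# Verification: report what NETWORK SERVICE can actually do on each path and warn when
# the grant is wider than intended (Full Control on the config store or the FTP root).
function Get-NetworkServiceRights {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $networkServiceSid } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path   = $Path
                Rights = $_.FileSystemRights
                Type   = $_.AccessControlType
            }
        }
}

$report = ($readOnlyTargets + $ftpRoot) | ForEach-Object { Get-NetworkServiceRights -Path $_ }
$report | Format-Table Path, Rights, Type -AutoSize

$tooWide = $report | Where-Object { $_.Rights.ToString() -match 'FullControl' }
if ($tooWide) {
    $paths = ($tooWide | ForEach-Object { $_.Path }) -join ', '
    Write-Warning "NETWORK SERVICE has Full Control on: $paths"
}
```

Run it from an elevated prompt; icacls needs the right to change the ACLs on the inetsrv config store. Modify (M) on the FTP root is the icacls equivalent of the Change (C) right the CACLS command above grants, and the final table is the place to confirm that nothing broader than Read has landed on the configuration files.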
Next we need to install the IIS 7.0 management service on the server.
5. Open Server Manager
6. Open the Roles, find the Web Server (IIS) role, and click on Add Role Services.

7. In the Select Role Services window scroll down until you find Management Service; if it is unchecked, place a check mark next to it and click Next.
If any required features also need to be installed, you will be prompted to install those as well.

8. Next you will see a summary screen of everything that is going to be installed; click Install to start the process.

9. The next window will show you the progress of the installation process.

10. The Installation Results window will appear when the installation is finished; click Close when done.

11. Open IIS Manager
Select the server in IIS Manager (in our case, TSTEST), scroll down in the center pane to Management Service and click on it.

12. In the Management Service pane, look for the Identity Credentials box and select Windows credentials or IIS Manager credentials, then click Apply.

13. In the connections pane select the server you are working on, and double click on IIS Manager Users.

14. Click on Add User … in the Actions pane.

15. Now you will create a user account; in our case I am going to add Gomer and enter a password for that user.

16. You will now see that the user is created and you can do some limited administration in this panel for those users, including Disable User and Change Password.

17. Now click the site you want to configure to use IIS 7 Manager Authentication in the connections pane, then choose FTP Authentication in the center pane.

18. Click on Custom Providers in the action pane.

19. In the Custom Providers dialog window place a check next to IisManagerAuth, then click Ok.

20. Now let's add the user we created earlier by selecting the FTP site in the connections pane and then IIS Manager Permissions in the center pane.

21. Click on Allow User … in the Actions pane

22. The Allow User … dialog box now shows both types of users, Windows & IIS Manager. In our case we are going to click the Select … button.

23. In the Users dialog select the user (Gomer in our case) and click OK.

24. Click Ok to continue and add the user to IIS Manager Permissions.

25. Now we have to add an authorization rule, so choose the site again in the connections pane, then FTP Authorization Rules in the center pane.

26. Select Add Allow Rule … in the actions pane.

27. The Add Allow Authorization Rule dialog box is next, so select Specified users and type the users’ names in, separated by commas. Place a check next to either or both Read/Write permissions, and click OK.
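The IIS Manager authentication part of this walkthrough (steps 13 to 27) can also be scripted, which makes the configuration reviewable and repeatable across servers. The PowerShell below is an added example and not part of the original article. It uses the Microsoft.Web.Administration and Microsoft.Web.Management assemblies that ship with IIS 7 in %SystemRoot%\System32\inetsrv, assumes the article's site name WindowsFTPuser.com and user Gomer, and prompts for the password instead of embedding it. The authorization rule at the end is the same kind of rule the Windows-user section creates in step 5, so it applies to that setup as well.

```powershell
# Added example (not from the original article): script steps 13-27 of the IIS Manager
# authentication walkthrough with the IIS 7 management assemblies. Assumptions: site name
# and user name are the article's examples; the DLLs are in the default inetsrv location.
# Run from an elevated PowerShell prompt on the FTP server.
$ErrorActionPreference = 'Stop'
Add-Type -Path (Join-Path $env:SystemRoot 'System32\inetsrv\Microsoft.Web.Administration.dll')
Add-Type -Path (Join-Path $env:SystemRoot 'System32\inetsrv\Microsoft.Web.Management.dll')

$siteName = 'WindowsFTPuser.com'
$userName = 'Gomer'

# Ask for the password interactively so it never sits in the script or the shell history.
$secure = Read-Host -Prompt "Password for IIS Manager user $userName" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Steps 13-16: the IIS Manager user is stored in administration.config, not in the
# Windows account database, so no local Windows account is created for it.
$auth = [Microsoft.Web.Management.Server.ManagementAuthentication]
if (-not $auth::GetUser($userName)) {
    $auth::CreateUser($userName, $password) | Out-Null
}
$password = $null

# Steps 20-24: IIS Manager Permissions, scoped to this one site. The third argument
# says the name is a user, not a role.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($userName, $siteName, $false) | Out-Null

$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$site = $mgr.Sites[$siteName]
if ($site -eq $null) { throw "FTP site '$siteName' does not exist; create it first (steps 1-5)." }

# Steps 17-19: enable the IisManagerAuth custom provider on the site. The provider is
# only offered when the FTP Extensibility role service is installed.
$customAuth = $site.GetChildElement('ftpServer').GetChildElement('security')
$customAuth = $customAuth.GetChildElement('authentication').GetChildElement('customAuthentication')
$providers  = $customAuth.GetCollection('providers')
$provider   = $providers | Where-Object { $_['name'] -eq 'IisManagerAuth' }
if ($provider -eq $null) {
    $provider = $providers.CreateElement('add')
    $provider['name'] = 'IisManagerAuth'
    $providers.Add($provider) | Out-Null
}
$provider['enabled'] = $true

# Steps 25-27: an Allow rule for just this user with Read and Write. With no matching
# rule a user gets no access at all, so nothing else on the server is opened up.
$appHost = $mgr.GetApplicationHostConfiguration()
$authz   = $appHost.GetSection('system.ftpServer/security/authorization', $siteName)
$rules   = $authz.GetCollection()
$rule    = $rules.CreateElement('add')
$rule['accessType']  = 'Allow'
$rule['users']       = $userName
$rule['permissions'] = 'Read, Write'
$rules.Add($rule) | Out-Null

$mgr.CommitChanges()
```

Granting the IIS Manager permission with the site name as the scope is what keeps Gomer limited to this one FTP site; a grant with an empty scope would apply server-wide. After the script runs, the site's FTP Authentication and FTP Authorization Rules panes in IIS Manager should show the same entries the wizard steps above produce, which is a quick way to confirm the change landed where you expected.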

We have now set up this site to use both types of users, Windows and IIS Manager Users. You can use these in conjunction with each other or completely independently of each other — all depending on the needs of your organization.







I couldn't use the code that you posted. It requires changing to ICACLS. But then there is no /G, and then another problem is that it couldn't understand "network service".
I have the same issue as Trung sadly.
there is an error with your cacls cmd, and icacls has no /g… I tried /grant but still no luck.
would love an update as I really found the iis user auth. VERY helpful!
I have users created, etc… but they can't connect as I'm lacking the permissions from the cacls cmds
thx
jeff
OK, so I stopped being a monkey just blindly doing copy/paste and actually looked at what the cacls cmds were doing…
easy… just giving read access to a folder and 2 files… and then read/write/delete/whatever you want to the ftp root folder you are using.
I manually did that, restarted the ftp site (not sure if it was needed or not) and now I'm good to go!!
thanks Dave!!!
I'm implementing my first 2008 server and the disk image I'm installing comes with IIS7 for web, but FTP6. I found an x86 version of IIS7 FTP, but no 64-bit; however, I do see RC0 x64 in some places…
Anyone please have a link
I have had a problem configuring a simple FTP site with the IIS6 version of the tool to give an isolated environment on a stand-alone server.
OK I retract that
I missed the download links in your other article first scan through!!
Thank you
Everything worked, except when I try to access the ftp site, the directory cannot be listed and I get a timeout.
When I try testing the connection from IIS I get this:
cannot verify access to path
“The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again. ”
Please any help would be greatly appreciated.
How can we type the following commands with Icacls?
Because CACLS is not working anymore
CACLS "%SystemDrive%\Windows\System32\inetsrv\config" /G "Network Service":R /E
CACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /G "Network Service":R /E
CACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /G "Network Service":R /E
CACLS "%SystemDrive%\inetpub\privateftp" /G "Network Service":C /T /E
any help will be highly appreciated
Hey guys!
It works for me this way:
ICACLS C:\Windows\System32\inetsrv\config /grant NETZWERKDIENST:R
ICACLS C:\Windows\System32\inetsrv\config\administration.config /grant NETZWERKDIENST:R
ICACLS C:\Windows\System32\inetsrv\config\redirection.config /grant NETZWERKDIENST:R
I suggest you replace NETZWERKDIENST with “Network Service” because I’m from Austria
greetings
I forgot one…
ICACLS C:\inetpub\privateftp /grant NETZWERKDIENST:M /T
I suggest you replace NETZWERKDIENST with “Network Service”, again =)
Happy ftping!
Great Article!
I'm testing this out on a Windows Server 2008 box and found I couldn't run the cacls command portion; I got the following. I ended up just using the GUI to apply special permissions but wanted to see if there was another way to use the command line with ICACLS.
C:\>CACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config”
/G “Network Service”:R /E
Invalid arguments.
NOTE: Cacls is now deprecated, please use Icacls.
Thanks,
-Dave
I too followed all the steps, but received a "550 No such host is known" when trying to connect. Any help would be appreciated. Thanks, Adam
Hi
Great Article
I ran into the issue with CACLS and the fix (for me) was simply making sure you have spaces before any backslash options, and I replaced %SystemDrive% with c:
So I ended up with
CACLS c:\Windows\System32\inetsrv\config\redirection.config /G "Network Service":R /E
MAKING SURE THERES A SPACE BETWEEN THE ‘R’ and ‘/E’
Hope this might help someone out
Tino (an old DOS hand at heart)
Oh come on guys… shame on you
in command prompt you should use quotes such as these " instead of the quotes used in the article: “ and ”
Replace those and everything will work just fine.
heh, this blog automatically messes up the quotes. When pasting CACLS commands into command prompt replace the quotes manually.
Can anyone help me how to set a domain\user1 account for anonymous authentication please?
I was able to do that for IIS6 but not IIS7. Whenever I entered the domain\user1 and pw, it said the pw is invalid….
Thanks a lot
I used these commands instead of the CACLS posted above and they worked perfectly.
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config" /grant "Network Service":R
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config\administration.config" /grant "Network Service":R
ICACLS "%SystemDrive%\Windows\System32\inetsrv\config\redirection.config" /grant "Network Service":R
ICACLS "%SystemDrive%\inetpub\ftproot" /grant "Network Service":(M,W)
I used the following, but it gives me a error on the last command:
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32\inetsrv\config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32\inetsrv\config\administration.config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config\administration.config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “%SystemDrive%\Windows\System32\inetsrv\config\redirection.config” /grant “NETWORK SERVICE”:R
processed file: C:\Windows\System32\inetsrv\config\redirection.config
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>ICACLS “F:\” /grant “NETWORK SERVICE”:(M,W)
Invalid parameter “SERVICE:(M,W)”
I think the space in the phrase NETWORK SERVICE is the problem, but I put quotes around it. Any takers?
Note: I’m on Windows Server 2008 and I have F:\ setup just for web and ftp site
I ran:
ICACLS F:\ /grant "NETWORK SERVICE":M /T
and it seemed to recurse through all the files:
it output:
Successfully processed 5292 files; Failed processing 0 files
But still get a 530 error when I try to connect
Response: 220 Microsoft FTP Service
Command: USER jason
Response: 331 Password required for jason.
Command: PASS *****
Response: 530 User cannot log in.
Running WS 2008 x64.
I get up through step 16 and all is fine. I set up C:\FTP as my FTP directory, or the root of my ftp directories. I set up a user, did everything else.
In step 17, when I expand “Sites” all I see is a Default Web Site. There is no WindowsFTPuser.com listed.
What did I miss??
I get this error after following through these steps. I am able to bring up the ftp site and log in but this comes up:
550 The system can not find the file specified.
Anyone can have an insight on this?
I forgot to mention that I setup the ftp folder on a d:\download and I ran this in the terminal:
C:\Userss\Administrator>ICACLS D:\download /grant “NETWORK SERVICE”:M /T
processed file: D:\download
Successfully processes 1 files; Failed processing 0 files
Hi,
Can anyone tell me if this is also possible with active directory accounts and NTFS security?
Thanks!
Best writeup yet. Gave me exactly what I needed. Thanks for taking the time to compile an accurate and thorough walk through.
How do you go about creating different usernames and passwords on the same FTP server that each have access only to specific folders?
i.e. the FTP server is http://ftp.7bpm.com and User1 (with Pass1), when logging in, can only see and access folder c:/intepub/ftproot/user1folder, but User2 (with Pass2) can only see and access folder c:/intepub/ftproot/user2folder…
I followed this guide and it says:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>cd\
C:\>ftp 127.0.0.1
Connected to 127.0.0.1.
220 Microsoft FTP Service
User (127.0.0.1:(none)): user ftpmanager
331 Password required for user ftpmanager.
Password:
530-User cannot log in.
Win32 error: Logon failure: unknown user name or bad password.
Error details: An error occured during the authentication process.
530 End
Login failed.
ftp>
I successfully ran the following command lines on Windows Server 2008 (x64) R2 + IIS7.5:
ICACLS C:\Windows\System32\inetsrv\config /grant networkservice:R
ICACLS C:\Windows\System32\inetsrv\config\administration.config /grant networkservice:R
ICACLS C:\Windows\System32\inetsrv\config\redirection.config /grant networkservice:R
ICACLS C:\FTPSites /grant networkservice:M /T
excellent thread
many thanks for all guys
Thank you so much for this article, it helped me a lot
I used Windows Users FTP Authentication and it worked almost fine; I had some trouble accessing the folder assigned to the user (probably because I'm new at this) but I solved it as follows:
1. Right click to the user folder -> Properties
2. In the security tab go to Edit, then Add
3. Select the location (ftp server) then you can select advanced and find now, select the user
4. Give full control to the user
With this you won't have any problem accessing it with an FTP client.
I hope this helps somebody
I have created the FTP folder in IIS and given the username and password for it. But I cannot log in to the folder using FileZilla. Can you please help me.
In FileZilla (and probably other FTP clients) the username must be in the format: site|username, i.e.
http://ftp.site.com|user
HTML wrongly formatted username…
“ftp.site.com|user”
(without quotations)
Hi,
When I use IIS Manager authentication, will a CAL be used when a user tries to access FTP from the internet?
I have Windows Server 2008 with IIS7. Each user is configured to access only a specific folder.
I have tested the above commands which Wael described and they are working fine, but the problem is still that the IIS user cannot log in through ftp; the password still fails and a bad password message appears. Why is this happening? Any help? It works fine with Windows users but not with those created through IIS Manager Authentication.
If you get a 530 error when trying to log in, be sure you have also installed FTP EXTENSIBILITY in the Select role services dialog.
It took me a long time to find it
Thank you for the information! This solution helped me connect Dreamweaver CS4 to a website hosted on a Windows 2008 R2 server. I had been unable to connect to the root directory of the site and now that I found this all is working. Also thanks to Haraken for posting the correct ICACLS for my server as the ones in the article did not work.
It’s working like a charm.
For the issues with cacls, type the whole syntax by hand! IT WILL WORK!!!
See Wael's comment above if you are using 2008 R2. In addition, I had to right click on the shortcut that opens my command line and choose "run as administrator", as I was getting an "Access denied" message.
I had configured it as shown but I am unable to run the icacls command; can anybody help with the prerequisites for this?
For those that are having issues running the CACLS and ICACLS, if you're in a rush go to the folders listed in the command (C:\windows\system32), browse to the appropriate folders and files and manually grant the Network Service account the rights as stated (all but full control). This will get you through the dilemma unless you scroll back up and read the post by the Australian contributor – I had already manually configured it prior to the end of the post so I hadn't tested that contributor's method. All is working for me – I'm now implementing some advanced FTP tricks/methods. Enjoy!
Thank you very much it worked for me..
ICACLS C:\Windows\System32\inetsrv\config /grant networkservice:R
ICACLS C:\Windows\System32\inetsrv\config\administration.config /grant networkservice:R
ICACLS C:\Windows\System32\inetsrv\config\redirection.config /grant networkservice:R
ICACLS C:\FTPSites /grant networkservice:M /T
Hi, very good article. I was wondering if you could advise on creating users and locking them down to certain folders. IE customer1 logs into the server with credentials that we provide and can only download/upload files from/to their own area? Any help is appreciated.
Thanks
David
Hello,
I tried the above steps in the screenshots and also I ran
ICACLS C:\Windows\System32\inetsrv\config /grant networkservice:R
ICACLS C:\Windows\System32\inetsrv\config\administration.config /grant networkservice:R
ICACLS C:\Windows\System32\inetsrv\config\redirection.config /grant networkservice:R
ICACLS C:\FTPSites /grant networkservice:M /T
in cmd. That also worked well.
I tried to connect to the ftp site in a web browser like
ftp://www.mydomain.com
Credential dialog opens.
I entered the user name and password that I created in IIS Manager User.
I get the error.
530 Valid host name is expected.
Kindly help me with this issue