Tuesday, May 19, 2015

windows server 2008 - How to isolate users in virtual ftp website




I have IIS7 and I am using IIS6 FTP to manage my FTP website.
I have the default website and I created some virtual directories under it.
Now what I want to do is to give FTP users access to just one virtual directory I select, and prevent them from reading or writing to any other folders in the Default FTP site.
I don't want them to navigate through the FTP websites; I just want them to access their own place.



How can I do that, in steps?


Answer



You need to implement FTP jailing. An overview:




  • Create a new folder somewhere, call it DEADEND (or something similar). In IIS, set the FTP root folder to point at this folder.


  • All user folders will actually be located in a different place, so pick another folder for this (hell, use the original ftproot if you like).



  • Each local user on your server will have the path to their actual folder specified in the Local Path setting of the user account.


  • In IIS, you will create a virtual directory for each user, pointing to their own folder.




So, some details:




  1. Create the user's home folder (NOT IN DEADEND), and make sure its name matches the user's username exactly (eg. d:\data\ftproot\bloggs).


  2. Create the user account (in this case the username is bloggs), and set the user's Local Path setting to his home folder (eg. d:\data\ftproot\bloggs).


  3. Create the virtual directory for the user in the FTP site, setting the alias to be exactly the same as the username (eg. bloggs), and set the path to the user's home directory (eg. d:\data\ftproot\bloggs).



  4. Adjust the physical home directory folder permissions (in the security permissions, untick the Full Control option for the user).




When a user logs in, they are taken directly to their home folder (d:\data\ftproot\bloggs). If they manage to break out of their home folder, they are taken to the FTP site's root folder, which is the DEADEND folder you set earlier, which has nothing in it. (I tend to keep a text file in there saying "NAUGHTY!")

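The four steps above, scripted end to end as an added example (not part of the original answer, and not an IIS-supplied script). It assumes Windows Server 2008 with the IIS 6 FTP service and the IIS 6 metabase compatibility components installed, an elevated PowerShell prompt, the Default FTP Site at metabase ID 1, and the folder names, user name and placeholder password shown at the top; all of those are assumptions you would replace. It talks to the metabase through the ADSI IIS:// provider and creates the account through the WinNT:// provider, then checks that the alias, the account's Local Path and the virtual directory path all agree.

```powershell
# Added example: FTP jailing on the IIS 6 FTP service via ADSI.
# Assumptions: IIS 6 metabase compatibility installed, elevated prompt,
# site ID 1, and the paths/names below (replace before use).

$FtpSiteId = 1                       # assumed: Default FTP Site metabase ID
$DeadEnd   = 'D:\data\deadend'       # assumed: empty folder the FTP root points at
$UserRoot  = 'D:\data\ftproot'       # assumed: parent of the real per-user folders
$UserName  = 'bloggs'                # the example user from the answer
$Password  = 'Change-Me-Before-Use'  # assumed placeholder

$FtpRoot = [ADSI]"IIS://localhost/MSFTPSVC/$FtpSiteId/Root"

# Overview step: point the site root at DEADEND, read-only, with the
# "NAUGHTY!" note so a user who escapes their folder lands somewhere empty.
New-Item -ItemType Directory -Path $DeadEnd -Force | Out-Null
Set-Content -Path (Join-Path $DeadEnd 'NAUGHTY.txt') -Value 'NAUGHTY!'
$FtpRoot.Path        = $DeadEnd
$FtpRoot.AccessRead  = $true
$FtpRoot.AccessWrite = $false
$FtpRoot.SetInfo()

# Step 1: the user's real home folder, outside DEADEND, named after the user.
$HomeDir = Join-Path $UserRoot $UserName
New-Item -ItemType Directory -Path $HomeDir -Force | Out-Null

# Step 2: local account whose Local Path (Profile tab) is the home folder.
$Computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$User = $Computer.Create('User', $UserName)
$User.SetPassword($Password)
$User.SetInfo()
$User.HomeDirectory = $HomeDir
$User.SetInfo()

# Step 3: virtual directory whose alias is exactly the user name, so the
# FTP service drops the user straight into it at login.
$VDir = $FtpRoot.Create('IIsFtpVirtualDir', $UserName)
$VDir.Path        = $HomeDir
$VDir.AccessRead  = $true
$VDir.AccessWrite = $true
$VDir.SetInfo()

# Step 4: NTFS permissions. Break inheritance, give the user Modify rather
# than Full Control on their own folder, and grant nobody else but
# Administrators and SYSTEM. DEADEND stays readable but not writable.
icacls $HomeDir /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant "${UserName}:(OI)(CI)M" | Out-Null
icacls $DeadEnd /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'BUILTIN\Users:(OI)(CI)R' | Out-Null

# Check: the alias must exist, its path and the account's Local Path must
# both be the home folder, and the home folder must not sit under DEADEND.
$VDirPath   = "IIS://localhost/MSFTPSVC/$FtpSiteId/Root/$UserName"
$Exists     = [System.DirectoryServices.DirectoryEntry]::Exists($VDirPath)
$VDirTarget = if ($Exists) { ([ADSI]$VDirPath).Path } else { $null }
$LocalPath  = ([ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user").HomeDirectory
$UnderDead  = $HomeDir.StartsWith($FtpRoot.Path, [StringComparison]::OrdinalIgnoreCase)

if ($Exists -and ($VDirTarget -ieq $HomeDir) -and ($LocalPath -ieq $HomeDir) -and -not $UnderDead) {
    "FTP jail for $UserName is consistent: alias, Local Path and folder all point at $HomeDir"
} else {
    throw "FTP jail for $UserName is misconfigured (exists=$Exists vdir=$VDirTarget localpath=$LocalPath underDeadEnd=$UnderDead)"
}
```

Two points worth keeping in mind when running this. First, a virtual directory on the IIS 6 FTP service does not show up in a directory listing of the site root, but a user who guesses another alias can still change into it by name; the NTFS ACL written in step 4, which grants only the owner, Administrators and SYSTEM, is what actually keeps bloggs out of d:\data\ftproot\smith, so keep the icacls part even if you do the metabase part by hand. Second, repeat the step 1 to step 4 block per user; the DEADEND part is done once for the site.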
