Configure Virtual FTP sites in IIS 5.0

Virtual FTP sites allow you to have segregated content based on user ID.  Directory listing and downloading is restricted to that specific user. 
To create security on an FTP site you must depend entirely on NTFS.  If you want to have a "Super-User" account that can access all the folders, create a user that will be the "all-powerful" admin account. Do NOT use a real account (Administrator) since this password is going to be passed in cleartext most of the time.

This example shows a user named FTPAdmin for this purpose.

Create users.  One example here is a user named maildrop.

Create 2 groups - one for "FTP-Admins" and one for "FTP-Users".  Put the Admin user you created earlier in the Admin Group, and all future FTP users must go into the FTP-Users group.

This example shows FTP-Admins and FTP-Users

Now - Setup the basic FTP Server. 
Open up Internet Services Manager or use Computer Management.  Select IIS and the default FTP site as you see here.
The FTP Site tab allows you to set up specifics of the site.  Enabling logging is a good idea, but you'll probably want to change the directory.  Click PROPERTIES to set this.
I usually put the logs inside the same root that I've created for the data.  Extended properties gives you options for what you want to log.
Set the site Security to look like so.
Configure your desired message.  This applies to all sites.
Under Home Directory you'll see the default location.  You should use this so that your multiple users can't cd .. down into an actual root and see folder structures and so forth.  A cd .. from a virtual to this location will not show them anything useful.  Proper NTFS will prevent them from doing a cd .. and then a cd \ into something they shouldn't see.

ALL users must have at least LIST on this folder to be able to log into their virtual directory.

If you set directory security to deny a machine access at this level it CAN affect all sites above, but even if you don't set that - they won't even be able to log in if they are denied.  Set this on the virtual directory.

 

Now, setup the file structure. 
Create the root of your FTP structure (C:\FTPRoot in this example) and set NTFS security as:

Administrators= Full
FTP-ADMINS = Modify
System = Full

Set the permissions to propagate down.

Create directories as you desire under the folder.  The name does not have to match the virtual directory - but why confused yourself?

Set NTFS security to inherit and ADD the specific user in with the rights you want.  Only READ allows this user to only pull data down, etc.  

*It is possible to set up multiple users (Virtual directories) pointing to the same file location (One reason to have slightly different folder names vs. Virtual directory) so that a customer can have 1 ID and the Support team has another.  Set the permissions accordingly for each group.

This example shows a folder named FTPTEST with a user named FTPTEST having read/write permissions.

Now, setup the Virtual directory. 
 

Right click on the FTP Site and select NEW > Virtual Directory

 

Enter the Alias of the site.  This MUST match the USER ID that will be used to log on.
Enter the folder location.

* This demo was built on a standalone server.  This WILL work using UNC paths if you want to deliver content from a front-end server to a direct file system.  That usually confuses the heck out of users, however.

Here's a simple way to restrict reading and writing, but still use NTFS.
Test!  Try logging in (from the same server, for security safety) using a different username and then browsing to the folder you created.

Tip: You can embed a username/password in an FTP call to a browser like so:  ftp://user:password@ftpsite.domain.com .  The browser will parse this as "log onto ftpsite.domain.com using USER and PASS as my password. 

If you found this document useful, please let me know - drop me a quick email.