How To Create FTP Isolation Accounts on Windows Server 2012R2
STEP 1 - Set Up: For the purposes of this discussion we assume your server has a c drive and an e drive on your windows 2012R2 web server for all the web sites since that usually is the bigger hard drive. As you create e:/Sites folder , look at the c:/inetpub/wwwoot properties, security tab and make sure all the permissions are the same in the e:/Sites folder as usually people forget to add the IIS_IUSRS(servername\IIS_IUSRS) group. So all web sites will have their own folder under the e:/Sites folder
STEP 2 - Adding FTP ACCOUNTS: In windows 2012R2 you have a nice tools icon in the bottom of your tray Called the SERVER MANAGER. Click on that ICON to start the program then click on tools menu and then select the second one down called COMPUTER MANAGEMENT and open up the Local Users and Groups folder. Clock on the USERS folder and right click and choose New USER.. option and add the following 5 new FTP Accounts as many as needed: FTPMain, FTP1, FTP2, FTP3, and FTP4. In real life you would create longer Usernames than just FTP1 etc for security reasons. Record the passwords for each new FTP account your create. When done, close out then click each of the5 new users you just added, select properties and remove from USERS group in "member of tab" of the properties windows.
STEP 3- Adding folders on your e drive for web site containers:
Using windows Explorer, Create on e:drive this folder structure e:sites/FTPROOT/FTP1/WebSite1
Good to put a simple hello world index.htm file in the each of these WebSite folders with html contents in to say "Hello world from WebSite 1", "Hello world from WebSite 2", "Hello world from WebSite 3" and "Hello world from WebSite 4" respectively so you know you are on what website when finished.
STEP 4- Adding permissions on e drive for web site containers you just added in above step. Set up permissions(in windows explorer, right click on properties and select the Security tab and add the FTP accountd to the corresponding folders they are allowed to access. So on all the folders with FTPMain corresponds to FTPROOT and subfolders and then FTP1 read/write on e:sites/FTPROOT/FTP1/WebSite1 and do the same for FTP2, FTP3, and FTP4 respectively for all 4 site folders where the web files will exist.
STEP 5- Linking IIS FTP accounts to these folders you set up in previous steps. In windows 2012R2 you have a nice tools icon in the bottom of your tray Called the SERVER MANAGER. Click on that ICON to start the program then click on tools menu and then select the second one down called INTERNET INFORMATION SERVICES Also called IIS and open up the folders on the top left so you see the SITES folder. Right click on the SITES folder and choose the Add FTP Site menu item. Call it FTPMain and point it to e:sites/FTPROOT as you created it uncheck the https option and select the BASIC option and then select the rest of defaults.
After creating this new FTPMain , click on it and you will see FTP Isolation icon on the right panel. Click on that FTP Isolation icon and click on the first radio button choice 8) Right click on the new FTPMain folder on the left of your screen in IIS and select the "Add Virtual Directory" option and call LocalUser and point to e:sites/FTPROOT
Right Click on the LocalUser on the left side of your screen in IIS and in the same manner, create a new FTP virtual directory (selecting "Add Virtual Directory") add FTPRoot and point it to e:sites/FTPROOT. Click on the FTPMain new icon on the left of your screen and you will see on the right panel the option to set FTP Authroized Users. Click on the FTP Authorization Rules (Keys ICON) and Add the new rule(See top right corner link to ADD ALLOW RULE) of FTPMain one and enter only FTPMain in the box that says specific for that user only for access and check both read and write check boxes to allow FTP access to read and write. This is the main FTP admin account so that person needs to be able to look at all the accounts. The rest of the accounts below are isolated.
Then right click on the LocalUser folder on your left and choose Add Virtual Directory menu option and and you will do this 4 times to match the EXACT same ACCOUNT FTP USERNAMES as step 2. So you are creating 4 new FTP virtual directories called the EXACT same name as step 2 FTP1 and point to e:sites/FTPROOT/FTP1 respectively for each of the 4 different web site containers.
STEP 6- Setting up IIS FTP permissions to read and write.
For each of the 4 new FTP1, FTP2, FTP3, and FTP4 virtual directories you created in the above step, you need to give the the correct read and write permission as you did in the above step for the FTPMain account. So start by right clicking on the FTP1 folder in the left side of IIS, and you will see the FTP Authorize Rules icon with the KEYS ICON in the right screen. Click on Add the new rule(See top right corner link to ADD ALLOW RULE) link and enter FTP1 as the user access read and write access. Then do the same for adding a rule for the FTMain account to have read and write access as that is the main admin so that person needs access to all the FTP account files.. So when you are finished with FTP1. Do the same steps in the above sentences for the FTP2, FTP3 and FTP4 accounts making sure you only give permissions for FTP2 to user FTP2 to access only e:sites/FTPROOT/FTP2/WebSite2
Remember again these short FTP names where used for this discussion. You would have longer FTP names in real life in step 2 and they would have to match exactly in step 5 for the IIS Virtual Directory names..
STEP 7- Test with some FTP program.
Test all 5 cases with a tool like Filezila(Free downloadable FTP Program) and your are done!