Mastering IIS FTP

The Doorway Folder Trick

In the previous two parts we learned how to leverage virtual directories and physical folders to offer a lot of control from IIS FTP. Now, what about when we want to have one site administrator have access to more than one, but not all, of the directories in a site? How is this accomplished from within IIS FTP?

Objective: To create a customized login with access to some of the folders in a site.

Note: For the purpose of Part 3 and Part 4, I've decided to standardize on the word “Folder” when referring to something at the disk level, and “Directory” when referring to something within IIS.

Let's view this visually so that it's easier to see where we are heading. Below is a picture of a fresh server build on Windows Server 2003 with the Default FTP Site.

I've changed the FTP root path to d:\domains which points to 7 sites that we'll pretend that I manage. You can see the site names below.

Now, in this illustration we have two different site administrators, Scott and Matt. Scott needs access to all 7 sites but Matt should only have access to and

So, with that in mind, let's create an FTP account for Matt. We want one that only displays and in his FTP program.

It's actually quite simple really. The trick is to create what I'll call a doorway folder.

A doorway folder is simply a folder that will serve as the first step or the doorway for a particular user. The trick is to create a set of “physical” folders and “virtual” directories that will work together to display to Matt what we want him to see.

First: Create the users

Depending on your situation, you may have existing Windows users set up for Scott and Matt already. But, in case this is a new account for a new user, be sure to create a user called Matt and another called Scott . These can be Local users from within Local Users and Groups or Active Directory users, depending on your environment.

Second: Create the “physical” folders

Next we'll create a folder that holds the “physical”, but blank, sub-directory to match the real ones we want the user to have access to. This is simply so that the FTP client program displays the two folders. Let's call the root folder FTProot and the subfolder Matt, although either of these folders could be named anything. Now create two empty folders named and (See Part 2 if you're not sure why) The security permissions on the folders need to give Matt at least List permissions.

Don't forget that Matt will need read and write permissions to d:\domains\ and d:\domains\ and he will need list permissions to d:\ftproot\dummyfolder and list permissions to d:\ftproot\matt.

Third: Create the “virtual” directories

Now we need to create the virtual directories that handle the redirecting. First, before we forget, if you remember from Part 1, I recommend pointing the root FTP directory to a dummy folder. So, let's create a folder in d:\ftproot called dummyfolder. Point the FTP root folder to this. Next, to handle the Scott user, create a virtual directory called Scott that point to d:\domains. Now, if Matt moves up a folder to the root folder, he won't have access to d:\domains. Instead he will be placed in d:\ftproot\dummyfolder which is a dead end. See Part 1 for more on this.

Back to the virtual directories . . .

  • In IIS, create a virtual directory called Matt .
  • This should point to d:\ftproot\matt.
  • Off the Matt virtual directory, create 2 more virtual directories
  • should point to d:\domains\
  • should point to d:\domains\
  • Spelling on these virtual directory names needs to be identical to the folders created in the second step above.
  • Don't forget to check read and write when creating the virtual directories if you want Matt to be able to read and write to the FTP account.

That's it!! I told you it was easy. Let's test it now.

I'll use WS_FTP to log in as the Matt user. Here is what I see in the left column:

Likewise, when logging in as Scott , we see what he is supposed to see:

In this part we didn't bring anything new to the table but we've shown that yet again MS FTP has the ability to do more than what first meets the eye.

In Part 4 we'll cover User Isolation, a new feature of IIS6.0. (Coming soon!)

You might also like...



Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“Debugging is anticipated with distaste, performed with reluctance, and bragged about forever.” - Dan Kaminsky