Windows FTP Server Permissions



  • So this new company has very bad IT, and someone needed a secure FTP drop-box for a client to drop files into. After a horrible back and forth with some horrible outsource IBM tech support nightmare, I just grabbed a cloud server and made one myself.

    My only problem is with permissions.

    Say we have three FTP users:

    Admin
    Foo
    Bar

    All belonging to an FTPUsers group.

    And the FTP folder structure looks like:

    FTP
    \_ Foo
    \_ Bar

    I currently have the permissions set as follows:

    FTP: FTPUser has "List Folder Contents" permission
    FTP: Admin has "All" permissions
    Foo: Foo user has "All" permissions
    Bar: Bar user has "All" permissions

    This works in that Foo can't write into the base directory and Foo can't write into Bar, and Bar can't write into Foo but Admin can read and write everywhere. So far so good.

    What I'd like to do though is to make it so Foo can't see Bar's folder, and vice-versa. There is an NTFS permission for this, but it looks like I'd need to deny Bar permissions on Foo, and deny Foo permissions on Bar. With two users, this isn't a big deal, but when there's 25 users this is going to be a HUGE pain in the ass to maintain.

    Question: is there a way to set up permissions so that when I add a new FTP user I only have to add them to the FTPUsers group and to the folder(s) they have permission to see?


  • Grade A Premium Asshole

    @blakeyrat said in Windows FTP Server Permissions:

    What I'd like to do though is to make it so Foo can't see Bar's folder, and vice-versa. There is an NTFS permission for this, but it looks like I'd need to deny Bar permissions on Foo, and deny Foo permissions on Bar. With two users, this isn't a big deal, but when there's 25 users this is going to be a HUGE pain in the ass to maintain.

    You are correct. Deny permissions are completely undefined in most cases. (what happened to autocomplete on emojis???)

    Do they ever need to read from the directory? It sounds like you just need a place for them to dump large files? What about giving FTPUsers write permissions but nothing else? Then they can upload, but no one can read? Seems like it might solve your issues, as long as they do not need to read the folder for downloads.

    Alternatively you could set FTP admins and such to have global permissions on the home folder, define nothing else (remove the "All" permissions) and only assign the users permissions to their own folders. More manageable. You only have to set their permissions in one place. By default no permissions at all are functionally deny permissions


  • Notification Spam Recipient

    @polygeekery said in Windows FTP Server Permissions:

    what happened to autocomplete on emojis???

    Fully quit Chrome and open it again.



  • @polygeekery FtpUsers group needs file list permissions on parent folder at minimum. Otherwise users get a big ass error when they connect.

    Other than that, your plan makes sense.


  • Grade A Premium Asshole

    @blakeyrat I can't tell how much sarcasm is in that reply.

    When we have had to FTP files to another party we never have read permissions to the directory (that's not entirely true, we once did and shouldn't have and were able to download a database file that was an identity thieves' dream, but that's another story). Permissions should be the absolute minimum to do the job. If they only need to upload don't let them read. Assign permissions and avoid denying them wherever possible. Deny permissions are unmanageable.

    The only time I recall using deny permissions was when an executive director was on her way out and being replaced. It was easier to slap some deny permissions on her account than other methods. It was for two weeks. Then never used again.



  • @polygeekery said in Windows FTP Server Permissions:

    I can't tell how much sarcasm is in that reply.

    Zero.

    If an FTP user logs in, and they don't have at least "list folder contents" permission in the parent folder, they see nothing but a big-ass "can't list files!!!" error from their FTP client. That's why your solution doesn't work.

    So they do need "list folder contents" permission, but then they need to be "deny" on every individual folder (except their own) so that client Foo can't see the folder for client Bar. This is exactly the problem I need to solve, because it sucks and is unmaintainable.

    @polygeekery said in Windows FTP Server Permissions:

    When we have had to FTP files to another party we never have read permissions to the directory (that's not entirely true, we once did and shouldn't have and were able to download a database file that was an identity thieves' dream, but that's another story).

    But you did have "list folder contents" permissions.

    @polygeekery said in Windows FTP Server Permissions:

    Permissions should be the absolute minimum to do the job. If they only need to upload don't let them read. Assign permissions and avoid denying them wherever possible. Deny permissions are unmanageable.

    Ok; but how does this get us any closer to answering my question?


  • Impossible Mission Players - A

    It sounds like you're looking for FTP User Isolation, with the added benefit that admins can enter in all other folders.
    Which FTP service are you using, IIS?

    That would get you to the point of automatic restriction for the normal users, I'm not entirely sure how to allow admin access to other directories for other users (I think a virtual global directory might do the trick, but I'd have to play with it).



  • @tsaukpaetra said in Windows FTP Server Permissions:

    It sounds like you're looking for FTP User Isolation, with the added benefit that admins can enter in all other folders.

    Exactly. I tried and eliminated that because the admin account didn't/couldn't work.

    The other problem I had with this is the folder has to be named after the user account, which doesn't work right in our use-case. Especially since some clients will need access to multiple folders.

    @tsaukpaetra said in Windows FTP Server Permissions:

    Which FTP service are you using, IIS?

    Correct.

    @tsaukpaetra said in Windows FTP Server Permissions:

    I'm not entirely sure how to allow admin access to other directories for other users (I think a virtual global directory might do the trick, but I'd have to play with it).

    Hm... possibly?


  • Impossible Mission Players - A

    @blakeyrat said in Windows FTP Server Permissions:

    @tsaukpaetra said in Windows FTP Server Permissions:

    It sounds like you're looking for FTP User Isolation, with the added benefit that admins can enter in all other folders.

    Exactly. I tried and eliminated that because the admin account didn't/couldn't work.

    The other problem I had with this is the folder has to be named after the user account, which doesn't work right in our use-case. Especially since some clients will need access to multiple folders.

    Ah, yeah... that's... dumb.

    Come to think of it, isn't it possible to set the permission "List contents" and have it not inherit on subfolders?

    I.e.

    [screenshot]

    (And obviously removing the inheriting permission that allows everyone to read and list contents)



  • @tsaukpaetra said in Windows FTP Server Permissions:

    Come to think of it, isn't it possible to set the permission "List contents" and have it not inherit on subfolders?

    Possibly? Gives me something to try tomorrow morning at least.


  • Impossible Mission Players - A

    @blakeyrat said in Windows FTP Server Permissions:

    @tsaukpaetra said in Windows FTP Server Permissions:

    Come to think of it, isn't it possible to set the permission "List contents" and have it not inherit on subfolders?

    Possibly? Gives me something to try tomorrow morning at least.

    Yeah, I think I created what you're looking for, I set the FTP root directory permissions like so:

    [screenshot]

    The important thing is that I cut the default inheritance (converting the existing permissions to local or whatever the first option was). In your case, your FTPUsers group should be given Read & Execute for "This folder only", while admins get Full Control for the folder and everything under it.
    To be nice I added the permission for "Owner Rights" to Full Control for the subfolders and files, so for individual's folders I can set an owner and that account automatically gets access to that folder. Otherwise you can add a full control permission for a given user or group of users.
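    The layout described in this post, written out as a PowerShell script so it can be applied and checked without clicking through the dialog. This is an added example, not code from the thread; it assumes a root folder `C:\FTP`, local groups `FTPUsers` and `FTPAdmins`, and per-client accounts `Foo` and `Bar`, and it grants each client an explicit Full Control entry on their own folder instead of relying on folder ownership.

    ```powershell
    # Added example (not from the thread). Run from an elevated PowerShell.
    # Assumed names: C:\FTP, groups FTPUsers / FTPAdmins, client accounts Foo / Bar.
    $Root    = 'C:\FTP'
    $Admins  = 'FTPAdmins'
    $Group   = 'FTPUsers'
    $Clients = @('Foo', 'Bar')

    # Build one access control entry. $Identity may be an account name or a SID object.
    function New-Ace {
        param(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]$Rights,
            [System.Security.AccessControl.InheritanceFlags]$Inherit,
            [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
        )
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $Rights, $Inherit, $Propagate,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }

    New-Item -ItemType Directory -Path $Root -Force | Out-Null

    # Root folder: cut inheritance (second argument $false = do NOT copy the inherited
    # entries, so the default "Users: read/list everything" entry disappears), then
    # remove any leftover explicit entries and add exactly the three we want.
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRuleAll($_) }

    # FTPUsers: Read & Execute on "This folder only" (InheritanceFlags = None).
    # Enough to log in and list the root; nothing flows down into client folders.
    $acl.AddAccessRule((New-Ace $Group 'ReadAndExecute' 'None'))

    # Admins: Full Control on this folder, subfolders and files.
    $acl.AddAccessRule((New-Ace $Admins 'FullControl' 'ContainerInherit, ObjectInherit'))

    # OWNER RIGHTS (well-known SID S-1-3-4): Full Control for whoever owns a subfolder
    # or file, applied to "Subfolders and files only" (InheritOnly propagation).
    $ownerRights = [System.Security.Principal.SecurityIdentifier]'S-1-3-4'
    $acl.AddAccessRule((New-Ace $ownerRights 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))

    Set-Acl -Path $Root -AclObject $acl

    # Client folders: inheritance stays on (so admins keep Full Control), plus one
    # explicit Full Control entry for the client account that owns the drop box.
    foreach ($client in $Clients) {
        $path = Join-Path $Root $client
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        $sub = Get-Acl -Path $path
        $sub.AddAccessRule((New-Ace $client 'FullControl' 'ContainerInherit, ObjectInherit'))
        Set-Acl -Path $path -AclObject $sub
    }

    # Check the result: the root must show FTPUsers with InheritanceFlags = None and
    # IsInherited = False for every entry; each client folder must show only the
    # client plus the inherited admin / OWNER RIGHTS entries.
    foreach ($dir in @($Root) + ($Clients | ForEach-Object { Join-Path $Root $_ })) {
        "`n== $dir"
        (Get-Acl -Path $dir).Access |
            Format-Table IdentityReference, FileSystemRights, InheritanceFlags,
                         PropagationFlags, IsInherited -AutoSize
    }
    ```

    Adding a new client then means creating the folder and running the loop body for that one account. As the later replies in the thread confirm, this gives Foo no rights inside Bar's folder but still lets Foo see Bar's folder name in the root listing, because "This folder only" controls what is inherited, not what the root listing contains.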



  • @tsaukpaetra Cool thanks. I'll try it tomorrow and confirm it works.



  • Does NTFS allow you to make non-inherited permissions? Or maybe tell the subfolders not to inherit permissions?


  • Impossible Mission Players - A

    @ben_lubar said in Windows FTP Server Permissions:

    Does NTFS allow you to make non-inherited permissions? Or maybe tell the subfolders not to inherit permissions?

    Yes, that's what I did.



  • @tsaukpaetra said in Windows FTP Server Permissions:

    @ben_lubar said in Windows FTP Server Permissions:

    Does NTFS allow you to make non-inherited permissions? Or maybe tell the subfolders not to inherit permissions?

    Yes, that's what I did.

    In my defense I didn't read the topic before I posted that.


  • Impossible Mission Players - A

    @ben_lubar said in Windows FTP Server Permissions:

    @tsaukpaetra said in Windows FTP Server Permissions:

    @ben_lubar said in Windows FTP Server Permissions:

    Does NTFS allow you to make non-inherited permissions? Or maybe tell the subfolders not to inherit permissions?

    Yes, that's what I did.

    In my defense I didn't read the topic before I posted that.

    Free pass with ID: 91187 has been marked Consumed. 👍



  • @tsaukpaetra Reading this again, I'm unclear on how this prevents Foo from seeing Bar's folder when they log in.

    Foo is part of FTPUsers and so still would see the entire folder listing of the parent folder with Read & Execute rights, yes?



  • @tsaukpaetra Yeah, I set FTPUsers to "this folder only" and it didn't change the behavior I'm seeing. Foo can still see Bar's folder. (Although he can't get a listing of it or upload into it.) Still a good change in the interests of "keeping permissions as small as possible" I suppose.


  • Impossible Mission Players - A

    @blakeyrat said in Windows FTP Server Permissions:

    Foo from seeing Bar's folder when they log in.

    Ah, I didn't recognize that was one of the requirements... Um... Yeah, I'm not sure of an easy and maintainable way to do that while keeping the rest of the requirements.

    Closest I would come is enabling the user isolation thing and.... Um, not sure.


  • Impossible Mission Players - A

    @blakeyrat

    I know that Access Based Enumeration definitely works in network file shares (it's part of my stock server setup these days). I haven't tried it on an FTP deploy, but the answer on that thread is from an actual Microsoftie, so it might be worth a try.



  • @blakeyrat said in Windows FTP Server Permissions:

    The other problem I had with this is the folder has to be named after the user account, which doesn't work right in our use-case. Especially since some clients will need access to multiple folders.

    The user's home folder should be transparent to them. It's just the folder they're in when they log in, and they shouldn't be able to go up to folders above it.

    For the users who need access to other folders (outside their home folder), would symlinks work?



  • @anotherusername said in Windows FTP Server Permissions:

    The user's home folder should be transparent to them. It's just the folder they're in when they log in, and they shouldn't be able to go up to folders above it.

    Right; but FTPUsers -> File Drop Folders is a many->many relationship, unfortunately.

    @anotherusername said in Windows FTP Server Permissions:

    For the users who need access to other folders (outside their home folder), would symlinks work?

    Well symlinks wouldn't, because NTFS doesn't have them. It does have Junctions? Seems that's no more maintainable though.



  • @blakeyrat What about setting the login directory to be common to a group. You could then have the subfolders (per user) below that. (Just a wild-ass guess since I really don't know ftp admin...)



  • @dcon I'm not sure how that's different than what I put in the OP...


    FYI before someone suggests it, I did try creating multiple FTP Sites, but IIS only allows one FTP Site per network adapter, and this server only has one network adapter. In any case we'll eventually have about 25 users on this server, and 25 network adapters is pretty crazy.



  • @blakeyrat said in Windows FTP Server Permissions:

    Seems that's no more maintainable though.

    I can't see it being much more or less maintainable than any other way of setting up a many-to-many relationship.

    At least with symlinks (okay, junctions, whatever) you just have to create junctions to the folder(s) each user does need access to.



  • @izzion Interesting solution.

    He essentially creates a fileshare, installs the Access-Based Enumeration feature (which works for fileshares, but not for FTP shares), then connects the FTP server to the Localhost fileshare instead of the physical folder.

    Seems hacky, but not hard to maintain at least.

    The directions are all for Server 2003, I hope that shit all still works in 2016. Well, I won't be able to try it until Monday anyway.
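    The share-plus-Access-Based-Enumeration step from that approach, as an added example that is not from the thread or the linked directions. It assumes the folder `C:\FTP` already carries the NTFS ACLs discussed above and uses the made-up share name `FTPDrop` and groups `FTPUsers` / `FTPAdmins`; the `SmbShare` cmdlets exist on Server 2012 and later.

    ```powershell
    # Added example (not from the thread). Run from an elevated PowerShell.
    # Assumed names: C:\FTP, share FTPDrop, groups FTPUsers / FTPAdmins.
    $SharePath = 'C:\FTP'
    $ShareName = 'FTPDrop'

    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        # Share permissions are deliberately broad; the NTFS ACLs on the folders
        # remain the real access control, and ABE hides whatever they do not grant.
        New-SmbShare -Name $ShareName -Path $SharePath `
            -FullAccess 'FTPAdmins' -ChangeAccess 'FTPUsers' `
            -FolderEnumerationMode AccessBased | Out-Null
    } else {
        # Existing share: just switch enumeration from Unrestricted to AccessBased.
        Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
    }

    # Check 1: the share must report AccessBased, not Unrestricted.
    Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode

    # Check 2: share-level grants, to confirm nothing wider than intended slipped in.
    Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

    # Check 3 (run in a session as client Foo): only Foo's folder should be listed.
    # Get-ChildItem "\\localhost\$ShareName"
    ```

    The IIS FTP site's physical path is then pointed at `\\localhost\FTPDrop` instead of `C:\FTP`, as the post describes. ABE only filters what a directory listing returns; it is the NTFS entries on each client folder that actually stop Foo reading Bar's files, so the listing check above is a convenience check, not a substitute for reviewing the ACLs.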


  • Impossible Mission Players - A

    @blakeyrat said in Windows FTP Server Permissions:

    Well symlinks wouldn't, because NTFS doesn't have them

    .....



  • @Tsaukpaetra Thank you for that thoughtful contribution to the discussion.



  • @blakeyrat said in Windows FTP Server Permissions:

    Well symlinks wouldn't, because NTFS doesn't have them.

    NTFS has two kinds of symlinks. And if you use the wrong one, you get "permission denied".

