Problem with FTP (U...
 
Notifications
Clear all

Problem with FTP (User Isolation Mode: IsolateAllDirectories)

2 Posts
2 Users
0 Reactions
1,784 Views
Posts: 15
Topic starter
(@ricardolerma)
Active Member
Joined: 8 years ago

Hello,

I'm having trouble setting up FTP: User Isolation Mode: IsolateAllDirectories in IIS 8.5 with Windows Server 2012 R2

When creating a user it can not get access by issuing the following error:

530-User cannot log in, home directory inaccessible.
Win32 error:
Error details: File system returned an error.
530 End
Logon Failure.

 

The user structure is configured as shown below in IIS:

User permissions have already been configured correctly on IIS and on the file system, because without user isolation mode FTP works normally.

I looked into the problem on several sites and managed to isolate users by following tutorials on Microsoft's own website. The solution was to create the visual directories that correspond to the names of the users, within the LocalUser folder. This causes FTP to work properly, but the problem is that SolidCP creates users under "Default FTP Site", not within the LocalUser folder as recommended by Microsoft.

My question is how do SolidCP work with user isolation correctly? Because I could not get IIS to create the users correctly.

Thanks any help, thank you!

1 Reply
Posts: 1967
Admin
(@m-tiggelaar)
Noble Member
Joined: 9 years ago

Hello,

I don't think SolidCP is designed to use the isolation mode you selected.

What we have on our servers is pretty straight forward: User Name Directory selected.

Basic auth enabled, Anon auth disabled.

You will then segregate by user permissions.

So it's quite important you do some basic server hardening (not just for FTP but also for properly isolating your sites, so not 1 infects all as per windows default).

The main thing to keep in mind is that per windows default the users group has read + execute rights on the disks it self. You will need to remove this group from C disk, create an administrator file access group and add your administrators to this group,

Add the following 2 users to C: Local Service, Network Service With Read & Execute, List folder contents and Read

Once that is set your sites can not read/ infect eachother, aswell as FTP isolation working as desired without a chance to walk out of their directories.

Regards,

Marco

Reply
Share: