2

Can I limit a user so they can only access my FTP server from a set IP address whilst allowing other users to access the FTP from anywhere?

I have a Windows Server 2019 server running IIS 10 with an FTP site set up on it. The FTP server has FTP User Isolation set to Username physical directory.

The server has several FTP users set up on it, all mapping to their own folder, and I would like to limit some of them to only be accessible from within my workplace (not the same network as the server) whilst still allowing the other users to be accessible from anywhere.

I have tried to use FTP IP Address and Domain Restrictions to accomplish this but cannot get it to work at the user level.

I have tried setting Access for unspecified restrictions to Allow at the site level and Deny at the user level, with an allowed IP address at the user level, but this still allows access from all IPs.

I have also tried setting Access for unspecified restrictions to Deny at the site level and Allow at the user level, and this blocks access from all IPs.


I can only get the FTP IP Address and Domain Restrictions options to work at the top level or site level in IIS, but not on any subfolders under the site. Although the option is showing for the site's subfolders, which leads me to believe this must be possible and I am just missing something.

Is this possible and if so can anyone point me in the right direction?

Amirhossein
Re0sless
  • I believe you have an [X-and-Y-Problem](https://meta.stackexchange.com/q/66377/189912). What are you trying to solve? – djdomi Jul 22 '21 at 05:19
  • I have 2 FTP users, one to access the website's files and one to access a folder with files needed by people outside our company (updates, drivers, manuals etc). I want to lock down the website user so that it can only be accessible from within our company whilst still allowing the other user to log in from the outside world. – Re0sless Jul 22 '21 at 10:23

1 Answer

2

You don't have much flexibility when using the default IIS providers and settings.

Instead, to achieve the level of control you wanted, you have to write your own authentication provider with IP checks, and Microsoft has an article with a similar case:

https://docs.microsoft.com/en-us/iis/develop/developing-for-ftp/how-to-use-managed-code-c-to-create-an-ftp-authentication-provider-with-dynamic-ip-restrictions

Lex Li
  • That is what I knew about, thanks for re-providing me that information for my private KB ;) – djdomi Jul 22 '21 at 10:32
  • This looks to be the way to do it. I decided against it in the end as any security I would gain, would likely be offset by me building my own IFtpAuthenticationProvider – Re0sless Jul 28 '21 at 12:28
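
The per-user source-address check that such a custom provider would have to make, as an added example that is not part of the original answer or of Microsoft's article: users named in the table may log in only from the listed networks, and every other user is unrestricted. The class name, user names and addresses are constructed for illustration, and obtaining the client address and validating the password inside an `IFtpAuthenticationProvider` are outside what it shows.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example: per-user source-address policy for a custom FTP
// authentication provider. User names and networks are constructed.
public static class FtpUserIpPolicy
{
    // Users listed here may log in only from these networks (CIDR).
    // Users not listed are unrestricted, matching the question's goal.
    static readonly Dictionary<string, string[]> Restricted =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "websiteuser", new[] { "203.0.113.10/32", "2001:db8:100::/48" } },
        };

    public static bool IsAllowed(string userName, string remoteAddress)
    {
        if (!Restricted.TryGetValue(userName, out string[] networks))
            return true;                       // unrestricted user
        if (!IPAddress.TryParse(remoteAddress, out IPAddress ip))
            return false;                      // fail closed on bad input
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        foreach (string cidr in networks)
            if (InNetwork(ip, cidr)) return true;
        return false;                          // restricted user, other network
    }

    static bool InNetwork(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        byte[] addr = ip.GetAddressBytes();
        int bits = int.Parse(parts[1]);
        if (net.Length != addr.Length) return false;   // IPv4 vs IPv6
        for (int i = 0; i < net.Length && bits > 0; i++, bits -= 8)
        {
            // Compare whole bytes, then the leading bits of the last one.
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((net[i] & mask) != (addr[i] & mask)) return false;
        }
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(IsAllowed("websiteuser", "203.0.113.10")); // listed network
        Console.WriteLine(IsAllowed("websiteuser", "198.51.100.7")); // other network
        Console.WriteLine(IsAllowed("downloads", "198.51.100.7"));   // unrestricted user
    }
}
```

Apply the check to the canonical user name the provider settles on, so that every spelling of the same account gets the same policy.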