Local Users, local group and local security policies on Windows Server 2008

Since last week I have been working on a project to set up a shared FTP server for a shared web server on the Windows Server 2008 R2 platform. I have already published an article on installing IIS on Windows Server 2008. While writing the article on how to install and configure a shared FTP server, I came across a few challenges and solutions that I thought were better discussed in a separate post, so here we go.

While reading about FTP authentication in Microsoft FTP 7.5, I came across the FTP User Isolation feature, which lets us give each Windows local user account access to a folder that has the same name as that account.

Create Windows Local User Account

Create Local User using GUI:

  1. Press Windows Key + R. In the Run window type lusrmgr.msc and press Enter.
  2. Right-click Users and then click New User.
  3. User name: enter the username, e.g. client1.
  4. Full name: enter the full name of the user. This is optional.
  5. Description: a short description of this user.
  6. Password: enter the password for the user.
  7. Confirm password: re-enter the password.
  8. Deselect User must change password at next logon.
  9. Select Password never expires.
  10. Click the Create button to create the user account.

Create Local User using CLI:

  1. Launch Command Prompt as an administrator (Start >> All Programs >> Accessories, right-click Command Prompt and then click Run as administrator).
  2. At the Command Prompt type net user client1 * /add /expires:never and press Enter. Replace client1 with the username you want to create. Type a password when prompted and then retype it to confirm.

Create Local Group

In Microsoft Windows, a newly created local user is added to the Users group by default, and members of the Users group are by default allowed to log on locally to the system; those users also appear on the logon screen. To create a more secure environment for a shared hosting server (shared FTP/web server) we should deny all FTP users the right to log on locally to the server. To accomplish this we create a local group, e.g. FTPUsers, and add all FTP users to it. This can be done by following the steps below.

Create Local Group using GUI

  1. Press Windows Key + R. In the Run window type lusrmgr.msc and press Enter.
  2. Right-click Groups and then click New Group...
  3. Group name: enter the group name, e.g. FTPUsers.
  4. Description: type a short description for this group. This is optional.
  5. Add members to this group by clicking the Add button and then selecting the local users that will belong to this group. I added client1 and client2 to this group.
  6. Click the Create button to create the group.

Create Local Group using CLI

  1. Launch Command Prompt as an administrator (Start >> All Programs >> Accessories, right-click Command Prompt and then click Run as administrator).
  2. At the Command Prompt type net localgroup FTPUsers /add and press Enter. Replace FTPUsers with the name of the group you wish to create.

Adding Local Users to Local Group

  1. Launch Command Prompt as an administrator (Start >> All Programs >> Accessories, right-click Command Prompt and then click Run as administrator).
  2. Type net localgroup FTPUsers client1 client2 /add at the Command Prompt and press Enter to add the local users client1 and client2 to the FTPUsers group.
  3. Type net localgroup Users client1 client2 /delete and press Enter to remove the local users client1 and client2 from the local group Users.
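The three sections above (create the users, create the group, move the users from Users to FTPUsers) can be scripted in one go. The following PowerShell script is an added example, not code from the original post; it uses the ADSI WinNT provider, which is available on Windows Server 2008 R2 with PowerShell 2.0 (the New-LocalUser / Add-LocalGroupMember cmdlets only arrived in later Windows versions). The user names client1 and client2 and the group name FTPUsers mirror the post; the group description and the verification step are assumptions. Passwords are prompted for rather than written into the script, and each step checks for an existing object so the script can be re-run safely. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): provision the FTP accounts and the FTPUsers group
# with the ADSI WinNT provider, then move the accounts out of the Users group.
# $GroupName and $Users mirror the post; the description text is an assumption. Run elevated.
$GroupName = 'FTPUsers'
$Users     = @('client1', 'client2')
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000          # UserFlags bit for "Password never expires"

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function Test-LocalObject([string]$Name, [string]$Class) {
    # Returns $true when a local user ('User') or group ('Group') with this name already exists
    return [bool]($computer.Children |
        Where-Object { $_.SchemaClassName -eq $Class -and $_.Name -eq $Name })
}

# 1. Create the group once
if (-not (Test-LocalObject $GroupName 'Group')) {
    $g = $computer.Create('Group', $GroupName)
    $g.SetInfo()
    $g.Description = 'FTP user-isolation accounts; denied local and Remote Desktop logon'
    $g.SetInfo()
}
$ftpGroup   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
$usersGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"

foreach ($name in $Users) {
    $path = "WinNT://$env:COMPUTERNAME/$name,user"

    # 2. Create the user; the password is typed at the prompt, never stored in the script
    if (-not (Test-LocalObject $name 'User')) {
        $cred = Get-Credential $name
        $u = $computer.Create('User', $name)
        $u.SetPassword($cred.GetNetworkCredential().Password)
        $u.SetInfo()
        $u.UserFlags = [int]$u.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD   # Password never expires
        $u.PasswordExpired = 0                                                  # no forced change at next logon
        $u.SetInfo()
    }

    # 3. Move membership: into FTPUsers (to be denied logon), out of Users (allowed to log on locally)
    if (-not $ftpGroup.IsMember($path)) { $ftpGroup.Add($path) }
    if ($usersGroup.IsMember($path))    { $usersGroup.Remove($path) }
}

# 4. Verify: list the members of both groups, which is what "net localgroup <name>" would show
foreach ($grp in @($ftpGroup, $usersGroup)) {
    $members = @($grp.Members() | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    "{0}: {1}" -f $grp.Name, ($members -join ', ')
}
```

After the run, FTPUsers should list client1 and client2 and Users should no longer contain them; if either account still appears under Users, the deny rights configured in the next sections are what keeps it off the logon screen.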

Denying FTPUsers to Logon locally on Server

Once we remove the user accounts from the Users group, those users will no longer be visible on the Windows logon screen, because by default only members of the Administrators, Backup Operators and Users groups are allowed to log on locally. To confirm this, follow the steps below:

Check who is allowed to Logon locally

  1. Press Windows Key + R. In the Run window type secpol.msc and press Enter.
  2. In the Local Security Policy window go to Local Policies >> User Rights Assignment.
  3. Find Allow log on locally; only the Administrators, Backup Operators and Users groups should be listed.

Next, add the FTPUsers group to the Deny log on locally list by following the steps below. This strengthens security against a mis-configuration between the two settings Allow log on locally and Deny log on locally: since Deny log on locally supersedes Allow log on locally, it prevents users from logging on locally even if they are also in the Allow log on locally list. This helps if we create a new local user account and forget to remove it from the Users group; because the account is in the FTPUsers group, it will still not be allowed to log on locally to the server.

Deny FTPUsers to logon locally (more restrictive)

  1. Press Windows Key + R. In the Run window type secpol.msc and press Enter.
  2. In the Local Security Policy window go to Local Policies >> User Rights Assignment.
  3. Find Deny log on locally. It may be blank initially. Add the FTPUsers group here.

Denying FTPUsers to Logon through Remote Desktop Services

We should also deny the FTPUsers group the right to log on through Remote Desktop Services. By default only the Administrators and Remote Desktop Users groups are allowed to log on through Remote Desktop Services, but a more restrictive setting always helps against a silly mis-configuration.

Checking who is allowed to Logon through Remote Desktop Services

  1. Press Windows Key + R. In the Run window type secpol.msc and press Enter.
  2. In the Local Security Policy window go to Local Policies >> User Rights Assignment.
  3. Find Allow log on through Remote Desktop Services; only the Administrators and Remote Desktop Users groups should be listed.

To add FTPUsers to the Deny log on through Remote Desktop Services list, follow the steps below. A more restrictive setting always helps against mis-configurations.

Deny FTPUsers to logon through Remote Desktop Services (more restrictive)

  1. Press Windows Key + R. In the Run window type secpol.msc and press Enter.
  2. In the Local Security Policy window go to Local Policies >> User Rights Assignment.
  3. Find Deny log on through Remote Desktop Services. It may be blank initially. Add the FTPUsers group here.
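The four User Rights Assignment checks and the two Deny additions above can also be audited and applied from a script, which is useful when several shared servers have to end up with the same policy. The following PowerShell script is an added example, not code from the original post. It uses secedit.exe, the built-in tool for exporting and importing local security policy on Windows Server 2008 R2; the privilege constants SeInteractiveLogonRight, SeDenyInteractiveLogonRight, SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight are the policy names behind the four secpol.msc entries discussed above. The group name FTPUsers mirrors the post; the temporary file paths are assumptions. It prints the current assignments, adds the FTPUsers SID to both Deny rights (creating the line when the right is blank, as the post notes it may be), applies the change and prints the result. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit the four logon rights with secedit.exe and add
# FTPUsers to the two "Deny" rights. $GroupName mirrors the post; file paths are assumptions. Run elevated.
$GroupName = 'FTPUsers'
$Audit = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}
$DenyRights = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')

$cfg = Join-Path $env:TEMP 'userrights.inf'   # exported/edited policy template
$db  = Join-Path $env:TEMP 'userrights.sdb'   # scratch database secedit needs for /configure

function Export-UserRights {
    # Returns a hashtable: privilege name -> array of '*SID' (or account name) strings in current policy
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-Principal([string]$Entry) {
    # secedit writes principals as *S-1-...; translate to a readable name, fall back to the raw entry
    if ($Entry -notmatch '^\*(S-.+)$') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($matches[1])
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }
}

function Show-Audit($rights) {
    foreach ($priv in ($Audit.Keys | Sort-Object)) {
        $who = @($rights[$priv] | ForEach-Object { Resolve-Principal $_ })
        if ($who.Count -eq 0) { $who = @('<blank>') }
        "{0,-48} {1}" -f $Audit[$priv], ($who -join ', ')
    }
}

$groupSid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

"--- before ---"
$before = Export-UserRights
Show-Audit $before

# Rewrite only the two Deny lines; a right absent from the export is blank and is added under [Privilege Rights]
$out = New-Object 'System.Collections.Generic.List[string]'
$sectionIdx = -1
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=') {
        $priv = $matches[1]
        if ($DenyRights -contains $priv) {
            $members = @($before[$priv])
            if ($members -notcontains "*$groupSid") { $members += "*$groupSid" }
            $out.Add("$priv = " + ($members -join ','))
            continue
        }
    }
    $out.Add($line)
    if ($line -eq '[Privilege Rights]') { $sectionIdx = $out.Count - 1 }
}
if ($sectionIdx -lt 0) { $out.Add('[Privilege Rights]'); $sectionIdx = $out.Count - 1 }
foreach ($priv in $DenyRights) {
    if (-not $before.ContainsKey($priv)) { $out.Insert($sectionIdx + 1, "$priv = *$groupSid") }
}
Set-Content -Path $cfg -Value $out -Encoding Unicode   # secedit templates are UTF-16

& secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

"--- after ---"
Show-Audit (Export-UserRights)
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
```

The "before" listing is the scripted equivalent of the two "Check who is allowed" sections: Allow log on locally should resolve to BUILTIN\Administrators, BUILTIN\Backup Operators and BUILTIN\Users, and Allow log on through Remote Desktop Services to BUILTIN\Administrators and BUILTIN\Remote Desktop Users. The "after" listing should show the FTPUsers group on both Deny lines, which is what secpol.msc will display on the next refresh.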

One thought on “Local Users, local group and local security policies on Windows Server 2008”

  1. I did not know this much about local policy till today. It has also cleared up some concepts about local security policy. I am glad to have read this article. Thanks again.
