Microsoft Windows IIS FTP Part 3 - The Doorway Folder Trick

Objective: To create a customized login with access to some of the folders in a site.

In the previous two parts we learned how to leverage virtual directories and physical folders to offer a lot of control from IIS FTP. Now, what about when we want to have one site administrator have access to more than one, but not all, of the directories in a site? How is this accomplished from within IIS FTP?

Note: For the purpose of this discussion, "Folder" and "Directory" are the same thing. We will say "Folder" when referring to something at the disk level, and "Directory" when referring to something within IIS.

Let's view this visually so that it's easier to see where we are heading. Below is a picture of a fresh server build on Windows XP with the Default FTP Site. In this example I have used D:\SSGWeb\ftproot\DummyFolder as the FTP root path, which points to 6 sites that we'll pretend I manage. You can see the site names below.

Now, in this illustration we have two different site administrators, Scott and Matt. Scott needs access to all 6 sites but Matt should only have access to microsoft.com and ibm.com.

It is possible to do this using NTFS permissions at the disk level. We simply give the Scott user read and write to all the folders and Matt read and write to microsoft.com and ibm.com. But, there are some disadvantages and security concerns using NTFS permissions alone.

What if an administrator on the server changes the permissions on one of the directories by mistake, not realizing that they have given Matt access to a site he isn't supposed to have access to?

Or, even more subtle, what if we create a 7th site that Matt isn't supposed to have permissions for? When the 7th site is created, it will inherit its permissions from D:\SSGWeb\ftproot\DummyFolder, which needs to have at least "List" permissions for Matt so that he can log in. Now Matt has, at the very least, the ability to view all files and directories in the new directory, unless the administrator remembers to tighten the permissions every time. (Yes, for those brave souls out there willing to work with and maintain more unique settings, you can set NTFS permissions so newly created sub-folders don't inherit all permissions, but if you have more than one administrator on that server, it's too easy to mess up at some point in the future.) Maybe you trust yourself enough to always remember, but I certainly don't want to leave it up to me and the other administrators on this server to always do this correctly.

Another disadvantage to doing it that way is that we might not want Matt to see all the folder names in the site, or maybe we just want things to be easy for Matt so he doesn't have to worry about a large list of sites or folders that he doesn't have access to anyway.


For the next part of the tutorial, just forget the physical and logical structure we have created so far. Let us set up from scratch for Matt and Scott. They need a very customized setup.

So, with that kind of requirement in mind, let's create an FTP account for Matt. We want one that only displays microsoft.com and ibm.com in his FTP program.

It's actually quite simple really. The trick is to create a doorway folder. A doorway folder is simply a folder that will serve as the first step or the doorway for a particular user. The trick is to create a set of "physical" folders and "virtual" directories that will work together to display to Matt what we want him to see.

First: Create the users

Depending on your situation, you may have existing Windows users set up for Scott and Matt already. But, in case this is a new account for a new user, be sure to create a user called Matt and another called Scott. These can be Local users from within Local Users and Groups or Active Directory users, depending on your environment.

Second: Create the "physical" folders

Next we'll create a folder that holds "physical", but blank, sub-directories matching the real ones we want the user to have access to. This is simply so that the FTP client program displays the two folders. Let's call the root folder FTProot and the subfolder Matt, although either of these folders could be named anything. Now create two empty folders named microsoft.com and ibm.com. The security permissions on the folders need to give Matt at least List permissions.

Don't forget that Matt will need Read and Write permissions to d:\SSGWeb\ftproot\Matt\microsoft.com and d:\SSGWeb\ftproot\Matt\ibm.com, and he will need List permissions to d:\SSGWeb\ftproot\dummyfolder and List permissions to d:\SSGWeb\ftproot\matt.

Third: Create the "virtual" directories

Now we need to create the virtual directories that handle the redirecting. I recommend pointing the root FTP directory to a dummy folder. So, let's create a folder in d:\SSGWeb\ftproot called dummyfolder. Point the FTP root folder to this. Next, to handle the Scott user, create a virtual directory called Scott that points to d:\myftp\matt. Now, if Matt moves up a folder to the root folder, he won't have access to d:\myftp. Instead he will be placed in d:\SSGWeb\ftproot\dummyfolder, which is a dead end. Back to the virtual directories:

  • In IIS, create a virtual directory called Matt.
  • This should point to d:\SSGWeb\ftproot\matt.
  • Off the Matt virtual directory, create 2 more virtual directories:
    • microsoft.com should point to d:\SSGWeb\ftproot\dummyfolder\microsoft.com
    • ibm.com should point to d:\SSGWeb\ftproot\dummyfolder\ibm.com
    • Spelling of these virtual directory names needs to be identical to the folders created in the second step above.
  • Don't forget to check Read and Write when creating the virtual directories if you want Matt to be able to read and write to the FTP account.
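The three steps above carried out in PowerShell, as an added example that is not part of the original tutorial. It assumes a local account named Matt, the Default FTP Site as metabase instance MSFTPSVC/1 (the IIS 5.1/6.0 ADSI provider on the XP-era server in the tutorial) and the paths from the third step's bullets; the List grants are applied to each folder only, without inheritance, and the last function audits for the "7th site" inheritance mistake described earlier.

```powershell
# Added example, not from the tutorial. Assumptions: local account 'Matt',
# Default FTP Site = metabase instance MSFTPSVC/1, paths as in the third step.
$FtpRoot = 'D:\SSGWeb\ftproot'
$Dummy   = Join-Path $FtpRoot 'dummyfolder'   # FTP root points here (dead end for Matt)
$Doorway = Join-Path $FtpRoot 'Matt'          # physical doorway folder
$User    = "$env:COMPUTERNAME\Matt"
$Sites   = 'microsoft.com', 'ibm.com'         # the only sites Matt may see

function Grant-Ntfs([string]$Path, [string]$Rights, [string]$Inherit) {
    # $Rights: 'ReadAndExecute' (list/read) or 'Modify' (read + write)
    # $Inherit 'None' applies to this folder only, so new sub-folders do not inherit it
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $User, $Rights, $Inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Second step: doorway folder plus blank placeholder sub-folders
foreach ($p in @($Dummy, $Doorway)) { New-Item -ItemType Directory -Force -Path $p | Out-Null }
foreach ($s in $Sites) { New-Item -ItemType Directory -Force -Path (Join-Path $Doorway $s) | Out-Null }
Grant-Ntfs $Dummy   'ReadAndExecute' 'None'   # List only, this folder only
Grant-Ntfs $Doorway 'ReadAndExecute' 'None'
foreach ($s in $Sites) {
    Grant-Ntfs (Join-Path $Doorway $s) 'ReadAndExecute' 'None'                    # placeholder
    Grant-Ntfs (Join-Path $Dummy $s)   'Modify' 'ContainerInherit,ObjectInherit'  # real site
}

# Third step: virtual directories through the IIS metabase ADSI provider
$ftpSiteRoot = [ADSI]'IIS://localhost/MSFTPSVC/1/ROOT'
$matt = $ftpSiteRoot.Create('IIsFtpVirtualDir', 'Matt')
$matt.Put('Path', $Doorway); $matt.Put('AccessRead', $true); $matt.Put('AccessWrite', $true)
$matt.SetInfo()
$matt = [ADSI]'IIS://localhost/MSFTPSVC/1/ROOT/Matt'   # re-bind to the committed node
foreach ($s in $Sites) {
    # name must match the placeholder folder exactly; target is the real site folder
    $v = $matt.Create('IIsFtpVirtualDir', $s)
    $v.Put('Path', (Join-Path $Dummy $s)); $v.Put('AccessRead', $true); $v.Put('AccessWrite', $true)
    $v.SetInfo()
}

function Find-DoorwayLeak {
    # Site folders under dummyfolder, other than Matt's two, that carry an ACE for Matt:
    # the inherited-permission mistake a newly created 7th site can introduce
    Get-ChildItem -Path $Dummy | Where-Object { $_.PSIsContainer -and $Sites -notcontains $_.Name } |
        Where-Object { (Get-Acl -Path $_.FullName).Access |
                       Where-Object { $_.IdentityReference.Value -eq $User } } |
        ForEach-Object { $_.FullName }
}
Find-DoorwayLeak   # prints nothing while the layout is clean
```

Run it elevated on the FTP server; re-running Find-DoorwayLeak after each new site is added catches the inherited-ACL case before Matt can see the folder.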

That's it!! I told you it was easy. Using any FTP client you should be able to browse this FTP site differently as the Matt and Scott users.

In this part we didn't bring anything new to the table, but we've shown that yet again MS FTP has the ability to do more than what first meets the eye.

Did this tutorial help a little? How about buy me a cup of coffee?


Please feel free to use the comments form below if you have any questions or need more explanation on anything. I recommend thoroughly testing on a production-like test system first before moving to production.