Install the FTP feature
Before you can begin configuring your FTP server, you first need to install the required Windows features: FTP, the Web Server (IIS), and the Management Tools to administer it with PowerShell.
# Install the Windows features for FTP
Install-WindowsFeature Web-FTP-Server -IncludeAllSubFeature
Install-WindowsFeature Web-Server -IncludeAllSubFeature -IncludeManagementTools
After the installation completes, import the WebAdministration module. This will map an Internet Information Services (IIS) drive (IIS:\) through which we will configure our FTP site later in this article.
# Import the module
Import-Module WebAdministration
Configuring the site name, port, and root folder
Now you can create a new FTP site using the New-WebFtpSite cmdlet by providing an FTP site name, root folder for your FTP site, and port number. I'm choosing port 21, which is the default FTP port, but you can also specify any custom port for your FTP site.
# Create the FTP site
$FTPSiteName = 'Default FTP Site'
$FTPRootDir = 'D:\FTPRoot'
$FTPPort = 21
New-WebFtpSite -Name $FTPSiteName -Port $FTPPort -PhysicalPath $FTPRootDir
After running the cmdlet, you'll see the FTP site and bindings in IIS Manager.
Create FTP users
After creating a new FTP site, you can create a Windows user or group through which you can control the access to the FTP server. Let's first create the Windows local group:
# Create the local Windows group
$FTPUserGroupName = "FTP Users"
$ADSI = [ADSI]"WinNT://$env:ComputerName"
$FTPUserGroup = $ADSI.Create("Group", "$FTPUserGroupName")
$FTPUserGroup.SetInfo()
$FTPUserGroup.Description = "Members of this group can connect through FTP"
$FTPUserGroup.SetInfo()
Then we will create a new local FTP user with a username and password:
# Create an FTP user
$FTPUserName = "FTPUser"
$FTPPassword = 'P@ssword123'
$CreateUserFTPUser = $ADSI.Create("User", "$FTPUserName")
$CreateUserFTPUser.SetInfo()
$CreateUserFTPUser.SetPassword("$FTPPassword")
$CreateUserFTPUser.SetInfo()
Later we will add the FTP user to the Windows group:
# Add an FTP user to the group FTP Users
$UserAccount = New-Object System.Security.Principal.NTAccount("$FTPUserName")
$SID = $UserAccount.Translate([System.Security.Principal.SecurityIdentifier])
$Group = [ADSI]"WinNT://$env:ComputerName/$FTPUserGroupName,Group"
$User = [ADSI]"WinNT://$SID"
$Group.Add($User.Path)
Authenticating FTP users to access FTP server data
Now we enable basic authentication on the FTP site and authorize the Windows group that contains the FTP user so it can access the FTP site.
# Enable basic authentication on the FTP site
$FTPSitePath = "IIS:\Sites\$FTPSiteName"
$BasicAuth = 'ftpServer.security.authentication.basicAuthentication.enabled'
Set-ItemProperty -Path $FTPSitePath -Name $BasicAuth -Value $True

# Add an authorization read rule for FTP Users.
$Param = @{
    Filter   = "/system.ftpServer/security/authorization"
    Value    = @{
        accessType  = "Allow"
        roles       = "$FTPUserGroupName"
        permissions = 1
    }
    PSPath   = 'IIS:\'
    Location = $FTPSiteName
}
Add-WebConfiguration @Param
You can also check these settings under IIS Manager > FTP Site > FTP Authorization Rules.
SSL policy and NTFS permissions to the FTP root folder
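Next, we change the SSL policy from Require SSL to Allow SSL connections. The value $false is stored as 0, which is the Allow setting; with Allow, a client that does not negotiate TLS sends its Basic authentication credentials and file data in cleartext.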
$SSLPolicy = @(
    'ftpServer.security.ssl.controlChannelPolicy',
    'ftpServer.security.ssl.dataChannelPolicy'
)
Set-ItemProperty -Path $FTPSitePath -Name $SSLPolicy[0] -Value $false
Set-ItemProperty -Path $FTPSitePath -Name $SSLPolicy[1] -Value $false
The commands below set the NTFS permissions on the FTPRoot folder to allow the FTP user group to access the files.
$UserAccount = New-Object System.Security.Principal.NTAccount("$FTPUserGroupName")
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $UserAccount,
    'ReadAndExecute',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow'
)
$ACL = Get-Acl -Path $FTPRootDir
$ACL.SetAccessRule($AccessRule)
$ACL | Set-Acl -Path $FTPRootDir
You can verify this from the FTP root folder properties under the Security tab.
After all the configurations are complete, it is advisable to restart the FTP site:
# Restart the FTP site for all changes to take effect
Restart-WebItem "IIS:\Sites\$FTPSiteName" -Verbose
You can then test the FTP server, which should allow you to access files, content, and directories under the FTP root folder.
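The SSL step above leaves both FTP channels at Allow. As an added example (not part of the original article), the PowerShell below binds a server certificate, sets both channels to Require, and reads the policy back. The function names are hypothetical, and it assumes a certificate with a private key is already in the LocalMachine\My store and that you supply its thumbprint.

```powershell
# Added example, not from the original article. Function names are hypothetical.
Import-Module WebAdministration

function Set-FtpTlsRequired {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $CertThumbprint  # supplied by the caller
    )
    # Assumption: the server certificate is already in the LocalMachine\My store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertThumbprint }
    if (-not $cert)               { throw "Certificate $CertThumbprint not found." }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
    if ($cert.NotAfter -le (Get-Date)) { throw "Certificate expired $($cert.NotAfter)." }

    $sitePath = "IIS:\Sites\$SiteName"
    $ssl      = 'ftpServer.security.ssl'
    Set-ItemProperty -Path $sitePath -Name "$ssl.serverCertStoreName" -Value 'MY'
    Set-ItemProperty -Path $sitePath -Name "$ssl.serverCertHash" -Value $cert.Thumbprint
    # 1 = SslRequire; the article's $false is stored as 0 = SslAllow.
    Set-ItemProperty -Path $sitePath -Name "$ssl.controlChannelPolicy" -Value 1
    Set-ItemProperty -Path $sitePath -Name "$ssl.dataChannelPolicy" -Value 1
}

function Test-FtpTlsRequired {
    param([Parameter(Mandatory)] [string] $SiteName)
    $sitePath = "IIS:\Sites\$SiteName"
    foreach ($channel in 'controlChannelPolicy', 'dataChannelPolicy') {
        $value = Get-ItemProperty -Path $sitePath -Name "ftpServer.security.ssl.$channel"
        # The provider may return a wrapper object, the enum name, or its number.
        if ($value.PSObject.Properties['Value']) { $value = $value.Value }
        [pscustomobject]@{
            Site      = $SiteName
            Channel   = $channel
            Policy    = "$value"
            Encrypted = "$value" -in 'SslRequire', '1'
        }
    }
}

# Usage with the article's site name and a placeholder thumbprint:
# Set-FtpTlsRequired -SiteName 'Default FTP Site' -CertThumbprint '<THUMBPRINT>'
# Restart-WebItem "IIS:\Sites\Default FTP Site"
# Test-FtpTlsRequired -SiteName 'Default FTP Site' | Format-Table
```

Once both channels report Encrypted as True, clients that do not negotiate TLS are refused, so test with a client configured for explicit FTPS.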
Conclusion
Setting up an FTP server on a Windows server requires configuration at many levels. With PowerShell you can install Windows FTP features and create the FTP server with the detailed configuration very easily. You can also create new FTP users and authorize them to access the FTP root directory in an automated fashion. This can come in handy if you have to apply the same settings for several machines.
Excellent post, thank you very much. I had some problems creating the local group, creating the local user and adding it to the group; I used these commands for that:
# Create the local Windows group
$FTPUserGroupName = "FMS FTP Users"
New-LocalGroup -Name $FTPUserGroupName -Description "Members of this group can connect through FTP"
# Create an FTP user
$FTPUserName = "FtpManager"
$FTPPassword = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
New-LocalUser -Name $FTPUserName -Password $FTPPassword -Description "User account to access FMS FTP" -PasswordNeverExpires -UserMayNotChangePassword
# Add an FTP user to the group FTP Users
Add-LocalGroupMember -Name $FTPUserGroupName -Member $FTPUserName
This was fantastic and very detailed. I am going through trying to automate many repetitive tasks and setting up an FTP server was the next one in line. This is a huge help!
I just tried to make a comment on this article.
I don't think that [ ADSI ]"WinNT://$Etc" works when you have LSA disabled, which I do. Because apparently when you're in the world of Cyber Security… it's a good way to get trolled… learned my lesson with that one.
At any rate… I have reworked this script. I included the local user parameters that Nelson suggested, as that is definitely easier to manage than using the shellsharpnet method that the author originally used.
I've had issues using both methods. Despite that, I have a script in a testable format, feel free to scope it out and see if it works for you.
I was looking to add a GUI module, but it's not high on my priority list at the moment.
https://github.com/mcc85s/PSD-Remaster/blob/master/Provision-FTPServer.ps1
Is there a way to set SSL to No SSL in the Binding and SSL settings screen, please?
Hi,
Please let me know how to change the FTP password in a PowerShell script.
Thanks
Sriram
This guide is poisonous. It is entitled “Install and configure an FTP server with PowerShell”, but provides instructions which install a full blown web server with way more features than is necessary for an FTP Server to run.
The line
“Install-WindowsFeature Web-Server -IncludeAllSubFeature -IncludeManagementTools” adds way too much unnecessary stuff for an FTP-only server.
Good article, but some problems on Windows 10.
Have you updated the script for Windows 10?
best regards