This article describes how to build an FTP site on a Windows ECS instance. This method is applicable to Windows Server 2008 and later versions. In this article, Windows Server 2008 R2 is used.
The procedure for building an FTP site on a Windows ECS instance is as follows:
- Step 1. Add IIS and FTP service roles
- Step 2. Create FTP username and password
- Step 3. Set permissions for shared files
- Step 4. Add and configure an FTP site
- Step 5. Configure a security group and firewall
- Step 6. Test
Step 1. Add IIS and FTP service roles
You must install IIS and FTP services before building an FTP site.
To install IIS and FTP services, follow these steps:
Click the Server Manager icon.
In the left-side navigation pane, click Roles, and then click Add Roles.
In the Add Roles Wizard window, click Next.
Select Web Server (IIS), and then click Next.
Select IIS Management Console and FTP Server, and then click Next.
Step 2. Create FTP username and password
If you want to allow anonymous users to access the FTP, skip this step.
To create a Windows username and password to be used by the FTP, follow these steps:
Click the Server Manager icon.
In the left-side navigation pane, select Configuration > Local Users and Groups, and then double-click Users.
Right click the blank space, and then select New User.
On the New User dialog box, type the new user information. For example, ftptest is used in this article.
Note: The password must contain a mixture of upper-case letters, lower-case letters, and numbers. Otherwise, the password is invalid.
Step 3. Set permissions for shared files
You must set permissions to read, write, or execute for folders shared to users on the FTP site.
Create a folder for the FTP site, right click the folder, and then select Properties.
Click Security, select Users, and then click Edit.
Edit Permissions for Users. In this example, we grant all permissions.
Step 4. Add and configure an FTP site
Follow these steps to install an FTP site.
Select Start > Administrative Tools > Internet Information Services (IIS) Manager.
On the left-side navigation pane, click the instance ID, and then right click Sites and click Add FTP Site.
In the Add FTP Site wizard, specify the FTP site name and the physical path of the shared folder, and then click Next.
Use the default value for the IP address, and then type the port number of this instance. The default FTP port number is 21.
Select SSL settings, and then click Next.
- Allow SSL: Allows the FTP site to support both non-SSL and SSL connections with the client.
- Require SSL: Requires SSL encryption for communication between the FTP server and the client.
- No SSL: No SSL encryption is required.
Select one or more authentication methods.
- Anonymous: Allows any user to access the shared content, by entering the username anonymous or ftp.
- Basic: Requires users to enter the valid username and password before they can access the shared content. The basic authentication method transmits the unencrypted password through the network. Therefore, use this authentication method only when you are sure that the connection between the client and the FTP server is secure, for example, when SSL is used.
Select one of the following options from the Authorization list, and set permissions.
- All users: All users (both anonymous and identified users) can access the relevant content.
- Anonymous users: Anonymous users can access the relevant content.
- Specified roles or user groups: Only members of the specific role group or user group can access the relevant content. Enter the role group or user group in the corresponding field.
- Specified users: Only the specified users can access the relevant content. Enter the username in the corresponding field.
Step 5. Configure a security group and firewall
After building the FTP site, you must add a rule in the security group to allow inbound traffic on the FTP port. For more information, see Add a security group rule.
By default, TCP port 21 is open on the server firewall by default for the FTP service. If you have entered another port number, you must add an inbound rule to open this port on the firewall.
Step 6. Test
On your local computer, access the FTP site by using
ftp://IP address:FTP port (the default port 21 is used if you do not enter the port). For example, you could enter
ftp://0.0.0.0:20. You are prompted for your username and password if the configuration was successful. After entering the username and password correctly, you can perform the relevant FTP file operations according to your permissions.
Note: If you use this method to access the FTP site from the client, you must adjust the Internet Explorer settings to open FTP folders. Open Internet Explorer, and then select Tools > Internet Options > Advanced. Select Enable folder view for FTP sites, and then clear Use Passive FTP.
You can take actions to improve your FTP service security. For more information, see FTP anonymous logon and weak password vulnerabilities.