IIS FTP Home Directory Isolation Using Symbolic Links

When you select the user isolation option in IIS, as shown below, there is an unwritten requirement to put all user folders under the FTP site root directory in a folder called “LocalUser”. This can cause issues; let me explain why…

When this setting is enabled, IIS locks each user into a directory named after their username, which it looks for under the FTP site root directory + \LocalUser\, e.g. for user mhosker the path would be C:\inetpub\ftproot\LocalUser\mhosker, assuming the default C:\inetpub\ftproot\ site directory binding was used.

This is great if you can easily set up the directory structure in that way. In my case the requirement was for the user home directories to be under the ftproot folder due to some previously developed automation scripts that had a hard-coded absolute path to access those directories.

So, we have user home directories in one location (in my case the FTP root, although this could be anywhere on the server or even an SMB share from another server) and a requirement that they be available via the absolute path of C:\inetpub\ftproot\LocalUser in order for the FTP user isolation to work. Moving the directories was not an option as this would break the automation scripts referencing the absolute path. The answer? A symbolic link…

A symbolic link works like a Windows shortcut, except that it masks the target path, whereas a standard Windows shortcut would redirect to the target path.

If we run the PowerShell command below:

New-Item -Path "C:\inetpub\ftproot\LocalUser" -ItemType SymbolicLink -Value "C:\inetpub\ftproot"

We will see the following result in Windows Explorer:

What we see above is actually C:\inetpub\ftproot\; however, the symlink is displaying its contents with the required \LocalUser\ included in the path.

Using symlinks can be particularly helpful if you need to store content on a remote server, in which case the symlink value could point to a remote SMB share.
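
A re-runnable form of the command above, as an added example that is not part of the original post: it creates the LocalUser link only when it is missing, refuses to replace an existing real folder or junction, and reports whether each user's isolation path resolves through the link. The function name and its parameters are hypothetical; the paths and the user mhosker are the ones used in this article.

```powershell
# Added example. Set-FtpIsolationLink and its parameters are hypothetical names.
function Set-FtpIsolationLink {
    param(
        [string]   $SiteRoot = 'C:\inetpub\ftproot',  # FTP site root used in the article
        [string]   $Target   = 'C:\inetpub\ftproot',  # folder that really holds the home directories
        [string[]] $UserName = @('mhosker')           # accounts whose home folder should resolve
    )

    $link = Join-Path $SiteRoot 'LocalUser'
    $item = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Creating a symbolic link needs an elevated session by default.
        $item = New-Item -Path $link -ItemType SymbolicLink -Value $Target -ErrorAction Stop
    }
    elseif ($item.LinkType -ne 'SymbolicLink') {
        # A real folder or a junction already occupies the name: stop instead of replacing it.
        throw "'$link' exists but is not a symbolic link (LinkType: '$($item.LinkType)')."
    }

    # Target may be returned as a collection, so take the first entry.
    $actual = [string]($item.Target | Select-Object -First 1)
    if ($actual.TrimEnd('\') -ne $Target.TrimEnd('\')) {
        Write-Warning "'$link' points to '$actual', expected '$Target'."
    }

    foreach ($user in $UserName) {
        # This is the path IIS looks for when user isolation is enabled.
        $isolated = Join-Path $link $user
        [pscustomobject]@{
            User          = $user
            IsolationPath = $isolated
            RealPath      = Join-Path $Target $user
            Resolves      = Test-Path -LiteralPath $isolated -PathType Container
        }
    }
}

# Run from an elevated PowerShell session on the FTP server.
Set-FtpIsolationLink -UserName 'mhosker' | Format-Table -AutoSize
```

A row with Resolves set to False means the user's home folder does not exist under the target, so that user's isolated login would have no directory to land in.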