Introduction
In this article, we walk step by step through installing and configuring an FTP server using PowerShell and IIS: installing the required Windows features, setting up the site, port, and root folder, creating FTP users, and authenticating and authorizing them on the FTP site so that they can access the FTP server.
Before we jump into the details, please note that all the examples demonstrated in this article were tested on Windows Server 2016 and Windows PowerShell 5.1.
What is FTP and FTP Servers
FTP, or File Transfer Protocol, is a standard network protocol developed in the 1970s that is used to transfer files between a client and a server over a network. One computer acts as the FTP server, and one or more FTP clients are allowed to upload and download files from this centralized location on the FTP server. The FTP server listens mainly on port 21 for all incoming connections from FTP clients.
FTP connections have two separate channels:
- Control – To transfer commands and get back the response
- Data – To transfer data from client to the server and vice-versa
Figure: FTP client and server
Installing FTP feature and Importing IIS module in PowerShell
First things first, we need to install the following Windows features, which are required to configure the FTP server and work with it:
- Web Server (IIS)
- FTP Server
Run the following commands from a PowerShell console with administrative privileges to install the above-mentioned features.
#Install IIS Feature
Install-WindowsFeature -Name Web-Server -IncludeManagementTools
#Install FTP feature
Install-WindowsFeature -Name Web-Ftp-Server -IncludeAllSubFeature -IncludeManagementTools -Verbose
Once the IIS and FTP Windows features are installed, import the PowerShell module for IIS into the current session to administer IIS and FTP through PowerShell:
#Importing Web administration module
Import-Module WebAdministration -Verbose
You can also view the list of available cmdlets in the module using the PowerShell cmdlet Get-Command as shown in the following example:
#List cmdlets in the Web administration module
Get-Command -Module WebAdministration
Configuring FTP Server Site Name, Port and Root folder
Now that all the required features are installed and the WebAdministration module is imported, we can proceed with the creation of our first FTP site using PowerShell. To create a new FTP site, we need to provide a site name, a port number (which we can keep at the default, port 21), and the path of the root folder where all the files reside once FTP is set up.
#Creating new FTP site
$SiteName = "Demo FTP Site"
$RootFolderpath = "C:\DemoFTPRoot"
$PortNumber = 21
if (!(Test-Path $RootFolderpath)) { # if the folder doesn't exist
    New-Item -Path $RootFolderpath -ItemType Directory # create the folder
}
New-WebFtpSite -Name $SiteName -PhysicalPath $RootFolderpath -Port $PortNumber -Verbose -Force
NOTE: You can change the values of the variables in the above code sample as per your requirements, e.g. change the value of $RootFolderpath to the path of the folder you want to use, and that folder will become the root FTP folder. If the root folder path does not exist, the above script creates the folder. After creating the FTP site from the command line, we can cross-verify it by launching the Internet Information Services (IIS) Manager GUI.
Creating FTP users and group
Now that the FTP site is created, let's move to the next step: creating the Windows users and groups that can connect to the FTP server and access the files residing in the root directory. Use the following script to create a new local group on Windows. If you look closely at the code sample, it also checks whether the group already exists on the computer and creates it only if it doesn't.
#Creating the local Windows group
$FTPUserGroupName = "Demo FTP Users Group"
if (!(Get-LocalGroup $FTPUserGroupName -ErrorAction SilentlyContinue)) { #if the group doesn't exist
    New-LocalGroup -Name $FTPUserGroupName `
        -Description "Members of this group can connect to FTP server"
}
Once we are done with the group, let's create a user and add it to this group. To create a new local user, run the following commands in the PowerShell console, which use the New-LocalUser cmdlet to create the user account.
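# Creating an FTP user
$FTPUserName = "FtpUser"
# Demo value only: a password written into a script can be read by anyone who can
# read the script. Outside a lab, prompt for it instead (Read-Host -AsSecureString).
$FTPPassword = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
if (!(Get-LocalUser $FTPUserName -ErrorAction SilentlyContinue)) { # if the user doesn't exist
    New-LocalUser -Name $FTPUserName -Password $FTPPassword `
        -Description "User account to access FTP server" `
        -UserMayNotChangePassword
}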
Now that we have the local group and user created, let's add the user to the group using the Add-LocalGroupMember cmdlet, which will enable users to be authorized through this group.
# Add the created FTP user to the group Demo FTP Users Group
Add-LocalGroupMember -Name $FTPUserGroupName -Member $FTPUserName
Let's quickly verify that from the group properties, using the GUI approach: Local Users and Groups > Groups > double-click on 'Demo FTP Users Group' to launch the properties.
Authentication of Users on FTP site
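Now let us enable the authentication mechanism (Basic Authentication), so that only authorized users who present a valid Windows user name and password can access the FTP site. Keep in mind that Basic authentication sends the user name and password unencrypted unless the FTP session is protected with SSL: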
# Enabling basic authentication on the FTP site
$param = @{
    Path    = 'IIS:\Sites\Demo FTP Site'
    Name    = 'ftpServer.security.authentication.basicAuthentication.enabled'
    Value   = $true
    Verbose = $True
}
Set-ItemProperty @param
Then, let’s authorize the group of users to be able to access the FTP site by creating an authorization rule:
# Adding authorization rule to allow FTP users
# in the FTP group to access the FTP site
$param = @{
    PSPath   = 'IIS:\'
    Location = $SiteName
    Filter   = '/system.ftpServer/security/authorization'
    Value    = @{ accessType = 'Allow'; roles = $FTPUserGroupName; permissions = 1 }
}
Add-WebConfiguration @param
The access granted in the above code sample through the 'permissions' attribute can take 3 different values, which are the following:

| Permission | Attribute Value |
| --- | --- |
| Read | 1 |
| Write | 2 |
| Read and Write | 3 |

Once the permissions are granted, they can be verified from the GUI: go to IIS Manager > Sites > click on 'Demo FTP Site', which opens the site home on the right-hand side > click on 'FTP Authorization Rules'.
Changing the SSL policy of the FTP site
FTP is a client-server protocol that uses two separate channels, Control and Data, and IIS has an SSL policy for each of them. The Control channel is responsible for the communication between the client and the server, and the Data channel is responsible for uploading and downloading data. Using the following code snippet, we change the SSL policy for both the control and the data channel from Require SSL to Allow SSL connections, which means a client request may use SSL but it is not mandatory. With this setting, a client that does not negotiate SSL sends its Basic authentication credentials and its files unencrypted.
# Changing SSL policy of the FTP site
# $false is converted to 0, which is the SslAllow value of both policies
'ftpServer.security.ssl.controlChannelPolicy', 'ftpServer.security.ssl.dataChannelPolicy' |
    ForEach-Object {
        Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name $_ -Value $false
    }
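For a site that is reachable beyond a lab, the stricter counterpart of the snippet above is to bind a certificate and set both channels to Require. The following is an added example, not part of the original article's script; the host name ftp.example.test and the use of a self-signed certificate are assumptions.

```powershell
# Added example (not from the original article): require SSL on both FTP channels.
# Assumptions: the site created earlier exists; $DnsName is a placeholder host name;
# a self-signed certificate is acceptable for a lab (use a CA-issued one otherwise).
Import-Module WebAdministration

$SiteName = 'Demo FTP Site'
$SitePath = "IIS:\Sites\$SiteName"
$DnsName  = 'ftp.example.test'

# Reuse a still-valid certificate for this name if one exists, otherwise create one
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $Cert) {
    $Cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My
}

# Bind the certificate to the FTP site
Set-ItemProperty -Path $SitePath -Name 'ftpServer.security.ssl.serverCertHash' -Value $Cert.Thumbprint

# Weak setting (Allow):     0 = SslAllow   -> unencrypted logins are accepted
# Corrected setting (here): 1 = SslRequire -> the server refuses sessions without SSL
'controlChannelPolicy', 'dataChannelPolicy' | ForEach-Object {
    Set-ItemProperty -Path $SitePath -Name "ftpServer.security.ssl.$_" -Value 1
}

# Read the resulting settings back from the site
'controlChannelPolicy', 'dataChannelPolicy', 'serverCertHash' | ForEach-Object {
    Get-ItemProperty -Path $SitePath -Name "ftpServer.security.ssl.$_"
}
```

The built-in Windows ftp.exe client does not support FTP over SSL, so a site set to Require has to be tested with an FTPS-capable client.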
Granting NTFS permissions on the FTP root folder
As the last configuration step, let’s grant the users NTFS permissions to access the FTP root folder, using the following code snippet:
# Granting NTFS permissions to the FTP root folder
$ACLObject = Get-Acl -Path $RootFolderpath
$ACLObject.SetAccessRule(
    ( # Access rule object
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $FTPUserGroupName,
            'ReadAndExecute',
            'ContainerInherit,ObjectInherit',
            'None',
            'Allow'
        )
    )
)
Set-Acl -Path $RootFolderpath -AclObject $ACLObject
And once the access is granted successfully, we can also verify the same from PowerShell as demonstrated in the following example and screenshot.
# Checking the NTFS permissions on the FTP root folder
Get-Acl -Path $RootFolderpath | ForEach-Object Access
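The read-only setup above pairs FTP permission value 1 with NTFS ReadAndExecute, and an operation succeeds only when both layers allow it. The following added example (not part of the original script) applies the same pairing to write access while keeping it confined to one subfolder. The group name 'Demo FTP Upload Group' and the Upload folder are hypothetical, and upload users are assumed to also be members of Demo FTP Users Group so that they can log on and list the root.

```powershell
# Added example (not from the original article): write access limited to one subfolder.
# Hypothetical names: $UploadGroupName and the 'Upload' folder.
Import-Module WebAdministration

$SiteName        = 'Demo FTP Site'
$RootFolderpath  = 'C:\DemoFTPRoot'
$UploadGroupName = 'Demo FTP Upload Group'
$UploadFolder    = Join-Path $RootFolderpath 'Upload'

if (!(Get-LocalGroup $UploadGroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $UploadGroupName -Description 'Members may upload to the Upload folder'
}
if (!(Test-Path $UploadFolder)) {
    New-Item -Path $UploadFolder -ItemType Directory | Out-Null
}

# FTP layer: permissions = 3 (Read and Write), scoped to <site>/Upload only
$param = @{
    PSPath   = 'IIS:\'
    Location = "$SiteName/Upload"
    Filter   = '/system.ftpServer/security/authorization'
    Value    = @{ accessType = 'Allow'; roles = $UploadGroupName; permissions = 3 }
}
Add-WebConfiguration @param

# NTFS layer: Modify on the Upload folder only. AddAccessRule adds to the existing
# entries for the group instead of replacing them, as SetAccessRule would.
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UploadGroupName, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl = Get-Acl -Path $UploadFolder
$Acl.AddAccessRule($Rule)
Set-Acl -Path $UploadFolder -AclObject $Acl

# Read back both layers: FTP authorization rules, then the NTFS entries for the group
(Get-WebConfiguration -PSPath 'IIS:\' -Location "$SiteName/Upload" `
    -Filter '/system.ftpServer/security/authorization').Collection |
    Select-Object accessType, roles, permissions
(Get-Acl -Path $UploadFolder).Access |
    Where-Object { $_.IdentityReference -like "*\$UploadGroupName" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```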
Accessing FTP Server
Before we test the FTP access, make sure that the port specified for the FTP connection is open on your firewall. In our case, it's 21. Once done, run the commands below to test your FTP access:
# Test FTP Port and FTP access
Test-NetConnection -ComputerName localhost -Port 21
# Replace ComputerName with the name or IP address of the FTP server
ftp ComputerName
3 Comments
This is a beautiful piece of information. Author has described each step with clarity, which provides ease in understanding, and the entire script could be used to prepare an automation runbook.
Thank you
[…] Setup FTP Server with PowerShell […]
Everything works BUT I cannot connect from another client computer. I can use external IP and URL locally on the server. IIS generated Firewall rules and I didn’t change anything concerning the ports. Any ideas?