Introduction

In this article, we are going to walk step by step through the installation and configuration of an FTP server using PowerShell and IIS: installing the required Windows features, setting up the site, port, and root folder, creating FTP users, and authenticating them on the FTP site so that they can access the FTP server.

Before we can jump into the details, please note that all the examples demonstrated in this article are tested on Windows Server 2016 and Windows PowerShell 5.1.




What is FTP and FTP Servers

FTP or File Transfer Protocol is a standard network protocol developed in the 1970s, which is used to transfer files between a client and a server over a network. One computer acts as the FTP server, and one or more FTP clients are allowed to upload and download files from this centralized location on the FTP server. The FTP server listens mainly on port 21 for all incoming connections from FTP clients.

FTP connections have two separate channels:

  1. Control – To transfer commands and get back the response
  2. Data – To transfer data from client to the server and vice-versa

FTP Client Server



Installing FTP feature and Importing IIS module in PowerShell

First things first, we need to install the following Windows features, which are required to configure the FTP server and work with it:

  1. Web Server (IIS)
  2. FTP Server

Run the following commands from a PowerShell console with administrative privileges to install the above-mentioned features.


#Install IIS Feature
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

#Install FTP feature
Install-WindowsFeature -Name Web-Ftp-Server -IncludeAllSubFeature -IncludeManagementTools -Verbose

 

Once the IIS and FTP Windows features are installed, then please import the PowerShell module for IIS in the current session to administer the IIS and FTP through PowerShell:


#Importing Web administration module
Import-Module WebAdministration -Verbose

You can also view the list of available cmdlets in the module using the PowerShell cmdlet Get-Command as shown in the following example:

#List cmdlets in the Web administration module

Get-Command -Module WebAdministration


Configuring FTP Server Site Name, Port and Root folder

 Now that all the required features are installed, and WebAdministration Module imported, we can proceed with the creation of our first FTP site using PowerShell. In order to create a new FTP site, we need to provide a site name, a port number that we can keep default to port 21 and the path of the root folder where all the files reside once FTP is setup.


#Creating new FTP site
$SiteName = "Demo FTP Site"
$RootFolderpath = "C:\DemoFTPRoot"
$PortNumber = 21

if (!(Test-Path $RootFolderpath)) { # if the folder doesn't exist
            New-Item -Path $RootFolderpath -ItemType Directory # create the folder
}

New-WebFtpSite -Name $SiteName -PhysicalPath $RootFolderpath -Port $PortNumber -Verbose -Force

 

NOTE: You can change the values of the variables in the above code sample as per your requirement, e.g. change the value of $RootFolderpath to the path of the folder you want to point to, and that will become the FTP root folder. Also, if the root folder path does not exist, the above script will create the folder. After creating the FTP site from the command line, we can cross-verify it by launching the Internet Information Services (IIS) Manager GUI.

 


Creating FTP users and group

 

Now that the FTP site is created, let’s move to the next step: creating the Windows users and groups who can connect to the FTP server and access the files residing in the root directory. Use the following script to create a new local group on Windows. If you look closely at the code sample, it also checks whether the group already exists on the computer, and only creates it if it doesn’t exist.


#Creating the local Windows group
$FTPUserGroupName = "Demo FTP Users Group"

if (!(Get-LocalGroup $FTPUserGroupName  -ErrorAction SilentlyContinue)) { #if the group doesn't exist

New-LocalGroup -Name $FTPUserGroupName `
               -Description "Members of this group can connect to FTP server" 

}

 

 

 

Once we are done with the group, let’s create a user and add it to this group. To create a new local user, run the following commands in the PowerShell console, which use the New-LocalUser cmdlet to create the user account.


# Creating an FTP user
$FTPUserName = "FtpUser"
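# Demo password only; for real use, prompt with Read-Host -AsSecureString instead of hard-coding it
$FTPPassword = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force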

if (!(Get-LocalUser $FTPUserName -ErrorAction SilentlyContinue)) {

New-LocalUser -Name $FTPUserName -Password $FTPPassword `
              -Description "User account to access FTP server" `
              -UserMayNotChangePassword
}

Now that we have the local group and user created, let’s add the user to the group using the Add-LocalGroupMember cmdlet, which will enable users to be authenticated through this group.


# Add the created FTP user to the group Demo FTP Users Group
Add-LocalGroupMember -Name $FTPUserGroupName -Member $FTPUserName

 

Let’s quickly verify that from Group properties, using the GUI approach: Local Users and Groups > Groups > Double click on ‘Demo FTP Users Group’ to launch the properties as shown in the following Figure.

 


Authentication of Users on FTP site

Now let us enable Basic Authentication, so that users have to log in with a Windows user name and password before they can access the FTP site. Basic Authentication itself does not encrypt the credentials; they are protected only when the connection uses SSL:


# Enabling basic authentication on the FTP site
$param = @{
             Path    = 'IIS:\Sites\Demo FTP Site'
             Name    = 'ftpServer.security.authentication.basicAuthentication.enabled'
             Value   = $true
             Verbose = $True
}

Set-ItemProperty @param

Then, let’s authorize the group of users to be able to access the FTP site by creating an authorization rule:


# Adding authorization rule to allow FTP users
# in the FTP group to access the FTP site

$param = @{
             PSPath = 'IIS:\'
             Location = $SiteName
             Filter = '/system.ftpServer/security/authorization'
             Value = @{ accessType = 'Allow'; roles = $FTPUserGroupName; permissions = 1 }
}

Add-WebConfiguration @param

The access granted in the above code sample through the ‘permissions’ attribute can have 3 different values, which are the following:

Permission        Attribute Value
Read              1
Write             2
Read and Write    3

 

Once the permissions are granted, they can be verified from the GUI: go to IIS Manager > Sites > click on ‘Demo FTP Site’, which will open the site home on the right-hand side > click on ‘FTP Authorization Rules’.


Changing the SSL policy of the FTP site

 

FTP is a client-server protocol with two separate channels, Control and Data, each of which has its own SSL policy. The Control channel is responsible for the communication between the client and the server, and the Data channel is responsible for uploading and downloading data. Using the following code snippet, we will change the SSL policy for both the control and the data channel from Require SSL to Allow SSL, which means a client may use SSL but it is not mandatory, and a client that does not use it transfers everything, including the login, unencrypted.


# Changing SSL policy of the FTP site
# 0 = SslAllow (SSL optional), 1 = SslRequire

'ftpServer.security.ssl.controlChannelPolicy', 'ftpServer.security.ssl.dataChannelPolicy' |
ForEach-Object {
          # Use the same site name that was passed to New-WebFtpSite
          Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name $_ -Value 0
}
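
The following check is an added example, not part of the original article: it reads back the authentication and SSL settings configured above and reports the combinations that let credentials or files cross the network unencrypted. The function names Get-FtpPostureFinding and Test-FtpSitePosture are hypothetical, and the helper assumes Get-ItemProperty may return either a plain string or an object with a Value property.

```powershell
# Added example, not from the original article.
# Decision logic is kept separate from the IIS read so it can run without IIS.
function Get-FtpPostureFinding {
    param(
        [bool]$BasicAuth,
        [bool]$AnonymousAuth,
        $ControlPolicy,   # 'SslAllow'/0, 'SslRequire'/1, 'SslRequireCredentialsOnly'/2
        $DataPolicy       # 'SslAllow'/0, 'SslRequire'/1, 'SslDeny'/2
    )
    $findings = @()
    if ($BasicAuth -and ($ControlPolicy -in 'SslAllow', 0)) {
        $findings += 'Basic authentication with optional SSL on the control channel: user name and password can cross the network in clear text.'
    }
    if ($DataPolicy -notin 'SslRequire', 1) {
        $findings += 'SSL is not required on the data channel: file contents can be transferred unencrypted.'
    }
    if ($AnonymousAuth) {
        $findings += 'Anonymous authentication is enabled.'
    }
    return ,$findings
}

# Reads the live settings of one FTP site (needs IIS and the WebAdministration module).
function Test-FtpSitePosture {
    param([Parameter(Mandatory)][string]$SiteName)
    Import-Module WebAdministration
    $path = "IIS:\Sites\$SiteName"
    # Assumption: a value comes back either as a string or as an object with .Value
    $read = {
        param($name)
        $v = Get-ItemProperty -Path $path -Name $name
        if ($null -ne $v.Value) { $v.Value } else { $v }
    }
    Get-FtpPostureFinding `
        -BasicAuth     (& $read 'ftpServer.security.authentication.basicAuthentication.enabled') `
        -AnonymousAuth (& $read 'ftpServer.security.authentication.anonymousAuthentication.enabled') `
        -ControlPolicy (& $read 'ftpServer.security.ssl.controlChannelPolicy') `
        -DataPolicy    (& $read 'ftpServer.security.ssl.dataChannelPolicy')
}

# Constructed input mirroring the settings made in this article
Get-FtpPostureFinding -BasicAuth $true -AnonymousAuth $false -ControlPolicy 'SslAllow' -DataPolicy 'SslAllow'

# On the server itself:
# Test-FtpSitePosture -SiteName 'Demo FTP Site'
```

Clearing these findings means setting both channel policies back to Require SSL, which in turn needs a server certificate assigned to the FTP site.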


 

Granting NTFS permissions on the FTP root folder

As the last configuration step, let’s grant the users NTFS permissions to access the FTP root folder, using the following code snippet:


# Granting NTFS permissions to the FTP root folder

$ACLObject = Get-Acl -Path $RootFolderpath
$ACLObject.SetAccessRule(
   ( # Access rule object
      New-Object System.Security.AccessControl.FileSystemAccessRule(
      $FTPUserGroupName,
      'ReadAndExecute',
      'ContainerInherit,ObjectInherit',
      'None',
      'Allow'
      )
   )
)

Set-Acl -Path $RootFolderpath -AclObject $ACLObject

Once the access is granted successfully, we can also verify it from PowerShell as demonstrated in the following example.


# Checking the NTFS permissions on the FTP root folder
Get-Acl -Path $RootFolderpath | ForEach-Object Access

 


Accessing FTP Server

 

Before we test the FTP access, make sure that the port specified for the FTP connection is open on your firewall. In our case, it’s 21. Once done, run the commands below to test your FTP access:


# Test FTP Port and FTP access

Test-NetConnection -ComputerName localhost -Port 21

ftp ComputerName

 

 

Full PowerShell Script

 

 
