FTP is a well-known network protocol for transferring files internally and externally over TCP. When you have a Windows 2016 or 2019 server in your environment, you may need to set up an FTP site and configure proper permissions to make file transfer simple, fast and secure. The step-by-step guide below explains how to install and configure the FTP service on Windows 2012 R2 (and later versions) servers. The reference links also show how to allow incoming FTP packets through the Windows firewall without disabling the firewall service completely.
Windows 2012 R2 has Internet Information Services (IIS) version 8.5 with several improvements. Later Windows Server operating systems such as 2016 and 2019 have the latest IIS. FTP server settings are available under the IIS service, so the IIS role needs to be installed before setting up an FTP site on the Windows server.
Steps to Install and Configure FTP on Windows Server
1) Let us install the web service (IIS) role first.
Open Server Manager and select Add Roles and Features.
Click Next and select Role-based installation; this option must be selected to install any roles or features on a Windows server.
Select the local server and click Next.
2) Select Web Server (IIS) and all recommended features in the popup screen as below.
3) It is not required to select any other features in the Features page.
When you reach the Web Server role features, select the FTP services and FTP extensibility (optional only) features.
4) Confirm the selection and click Install to start the installation.
Once the FTP server role has been installed, you can open IIS (Internet Information Services) Manager from Server Manager on Windows 2012 R2.
5) It will open the IIS settings, where you can host websites and FTP sites. For this demonstration, we will create and set up an FTP site only.
There are a few things you need to consider before implementing an FTP server setup:
- Are you going to use SSL (Certificate) or Non-SSL security settings on your FTP site?
- SSL is more secure and the traffic will be encrypted, but you need a valid internal or external certificate if you select SSL.
- How will users be authenticated? Locally, or integrated with Active Directory?
- How are you going to manage read-only and write access to your FTP site?
- If the server has multiple network cards and IPs, on which IP do you want to publish your FTP site? Based on these points, you have to bind the FTP service to a particular IP (NIC) on the Windows server.
Once you have decided on the above points, go to our earlier guide, which shows how to install and set up FTP on Windows 10. The settings and configuration steps are very similar.
Remember, setting up the permissions for your FTP site is very important: not all users need write access, and in most cases no user should be able to read the files on the FTP site without authentication (that means no anonymous access).
Must Do Steps
You will need to allow FTP traffic through the Windows firewall or any other firewall/antivirus software you have installed. Once you have completed the setup, you can check connectivity, permissions and access levels by using any FTP client program, such as FileZilla.
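The install steps and the design decisions above (SSL, authentication, read-only versus write access, IP binding, firewall) can also be scripted. The following PowerShell is an added example, not part of the original guide; the site name, path, IP address, group names and certificate thumbprint are assumed placeholder values to replace with your own.

```powershell
# Added example: scripted equivalent of the GUI steps in this guide.
# Every value in this first block is an assumed placeholder.
$SiteName   = 'CorpFTP'
$RootPath   = 'D:\FtpRoot'
$BindIP     = '192.0.2.10'                # address of the NIC the site should listen on
$ReadGroup  = 'FTP-Readers'               # local or AD group: download only
$WriteGroup = 'FTP-Writers'               # local or AD group: upload and download
$CertThumb  = '<CERTIFICATE-THUMBPRINT>'  # certificate already present in LocalMachine\My

# Steps 1-4: IIS role plus the FTP service and the optional FTP extensibility feature
Install-WindowsFeature -Name Web-Server, Web-Ftp-Server, Web-Ftp-Service, Web-Ftp-Ext -IncludeManagementTools
Import-Module WebAdministration

# Step 5: create the FTP site bound to one IP rather than all addresses
New-Item -ItemType Directory -Path $RootPath -Force | Out-Null
New-WebFtpSite -Name $SiteName -IPAddress $BindIP -Port 21 -PhysicalPath $RootPath
$Site = "IIS:\Sites\$SiteName"

# Authentication: no anonymous access; Basic validates Windows (local or AD) accounts
Set-ItemProperty $Site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $Site -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# SSL: require encryption on both channels so Basic credentials never cross the wire in clear text
Set-ItemProperty $Site -Name ftpServer.security.ssl.serverCertHash -Value $CertThumb
Set-ItemProperty $Site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty $Site -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslRequire'

# FTP authorization rules: read-only for one group, read/write for the other
$Authz = '/system.ftpServer/security/authorization'
Add-WebConfiguration $Authz -PSPath 'IIS:\' -Location $SiteName -Value @{ accessType = 'Allow'; roles = $ReadGroup; permissions = 'Read' }
Add-WebConfiguration $Authz -PSPath 'IIS:\' -Location $SiteName -Value @{ accessType = 'Allow'; roles = $WriteGroup; permissions = 'Read,Write' }

# NTFS permissions must agree with the FTP rules; the more restrictive of the two wins
icacls $RootPath /grant "${ReadGroup}:(OI)(CI)RX" "${WriteGroup}:(OI)(CI)M"

# Firewall: allow the control channel on the bound address only, leaving the firewall enabled
New-NetFirewallRule -DisplayName "FTP control ($SiteName)" -Direction Inbound -Protocol TCP -LocalAddress $BindIP -LocalPort 21 -Action Allow

# Check: anonymous access should read False, and only the two group rules should be listed
(Get-ItemProperty $Site -Name ftpServer.security.authentication.anonymousAuthentication.enabled).Value
Get-WebConfiguration "$Authz/add" -PSPath 'IIS:\' -Location $SiteName | Select-Object accessType, roles, users, permissions
```

The firewall rule covers only the control channel on port 21; passive-mode data connections need their port range allowed as well.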
Yeah, this and every website like this DOES NOT WORK! Reloaded OS, IIS and FTP roles over and again, reloaded AD, redid network shares etc. So let me break it down like this…
I have a HOST SERVER (SERVER01) and it has a RAID5 that is immense and should hold all data redundantly (inetpub, etc.)
It HOSTS 2 VMs! (Server01A, and Server01B)
Server01A – DNS, DHCP, AD (Regular old AD)
Server01B – IIS (WWW, FTP, Murmur voice chat)
I have ALREADY LEARNED NOT TO ATTEMPT TO ‘USE A MAPPED DRIVE FOR HOSTING!’ (If you think your IIS truly understands “P:…….” you’re wrong. It will ONLY REACT POSITIVELY TO “\SERVERNAMESHARED-DIR” so, time for you to stop chasing your tail over that, now….
The problem is, my UNC (the Raid5 on Host box) Has FTP Read/Write through IIS on the VM, you can read and execute… no issues…. You are an ADMINISTRATOR (or DOMAIN ADMIN) and you FTP in (e.g. you are PART of a group (OU) that can work on the domain AND in a separate FTP group for the ppl I only want to give Up and download access to) no worries. You log in, download, upload to the folder (and amongst ALL folders I mean… you ARE an ADMIN)
You log in as Joe-Average, FTP schmuck… You may read and execute… YOU CANNOT WRITE TO THIS NON-INHERITING COMPLETELY SEPARATED FOLDER THAT HAS ‘Everyone’ AUTHORIZED WITH A $100 BILL PINNED TO ITS ASS SCREAMING ‘VICTIM HERE! VICTIM HERE!!’ ACROSS MY NETWORK AND OUT MY FIREWALL…
I have changed Shares, Permissions, ACLs, Inheritances, I have read and reread MCSA books etc and WTF….
WHY!?!?!?!?!