How to enable access to redirection.config

I'm using windows server 2012 R2 as an FTP server. I added an FTP site MyFtpServer. The application pool it uses is MyFtpServerAppPool. The AppPool uses ApplicationPoolIdentity as identity. If I use ftp from the commandline to log in, I get the following result:

530-User cannot log in.
 Win32 error:   Access is denied.
 Error details: Filename: \\?\C:\Windows\system32\inetsrv\config\redirection.config
 Error: Cannot read configuration file due to insufficient permissions

When I add permission to the \windows\system32\inetsrv\config folder by adding the Network Service identity with read access, then the FTP login proceeds without error.

But what I read about using Network Service like this is that, security-wise, this would be two steps back. The 'best practice' solution I found was to add permissions using the IIS AppPool\MyFtpServerAppPool identity. However, if I do that, then the FTP login fails again with the same error message.

So my question is: what would be the best way to solve this issue? Obviously I want the FTP functionality to work, but I don't want to revert to measures which are no longer considered best practice security-wise. Any ideas?

Added: I'm using IIS Manager Users.


Solution 1:

The IIS FTP server by default runs under Network Service. I think changing the application pool identity is not helpful, because the FTP service doesn't even use the application pools or the w3wp.exe processes.

Some people recommend using a specific account to run the FTP service and then assigning permissions to that account.

You do that in the Component Services MMC (see a Microsoft blog post). I tried that, but I didn't even see the FTP... node under COM+ Applications.

It took a while to find out that I have to install the FTP Extensibility Windows feature in Server Manager.

After that you should see the Microsoft FTP Publishing Service Extensibility Host node. Open properties and change the Identity to a custom account.

I just wrote a PowerShell script that enables FTP, creates a site and a user, and sets the identity for the FTP service. It also sets ACLs for the new account on the configuration files and the FTP root.

New-DemoFTPSite.ps1
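The script itself is not on this page. The following is an added example, not the answerer's New-DemoFTPSite.ps1, showing the same approach end to end: install the FTP Extensibility feature, create a dedicated local account, grant that account read access only to the IIS configuration files the FTP service needs (instead of opening the whole config folder to Network Service), grant it modify on the FTP root, and set it as the identity of the "Microsoft FTP Publishing Service Extensibility Host" COM+ application. The account name svc_ftpext, the FTP root path, and the site name are placeholders; the COM+ application name is the one given in the answer.

```powershell
# Added example (not the answerer's script). Assumed names: svc_ftpext, C:\inetpub\ftproot\MyFtpServer.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$serviceUser    = 'svc_ftpext'                                         # placeholder local account
$siteName       = 'MyFtpServer'                                        # site name from the question
$ftpRoot        = 'C:\inetpub\ftproot\MyFtpServer'                     # placeholder FTP root
$configDir      = Join-Path $env:windir 'System32\inetsrv\config'
$comPlusAppName = 'Microsoft FTP Publishing Service Extensibility Host' # COM+ app name from the answer

# 1. FTP server plus FTP Extensibility; the COM+ application only exists after the second feature.
Install-WindowsFeature -Name Web-Ftp-Server, Web-Ftp-Ext | Out-Null
Import-Module WebAdministration

# 2. Dedicated local service account (password prompted, never echoed or hard-coded).
$cred          = Get-Credential -UserName $serviceUser -Message "Password for service account $serviceUser"
$plainPassword = $cred.GetNetworkCredential().Password
$computer      = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$exists        = $computer.Children | Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -eq $serviceUser }
if (-not $exists) {
    $user = $computer.Create('User', $serviceUser)
    $user.Invoke('SetPassword', $plainPassword)
    $user.CommitChanges()
    # ADS_UF_PASSWD_CANT_CHANGE (0x40) | ADS_UF_DONT_EXPIRE_PASSWD (0x10000): a non-interactive
    # service identity should not rotate its own password or expire underneath the service.
    $user.InvokeSet('UserFlags', (0x40 -bor 0x10000))
    $user.CommitChanges()
}
$account = "$env:COMPUTERNAME\$serviceUser"

# 3. FTP site pointing at the root folder (created if missing).
if (-not (Test-Path $ftpRoot)) { New-Item -ItemType Directory -Path $ftpRoot | Out-Null }
if (-not (Get-Website -Name $siteName)) {
    New-WebFtpSite -Name $siteName -Port 21 -PhysicalPath $ftpRoot | Out-Null
}

# Adds one Allow ACE for $Account; inheritance is enabled only when granting on a directory.
function Grant-FileSystemAccess {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $isDir   = (Get-Item $Path).PSIsContainer
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
                   $Account, $Rights, $inherit, 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 4. Least-privilege ACLs: read on only the two config files the FTP service parses
#    (redirection.config is the one named in the error), not on the whole config folder,
#    so administration.config and the rest of inetsrv\config stay closed to this account.
foreach ($file in 'redirection.config', 'applicationHost.config') {
    Grant-FileSystemAccess -Path (Join-Path $configDir $file) -Account $account -Rights Read
}
# Modify on the FTP root (recursively) so uploads and directory creation work; nothing above it.
Grant-FileSystemAccess -Path $ftpRoot -Account $account -Rights Modify

# 5. Run the FTP extensibility host COM+ application as the dedicated account.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()
$app = $apps | Where-Object { $_.Name -eq $comPlusAppName }
if (-not $app) { throw "COM+ application '$comPlusAppName' not found; is Web-Ftp-Ext installed?" }
$app.Value('Identity') = $account
$app.Value('Password') = $plainPassword
$apps.SaveChanges() | Out-Null
$catalog.ShutdownApplication($comPlusAppName)   # so the new identity takes effect

# 6. Restart the FTP service and show the resulting ACE on the file from the error message.
Restart-Service -Name ftpsvc
(Get-Acl (Join-Path $configDir 'redirection.config')).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two things worth checking after running it: the ftp command-line test from the question should now log in without the 530 error, and `icacls %windir%\System32\inetsrv\config` should still show no entry for the service account on the folder itself, only on the two files. If the extensibility host fails to start under the new identity, the account is usually missing the "Log on as a batch job" user right that COM+ server applications need.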