Here is some up-front detail.
System:
- Windows Server 2012 R2 Standard (VM)
- Build 6.3.9600
- IIS Version 8.0
- Build 8.5.9600.16384
Current Configuration:
- Locally stored and managed FTP site bound to port 990
- Managed Pipeline Mode: Integrated
- .NET CLR Version: v4.0.30319
- Identity: ApplicationPoolIdentity
- Users are domain accounts; they are also isolated to the hosting system.
Desired Function:
- Isolate application users by physical (local) directories.
- Segregate access via multiple parameters:
  - ACLs.
  - Folder security settings.
  - FTP Authorization.
  - Deny all IPs from the targeted folder (except whitelisted IPs).
- Isolate users via physical directories.
Current Issue:
- I am not isolating users but starting them in a user name directory.
- This causes more administrative work refining security items.
- This also allows for a crafted attack to scan for directories (with non-blocking requests) for a server response for directory names.
- How to do this without having a goofy FTP layout?
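The following is an added example, not code from the original post or from Microsoft's documentation. It shows the configuration the post is asking for in PowerShell with the WebAdministration module: the "start in user name directory" behaviour described above corresponds to the FTP `userIsolation` mode `StartInUsersDirectory`, which places a session in a per-user folder but does not confine it there; `IsolateAllDirectories` confines each login to its own physical directory, which removes the directory-name probing concern raised in the post. Domain accounts resolve to `<root>\<DOMAIN>\<user>`. The site name `FTPSite`, root `D:\FtpRoot`, domain `CONTOSO`, the user names and the allow-listed IP are placeholders and not from the post.

```powershell
# Added example: IIS FTP user isolation, per-user folders, NTFS ACLs,
# FTP authorization and an IP allow-list. Not from the original post.
# Placeholders (not from the post): site name, root, domain, users, IP.
Import-Module WebAdministration

$siteName   = 'FTPSite'
$ftpRoot    = 'D:\FtpRoot'
$domain     = 'CONTOSO'
$users      = @('alice', 'bob')
$allowedIps = @('203.0.113.10')   # documentation-range address, placeholder

# 1. Replace StartInUsersDirectory (per-user start folder, no confinement)
#    with IsolateAllDirectories (each login confined to its own physical
#    directory; global virtual directories disabled).
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter "/system.applicationHost/sites/site[@name='$siteName']/ftpServer/userIsolation" `
    -Name mode -Value 'IsolateAllDirectories'

foreach ($u in $users) {
    # 2. Isolation maps domain accounts to <root>\<DOMAIN>\<user>.
    #    (Local accounts use LocalUser\<user>; anonymous uses LocalUser\Public.)
    $dir = Join-Path $ftpRoot (Join-Path $domain $u)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # 3. NTFS ACL: drop inherited entries, grant the owning user Modify and
    #    only SYSTEM and Administrators Full Control. No other users are listed,
    #    so a different FTP login cannot read this folder even if it learns the name.
    & icacls.exe $dir /inheritance:r `
        /grant "${domain}\${u}:(OI)(CI)M" `
        /grant 'SYSTEM:(OI)(CI)F' `
        /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    # 4. FTP authorization: allow only the named account at the site level.
    #    Isolation plus the NTFS ACL above provide the per-directory separation.
    Add-WebConfiguration -PSPath 'IIS:\' -Location $siteName `
        -Filter '/system.ftpServer/security/authorization' `
        -Value @{ accessType = 'Allow'; users = "$domain\$u"; permissions = 'Read,Write' }
}

# 5. IP restrictions on the site: deny every address not explicitly allowed.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter '/system.ftpServer/security/ipSecurity' -Name allowUnlisted -Value $false
foreach ($ip in $allowedIps) {
    Add-WebConfiguration -PSPath 'IIS:\' -Location $siteName `
        -Filter '/system.ftpServer/security/ipSecurity' `
        -Value @{ ipAddress = $ip; allowed = $true }
}

# Verify the mode actually changed before reconnecting clients.
Get-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter "/system.applicationHost/sites/site[@name='$siteName']/ftpServer/userIsolation" `
    -Name mode
```

Run this in an elevated PowerShell session on the FTP host. The physical layout stays a single tree under the site root (`D:\FtpRoot\CONTOSO\<user>`), so there is no need for per-user virtual directories; each user's session root is simply their own folder, and the authorization and IP rules live on the site rather than being repeated per folder.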