FTP stands for File Transfer Protocol. It is primarily used to either store files or edit your website hosted on the IIS (Internet Information Services). In this guide, we will cover installing a secure FTP server on Windows using IIS, installing IIS, creating a certificate for your FTPS server, allowing the FTP server to go through firewalls, adding the FTP to a site, creating a standalone FTP site, and connecting to your FTPS server.
Installing an FTP Server
- Open the Windows Server Manager, navigate to the dashboard, and run Manage – Add Roles and Features.
- In the Add Roles and Features wizard, proceed to the Installation Type step and confirm Role-based or feature-based installation.
- Go to the Server Roles step. If you have already installed IIS, the Web Server role will already be checked. If not, check it and confirm installing the IIS Management Console too.
- Navigate to Web Server Role (IIS) – Role Services, and check the FTP service role. Uncheck the Web Service role if you don’t require it.
- Navigate to the end of the wizard and click Install.
Managing the IIS
There are two possibilities here: either you already have IIS installed, or you do not. We will cover both of these possibilities for multiple systems.
If You Currently Have IIS Installed on Windows Server 2008 R2
- In Server Manager, navigate to the Roles node, and in Web Server (IIS) – Role Services, click Add Role Services. A new wizard will open up.
- In the wizard, check the FTP Server – FTP Service role service box.
- Also, make sure that Management Service – IIS Management Console is checked. Click Next.
- Finish the wizard and click Install.
If You Don’t Have IIS Installed on Windows Server 2008 R2
This process is very similar to the previous ones with a few changes.
- In the Windows Server Manager, navigate to the Roles node, and in the Roles Summary panel, click on Add Roles.
- Navigate to the Role Services step and check the FTP Server – FTP Service Role checkbox.
- If you don’t need the Web Service role service, uncheck it.
- Make sure that the Management Service – IIS Management console role service is also checked.
- Navigate to the end of the wizard and install.
If You Are on Windows Vista, Windows 7, Windows 8, Windows 10, Windows 11
- Navigate to Control Panel – Programs – Programs and Features – Turn Windows Features on and off.
- On the Windows Features window, do the following.
- Expand the Internet Information Services tab – FTP Server and check the FTP Service checkbox.
- Expand the Internet Information Services tab – Web Management Tools and check the IIS Management Console.
- Confirm everything by clicking on the OK button.
Creating the Certificate for Your FTPS Server
You will need a TLS/SSL certificate to secure your FTPS server. FTPS is standard FTP with a TLS/SSL layer added: with a certificate in place, the sessions between the FTP client and the server are encrypted. This is not to be confused with SFTP (SSH File Transfer Protocol), which is a subsystem of the SSH protocol and is not supported by IIS. You can acquire your certificate from a certificate authority, or you can create a self-signed certificate locally. If you opt for the self-signed version, your FTPS client will show a warning when connecting to the server.
How to Create a Self-Signed Certificate
- Open the IIS Manager
- Navigate to IIS – Server Certificates and click on Create Self-Signed Certificate.
- Input a name for your FTP Server and click OK.
Note that self-signed certificates from older versions of IIS Manager won’t work with FTPS clients that check for key usage violations. To solve this issue, you will need to create a certificate with proper key usage using Windows PowerShell.
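One way to create such a certificate from PowerShell, shown as an added example that is not part of the original guide. It assumes an elevated session on Windows 10 / Windows Server 2016 or later, where `New-SelfSignedCertificate` accepts these parameters; the host name `ftp.example.com` and the one-year lifetime are placeholders.

```powershell
# Added example. Run in an elevated PowerShell session.
# ASSUMPTION: ftp.example.com is a placeholder for the name clients connect to.
$ftpHost = 'ftp.example.com'

$params = @{
    DnsName           = $ftpHost                      # becomes the subject and SAN
    FriendlyName      = 'FTP Server'                  # name shown in IIS Manager
    CertStoreLocation = 'Cert:\LocalMachine\My'       # store IIS reads server certs from
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    # Key usage a TLS server certificate needs; strict FTPS clients check this.
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    # Enhanced Key Usage: Server Authentication only.
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
    NotAfter          = (Get-Date).AddYears(1)        # assumed lifetime
}
$cert = New-SelfSignedCertificate @params

# Read the extensions back so the result can be checked before binding it.
$x509 = 'System.Security.Cryptography.X509Certificates'
$ku   = $cert.Extensions | Where-Object { $_ -is "$x509.X509KeyUsageExtension" }
$eku  = $cert.Extensions | Where-Object { $_ -is "$x509.X509EnhancedKeyUsageExtension" }

[pscustomobject]@{
    Subject          = $cert.Subject
    Thumbprint       = $cert.Thumbprint
    KeyUsage         = $ku.KeyUsages
    EnhancedKeyUsage = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ', '
    NotAfter         = $cert.NotAfter
} | Format-List
```

The new certificate then appears under IIS – Server Certificates with the friendly name "FTP Server". Clients still have to accept it on first connection because it is self-signed.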
Resolving an External Firewall/NAT Issue
If your server sits behind an external firewall or NAT, the FTP server needs to know its external IP address to allow passive mode connections. Go to the IIS Manager, open FTP – FTP Firewall Support, and specify your server’s external IP address. You will also need to open the ports used for data connections. Since you don’t want to open all ports, set the Data Channel Port Range to the range that is open on the firewall. Every time you change this range, restart your FTP service for the change to take effect. To restart the FTP service, go to Control Panel – System and Security – Administrative Tools (Windows Tools on Windows 11) and open Services. Find the Microsoft FTP Service and restart it.
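The same settings applied from PowerShell, as an added example that is not part of the original guide. The site name, external address and port range are placeholders, and the example assumes that Windows Defender Firewall on the server also needs the ports opened; the external firewall or NAT device must forward the same range.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

# ASSUMPTIONS: all four values below are placeholders for your environment.
$siteName   = 'My FTP Site'      # hypothetical FTP site name
$externalIp = '203.0.113.10'     # documentation address, not a real server
$lowPort    = 50000              # must match the range open on the firewall
$highPort   = 50100

# Server-wide passive data channel port range (FTP Firewall Support).
Set-WebConfiguration '/system.ftpServer/firewallSupport' -PSPath 'IIS:\' `
    -Value @{ lowDataChannelPort = $lowPort; highDataChannelPort = $highPort }

# External address the site reports to clients in passive mode replies.
Set-ItemProperty "IIS:\Sites\$siteName" `
    -Name ftpServer.firewallSupport.externalIp4Address -Value $externalIp

# Open only the control port and the chosen data range, not every port.
New-NetFirewallRule -DisplayName 'FTPS control channel' -Direction Inbound `
    -Protocol TCP -LocalPort 21 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'FTPS passive data channel' -Direction Inbound `
    -Protocol TCP -LocalPort "$lowPort-$highPort" -Action Allow | Out-Null

# The port range only takes effect after the Microsoft FTP Service restarts.
Restart-Service -Name ftpsvc

# Read the values back to confirm what the server will use.
$filter = 'system.ftpServer/firewallSupport'
[pscustomobject]@{
    LowDataChannelPort  = (Get-WebConfigurationProperty -PSPath 'IIS:\' `
        -Filter $filter -Name lowDataChannelPort).Value
    HighDataChannelPort = (Get-WebConfigurationProperty -PSPath 'IIS:\' `
        -Filter $filter -Name highDataChannelPort).Value
    ExternalIp          = (Get-ItemProperty "IIS:\Sites\$siteName" `
        -Name ftpServer.firewallSupport.externalIp4Address).Value
}
```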
Adding the FTP Server to a Website
If you want to add your FTP server to an existing website do the following:
- Open IIS Manager and find your website node.
- Click on the Add FTP Publishing action.
- In the Add FTP Site Publishing wizard, do the following.
- You will find yourself on the Binding and SSL Settings step. Select Require SSL so that non-encrypted connections are refused, and select the certificate we made previously.
- On the Authentication and Authorization step, navigate to Basic authentication and make sure that Anonymous authentication isn’t selected.
- Select which accounts you want to allow to connect to the server. Just make sure you don’t tick the anonymous one.
- Click Finish.
Adding a Standalone FTP Site
Adding a standalone FTP server to store or exchange files is easy. All you have to do is:
- Open IIS Manager and find your site node.
- Click on Add FTP Site, you will be presented with a wizard.
- On the Initial Site Information step, give the site a name and specify the path to the folder on your server that will be accessed over FTP.
- On the Authentication and Authorization step, same as before, make sure that anonymous isn’t checked and check all the users to which you wish to give access.
- Click finish.
Connecting to the FTP Server
You will need to start WinSCP. You will be presented with a Login Dialog.
- Select FTP protocol and TLS/SSL Explicit Encryption.
- Under Host Name, input your Windows server hostname. Don’t use an IP address, so that WinSCP can check the hostname against your certificate. If you have a self-signed certificate, this isn’t applicable.
- Input your username and password. Input the full username with the format domain\username.
- Optionally, save your session details.
- Press Login.
- If you are using a self-signed certificate, accept the prompt.
Summary
We have covered a lot of ground in this guide on how to get your FTP service running using Windows IIS. Hopefully, this answered all the questions you’ve had and you found the solution that you were looking for.