>> GreenByte.info By Nick Tong (quiksilv) | Supported by: TalkWebSolutions.co.uk

FTP access permissions with IIS on Windows and virtual directories

I've been having a few issues with users being able to access other folders on one of my servers. This is a BIG security issue, and it's taken me a little while to figure out what was going on. It turns out to be a permissions issue.

I have one FTP site with lots of virtual directories.

In Windows Explorer, when I right-click on the folder that the virtual directory is pointing to (i.e. d:\ftpFolder\bob\) and click the Security tab, I see that the 'Users' group has permission on the folder.

Now, my user 'Bob' is not strictly a member of the 'Users' group, so at first glance he would appear not to have any permissions on the folder.

However, any user that successfully authenticates with a correct username and password becomes part of the Windows group 'Authenticated Users', and 'Authenticated Users' is a member of 'Users'.

So, to resolve this issue, I needed to remove the 'Users' group from any folder referenced by a virtual directory in IIS FTP. Removing the 'Users' group will lock down the access.

Note: even as members of 'Authenticated Users', FTP users will not be able to jump out of the FTP root to other areas of the server, so you only need to look at folders that are virtual directories in the FTP site.

So to confirm, if you remove the 'Users' group from the security permissions on the folder which the virtual directory points to, you will prevent any "un-authenticated users" from accessing that folder.
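To check the same thing from a script instead of the Security tab, the PowerShell below is an added example (not from the original post) that lists every Allow entry for 'Users' or 'Authenticated Users' on the folders your FTP virtual directories point to. The `$Folders` list and the function name `Get-BroadFtpAce` are assumptions for illustration; only d:\ftpFolder\bob comes from the post.

```powershell
# Added example: audit the folders that FTP virtual directories point to.
# $Folders is an assumed, hand-maintained list; d:\ftpFolder\bob is the post's example path.
$Folders = @('d:\ftpFolder\bob')

# Well-known SIDs are matched instead of names so the check also works on localized Windows.
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
}

function Get-BroadFtpAce {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Folder not found, skipped: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited entries, with identities translated to SIDs.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Folder    = $p
                    Group     = $BroadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    # Inherited entries come from a parent folder's ACL.
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-BroadFtpAce -Path $Folders)
if ($findings.Count -eq 0) {
    'No Users / Authenticated Users entries found on the listed folders.'
} else {
    $findings | Format-Table -AutoSize
}
```

A row with `Inherited` set to `True` means the entry comes from a parent folder, so it can only be removed on this folder after inheritance is disabled there.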


 
Comments
I gave up with the FTP server within IIS some years ago. I now use Serv-U which is much more powerful/flexible.
# Posted By dickbob | 29/10/07 13:07