Setting up your own FTP server on Windows is a very easy way to have a kind of private cloud at home or in the office. With this service you can share large files without size limits, move data between computers on your local network, and even access it from outside over the internet. If you're going to transfer a lot of data, you can also optimize the transfers using compression and decompression programs.
Furthermore, a properly configured FTP server gives you full control over who gets in, what they can see, and what they can upload or delete. You don't depend on third-party services, you can create multiple user accounts, define specific folders for each one and, if needed, add encryption to secure the connections.
What is FTP and what do you need before you start?
FTP (File Transfer Protocol) is a classic file transfer protocol that typically operates over TCP ports 20 (data) and 21 (control). Despite being around for decades, it remains a very practical solution for setting up a small file server on a home network or in a simple professional environment.
In its basic form, traditional FTP sends the username, password and data in plain text, without encryption. This means that if someone intercepts the traffic, they can read what is being transmitted. In home networks or isolated environments, this is not usually a serious problem, but on the internet or in work networks, it is much more advisable to use secure alternatives such as SFTP or FTP over SSL/TLS.
Windows includes by default, in both desktop and Windows Server versions, an FTP server integrated within IIS (Internet Information Services). This means that there is no need to install third-party programs to set up a basic server: simply activate a few system features and configure them correctly.
However, keep in mind that the FTP server integrated into Windows is readily available mainly in the Pro and Enterprise editions of Windows 10 and Windows 11. In many Home editions you won't have all the necessary administration tools and you'll have to resort to external software like FileZilla Server.
Activate and install the FTP server on Windows (IIS)
The first step is to install the necessary IIS and FTP server components. Windows 10, Windows 11, and Windows Server share a very similar foundation, although the way to reach the wizard differs slightly between desktop and server versions.
On Windows 10 and Windows 11, these features are normally activated from the Control Panel:
- Open the Control Panel and go to Programs > Turn Windows features on or off.
- In the list, locate Internet Information Services and expand it.
- Check Web Management Tools to have the IIS console available.
- Under FTP Server, check FTP Service and FTP Extensibility.
- Click OK and wait for Windows to install all the components.
On Windows Server (2012, 2012 R2 and later), it is done from Server Manager:
- Open Server Manager from the Start menu or from the taskbar.
- Click on Add roles and features.
- In the wizard, select Role-based or feature-based installation.
- Choose the destination server (usually your own computer) and press Next.
- Under Server Roles, expand Web Server (IIS) and, within it, FTP Server.
- Check FTP Server and FTP Service. If the wizard asks to add additional components, accept with Add Features.
- Review the summary and click Install. You can leave the automatic restart option selected if this is the first time you've installed IIS.
Once the installation is complete, you will have IIS with FTP support ready to be configured. From this point on, you can open Internet Information Services (IIS) Manager to create your FTP site.
Create the FTP site and choose the shared folder
With the components installed, the next step is to create the “FTP site” within IIS, which is simply the entry point that clients connect to, together with the disk folder where the files are stored.
- In the Windows Start menu, search for “Internet Information Services (IIS) Manager” and open it.
- In the left panel, expand your computer's name and right-click on Sites.
- Choose Add FTP Site…
- In the wizard, type a descriptive name for the FTP site (for example, “FTP_Home”, “FTP_Business”, etc.).
- Under Physical path, specify the folder you want to share. You can create one beforehand, such as C:\FTP, or use a specific folder (for example, a "test" folder on the desktop).
On the Binding and SSL Settings page you can adjust several important parameters:
- Select the IP address on which the FTP server will listen. If the computer only has one, you can leave it as All Unassigned or choose the specific IP address.
- The default port is 21. You can change it if you want to avoid conflicts or for "security through obscurity" reasons, but in most cases it is left as is.
- For home or testing environments, it is very common to select No SSL, so the connection will not be encrypted. In environments with sensitive data, it is best to configure an SSL certificate and select the appropriate option: Allow SSL or, directly, Require SSL.
- Check that the Start FTP site automatically option is selected so that the service starts with the server.
On the Authentication and Authorization Information screen you decide who can connect to the FTP site and with what permissions:
- Under Authentication, the usual choice is to enable Basic (the user logs in with their Windows account and password). Anonymous authentication only makes sense for read-only public repositories.
- Under Authorization, you can choose between granting access to All users, Anonymous users, Specified roles or user groups, or Specified users. For home environments, it's usually a good idea to limit it to one or more specific users.
- Select the Read permission and, if you want them to be able to upload or modify files, Write as well.
- Click Finish to create the site.
At this point, you already have an FTP site defined in IIS, pointing to a folder on your disk and with some basic access rules. Next, you will need to open the firewall and, if you want external access, modify the router.
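The same site can be created from PowerShell instead of the wizard. This is an added example, not part of the original article; it assumes an elevated session with the IIS FTP components installed, and the names FTP_Home, C:\FTP and ftpuser are placeholders.

```powershell
# Added example: scripted equivalent of the "Add FTP Site" wizard.
# Assumptions: elevated session, IIS FTP components installed, and the
# placeholder names below (site FTP_Home, folder C:\FTP, account ftpuser).
Import-Module WebAdministration

$site = 'FTP_Home'
$root = 'C:\FTP'
$user = 'ftpuser'     # an existing local Windows account (placeholder)

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Binding: all unassigned addresses, port 21.
New-WebFtpSite -Name $site -Port 21 -PhysicalPath $root -Force | Out-Null
$sitePath = "IIS:\Sites\$site"

# Authentication: Basic on, Anonymous off.
$auth = 'ftpServer.security.authentication'
Set-ItemProperty $sitePath -Name "$auth.basicAuthentication.enabled"     -Value $true
Set-ItemProperty $sitePath -Name "$auth.anonymousAuthentication.enabled" -Value $false

# SSL policy: 0 = SslAllow (unencrypted logins are accepted), 1 = SslRequire.
# 0 matches a home/test setup without a certificate; switch both to 1 once a
# certificate is bound to the site.
$ssl = 'ftpServer.security.ssl'
Set-ItemProperty $sitePath -Name "$ssl.controlChannelPolicy" -Value 0
Set-ItemProperty $sitePath -Name "$ssl.dataChannelPolicy"    -Value 0

# Authorization: one Allow rule for the named user only.
# permissions is a flag field: 1 = Read, 3 = Read + Write.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' `
    -PSPath 'IIS:\' -Location $site `
    -Value @{ accessType = 'Allow'; users = $user; permissions = 1 }

# Read the rules back to confirm nothing broader (such as "*") is present.
Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/*' `
    -PSPath 'IIS:\' -Location $site |
    Select-Object accessType, users, roles, permissions
```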
Allow FTP server in Windows Firewall
If the Windows Firewall is active (which it should be), it will block incoming connections to port 21 and to the passive FTP ports. To prevent this, you must create or enable the appropriate rules.
On desktop computers with Windows 10/11 you can do it from the Control Panel:
- Open Control Panel > System and Security > Windows Defender Firewall.
- Click on Allow an app or feature through Windows Defender Firewall.
- Click Change settings (it will ask you for administrator permissions).
- Find FTP Server in the list and check the Private and Public boxes as needed.
- Save with OK.
In Windows Server, the more controlled way is to use the advanced firewall:
- Go to Control Panel > System and Security > Administrative Tools and open Windows Firewall with Advanced Security.
- In the left panel, select Inbound Rules.
- In the right panel, click New Rule…
- Choose Predefined and, from the list, select FTP server.
- Select all entries related to FTP (service, port, etc.) and press Next.
- Choose Allow the connection and finish the wizard.
After this, your server should be able to receive FTP connections from other computers on the network. If you want it to also work correctly in passive mode through firewalls, IIS has a specific section for FTP firewall compatibility where you can define the range of passive ports and the external IP of the firewall.
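One way to script the passive port range and the matching firewall rules, as an added example that is not part of the original article. It assumes an elevated session, a passive range of 5000-6000, and rules limited to the Private network profile; adjust the profile to the one your network actually uses.

```powershell
# Added example: fixed passive port range plus inbound firewall rules.
# Assumptions: elevated session, range 5000-6000, Private profile only.
Import-Module WebAdministration

$low, $high = 5000, 6000

# Server-level "FTP Firewall Support": pin the passive data channel to a
# known range so only those ports have to be opened.
$fw = @{ PSPath = 'IIS:\'; Filter = 'system.ftpServer/firewallSupport' }
Set-WebConfigurationProperty @fw -Name lowDataChannelPort  -Value $low
Set-WebConfigurationProperty @fw -Name highDataChannelPort -Value $high
Restart-Service ftpsvc      # the FTP service picks up the range on restart

# Inbound rules: control channel and the passive data range, nothing else.
$common = @{ Direction = 'Inbound'; Protocol = 'TCP'; Action = 'Allow'; Profile = 'Private' }
New-NetFirewallRule @common -DisplayName 'FTP control (TCP 21)' -LocalPort 21 | Out-Null
New-NetFirewallRule @common -DisplayName "FTP passive data (TCP $low-$high)" `
    -LocalPort "$low-$high" | Out-Null

# Verify: list the ports the new rules expose and confirm port 21 is listening.
Get-NetFirewallRule -DisplayName 'FTP *' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
Get-NetTCPConnection -State Listen -LocalPort 21 |
    Select-Object LocalAddress, LocalPort, OwningProcess
```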
Access from the local network and from the internet
Once the site is configured and the firewall is open, the interesting part begins: verifying that the server is responding and that we can browse, upload and download files.
To test from another PC on the same network, you can use Windows File Explorer itself:
- Open Explorer with Windows + E.
- In the address bar, type the URL in the format ftp://SERVER_IP (for example, ftp://192.168.1.109).
- Enter the username and password for the Windows account you have granted permission to.
- Check Save password if you don't want to enter your credentials every time.
You can also use a dedicated FTP client (FileZilla, WinSCP, etc.) indicating the server IP, port (21 by default), FTP connection type and user credentials.
To access it from the internet (for example, from your laptop when you're away from home), you'll need to configure the router so that it forwards port 21 to the private IP address of the FTP server:
- On the FTP server, open a command prompt (CMD) and run ipconfig to record two pieces of information: the IPv4 address (the server's internal IP) and the Default Gateway (the router's IP address, something like 192.168.xx).
- In a browser, enter the gateway IP address to access the router administration.
- Log in with your router's username and password.
- Look for the section Port forwarding, NAT or WAN.
- Create a new port forwarding rule with something like this:
  – Service name: for example, “FTP Server”.
  – External port: 21 (or whichever one you use).
  – Internal IP address: the IP of the FTP server (the IPv4 you saw with ipconfig).
  – Internal port: also 21.
  – Protocol: TCP.
- Save the changes and apply the settings.
To test external access, search for “What is my IP address?” on Google or Bing from any browser to find your public IP address. Then, on another computer connected to a different network, enter ftp://YOUR_PUBLIC_IP in the browser or an FTP client. If the login window appears, it means that port forwarding and the server are working correctly.
User and permissions management for FTP
One of the strengths of using FTP over IIS is that you can leverage your existing Windows accounts to control who accesses the server and what they can do. For shared use among multiple people, it is advisable to create specific users and, if necessary, groups with limited permissions.
In Windows 10/11, to create a basic user from the modern interface:
- Open Settings with the Windows + I combination.
- Go to Accounts and then Family & other users.
- Click Add someone else to this PC.
- Choose I don't have this person's sign-in information and then Add a user without a Microsoft account.
- Fill in the username and password of the new local user.
In server environments (Windows Server), it is common to use the Local Users and Groups console to create users and, if applicable, a dedicated FTP group:
- Open Administrative Tools and go to Computer Management.
- In the tree on the left, go to Local users and groups.
- Right click on Users and select New user….
- Enter the name, description, and password. You can select options such as “User cannot change password” or “Password never expires” if it is a technical account for FTP.
- If you want to centralize permissions, also create a new group (right-click on Groups > New Group…), name it (for example, FTP_Users) and add the users who will use the service.
After creating the user, you need to grant them permissions on the folder that acts as the FTP "home":
- Right-click on the folder that acts as the FTP root (for example, C:\FTP) and open Properties.
- Go to the tab Security and click on Edit….
- If you want to fine-tune, you can use Advanced to break inheritance and convert inherited permissions into explicit permissions. This way you control exactly who has access.
- Remove users or groups that do not need to see that folder (for example, the generic “Users” group), applying the principle of least privilege.
- Click Add… to include the user or group created for FTP.
- Assign the necessary permissions. For a user who needs to read and upload files, it's usually practical to grant Full Control on that folder, as long as you are clear that it is a controlled environment.
Finally, within IIS you can adjust authorization rules per site:
- In IIS Manager, select your FTP site in the left panel.
- Open the FTP Authorization Rules feature.
- Add an Allow rule, selecting Specified users, and type the name of the Windows account that has access.
- Check Read and/or Write depending on what you want to allow.
In this way, each person can connect with their own credentials and the server can isolate or limit access per user, especially if you combine this with FTP user isolation.
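The account, group and folder permission steps above, scripted as an added example (not part of the original article). It assumes an elevated session and a placeholder account name ftpuser; it grants the group Modify rather than Full Control, a narrower choice made for this example that still allows reading, uploading and deleting files.

```powershell
# Added example: dedicated FTP account, group and NTFS permissions.
# Assumptions: elevated session; "ftpuser" is a placeholder account name;
# FTP_Users and C:\FTP follow the names used in the text.
$root  = 'C:\FTP'
$group = 'FTP_Users'
$user  = 'ftpuser'

# Technical account: password never expires and cannot be changed by the user.
$pw = Read-Host -AsSecureString "Password for $user"
New-LocalUser -Name $user -Password $pw -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'FTP-only technical account' | Out-Null
New-LocalGroup -Name $group -Description 'Accounts allowed to use the FTP site' | Out-Null
Add-LocalGroupMember -Group $group -Member $user

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Break inheritance, keeping the inherited entries as explicit ones.
icacls $root /inheritance:d

# Remove the generic groups by well-known SID so this works on any display
# language: S-1-5-32-545 = Users, S-1-5-11 = Authenticated Users.
foreach ($sid in '*S-1-5-32-545', '*S-1-5-11') {
    icacls $root /remove:g $sid
}

# Grant the FTP group Modify on the folder, subfolders and files.
icacls $root /grant "${group}:(OI)(CI)M"

# Review the resulting ACL: only administrative principals and FTP_Users
# should remain.
icacls $root
```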
Advanced IIS FTP options: isolation, filtering, and limits
The IIS FTP server includes a good set of advanced options designed for more demanding environments or for those who want very tight control over the service. Although in home use it's not always necessary to use them all, it's still a good idea to be familiar with them.
At the server root, within the IIS Manager, you will find several FTP-related modules:
- FTP site defaults: here you can define how new FTP sites are created by default (connection timeouts, maximum number of simultaneous connections, use of UTF-8, data channel behavior, etc.).
- FTP Firewall Support: lets you set a passive port range (for example, 5000-6000), which you will then have to open in the firewall and router for passive connections, as well as the external IP address of the firewall that clients must use.
- FTP User Isolation: very useful if you want each user to see only their own folder. You can configure each FTP account to be restricted to a directory with its name, a specific physical directory, or even a home directory defined in Active Directory.
- FTP Directory Browsing: lets you decide whether folder listings are displayed in MS-DOS or UNIX format and which fields are included (size in bytes, four-digit years, virtual directories, etc.).
- FTP Logon Attempt Restrictions: here you can activate a small anti-brute-force mechanism, limiting the maximum number of failed login attempts within a specific interval and deciding whether to automatically block the IP address or simply log the event.
- FTP Request Filtering: a very powerful security module that allows filtering by file extensions, URL segments, URL strings, or even specific FTP commands. Used carefully, it can be useful to block dangerous file types or commands.
- FTP Logging: here you configure how the logs are saved (by site or by server), in which folder, with what encoding (UTF-8 or ANSI) and how often new log files are generated (by time, by maximum size or without automatic rotation).
- FTP Messages: lets you customize the text the user will see upon connecting (banner, welcome message, exit message, maximum connection notification) and enable user variables such as %UserName%, %SiteName% or %BytesReceived%.
By combining these options you can make your FTP server very polished: for example, by isolating each user in their personal folder, restricting dangerous extensions, limiting the number of connections and personalizing the messages that clients see.
How to secure FTP with SSL/TLS (FTPS)
If the server will be accessible from the internet or will handle sensitive information, it's not a good idea to leave the traffic unencrypted. In these cases, it's advisable to enable FTP over SSL/TLS (FTPS) using a certificate.
You can use both certificates issued by an official CA and self-signed certificates. The latter generate a warning on the client, but serve to encrypt the channel in controlled environments.
To create a self-signed certificate from IIS on Windows Server:
- Open IIS Manager and select the server in the left panel.
- Double-click Server Certificates.
- In the right panel, choose Create Self-Signed Certificate…
- Enter a descriptive name and select the Personal store.
- Confirm with OK.
Once the certificate has been created, you will need to associate it with your FTP site:
- In IIS Manager, select the FTP site that you created.
- Open the FTP SSL Settings feature.
- In the SSL Certificate list, choose the self-signed certificate (or the one issued by your CA, if you have one).
- Check Require SSL connections if you want to force all traffic to be encrypted.
- Apply the changes.
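The certificate and SSL steps above can also be scripted. This is an added example, not part of the original article; it assumes an elevated session, a site named FTP_Home, and the placeholder DNS name ftp.example.test.

```powershell
# Added example: self-signed certificate bound to the FTP site, SSL required.
# Assumptions: elevated session; site name FTP_Home and DNS name
# ftp.example.test are placeholders.
Import-Module WebAdministration

$site     = 'FTP_Home'
$dnsName  = 'ftp.example.test'
$sitePath = "IIS:\Sites\$site"

# Create the certificate in the Local Computer "Personal" (My) store.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Bind it to the site and require TLS on both channels (1 = SslRequire), so
# neither credentials nor file contents can be sent unencrypted.
$ssl = 'ftpServer.security.ssl'
Set-ItemProperty $sitePath -Name "$ssl.serverCertStoreName"  -Value 'My'
Set-ItemProperty $sitePath -Name "$ssl.serverCertHash"       -Value $cert.Thumbprint
Set-ItemProperty $sitePath -Name "$ssl.controlChannelPolicy" -Value 1
Set-ItemProperty $sitePath -Name "$ssl.dataChannelPolicy"    -Value 1

# Read the settings back to confirm what the site now enforces.
foreach ($p in 'controlChannelPolicy', 'dataChannelPolicy', 'serverCertHash') {
    Get-ItemProperty $sitePath -Name "$ssl.$p"
}

# Record the thumbprint: compare it with the fingerprint the FTPS client
# shows in its certificate warning before accepting the certificate.
'{0}  {1}  expires {2:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
```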
From that point on, to connect to the server you will need to use a client that supports FTPS, such as WinSCP or FileZilla, configuring:
- File protocol: FTP.
- Encryption: Explicit FTP over TLS/SSL.
- Host: the IP address or domain name of the server.
- Port: 21 (or another if you changed it).
- Username and password: the Windows credentials configured for FTP.
The client will warn you that the certificate is not signed by a trusted authority if it is self-signed. Even so, the channel will be encrypted and your credentials will not travel in clear text over the network.
Setting up an FTP server on Windows using IIS isn't complicated, but it does require carefully following all the steps: installing roles, creating the site, configuring the firewall and router, defining users and permissions, and, if necessary, enabling SSL and advanced security options. Once everything is in place, you can enjoy a file storage and transfer solution that is flexible, fast, and under your control, both on your local network and from anywhere with internet access.
