Depending on your security policy, you may need to run the ftp service under a non-administrator or another
user account. The tutorial will skip the sections on how to create users on different operating systems.
The non-administrator account I will be using in this tutorial is called
The first thing to do is to change the service account from the default (LOCALSYSTEM) to the
We do this by opening the service control manager (control panel->computer administration->services) and double-clicking
on the blackmoon ftp service entry to bring up the service properties. We click on the Log On tab. The service account name
change is illustrated in the two screenshots below.
After confirming the service account name change, the system will automatically give the
blackmoon_test account rights to log on as a service. It will notify you of this change.
blackmoon_test account I am using is not an Administrator account, so it will have
only read and list folder permissions
since this is the default permission for non-administrator accounts. To add custom permissions to a folder for a user account,
right click on the folder and select the security tab. Click on the Add button and enter the account you want to add custom
permissions for, in my case
blackmoon_test. As in the screenshots below, change the permissions by clicking on the Full Control
checkbox to give the user full control over the folder.
Do this for the blackmoon folder, the temporary folder and any other
folders the ftp server will be serving files from.
Certain ftp server operations may fail
without the appropriate folder permissions for your user account.
SSL and non-administrator accounts
Blackmoon uses OS managed certificate stores to hold certificates. These certificate stores are controlled by
(Access Control Lists) that make it difficult for non-administrator accounts to access their contents. To use SSL
with non-administrator service accounts, click on the start button and select run to bring up the run dialog box.
regedt32.exe (this is not the same as regedit!!).
Regedt32 has the ability to change permissions on registry
keys just like we did above with the folders.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates and right click on the registry key to bring up its properties.
You will notice there is only one tab which is security. Add your user account, in my case
blackmoon_test and give it full
permissions to the registry key like in the screenshots below.
We still have permissions to the private key of the SSL certificate to deal with. Without access to the private key, the
selected ftp server SSL certificate will not work for SSL connections. To make sure your account has access to the private
key, download and install a tool called
WINHTTPCERTCFG from the Microsoft website. The installation folder is
\program files\Windows Resource Kits\Tools.
My SSL certificate is called "blackmoon_cert". To display user accounts with permissions to the private
key of my SSL certificate, I open a command prompt to the
WINHTTPCERTCFG folder and type
winhttpcertcfg -l -c LOCAL_MACHINE\My -s blackmoon_cert
To grant the
blackmoon_test account access to the private key of the "blackmoon_cert" SSL certificate, I would type
winhttpcertcfg -g -c LOCAL_MACHINE\My -s blackmoon_cert -a blackmoon_test
winhttpcertcfg contains a help file that shows the syntax and sample commands on how to use the tool.