Configuring FTP Site Properties

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The FTP service uses inherited default property settings, much like the WWW service does. Settings on lower levels automatically inherit higher-level settings, and you can edit lower-level settings individually to override inherited settings from the next level up. If you use IIS Manager to change a setting at a lower level and then later change a setting at a higher level that conflicts with the lower-level setting, you are prompted to choose whether you want to change the lower-level setting to match the new higher-level setting. For step-by-step instructions for changing settings, see Changing Default FTP Site Settings.

Configuring Site Messages

When you set up an FTP site, you can configure IIS to send messages when a user accesses the FTP site. You can create the following messages:

  • Banner. This message is sent to users as they connect but before they log on to an FTP site. A banner message usually informs users about what kind of information is available on the FTP site.

  • Welcome. This message welcomes users to an FTP site after they have logged on.

  • Exit. This message appears when users log off from an FTP site.

  • Maximum connections. This message is sent to users when the maximum number of connections for the FTP site has been reached.

Setting the Directory Output Style

You can set the directory output style of your FTP site. The directory output style can be either Microsoft® MS-DOS® operating system-based or UNIX-based, and the output style defines the format that is used when an FTP client sends a list command.

By default, the MS-DOS directory output style displays the year in a two-digit format, for example, 03. You can change this setting to display the year in a four-digit format, for example, 2003, by enabling the FtpDirBrowseShowLongDate metabase property. For more information, see FtpDirBrowseShowLongDate Metabase Property.

The UNIX directory output style displays the year in a four-digit format when the date of the file is different from the year of the FTP server. The year is not returned in cases where the file date is the same as the year of the FTP server.

Setting the Authentication Method

Two types of users can connect to an FTP site: anonymous users and authenticated users. Set the authentication method to allow only anonymous users, authenticated users, or both anonymous users and authenticated users. If you want to allow only anonymous users, in the FTP Sites Properties dialog box, on the Security Accounts tab, select the Allow anonymous connections check box and the Allow only anonymous connections check box. If you want to allow only authenticated users, clear the Allow anonymous connections check box. If you want to allow anonymous users and authenticated users, select only the Allow anonymous connections check box. Anonymous access to FTP resources works similarly to anonymous access to Web sites. If anonymous access is allowed, all client connections with the user name anonymous or ftp are accepted and authenticated as the anonymous user. By default, the user account that is configured as the anonymous user is IUSR_ComputerName. As an Internet convention for anonymous FTP user identification, the anonymous user is prompted for a password, which is used as a user name.

If a site uses FTP User Isolation and a user connects with a user name and password, then the user is authenticated with his or her Windows account and mapped to individual home directories. This practice is not secure because credentials are transmitted over the network in plaintext and can therefore be intercepted and read. For step-by-step instructions for setting the FTP authentication method, see FTP Site Authentication in IIS 6.0.

Note

You cannot set the authentication method and the anonymous user properties using IIS Manager for FTP sites that are configured for the Isolate users using Active Directory mode. The Isolate users using Active Directory mode is explained in more detail later in this section.

Setting the Passive Connection Port Range

FTP clients connect to FTP servers through a well-known service port, TCP port 21, and establish a control channel for sending requests and receiving replies. For actual file data transfers, a second connection is established: a data channel. By default, the server connects back to the client to establish the data connection, which is an active-mode connection. However, to support clients that are behind firewalls and cannot accept incoming connections, the FTP protocol allows the client to connect to the server to establish the data channel, which is a passive-mode connection. Passive-mode connections are established through the following process: the client requests a passive mode (PASV), the server replies with a unique port number, and the client connects to that port.

By default, the FTP server allocates ports for passive-mode connections from the WinSock dynamic range, 1024 to 5000. If the server itself is behind a firewall, the 1024 to 5000 port range must be open for incoming connections at the firewall. This requirement can expose the server to potential attack because many applications share the WinSock dynamic port range. To reduce the attack surface, you can configure the FTP service to allocate ports for passive-mode connections from a port range above 5000, which allows you to assign a port range to be used exclusively by FTP passive-mode connections and to create firewall and router policies that open that range for incoming TCP connections.

To set the port range for passive-mode connections, edit the PassivePortRange property in the metabase. When you set the port range, consider the number of anticipated concurrent file transfers because each client might need a distinct port. For performance reasons, the port range should be at least two times the number of anticipated concurrent file transfers.
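As an added example that is not part of the original article, the following Python parses the server's 227 reply from the PASV exchange described above and checks whether the advertised data port falls inside a configured PassivePortRange, so an administrator can confirm that the firewall policy only needs to open that range rather than the whole WinSock dynamic range. The configured range, the sizing helper's input and the sample replies are constructed for illustration.

```python
import re

# Default WinSock dynamic range the FTP service allocates passive ports from
# when PassivePortRange is not set (values from the article).
WINSOCK_DYNAMIC_RANGE = (1024, 5000)

# Hypothetical PassivePortRange an administrator has configured above 5000.
CONFIGURED_RANGE = (10000, 10100)

# Constructed 227 replies as an FTP client would receive them after PASV.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,39,16).",   # port 10000, in range
    "227 Entering Passive Mode (192,0,2,10,39,116).",  # port 10100, in range
    "227 Entering Passive Mode (192,0,2,10,40,0).",    # port 10240, above range
    "227 Entering Passive Mode (192,0,2,10,4,210).",   # port 1234, WinSock range
]

# The six comma-separated values are the four address octets followed by the
# high and low bytes of the data port (port = p1 * 256 + p2).
_PASV_RE = re.compile(r"227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 PASV reply; raise ValueError otherwise."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def minimum_range_size(concurrent_transfers):
    """Article guidance: at least twice the anticipated concurrent transfers."""
    return 2 * concurrent_transfers


def classify_pasv_replies(replies, configured_range=CONFIGURED_RANGE):
    """Map each advertised data port to 'ok', 'winsock-dynamic' or 'outside-range'."""
    low, high = configured_range
    result = {}
    for reply in replies:
        _, port = parse_pasv_reply(reply)
        if low <= port <= high:
            result[port] = "ok"
        elif WINSOCK_DYNAMIC_RANGE[0] <= port <= WINSOCK_DYNAMIC_RANGE[1]:
            result[port] = "winsock-dynamic"  # PassivePortRange not in effect
        else:
            result[port] = "outside-range"    # firewall policy would block it
    return result
```

A port classified as winsock-dynamic indicates the server is still handing out ports from the default 1024 to 5000 range, so the metabase change has not taken effect.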

For more information about setting the port range used for FTP passive-mode connections, see PassivePortRange Metabase Property.