How to perform a server-to-server FTP transfer by using IIS

Article ID: 247132 - View products that this article applies to.
This article was previously published under Q247132
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
(http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1
(http://www.iis.net/default.aspx?tabid=1)
Expand all | Collapse all

On This Page

SUMMARY

This step-by-step article describes how to configure a computer that is running Microsoft Internet Information Services (IIS) to allow server-to-server FTP transfers by modifying values in the system registry.

Note By default, these values are disabled to prevent malicious attacks against the file transfer protocol (FTP) service. Although details for configuring server-to-server transfers are listed in this article, Microsoft does not recommend modifying these registry keys on IIS-based FTP servers that are connected to the Internet.

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that are required:
  • Two computers that are running the IIS FTP Service, with the configured changes that are described in the "Server Configuration" section.
  • A third computer with the command-line FTP that is included with Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, and Microsoft Windows 2000, or another FTP client that supports issuing literal FTP commands.

Server configuration

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows

IIS 6.0

  1. On the server that initiates the data channel, set the following value in the registry to allow server-to-server FTP transfers when you issue commands from a client that is not located on either of the two FTP servers:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\EnableDataConnTo3rdIP=1
  2. On the second server, set the following value in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\EnablePasvConnFrom3rdIP=1

IIS 5.0

  1. Set the following value in the registry on both FTP servers to allow server-to-server FTP transfers when you issue commands from a client that is not located on either of the two FTP servers:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\EnablePortAttack = 1
  2. Set the following value in the registry on the server that will issue the literal port command (Client1 in the example):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\EnablePASVTheft = 1
    Note By default, this value does not exist in the registry, and it requires Windows 2000 Service Pack 1 (SP1) or later to be recognized.

IIS 4.0

  1. Set the following value in the registry on the server that will issue the literal port command (Client1 in the example) to allow server-to-server FTP transfers when you issue commands from a client that is not located on either of the two FTP servers:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\EnablePortAttack = 1
  2. If you are using IIS 4.0 computers that are running Windows NT 4.0 Service Pack 6a or earlier, install the fix that is described in the following Microsoft Knowledge Base article to allow the EnablePortAttack registry key to function properly:
    246173
    (http://support.microsoft.com/kb/246173/ )
    FTP server does not allow FTP server-to-server connection

Example

In typical client/server FTP transfers, the user is only responsible for sending "friendly" commands to the server; the client responds automatically. When a server-to-server FTP transfer is performed, another server is the client. Therefore, the user is responsible for sending all FTP commands to both servers (in RFC959 format, these are preceded by the "literal" keyword).

To transfer a binary file (named myFile.xls) from Server1 (IP address: 192.168.0.10) to Server2 (IP address: 192.168.1.20) by using the command-line FTP client on Workstation1, follow these steps:

Note You must have Write permissions enabled on Server2 for this example to work.
  1. Connect to Server1 by using a command-line FTP client. (This connection will be referred to as Client1).
  2. Connect to Server2 by using a command-line FTP client. (This connection will be referred to as Client2).
  3. Issue the following command in Client2:
    literal pasv
    The response is as follows:
    227 Entering Passive Mode (192,168,1,20,15,61)
    Note that 15,61 represents the low and high order bytes of the port number (port 3901 in this case), which is randomly assigned with each FTP connection. As a result, the last two numbers of this string are different.
  4. Issue the following command in Client1:
    literal port 192,168,1,20,15,61
    The response is as follows:
    200 Port Command Successful
    Use the IP and port string that is returned in step 3.
  5. Issue the following command in both Client1 and Client2:
    literal type i
    The response is as follows:
    200 Type set to I
  6. Issue the following command in Client1:
    literal retr myFile.xls
    The response is as follows:
    125 Data Connection already open; Transfer Starting
  7. Issue the following command in Client2:
    literal stor myFile.xls
    The response is as follows:
    Opening BINARY mode data connection for myFile.xls
  8. Continue to issue the following command on Client2 until you receive a 211 "No data connection" response message:
    literal stat
    This 211 response message is several lines long and indicates that the transfer is no longer in progress.
To transfer files from Server2 to Server1, issue the literal retr command from Client1 and the literal stor command from Client2.
Back to the top | Give Feedback

MORE INFORMATION

For more information about server-to-server FTP transfers in IIS 6.0, visit the following Microsoft TechNet Web site:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/38b012c0-442a-491c-aafc-c174b0048546.mspx
(http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/38b012c0-442a-491c-aafc-c174b0048546.mspx)
Back to the top | Give Feedback

REFERENCES

For more information about the FTP Bounce attack, click the following article number to view the article in the Microsoft Knowledge Base:
185378
(http://support.microsoft.com/kb/185378/ )
IIS 4.0: FTP "Bounce" attack and CERT Advisory CA-97.27
For more information about the registry keys that are listed in this article, click the following article number to view the article in the Microsoft Knowledge Base:
260934
(http://support.microsoft.com/kb/260934/ )
IIS answers PASV commands with port numbers in sequential order
For more information about how to enhance IIS security, click the following article number to view the article in the Microsoft Knowledge Base:
282060
(http://support.microsoft.com/kb/282060/ )
Resources for securing Internet Information Services
For more information about the FTP service that is included with IIS, click the following article number to view the article in the Microsoft Knowledge Base:
283679
(http://support.microsoft.com/kb/283679/ )
Information about the IIS File Transmission Protocol (FTP) service
For more information about port, pasv, stor, retr, stat, and other literal FTP commands, visit the following World Wide Web Consortium (W3C) Web site:
RFC 959 - FILE TRANSFER PROTOCOL (FTP)
http://www.w3.org/Protocols/rfc959
(http://www.w3.org/Protocols/rfc959)
Back to the top | Give Feedback

Properties

Article ID: 247132 - Last Review: July 7, 2008 - Revision: 4.1
APPLIES TO
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0
Keywords: 
kbhowtomaster KB247132
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top