IIS Answers PASV Commands with Port Numbers in Sequential Order

Article translations Article translations
Article ID: 260934 - View products that this article applies to.
This article was previously published under Q260934
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
Expand all | Collapse all

Symptoms

When FTP is set to Passive mode with Internet Information Services (IIS) on a Windows 2000-based server, data can be "stolen" from the data connection.

When an FTP data transfer is set to passive and a client issues a pasv command, the server responds with a port command that indicates the IP address and port on which the client should connect the data channel. The server then begins listening on a port. The client then issues a get command and connects to the address or port specified in the port command to receive data.

Anyone on the Internet can connect to that port without proper access privileges. After connecting to the port, the user can read or write data to and from the FTP server. This is largely a problem inherent in FTP, but this way of "stealing" data is made easier in IIS because IIS in Windows 2000 returns port numbers in incremental order. This makes predicting the next passive port number easy.

Cause

This behavior is inherent in FTP, but the port numbers are organized by IIS in Windows 2000 in sequential order.

Resolution

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The following registry key has been added to the registry to turn this new code on and off:
HKEY_LOCAL_MACHINE\system\currentControlSet\Services\MSFTPSVC\Parameters

EnablePasvTheft = DWORD 0
Note that Microsoft does not recommend using FTP for highly sensitive data transfer. IIS has a variety of secure data transfer options, including WebDav. For additional information, query the Help system in Windows 2000.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Windows 2000 Service Pack 1.

More information


The fix includes the following features:

In passive mode, the FTP server checks the address of the computer connected to the data port. It must be the same as the computer sending the FTP commands. This solution fixes the issue, but, at the same time, does not allow the exchange of data between two FTP servers through an FTP client. This scenario is compliant with RFC 959.

Properties

Article ID: 260934 - Last Review: October 26, 2013 - Revision: 3.0
Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbnosurvey kbarchive kbbug kbfix kbwin2000sp1fix KB260934

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com