Microsoft KB Archive/239041

= IIS: The FTP PORT Command May be Issued Before a Client is Logged On =

Article ID: 239041

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q239041



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When using the FTP Server that ships with Internet Information Services 5.0, you may notice some supposedly inconsistent behavior. For example, if you were to create a control connection to a restricted FTP server (one in which the you do not have a valid logon), then issue a PORT command, this command would result in the server returning the following message:

200 PORT Command Successful.

You are never prompted for credentials during this phase of the FTP connection process even though the FTP site has been restricted (meaning anonymous access is disabled). This may be looked at as a possible security problem, but it is actually normal behavior for FTP.



CAUSE
FTP requires that you are identified before a connection is officially established. In other words, a connection has not officially been made yet. You cannot transfer files unless you first logon the server.



STATUS
This is a known issue with Internet Information Services 5.0 (and most FTP servers as well).

Additional query words: iis ftp port

Keywords: kbbug kbpending KB239041

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.