Windows 2003 Server SP1 Firewall Modification for Passive or PASV FTP Connections

WINDOWS/IIS 2007/06/04 13:10
(Portions of this document are paraphrased from or directly copied from Microsoft KB article 555022 by Bernard Cheah, MVP.)

Passive mode FTP connections are normally required by clients connecting through a NAT firewall or router. The client connects on port 21 and issues a PASV command; the server responds with a port in the 1024-65535 range for the data connection. After the client issues a data-connection command, the server connects to the client using the port immediately above the client-side port of the control connection.

The Windows 2003 SP1 Firewall will prevent PASV FTP from working properly unless exceptions for those ports are created. A metabase property named PassivePortRange can be configured to specify the port range the server will respond with, which limits the exposure of the FTP server to that range. The property only exists in IIS 6.0. Support for IIS 5.0 on Windows 2000 can be added, but the system administrator will need to install Service Pack 4 and add the PassivePortRange key in the system registry. Two ports must be opened for each concurrent FTP connection.

On Windows 2003 Server with IIS6
  • To Enable Direct Metabase Edit
    1. Open the IIS Microsoft Management Console (MMC).
    2. Right-click on the Local Computer node.
    3. Select Properties.
    4. Make sure the Enable Direct Metabase Edit checkbox is checked.
  • Configure PassivePortRange via ADSUTIL script
    1. Click Start, click Run, type cmd, and then click OK.
    2. Type cd Inetpub\AdminScripts and then press ENTER.
    3. Type the following command, where the range is specified in "..":
       cscript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "5001-5201"
    4. Restart the FTP Publishing Service.
    You'll see the following output, when you configure via ADSUTIL script:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    PassivePortRange : (STRING) "5001-5201"

  • Add each port to the Windows Firewall
    1. Click Start, click Control Panel, open Windows Firewall, and select the Exceptions tab.
    2. Click the Add Port button.
    3. Enter a Name for the Exception and the first number in the port range.
    4. Click TCP if not already selected and click OK.
    5. Repeat for each port in the range - for large ranges see the end of the document.
    6. Enable the Windows Firewall on the General Tab.

On Windows 2000 Server with IIS5, configure PassivePortRange via Registry Editor
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
  3. Add a value named "PassivePortRange" (without the quotation marks) of type REG_SZ.
  4. Close Registry Editor.
  5. Restart the FTP Publishing Service.
    Note: The range that FTP will validate is from 5001 to 65535.

To add a range of ports to Windows Firewall from the Command Line
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following, where the range is specified in ( ) and the name of the firewall entry is in " " (this form is for the interactive command prompt; inside a batch file the loop variable is written %%I):
    FOR /L %I IN (5001,1,5201) DO netsh firewall add portopening TCP %I "Passive FTP %I"
  3. Each port in the range will be added with an "OK" confirmation.
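As an added check that is not part of the original post or the KB article, the following Python script validates a PassivePortRange string against the 5001-65535 window noted above and lists the ports in that range that have no enabled TCP exception in the output of "netsh firewall show portopening". The row layout it parses (port, protocol, mode, name) and the sample output are assumptions constructed for the example.

```python
import re

# Port window the FTP service validates for PassivePortRange (from the note above)
MIN_PASSIVE_PORT, MAX_PASSIVE_PORT = 5001, 65535
_RANGE_RE = re.compile(r"^\s*(\d{1,5})\s*-\s*(\d{1,5})\s*$")
# Assumed row layout of 'netsh firewall show portopening': port, protocol, mode, name
_PORTOPENING_RE = re.compile(r"^\s*(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*?)\s*$")

def parse_passive_port_range(value):
    """Parse "5001-5201" into (5001, 5201); reject malformed, reversed or out-of-window ranges."""
    m = _RANGE_RE.match(value)
    if not m:
        raise ValueError(f"malformed PassivePortRange: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"range is reversed: {low}-{high}")
    if low < MIN_PASSIVE_PORT or high > MAX_PASSIVE_PORT:
        raise ValueError(f"{low}-{high} is outside {MIN_PASSIVE_PORT}-{MAX_PASSIVE_PORT}")
    return low, high

def enabled_tcp_exceptions(netsh_output):
    """Collect the TCP ports that have an enabled exception in the netsh output."""
    ports = set()
    for line in netsh_output.splitlines():
        m = _PORTOPENING_RE.match(line)
        if m and m.group(2) == "TCP" and m.group(3) == "Enable":
            ports.add(int(m.group(1)))
    return ports

def missing_exceptions(passive_port_range, netsh_output):
    """Sorted list of ports in the configured range that lack an enabled TCP exception."""
    low, high = parse_passive_port_range(passive_port_range)
    opened = enabled_tcp_exceptions(netsh_output)
    return [p for p in range(low, high + 1) if p not in opened]

# Constructed sample of 'netsh firewall show portopening' output, not a real capture
SAMPLE_NETSH_OUTPUT = """\
Port   Protocol  Mode     Name
-------------------------------------------------------------------
21     TCP       Enable   FTP Server
5001   TCP       Enable   Passive FTP 5001
5002   TCP       Enable   Passive FTP 5002
5003   TCP       Disable  Passive FTP 5003
5004   UDP       Enable   Passive FTP 5004
"""

if __name__ == "__main__":
    # Ports 5003 (disabled), 5004 (UDP only), 5005 and 5006 (absent) are reported
    print(missing_exceptions("5001-5006", SAMPLE_NETSH_OUTPUT))
```

Feed it the real netsh output from the server to confirm that every port in the configured range is actually reachable before enabling the firewall.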


If the authentication (control) port of Windows IIS FTP is changed from 21 to some other arbitrary port, the data port also changes to an arbitrary port.
When a client connects in passive mode rather than active mode (port 20) for data transfer, the server opens an arbitrary port as the data port, so upstream firewalls such as 엘켑 cannot be configured for it.
This post introduces a way to solve that problem by fixing the passive port.

1. Check [Internet Information Services Manager] - [Local Computer] - [Properties] - [Enable Direct Metabase Edit].
2. Open metabase.xml under C:\WINDOWS\system32\inetsrv in Notepad.
3. Add the following line to the <IIsFtpService> element.
  With this setting, TCP 5001 is forced as the passive data port.
4. Save the edited metabase.xml file.
5. Restart IIS once more.
6. If IPsec or a firewall is configured, add TCP 5001 to it.

On Windows 2000 Server, a registry value must be added instead.

Under that key, add a value named PassivePortRange of type REG_SZ.

Set its value to 5001-5001.
