Configuring IIS FTP Firewall Settings

So I was working with a client site. I’ve got a convoluted mess (at times) of TeamViewer / LogMeIn / RDP (Remote Desktop) connections to get where I need to go – and of course, FTP. Went to connect via FTP and had problems – it hadn’t been up in a while, so I had rather forgotten about the Windows firewall being enabled. I was getting a message about not being able to connect. Wish I’d written it down, but I knew from the message that it was having a problem getting the data packets back. I confirmed this by turning off the Windows firewall and indeed it worked immediately. So… NOW, how to configure the firewall so I didn’t have to go through this little “Oh yeah, I remember now!” moment every month or three?

Anyone that has followed my blog at all knows that I get REAL annoyed with all the server hack attempts. Even though I was doing a reasonable job of keeping script kiddies at bay, it was just a real drain on the web servers getting pounded left and right from China and North Korea. I finally gave up on trying to obfuscate my ports and just finally said the heck with it. I almost exclusively now use remote access software such as LogMeIn and TeamViewer. It allows me to completely lock down the ports with the exception of the HTTP port.  It’s just a whole lot easier and safer.  However, I still need FTP access to be reasonably efficient.

I honestly ALWAYS change the port for FTP. There are SO many bots out there that it’s just a neverending stream of hacker-wanna-be bots slamming my virtual servers and if I have ANY default port open, they’re going to be banging on it. By changing the port though, the scripts hardly ever try that port. Now a good hacker that’s personally working over your server would obviously scan it, but the whole idea is to just NOT be the low hanging fruit.

This will allow you to set up an alternative port number on your FTP server – and then lock the baby down on the following OSes!

  • Windows 2003 Server with IIS6
  • Windows 2008 Server with IIS7

To set up the IIS FTP service to work with passive mode, the steps are:

  1. Set up the FTP site to use an alternative port
  2. Add the passive port range in IIS
  3. Add a firewall exception in Windows Firewall

For Windows 2003 IIS Server

Add a new FTP site and set it to your alternative port

  • Won’t go into that configuration here – if you can’t figure THIS part out, you probably need to be letting someone with a little more experience go through this…

Add Passive port range in IIS

a) To Enable Direct Metabase Edit

  • Open the IIS Microsoft Management Console (MMC).
  • Right-click on the Local Computer node.
  • Select Properties.
  • Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script

  • Click Start, click Run, type cmd, and then click OK.
  • Type cd Inetpub\AdminScripts and then press ENTER.
  • Type the following command from the command prompt:
    • adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700" – You can pick any range you really want, just NOT one that is already being used…
  • Restart the FTP service. I needed to restart the whole IIS server all the way to get it to kick in.

You’ll see the following output when you configure via the ADSUTIL script:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

PassivePortRange : (STRING) "5500-5700"

Add firewall exception in Windows Firewall

To add a range of ports to Windows Firewall from the Command Line

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type in the following, where the range is specified in ( ) and the name of the firewall entry is in " ":
    FOR /L %I IN (5500,1,5700) DO netsh firewall add portopening TCP %I "Passive FTP %I"
  3. Each port in the range will be added with an “OK” confirmation. It DOES take a few minutes so be prepared.

Or you can manually add the port exception as follows.

  1. Click Start >> Run >> firewall.cpl (hit Enter), and select the Exceptions tab.
  2. Click the Add Port button.
  3. Enter a Name for the Exception and the first number in the port range.
  4. Click TCP if not already selected and click OK.
  5. Repeat for each port in the range – for large ranges see the end of the document.
  6. Enable the Windows Firewall on the General Tab.

For Windows 2008 Server

I just haven’t gotten around to using the 2008 server yet, but probably will in the near future – so added the 2008 section for it for my own benefit going forward 🙂

A) Add Passive port range in IIS

1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.
2. Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
2. You can enter a special port range of "0-0" to configure the FTP server to use the Windows TCP/IP dynamic port range. The default dynamic port range in Windows 2008 Server is from 49152 to 65535.

You can view these details by issuing the following command on the server:

C:\Users\Administrator>netsh int ipv4 show dynamicport tcp

3. For additional information, please see the following Microsoft Knowledge Base articles:

* 929851 – http://support.microsoft.com/kb/929851/

4. This port range will need to be added to the allowed settings for your firewall server.

To configure the external IPv4 Address for a Specific FTP Site
1. Go to IIS 7.0 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.
2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.
3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.
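The External IP Address of Firewall setting matters because the server puts that address, together with a port from the Data Channel Port Range, into every PASV reply it sends; the client then connects to whatever the reply says. The PowerShell below is an added example, not code from the original post or from Microsoft: it parses a 227 reply and checks both values against the configured external address and range, so a failing passive transfer can be traced to a wrong external address or a mismatched range. The external address 203.0.113.10, the private address 10.0.0.5 and both reply strings are constructed; the range 5500-5700 is the one used earlier in the post.

```powershell
# Added example (not from the original post): check an FTP 227 (PASV) reply against
# the external firewall address and the passive data range configured in IIS.
# Constructed values: external address 203.0.113.10, private address 10.0.0.5, both replies.

function ConvertFrom-PasvReply {
    param([Parameter(Mandatory=$true)][string]$Reply)
    # RFC 959 form: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
    $m = [regex]::Match($Reply, '227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)')
    if (-not $m.Success) { throw "Not a 227 PASV reply: $Reply" }
    $octets = 1..4 | ForEach-Object { [int]$m.Groups[$_].Value }
    $p1 = [int]$m.Groups[5].Value
    $p2 = [int]$m.Groups[6].Value
    New-Object PSObject -Property @{
        Address = ($octets -join '.')
        Port    = ($p1 * 256) + $p2   # the data port is sent as two bytes, high then low
    }
}

function Test-PasvReply {
    param(
        [Parameter(Mandatory=$true)][string]$Reply,
        [Parameter(Mandatory=$true)][string]$ExpectedExternalIp,
        [int]$RangeStart = 5500,
        [int]$RangeEnd   = 5700
    )
    $pasv = ConvertFrom-PasvReply -Reply $Reply
    $problems = @()
    # A private or wrong address here means the "External IP Address of Firewall" setting is
    # missing or stale: the client would try the server's internal address and time out.
    if ($pasv.Address -ne $ExpectedExternalIp) {
        $problems += "advertised address $($pasv.Address) is not the firewall's external address $ExpectedExternalIp"
    }
    # A port outside the configured range means IIS and the firewall rules disagree.
    if ($pasv.Port -lt $RangeStart -or $pasv.Port -gt $RangeEnd) {
        $problems += "advertised data port $($pasv.Port) is outside $RangeStart-$RangeEnd"
    }
    New-Object PSObject -Property @{
        Address  = $pasv.Address
        Port     = $pasv.Port
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample replies: one correct, one that leaks the server's private address.
$good = '227 Entering Passive Mode (203,0,113,10,21,124).'   # 21*256 + 124 = port 5500
$bad  = '227 Entering Passive Mode (10,0,0,5,21,124).'
Test-PasvReply -Reply $good -ExpectedExternalIp '203.0.113.10' | Format-List
Test-PasvReply -Reply $bad  -ExpectedExternalIp '203.0.113.10' | Format-List
```

The 227 line can be copied straight from any FTP client's verbose log after a failed transfer and passed to Test-PasvReply; the two sample replies show the good case and the case where the external address was never set.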

B. Add firewall exception in Windows Firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following, where the range is specified in ( ) and the name of the firewall entry is in " ":

   FOR /L %I IN (49152,1,65535) DO netsh advfirewall firewall add rule name="Passiveport %I" dir=in action=allow protocol=TCP localport=%I

3. Each port in the range will be added with an “OK” confirmation.

The command to add an individual port exception is pasted below.

C:\Users\Administrator>netsh advfirewall firewall add rule name="OpenPort65535" dir=in action=allow protocol=TCP localport=65535
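The loop above creates one rule per port, which for the default dynamic range means 16,384 rules to create and later audit. netsh advfirewall accepts a port range in localport, so one inbound rule covers the whole data channel. The PowerShell below is an added example, not code from the original post or from Microsoft: it validates the range the way the notes above describe (1024 through 65535, or "0-0" meaning the dynamic range read from netsh int ipv4 show dynamicport tcp), then creates one rule for the control port and one for the data range and shows the result. The control port 2121 and the rule names are assumptions; the range 5500-5700 is the one used earlier in the post. Run it in an elevated PowerShell on the server; the parsing of the netsh output assumes the English text shown in the notes above.

```powershell
# Added example (not from the original post): one inbound rule for the whole passive range.
# Assumptions: control port 2121 (an alternative to the default 21), rule names chosen here,
# English output from "netsh int ipv4 show dynamicport tcp".

function Get-DynamicTcpRange {
    # The range IIS uses when the Data Channel Port Range is set to "0-0".
    $out = netsh int ipv4 show dynamicport tcp
    $start = [int](($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    New-Object PSObject -Property @{ Start = $start; End = $start + $count - 1 }
}

function Resolve-PassiveRange {
    param([Parameter(Mandatory=$true)][string]$Range)
    # Same rules as the notes above: "0-0" means the dynamic range; anything else must sit in 1024-65535.
    if ($Range -eq '0-0') { return Get-DynamicTcpRange }
    if ($Range -notmatch '^(\d+)-(\d+)$') { throw "Range must look like 5500-5700, got '$Range'" }
    $start = [int]$matches[1]
    $end   = [int]$matches[2]
    if ($start -lt 1024 -or $end -gt 65535 -or $start -gt $end) {
        throw "Passive range must lie within 1024-65535 with start <= end, got '$Range'"
    }
    New-Object PSObject -Property @{ Start = $start; End = $end }
}

function Add-PassiveFtpRules {
    param(
        [int]$ControlPort = 2121,            # assumed alternative FTP control port
        [string]$PassiveRange = '5500-5700'  # the range configured in IIS earlier in the post
    )
    $r = Resolve-PassiveRange -Range $PassiveRange
    # dir=in, not out: in passive mode the client opens the data connection to the server,
    # so the server side must accept inbound connections on the data ports.
    $control = @('advfirewall', 'firewall', 'add', 'rule', "name=FTP control $ControlPort",
                 'dir=in', 'action=allow', 'protocol=TCP', "localport=$ControlPort")
    $data    = @('advfirewall', 'firewall', 'add', 'rule', 'name=FTP passive data',
                 'dir=in', 'action=allow', 'protocol=TCP', "localport=$($r.Start)-$($r.End)")
    & netsh $control
    & netsh $data
    # Show the rule that was created so the range can be compared with the IIS setting.
    & netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=FTP passive data')
}

Add-PassiveFtpRules -ControlPort 2121 -PassiveRange '5500-5700'
```

Each argument is passed as a separate array element so that rule names containing spaces reach netsh intact; the final show rule call prints the LocalPort line, which should read exactly the range entered in FTP Firewall Support.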

References

http://support.microsoft.com/kb/555022

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

http://sakafi.wordpress.com/2009/08/20/how-to-configure-passiveportrange-in-iis/

Author: Eric Erickson
