FTP Command Filtering <commandFiltering>


The <commandFiltering> element specifies a collection of FTP commands that the FTP service will allow or deny. The <commandFiltering> element contains a collection of <add> statements that individually specify whether to allow or deny a specific FTP command.

Note: Special attention must be applied when configuring which FTP commands to allow or deny, and whether to deny unlisted commands. For example, denying many commands like USER, PASS, PASV, PORT, etc., will make it impossible for your FTP site to function. Likewise, denying unlisted commands by default will probably be too restrictive and many FTP clients will be unable to access your FTP site.

The collection in the <commandFiltering> element is related to the <requestFiltering> settings; however, while request filtering applies for files and directories and can be configured per URL, the settings under the <commandFiltering> element apply the protocol-level of processing and can only be configured at the site level.

Additional attributes for the <commandFiltering> element are maxCommandLine and allowUnlisted. Respectively, these configure the maximum command line length and whether to allow unlisted commands.


Version Notes
IIS 7.5 The <commandFiltering> element of the <security> element ships as a feature of IIS 7.5.
IIS 7.0 The <commandFiltering> element of the <security> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 The FTP service in IIS 6.0 did not support command filtering.

Note: The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:


With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.


To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

IIS 7.5 for Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

IIS 7.5 for Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  5. Click OK.

IIS 7.0 for Windows Server 2008 and Windows Vista

  1. Download the installation package from the following URL:
  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to deny an FTP command for an FTP site by using command filtering

Note: The following steps use the FTP Request Filtering user interface, which was introduced in FTP 7.5; these steps will not work if you are using FTP 7.0.

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand the Sites node, and then click the name of the site.
  3. In the site's Home pane, double-click the FTP Request Filtering feature.
  4. Click the Commands tab.
  5. Click Deny Command... in the Actions pane.
  6. Enter an FTP command to deny. For example:
    • Many FTP clients do not send or need the SYST command, which may reveal information about your operating system.
    • FTP 7.0 and FTP 7.5 do not implement the ACCT command, so it may be blocked safely.
  7. Click OK.


The <commandFiltering> element is configured at the site level.


Attribute Description
maxCommandLine Optional uint attribute.

Specifies the maximum command line length. It includes the command and parameters. Lines longer than the configured limit will not be processed.

The default value is 4096.
allowUnlisted Optional Boolean attribute.

Specifies whether to allow unlisted commands.

The default value is true.

Child Elements

Element Description
add Optional element.

Adds an entry to the collection of FTP commands.
clear Optional element.

Clears the collection of FTP commands.
remove Optional element.

Removes an entry from the collection of FTP commands.

Configuration Sample

The following sample illustrates several configuration settings in the <ftpServer> element for an FTP site. More specifically, the <site> settings in this example demonstrate how to:

  • Create an FTP site and add the binding for the FTP protocol on port 21.
  • Configure the FTP SSL options to allow secure access on both the control and data channel using a certificate.
  • Disable Anonymous authentication and enable Basic authentication for FTP.
  • Deny access for FTP SYST command.
  • Specify the UNIX directory listing format.
  • Configure the logging options.
  • Specify a customized welcome message and enable local detailed error messages.
  • Specify that users will start in a home directory that is based on their login name, but only if that directory exists.
<site name="ftp.example.com" id="5">
  <application path="/">
   <virtualDirectory path="/" physicalPath="c:\inetpub\www.example.com" />
   <binding protocol="ftp" bindingInformation="*:21:" />
     <ssl controlChannelPolicy="SslAllow"
serverCertHash="57686f6120447564652c2049495320526f636b73" />
       <basicAuthentication enabled="true" />
       <anonymousAuthentication enabled="false" />
     <commandFiltering maxCommandLine="4096" allowUnlisted="true">
       <add command="SYST" allowed="false" />
   <directoryBrowse showFlags="StyleUnix" />
   <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, FtpStatus, Win32Status, ServerPort, FtpSubStatus, Session, FullPath, Info" />
   <messages expandVariables="true"
greetingMessage="Welcome %UserName%!"
allowLocalDetailedErrors="true" />
   <userIsolation mode="StartInUsersDirectory" />

Sample Code

The following examples configure the Default Web Site to allow unlisted FTP commands and to deny the SYST command.


appcmd.exe set config -section:system.applicationHost/sites /[name='Default Web Site'].ftpServer.security.commandFiltering.allowUnlisted:"True" /commit:apphost

appcmd.exe set config -section:system.applicationHost/sites /+"[name='Default Web Site'].ftpServer.security.commandFiltering.[command='SYST',allowed='False']" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample { private static void Main() { using (ServerManager serverManager = new ServerManager()) { Configuration config = serverManager.GetApplicationHostConfiguration(); ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites"); ConfigurationElementCollection sitesCollection = sitesSection.GetCollection(); ConfigurationElement siteElement = FindElement(sitesCollection, "site", "name", @"Default Web Site"); if (siteElement == null) throw new InvalidOperationException("Element not found!"); ConfigurationElement ftpServerElement = siteElement.GetChildElement("ftpServer"); ConfigurationElement securityElement = ftpServerElement.GetChildElement("security"); ConfigurationElement commandFilteringElement = securityElement.GetChildElement("commandFiltering"); ConfigurationElementCollection commandFilteringCollection = commandFilteringElement.GetCollection(); commandFilteringElement["allowUnlisted"] = true; ConfigurationElement addElement = commandFilteringCollection.CreateElement("add"); addElement["command"] = @"SYST"; addElement["allowed"] = false; commandFilteringCollection.Add(addElement); serverManager.CommitChanges(); } } private static ConfigurationElement FindElement(ConfigurationElementCollection collection, string elementTagName, params string[] keyValues) { foreach (ConfigurationElement element in collection) { if (String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase)) { bool matches = true; for (int i = 0; i < keyValues.Length; i += 2) { object o = element.GetAttributeValue(keyValues[i]); string value = null; if (o != null) { value = o.ToString(); } if (!String.Equals(value, keyValues[i + 1], StringComparison.OrdinalIgnoreCase)) { matches = false; break; } } if (matches) { return element; } } } return null; } }


Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
      Dim sitesCollection As ConfigurationElementCollection = sitesSection.GetCollection
      Dim siteElement As ConfigurationElement = FindElement(sitesCollection, "site", "name", "Default Web Site")

      If (siteElement Is Nothing) Then
         Throw New InvalidOperationException("Element not found!")
      End If

      Dim ftpServerElement As ConfigurationElement = siteElement.GetChildElement("ftpServer")
      Dim securityElement As ConfigurationElement = ftpServerElement.GetChildElement("security")
      Dim commandFilteringElement As ConfigurationElement = securityElement.GetChildElement("commandFiltering")
      Dim commandFilteringCollection As ConfigurationElementCollection = commandFilteringElement.GetCollection

      commandFilteringElement("allowUnlisted") = True

      Dim addElement As ConfigurationElement = commandFilteringCollection.CreateElement("add")
      addElement("command") = "SYST"
      addElement("allowed") = False

   End Sub

   Private Function FindElement(ByVal collection As ConfigurationElementCollection, ByVal elementTagName As String, ByVal ParamArray keyValues() As String) As ConfigurationElement
      For Each element As ConfigurationElement In collection
         If String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase) Then
            Dim matches As Boolean = True
            Dim i As Integer
            For i = 0 To keyValues.Length - 1 Step 2
               Dim o As Object = element.GetAttributeValue(keyValues(i))
               Dim value As String = Nothing
               If (Not (o) Is Nothing) Then
                  value = o.ToString
               End If
               If Not String.Equals(value, keyValues((i + 1)), StringComparison.OrdinalIgnoreCase) Then
                  matches = False
                  Exit For
               End If
            If matches Then
               Return element
            End If
         End If
      Return Nothing
   End Function

End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var sitesCollection = sitesSection.Collection;

var siteElementPos = FindElement(sitesCollection, "site", ["name", "Default Web Site"]);
if (siteElementPos == -1) throw "Element not found!";

var siteElement = sitesCollection.Item(siteElementPos);

var ftpServerElement = siteElement.ChildElements.Item("ftpServer");
var securityElement = ftpServerElement.ChildElements.Item("security");
var commandFilteringElement = securityElement.ChildElements.Item("commandFiltering");

commandFilteringElement.Properties.Item("allowUnlisted").Value = true;

var commandFilteringCollection = commandFilteringElement.Collection;

var addElement = commandFilteringCollection.CreateNewElement("add");
addElement.Properties.Item("command").Value = "SYST";
addElement.Properties.Item("allowed").Value = false;


function FindElement(collection, elementTagName, valuesToMatch) {
   for (var i = 0; i < collection.Count; i++) {
      var element = collection.Item(i);
      if (element.Name == elementTagName) {
         var matches = true;
         for (var iVal = 0; iVal < valuesToMatch.length; iVal += 2) {
            var property = element.GetPropertyByName(valuesToMatch[iVal]);
            var value = property.Value;
            if (value != null) {
               value = value.toString();
            if (value != valuesToMatch[iVal + 1]) {
               matches = false;
         if (matches) {
            return i;
   return -1;


Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set sitesCollection = sitesSection.Collection

siteElementPos = FindElement(sitesCollection, "site", Array("name", "Default Web Site"))
If siteElementPos = -1 Then
   WScript.Echo "Element not found!"
End If

Set siteElement = sitesCollection.Item(siteElementPos)
Set ftpServerElement = siteElement.ChildElements.Item("ftpServer")
Set securityElement = ftpServerElement.ChildElements.Item("security")
Set commandFilteringElement = securityElement.ChildElements.Item("commandFiltering")

commandFilteringElement.Properties.Item("allowUnlisted").Value = True

Set commandFilteringCollection = commandFilteringElement.Collection

Set addElement = commandFilteringCollection.CreateNewElement("add")
addElement.Properties.Item("command").Value = "SYST"
addElement.Properties.Item("allowed").Value = False


Function FindElement(collection, elementTagName, valuesToMatch)
   For i = 0 To CInt(collection.Count) - 1
      Set element = collection.Item(i)
      If element.Name = elementTagName Then
         matches = True
         For iVal = 0 To UBound(valuesToMatch) Step 2
            Set property = element.GetPropertyByName(valuesToMatch(iVal))
            value = property.Value
            If Not IsNull(value) Then
               value = CStr(value)
            End If
            If Not value = CStr(valuesToMatch(iVal + 1)) Then
               matches = False
               Exit For
            End If
         If matches Then
            Exit For
         End If
      End If
   If matches Then
      FindElement = i
      FindElement = -1
   End If
End Function
Deprecated Elements