FTP over SSL <ssl>

Overview

The <ssl> element specifies the FTP over Secure Sockets Layer (SSL) settings for the FTP service; FTP over SSL was first introduced for IIS 7 in FTP 7.0.

Unlike using HTTP over SSL, which requires a separate port and connection for secure (HTTPS) communication, secure FTP communication occurs on the same port as non-secure communication. FTP 7 supports two different forms of FTP over SSL:

  • Explicit FTPS: By default, FTP sites and clients use port 21 for the control channel, and the server and client will negotiate secondary ports for data channel connections. In a typical FTP request, an FTP client will connect to an FTP site over the control channel, and then the client can negotiate SSL/TLS with the server for either the control channel or the data channel. When you are using FTP 7, you are using Explicit SSL if you enable FTPS and you assign the FTP site to any port other than port 990.
  • Implicit FTPS: Implicit FTPS is an older form of FTP over SSL that is still supported by FTP 7. With Implicit FTPS, an SSL handshake must be negotiated before any FTP commands can be sent by the client. In addition, even though Explicit FTPS allows the client to arbitrarily decide whether to use SSL, Implicit FTPS requires that the entire FTP session must be encrypted. When you are using FTP 7, you are using Implicit SSL if you enable FTPS and you assign the FTP site to port 990.

Depending on the security options that you configure in the controlChannelPolicy and dataChannelPolicy attributes, an FTP client may switch between secure and non-secure multiple times in a single Explicit FTPS session. There are several ways that this might be implemented depending on your business needs:

controlChannelPolicy dataChannelPolicy Notes
SslAllow SslAllow This configuration allows the client to decide whether any part of the FTP session should be encrypted.
SslRequireCredentialsOnly SslAllow This configuration protects your FTP client credentials from electronic eavesdropping, and allows the client to decide whether data transfers should be encrypted.
SslRequireCredentialsOnly SslRequire This configuration requires that the client's credentials must be secure, and then allows the client to decide whether FTP commands should be encrypted. However, all data transfers must be encrypted.
SslRequire SslRequire This configuration is the most secure - the client must negotiate SSL by using the FTPS-related commands before other FTP commands are allowed, and all data transfers must be encrypted.

Compatibility

Version Notes
IIS 10.0 The <ssl> element was not modified in IIS 10.0.
IIS 8.5 The <ssl> element was not modified in IIS 8.5.
IIS 8.0 The <ssl> element was not modified in IIS 8.0.
IIS 7.5 The <ssl> element of the <security> element ships as a feature of IIS 7.5.
IIS 7.0 The <ssl> element of the <security> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 The FTP service in IIS 6.0 did not support FTP over SSL.

Note

The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

https://www.iis.net/expand/FTP

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.

Setup

To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

Windows Server 2012 or Windows Server 2012 R2

  1. On the taskbar, click Server Manager.

  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.

  3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.

  4. On the Server Roles page, expand Web Server (IIS), and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will need to select FTP Extensibility, in addition to FTP Service.
    Screenshot of Web Server I I S and F T P Server pane expanded with F T P Extensibility highlighted. .

  5. Click Next, and then on the Select features page, click Next again.

  6. On the Confirm installation selections page, click Install.

  7. On the Results page, click Close.

Windows 8 or Windows 8.1

  1. On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.

  2. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.

  3. Expand Internet Information Services, and then select FTP Server.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot of Internet Information Services and F T P Server pane expanded with F T P Extensibility highlighted.

  4. Click OK.

  5. Click Close.

Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).

  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.

  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.

  5. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot of F T P Server expanded with F T P Service selected.

  6. Click Next.

  7. On the Confirm Installation Selections page, click Install.

  8. On the Results page, click Close.

Windows 7

  1. On the taskbar, click Start, and then click Control Panel.

  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.

  3. Expand Internet Information Services, and then FTP Server.

  4. Select FTP Service.

    Note

    To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
    Screenshot of Internet Information Services and F T P Server pane expanded with both F T P Extensibility and F T P Service selected.

  5. Click OK.

Windows Server 2008 or Windows Vista

  1. Download the installation package from the following URL:

  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to configure SSL options for an FTP site

  1. Open Internet Information Services (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2:

      • On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows 8 or Windows 8.1:

      • Hold down the Windows key, press the letter X, and then click Control Panel.
      • Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
    • If you are using Windows Server 2008 or Windows Server 2008 R2:

      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:

      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand the Sites node, and then click the name of the site.

  3. In the site's Home pane, double-click the FTP SSL Settings feature.
    Screenshot of the site Home pane with F T P S S L Settings highlighted.

  4. From the SSL Certificate list, select the certificate that you want to use for connections to the FTP server.
    Screenshot of F T P S S L Settings page displaying the field for S S L Certificate and S S L Policy option.

  5. Under SSL Policy, select one of the following options:

    • Allow SSL connections: Allows the FTP server to support both non-SSL and SSL connections with a client.

    • Require SSL connections: Requires SSL encryption for communication between the FTP server and a client.

    • Custom: Enables you to configure a different SSL encryption policy for the control channel and the data channel. If you choose this option, click the Advanced... button. When the Advanced SSL Policy dialog box opens, select the following options:

      • Under Control Channel select one of the following options for SSL encryption over the control channel:

        • Allow: Specifies that SSL is allowed for the control channel; an FTP client may use SSL for the control channel, but it is not required.
        • Require: Specifies that SSL is required for the control channel; an FTP client may not switch to a non-secure mode of communication for the control channel.
        • Require only for credentials: Specifies that only the user credentials have to be sent over SSL session; an FTP client must use SSL for their user name and password, but the client is not required to use SSL for the control channel after they have logged in.
      • Under Data Channel, select one of the following options for SSL encryption over the data channel:

        • Allow: SSL is allowed for the data channel; an FTP client may use SSL for the data channel, but it is not required.
        • Require: SSL is required for the data channel; an FTP client may not switch to a non-secure mode of communication for the data channel.
        • Deny: SSL is denied for the data channel; an FTP client may not use SSL for the data channel.
      • Click OK to close the Advanced SSL Policy dialog box.

  6. In the Actions pane, click Apply.

Configuration

The <ssl> element is configured at the site level.

Attributes

Attribute Description
controlChannelPolicy Optional enum attribute.

Specifies the SSL policy for the FTP control channel.

Note: There is no enum value that denies SSL for the command channel; to deny SSL, do not bind an SSL certificate to the FTP site by specifying a certificate hash in the serverCertHash attribute.
Value Description
SslAllow Specifies that SSL is allowed for the control channel.

The numeric value is 0.
SslRequire Specifies that SSL is required for the control channel.

The numeric value is 1.
SslRequireCredentialsOnly Specifies that only the "USER" and "PASS" commands have to be sent over SSL session. After an FTP client has logged in, the client can switch to a non-secure mode.

The numeric value is 2.
The default value is SslRequire.
dataChannelPolicy Optional enum attribute.

Specifies the SSL policy for the FTP data channel.
Value Description
SslAllow Specifies that SSL is allowed for the data channel.

The numeric value is 0.
SslRequire Specifies that SSL is required for the data channel.

The numeric value is 1.
SslDeny Specifies that SSL is denied for the data channel.

The numeric value is 2.
The default value is SslRequire.
serverCertHash Optional string attribute.

Specifies the thumbprint hash for the server side certificate to use for SSL connections.

There is no default value.
serverCertStoreName Optional string attribute.

Specifies the certificate store for server SSL certificates.

The default value is MY.
ssl128 Optional Boolean attribute.

Specifies whether 128-bit SSL is required.

The default value is false.

Child Elements

None.

Configuration Sample

The following sample illustrates several configuration settings in the <ftpServer> element for an FTP site. More specifically, the <site> settings in this example demonstrate how to:

  • Create an FTP site and add the binding for the FTP protocol on port 21.
  • Configure the FTP SSL options to allow secure access on both the control and data channel using a certificate.
  • Disable Anonymous authentication and enable Basic authentication for FTP.
  • Deny access for FTP SYST command.
  • Specify the UNIX directory listing format.
  • Configure the logging options.
  • Specify a customized welcome message and enable local detailed error messages.
  • Specify that users will start in a home directory that is based on their login name, but only if that directory exists.
<site name="ftp.example.com" id="5">
  <application path="/">
    <virtualDirectory path="/" physicalPath="c:\inetpub\www.example.com" />
  </application>
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <ftpServer>
    <security>
      <ssl controlChannelPolicy="SslAllow"
         dataChannelPolicy="SslAllow"
         serverCertHash="57686f6120447564652c2049495320526f636b73" />
      <authentication>
        <basicAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
      <commandFiltering maxCommandLine="4096" allowUnlisted="true">
        <add command="SYST" allowed="false" />
      </commandFiltering>
    </security>
    <directoryBrowse showFlags="StyleUnix" />
    <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, FtpStatus, Win32Status, ServerPort, FtpSubStatus, Session, FullPath, Info" />
    <messages expandVariables="true"
       greetingMessage="Welcome %UserName%!"
       allowLocalDetailedErrors="true" />
    <userIsolation mode="StartInUsersDirectory" />
  </ftpServer>
</site>

Sample Code

The following examples configure an FTP site so that it requires SSL for both the data channel and control channel.

AppCmd.exe

appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.ssl.serverCertHash:"57686f6120447564652c2049495320526f636b73" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.ssl.controlChannelPolicy:"SslRequire" /commit:apphost
appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.security.ssl.dataChannelPolicy:"SslRequire" /commit:apphost

Note

You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
         ConfigurationElementCollection sitesCollection = sitesSection.GetCollection();

         ConfigurationElement siteElement = FindElement(sitesCollection, "site", "name", @"ftp.example.com");
         if (siteElement == null) throw new InvalidOperationException("Element not found!");

         ConfigurationElement ftpServerElement = siteElement.GetChildElement("ftpServer");
         ConfigurationElement securityElement = ftpServerElement.GetChildElement("security");

         ConfigurationElement sslElement = securityElement.GetChildElement("ssl");
         sslElement["serverCertHash"] = @"57686f6120447564652c2049495320526f636b73";
         sslElement["controlChannelPolicy"] = @"SslRequire";
         sslElement["dataChannelPolicy"] = @"SslRequire";

         serverManager.CommitChanges();
      }
   }
   
   private static ConfigurationElement FindElement(ConfigurationElementCollection collection, string elementTagName, params string[] keyValues)
   {
      foreach (ConfigurationElement element in collection)
      {
         if (String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase))
         {
            bool matches = true;
            for (int i = 0; i < keyValues.Length; i += 2)
            {
               object o = element.GetAttributeValue(keyValues[i]);
               string value = null;
               if (o != null)
               {
                  value = o.ToString();
               }
               if (!String.Equals(value, keyValues[i + 1], StringComparison.OrdinalIgnoreCase))
               {
                  matches = false;
                  break;
               }
            }
            if (matches)
            {
               return element;
            }
         }
      }
      return null;
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
      Dim sitesCollection As ConfigurationElementCollection = sitesSection.GetCollection

      Dim siteElement As ConfigurationElement = FindElement(sitesCollection, "site", "name", "ftp.example.com")
      If (siteElement Is Nothing) Then
         Throw New InvalidOperationException("Element not found!")
      End If

      Dim ftpServerElement As ConfigurationElement = siteElement.GetChildElement("ftpServer")
      Dim securityElement As ConfigurationElement = ftpServerElement.GetChildElement("security")

      Dim sslElement As ConfigurationElement = securityElement.GetChildElement("ssl")
      sslElement("serverCertHash") = "57686f6120447564652c2049495320526f636b73"
      sslElement("controlChannelPolicy") = "SslRequire"
      sslElement("dataChannelPolicy") = "SslRequire"

      serverManager.CommitChanges()
   End Sub

   Private Function FindElement(ByVal collection As ConfigurationElementCollection, ByVal elementTagName As String, ByVal ParamArray keyValues() As String) As ConfigurationElement
      For Each element As ConfigurationElement In collection
         If String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase) Then
            Dim matches As Boolean = True
            Dim i As Integer
            For i = 0 To keyValues.Length - 1 Step 2
               Dim o As Object = element.GetAttributeValue(keyValues(i))
               Dim value As String = Nothing
               If (Not (o) Is Nothing) Then
                  value = o.ToString
               End If
               If Not String.Equals(value, keyValues((i + 1)), StringComparison.OrdinalIgnoreCase) Then
                  matches = False
                  Exit For
               End If
            Next
            If matches Then
               Return element
            End If
         End If
      Next
      Return Nothing
   End Function


End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";

var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var sitesCollection = sitesSection.Collection;
var siteElementPos = FindElement(sitesCollection, "site", ["name", "ftp.example.com"]);

if (siteElementPos == -1) throw "Element not found!";

var siteElement = sitesCollection.Item(siteElementPos);
var ftpServerElement = siteElement.ChildElements.Item("ftpServer");
var securityElement = ftpServerElement.ChildElements.Item("security");

var sslElement = securityElement.ChildElements.Item("ssl");
sslElement.Properties.Item("serverCertHash").Value = "57686f6120447564652c2049495320526f636b73";
sslElement.Properties.Item("controlChannelPolicy").Value = "SslRequire";
sslElement.Properties.Item("dataChannelPolicy").Value = "SslRequire";

adminManager.CommitChanges();

function FindElement(collection, elementTagName, valuesToMatch) {
   for (var i = 0; i < collection.Count; i++) {
      var element = collection.Item(i);
      if (element.Name == elementTagName) {
         var matches = true;
         for (var iVal = 0; iVal < valuesToMatch.length; iVal += 2) {
            var property = element.GetPropertyByName(valuesToMatch[iVal]);
            var value = property.Value;
            if (value != null) {
               value = value.toString();
            }
            if (value != valuesToMatch[iVal + 1]) {
               matches = false;
               break;
            }
         }
         if (matches) {
            return i;
         }
      }
   }
   return -1;
}

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"

Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set sitesCollection = sitesSection.Collection
siteElementPos = FindElement(sitesCollection, "site", Array("name", "ftp.example.com"))

If siteElementPos = -1 Then
Wscript.Echo "Element not found!"
WScript.Quit
End If

Set siteElement = sitesCollection.Item(siteElementPos)
Set ftpServerElement = siteElement.ChildElements.Item("ftpServer")
Set securityElement = ftpServerElement.ChildElements.Item("security")

Set sslElement = securityElement.ChildElements.Item("ssl")
sslElement.Properties.Item("serverCertHash").Value = "57686f6120447564652c2049495320526f636b73"
sslElement.Properties.Item("controlChannelPolicy").Value = "SslRequire"
sslElement.Properties.Item("dataChannelPolicy").Value = "SslRequire"

adminManager.CommitChanges()

Function FindElement(collection, elementTagName, valuesToMatch)
   For i = 0 To CInt(collection.Count) - 1
      Set element = collection.Item(i)
      If element.Name = elementTagName Then
         matches = True
         For iVal = 0 To UBound(valuesToMatch) Step 2
            Set property = element.GetPropertyByName(valuesToMatch(iVal))
            value = property.Value
            If Not IsNull(value) Then
               value = CStr(value)
            End If
            If Not value = CStr(valuesToMatch(iVal + 1)) Then
               matches = False
               Exit For
            End If
         Next
         If matches Then
            Exit For
         End If
      End If
   Next
   If matches Then
      FindElement = i
   Else
      FindElement = -1
   End If
End Function