FTP IP Security <ipSecurity>

Overview

The <ipSecurity> element defines a list of IP-based security restrictions in FTP 7. These restrictions can be based on the IP version 4 address, a range of IP version 4 addresses, or a DNS domain name.

Compatibility

Version Notes
IIS 7.5 The <ipSecurity> element of the <system.ftpServer/security> element ships as a feature of IIS 7.5.
IIS 7.0 The <ipSecurity> element of the <system.ftpServer/security> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 N/A

Note: The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

http://www.iis.net/expand/FTP

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.

Setup

To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

IIS 7.5 for Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

IIS 7.5 for Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  5. Click OK.

IIS 7.0 for Windows Server 2008 and Windows Vista

  1. Download the installation package from the following URL:
  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to add IP restrictions to allow or access for an FTP site

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand Sites, and then FTP site or URL for which you want to add IP restrictions.
  3. In the Home pane, double-click the FTP IPv4 Address and Domain Restrictions feature.
  4. In the FTP IPv4 Address and Domain Restrictions feature, click Add Allow Entry... or Add Deny Entry... in the Actions pane.
  5. Enter the IP address that you wish to allow or deny, and then click OK.

How to edit the IP restrictions feature settings for an FTP site

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand Sites, and then FTP site or URL for which you want to configure IP restrictions.
  3. In the Home pane, double-click the FTP IPv4 Address and Domain Restrictions feature.
  4. In the FTP IPv4 Address and Domain Restrictions feature, click Edit Feature Settings... in the Actions pane.
  5. Choose the default access behavior for unspecified clients, specify whether to enable restrictions by domain name, and then click OK.

Configuration

The <ipSecurity> element is configured at the site or URL level.

Rules are processed from top to bottom, in the order they appear in the list. The allowunlisted attribute is processed last. Best practice for Internet Protocol security (IPsec) restrictions is to list Deny rules first. You cannot clear the allowunlisted attribute if it is set to false.

Attributes

Attribute Description
allowUnlisted Optional Boolean attribute.

Specifies whether to allow unlisted IP addresses. Setting the allowUnlisted attribute to true allows an unlisted IP address to access the server. Setting the allowUnlisted attribute to false locks down the server, preventing access to all IP address unless they are listed. If you set this attribute to false and do not list the local loopback address (127.0.0.1) as an allowed IP address, you will not be able to access your server by using a browser from a local console.

The default value is true.
enableReverseDns Optional Boolean attribute.

Specifies whether to enable or disable reverse Domain Name System (DNS) lookups for the FTP server. Reverse lookups involve looking up the domain name when the IP address is known.

Caution: Reverse DNS lookups will use significant resources and time.

The default value is false.

Child Elements

Element Description
add Optional element.

Adds an IP restriction to the collection of IP address restrictions.
remove Optional element.

Removes a reference to a restriction from the <ipSecurity> collection.
clear Optional element.

Removes all references to restrictions from the <ipSecurity> collection.

Configuration Sample

The following sample illustrates several security-related configuration settings in the <system.ftpServer> element for an FTP site. More specifically, the <location> settings in this example demonstrate how to:

  • Specify an FTP authorization rule for read and write access for the administrators group.
  • Specify FTP request filtering options that deny *.exe, *.bat, and *.cmd files.
  • Specify FTP request limits for a maximum content length of 1000000 bytes and a maximum URL length of 1024 bytes.
  • Block FTP access to the _vti_bin virtual directory, which is used with the FrontPage Server Extensions.
  • Specify FTP IP filtering options that allow access from 127.0.0.1 and deny access from the 169.254.0.0/255.255.0.0 range of IP addresses.
<location path="ftp.example.com">
  <system.ftpServer>
  <security>
    <authorization>
      <add accessType="Allow" roles="administrators" permissions="Read, Write" />
    </authorization>
    <requestFiltering>
      <fileExtensions allowUnlisted="true">
        <add fileExtension=".exe" allowed="false" />
        <add fileExtension=".bat" allowed="false" />
        <add fileExtension=".cmd" allowed="false" />
      </fileExtensions> <requestLimits maxAllowedContentLength="1000000" maxUrl="1024" /> <hiddenSegments> <add segment="_vti_bin" /> </hiddenSegments>
    </requestFiltering>
<ipSecurity enableReverseDns="false" allowUnlisted="true">
<add ipAddress="127.0.0.1" allowed="true" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="false" />
</ipSecurity>
  </security>
  </system.ftpServer>
</location>

Sample Code

The following examples configure FTP IP security to allow unlisted IP addresses, then specify IP restrictions that allow access from 127.0.0.1 and deny access from the 169.254.0.0/255.255.0.0 range of IP addresses.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/ipSecurity /allowUnlisted:"True" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/ipSecurity /+"[ipAddress='127.0.0.1',allowed='True']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/ipSecurity /+"[ipAddress='169.254.0.0',subnetMask='255.255.0.0']" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

C#

using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample { private static void Main() { using (ServerManager serverManager = new ServerManager()) { Configuration config = serverManager.GetApplicationHostConfiguration(); ConfigurationSection ipSecuritySection = config.GetSection("system.ftpServer/security/ipSecurity", "Default Web Site"); ConfigurationElementCollection ipSecurityCollection = ipSecuritySection.GetCollection(); ipSecuritySection["allowUnlisted"] = true; ConfigurationElement addElement = ipSecurityCollection.CreateElement("add"); addElement["ipAddress"] = @"127.0.0.1"; addElement["allowed"] = true; ipSecurityCollection.Add(addElement); ConfigurationElement addElement1 = ipSecurityCollection.CreateElement("add"); addElement1["ipAddress"] = @"169.254.0.0"; addElement1["subnetMask"] = @"255.255.0.0"; ipSecurityCollection.Add(addElement1); serverManager.CommitChanges(); } } }

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample Sub Main() Dim serverManager As ServerManager = New ServerManager Dim config As Configuration = serverManager.GetApplicationHostConfiguration Dim ipSecuritySection As ConfigurationSection = config.GetSection("system.ftpServer/security/ipSecurity", "Default Web Site") Dim ipSecurityCollection As ConfigurationElementCollection = ipSecuritySection.GetCollection ipSecuritySection("allowUnlisted") = True Dim addElement As ConfigurationElement = ipSecurityCollection.CreateElement("add") addElement("ipAddress") = "127.0.0.1" addElement("allowed") = True ipSecurityCollection.Add(addElement) Dim addElement1 As ConfigurationElement = ipSecurityCollection.CreateElement("add") addElement1("ipAddress") = "169.254.0.0" addElement1("subnetMask") = "255.255.0.0" ipSecurityCollection.Add(addElement1) serverManager.CommitChanges() End Sub End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var ipSecuritySection = adminManager.GetAdminSection("system.ftpServer/security/ipSecurity", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var ipSecurityCollection = ipSecuritySection.Collection;

ipSecuritySection.Properties.Item("allowUnlisted").Value = true;

var addElement = ipSecurityCollection.CreateNewElement("add");
addElement.Properties.Item("ipAddress").Value = "127.0.0.1";
addElement.Properties.Item("allowed").Value = true;
ipSecurityCollection.AddElement(addElement);

var addElement1 = ipSecurityCollection.CreateNewElement("add");
addElement1.Properties.Item("ipAddress").Value = "169.254.0.0";
addElement1.Properties.Item("subnetMask").Value = "255.255.0.0";
ipSecurityCollection.AddElement(addElement1);

adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set ipSecuritySection = adminManager.GetAdminSection("system.ftpServer/security/ipSecurity", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set ipSecurityCollection = ipSecuritySection.Collection

ipSecuritySection.Properties.Item("allowUnlisted").Value = True

Set addElement = ipSecurityCollection.CreateNewElement("add")
addElement.Properties.Item("ipAddress").Value = "127.0.0.1"
addElement.Properties.Item("allowed").Value = True
ipSecurityCollection.AddElement(addElement)

Set addElement1 = ipSecurityCollection.CreateNewElement("add")
addElement1.Properties.Item("ipAddress").Value = "169.254.0.0"
addElement1.Properties.Item("subnetMask").Value = "255.255.0.0"
ipSecurityCollection.AddElement(addElement1)

adminManager.CommitChanges()
Deprecated Elements