FTP File Name Extensions <fileExtensions>


The <fileExtensions> element contains a collection of <add> elements that specify unique file name extensions that IIS will either allow or deny, depending on how each <add> element is defined. By using the <fileExtensions> element, you can fine-tune the types of content that your server will make available to FTP clients.

For example, if you set the allowUnlisted attribute to false, all requests for files with extensions that are not contained in the list of allowed extensions will be denied. By using the <clear> element, you can clear the list of the file name extensions that have already been defined, then you can specify just the file name extensions that you want to allow.

Note: When request filtering blocks an FTP request because of a denied file name extension, FTP 7 will return an FTP error to the client and log the following unique substatus that identifies the reason that the request was denied:

FTP Substatus Description
11 File name extension was denied based on request filtering rules

This substatus allows FTP administrators to analyze their IIS logs and identify potential threats.


Version Notes
IIS 7.5 The <fileExtensions> element of the <requestFiltering> element ships as a feature of IIS 7.5.
IIS 7.0 The <fileExtensions> element of the <requestFiltering> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 The FTP service in IIS 6.0 did not support request filtering.

Note: The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:


With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.


To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

IIS 7.5 for Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

IIS 7.5 for Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  5. Click OK.

IIS 7.0 for Windows Server 2008 and Windows Vista

  1. Download the installation package from the following URL:
  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

Note: FTP Request Filtering did not have a user interface in the FTP 7.0 release; the FTP Request Filtering UI was added in the FTP 7.5 release.

How to deny FTP access to a specific file name extension

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, go to the site or directory for which you want to modify your request filtering settings.
  3. In the Home pane, double-click FTP Request Filtering.
  4. In the FTP Request Filtering pane, click the File Name Extensions tab.
  5. Click Deny File Name Extension... in the Actions pane.
  6. In the Deny File Name Extension dialog box, enter the file name extension that you wish to block. For example, to prevent access to files with a file name extension of .inc, you would enter "inc" in the dialog box.
  7. Click OK.


The <fileExtensions> element of the <requestFiltering> element is configured at the global, site or URL level.


Attribute Description
allowUnlisted Optional Boolean attribute.

Specifies whether the Web server should process files that have unlisted file name extensions. If you set this attribute to true, you must list all file name extensions that you want to deny. If you set this attribute to false, you must list all file name extensions that you want to allow.

The default value is true.

Child Elements

Element Description
add Optional element.

Adds a file name extension to the collection of file name extensions.
clear Optional element.

Removes all references to file name extensions from the <fileExtensions> collection.
remove Optional element.

Removes a reference to a file name extension from the <fileExtensions> collection.

Configuration SampleConfiguration Sample

The following sample illustrates several security-related configuration settings in the <system.ftpServer> element for an FTP site. More specifically, the <location> settings in this example demonstrate how to:

  • Specify an FTP authorization rule for read and write access for the administrators group.
  • Specify FTP request filtering options that deny *.exe, *.bat, and *.cmd files.
  • Specify FTP request limits for a maximum content length of 1000000 bytes and a maximum URL length of 1024 bytes.
  • Block FTP access to the _vti_bin virtual directory, which is used with the FrontPage Server Extensions.
  • Specify FTP IP filtering options that allow access from and deny access from the range of IP addresses.
<location path="ftp.example.com">
      <add accessType="Allow" roles="administrators" permissions="Read, Write" />
      <fileExtensions allowUnlisted="true">
        <add fileExtension=".exe" allowed="false" />
        <add fileExtension=".bat" allowed="false" />
        <add fileExtension=".cmd" allowed="false" />
      </fileExtensions> <requestLimits maxAllowedContentLength="1000000" maxUrl="1024" /> <hiddenSegments> <add segment="_vti_bin" /> </hiddenSegments>
<ipSecurity enableReverseDns="false" allowUnlisted="true">
<add ipAddress="" allowed="true" />
<add ipAddress="" subnetMask="" allowed="false" />

Sample Code

The following examples specify FTP request filtering options that deny *.exe, *.com, *.bat, and *.cmd files.


appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/requestFiltering /+"fileExtensions.[fileExtension='.exe',allowed='False']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/requestFiltering /+"fileExtensions.[fileExtension='.com',allowed='False']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/requestFiltering /+"fileExtensions.[fileExtension='.cmd',allowed='False']" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.ftpServer/security/requestFiltering /+"fileExtensions.[fileExtension='.bat',allowed='False']" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample { private static void Main() { using (ServerManager serverManager = new ServerManager()) { Configuration config = serverManager.GetApplicationHostConfiguration(); ConfigurationSection requestFilteringSection = config.GetSection("system.ftpServer/security/requestFiltering", "Default Web Site"); ConfigurationElement fileExtensionsElement = requestFilteringSection.GetChildElement("fileExtensions"); ConfigurationElementCollection fileExtensionsCollection = fileExtensionsElement.GetCollection(); ConfigurationElement addElement = fileExtensionsCollection.CreateElement("add"); addElement["fileExtension"] = @".exe"; addElement["allowed"] = false; fileExtensionsCollection.Add(addElement); ConfigurationElement addElement1 = fileExtensionsCollection.CreateElement("add"); addElement1["fileExtension"] = @".com"; addElement1["allowed"] = false; fileExtensionsCollection.Add(addElement1); ConfigurationElement addElement2 = fileExtensionsCollection.CreateElement("add"); addElement2["fileExtension"] = @".cmd"; addElement2["allowed"] = false; fileExtensionsCollection.Add(addElement2); ConfigurationElement addElement3 = fileExtensionsCollection.CreateElement("add"); addElement3["fileExtension"] = @".bat"; addElement3["allowed"] = false; fileExtensionsCollection.Add(addElement3); serverManager.CommitChanges(); } } }


Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample Sub Main() Dim serverManager As ServerManager = New ServerManager Dim config As Configuration = serverManager.GetApplicationHostConfiguration Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.ftpServer/security/requestFiltering", "Default Web Site") Dim fileExtensionsElement As ConfigurationElement = requestFilteringSection.GetChildElement("fileExtensions") Dim fileExtensionsCollection As ConfigurationElementCollection = fileExtensionsElement.GetCollection Dim addElement As ConfigurationElement = fileExtensionsCollection.CreateElement("add") addElement("fileExtension") = ".exe" addElement("allowed") = False fileExtensionsCollection.Add(addElement) Dim addElement1 As ConfigurationElement = fileExtensionsCollection.CreateElement("add") addElement1("fileExtension") = ".com" addElement1("allowed") = False fileExtensionsCollection.Add(addElement1) Dim addElement2 As ConfigurationElement = fileExtensionsCollection.CreateElement("add") addElement2("fileExtension") = ".cmd" addElement2("allowed") = False fileExtensionsCollection.Add(addElement2) Dim addElement3 As ConfigurationElement = fileExtensionsCollection.CreateElement("add") addElement3("fileExtension") = ".bat" addElement3("allowed") = False fileExtensionsCollection.Add(addElement3) serverManager.CommitChanges() End Sub End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var requestFilteringSection = adminManager.GetAdminSection("system.ftpServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");
var fileExtensionsElement = requestFilteringSection.ChildElements.Item("fileExtensions");
var fileExtensionsCollection = fileExtensionsElement.Collection;

var addElement = fileExtensionsCollection.CreateNewElement("add");
addElement.Properties.Item("fileExtension").Value = ".exe";
addElement.Properties.Item("allowed").Value = false;

var addElement1 = fileExtensionsCollection.CreateNewElement("add");
addElement1.Properties.Item("fileExtension").Value = ".com";
addElement1.Properties.Item("allowed").Value = false;

var addElement2 = fileExtensionsCollection.CreateNewElement("add");
addElement2.Properties.Item("fileExtension").Value = ".cmd";
addElement2.Properties.Item("allowed").Value = false;

var addElement3 = fileExtensionsCollection.CreateNewElement("add");
addElement3.Properties.Item("fileExtension").Value = ".bat";
addElement3.Properties.Item("allowed").Value = false;



Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set requestFilteringSection = adminManager.GetAdminSection("system.ftpServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")
Set fileExtensionsElement = requestFilteringSection.ChildElements.Item("fileExtensions")
Set fileExtensionsCollection = fileExtensionsElement.Collection

Set addElement = fileExtensionsCollection.CreateNewElement("add")
addElement.Properties.Item("fileExtension").Value = ".exe"
addElement.Properties.Item("allowed").Value = False

Set addElement1 = fileExtensionsCollection.CreateNewElement("add")
addElement1.Properties.Item("fileExtension").Value = ".com"
addElement1.Properties.Item("allowed").Value = False

Set addElement2 = fileExtensionsCollection.CreateNewElement("add")
addElement2.Properties.Item("fileExtension").Value = ".cmd"
addElement2.Properties.Item("allowed").Value = False

Set addElement3 = fileExtensionsCollection.CreateNewElement("add")
addElement3.Properties.Item("fileExtension").Value = ".bat"
addElement3.Properties.Item("allowed").Value = False

Deprecated Elements