
FTP Passive Port Range on IIS


The IIS-based FTP service supports both active and passive mode connections, depending on the method specified by the client. In passive mode, IIS FTP by default responds with a randomly chosen port in the range 1024 - 65535. From a security standpoint this is undesirable, because the firewall has to allow inbound connections across that whole range. To narrow this range, a system administrator can configure a metabase property key named PassivePortRange.


For IIS on Windows 2003 Server


a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.


b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
    adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5600"
4. Restart the FTP service.


For IIS on Windows 2000 Server


Configure PassivePortRange via Registry Editor
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters
3. Add a value named "PassivePortRange" (without the quotation marks) of type REG_SZ.
4. Close Registry Editor.
5. Restart the FTP service.


Note: Remember to update your firewall settings to match the new range.  The range that FTP will validate is from 5001 to 65535.
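
To confirm after the restart that the server only hands out data ports inside the configured range, the following added example (not part of the original page) validates a PassivePortRange string and checks the ports announced in PASV replies against it. The function names, the sample replies and the collect_pasv_replies helper are assumptions made for illustration; the 5001 to 65535 bounds come from the note above.

```python
import re
from ftplib import FTP

# Bounds taken from the page's note on what the FTP service will validate.
MIN_PORT, MAX_PORT = 5001, 65535

def parse_passive_port_range(value):
    """Parse a PassivePortRange string such as "5500-5600" into (low, high)."""
    m = re.fullmatch(r"\s*(\d{1,5})\s*-\s*(\d{1,5})\s*", value)
    if not m:
        raise ValueError(f"not a low-high range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high or low < MIN_PORT or high > MAX_PORT:
        raise ValueError(f"range must be ascending and within {MIN_PORT}-{MAX_PORT}: {value!r}")
    return low, high

def pasv_port(reply):
    """Return the data port from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    p1, p2 = int(m.group(5)), int(m.group(6))
    if p1 > 255 or p2 > 255:
        raise ValueError(f"port octets out of range: {reply!r}")
    return p1 * 256 + p2  # the port is sent as two octets, high byte first

def ports_outside_range(replies, configured):
    """List ports the server offered that fall outside the configured range."""
    low, high = parse_passive_port_range(configured)
    return [p for p in map(pasv_port, replies) if not low <= p <= high]

def collect_pasv_replies(host, user, password, count=20):
    """Hypothetical helper: log in and issue PASV `count` times, keeping raw replies."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return [ftp.sendcmd("PASV") for _ in range(count)]

# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,21,124).",  # 21*256+124 = 5500
    "227 Entering Passive Mode (192,0,2,10,21,224).",  # 21*256+224 = 5600
    "227 Entering Passive Mode (192,0,2,10,4,210).",   # 4*256+210 = 1234, old default range
]

if __name__ == "__main__":
    print(ports_outside_range(SAMPLE_REPLIES, "5500-5600"))
```

An empty result means every offered port sits inside the range the firewall has to allow; any listed port indicates the setting did not take effect, for example because the FTP service was not restarted.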

Updated On: 05.08.23
