IIS: The FTP PORT Command May be Issued Before a Client is Logged On (239041)
The information in this article applies to:
- Microsoft Internet Information Services 5.0
This article was previously published under Q239041 We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: SYMPTOMS
When using the FTP Server that ships with Internet Information Services 5.0, you may notice some supposedly inconsistent behavior. For example, if you were to create a control connection to a restricted FTP server (one in which the you do not have a valid logon), then issue a PORT command, this command would result in the server returning the following message:
200 PORT Command Successful.
You are never prompted for credentials during this phase of the FTP connection process even though the FTP site has been restricted (meaning anonymous access is disabled). This may be looked at as a possible security problem, but it is actually normal behavior for FTP.
CAUSE
FTP requires that you are identified before a connection is officially established. In other words, a connection has not officially been made yet. You cannot transfer files unless you first logon the server.
STATUS
This is a known issue with Internet Information Services 5.0 (and most FTP servers as well).
| Modification Type: | Minor | Last Reviewed: | 5/3/2006 |
|---|
| Keywords: | kbbug kbpending KB239041 |
|---|
|