
IIS FTP Service does not support secure communication

(Kristofer Gafvert, April 24, 2005)

Introduction

The File Transfer Protocol (FTP)[2] transfers the username and password in clear text. This is a security risk, since anyone who can monitor the network can capture the username and password. Unfortunately, the FTP Service provided with IIS supports only the plain FTP protocol, and not FTP over SSL (also known as FTPS).

SFTP vs FTPS

When talking about secure file transfers, two names usually come up: SFTP and FTPS. Although the names seem to indicate the same thing (Secure FTP), they are not the same. SFTP (also known as "FTP over SSH") is an abbreviation for Secure File Transfer Protocol (or SSH File Transfer Protocol) and is a protocol run over SSH to transfer and manage files. This protocol does not have anything in common with the FTP protocol. It is a protocol designed from the ground up by the IETF. An SFTP client cannot communicate with an FTP server, because they "talk different languages". FTPS (also known as "FTP over SSL" and "FTP/S") uses SSL/TLS to secure the communication, and is an extension[1] to the FTP protocol.

As already written, the FTP Service in IIS does not support either of these. If SFTP or FTPS is required, a third-party solution is needed.
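As an added example (not part of the original article and not IIS code), the following Python code audits an FTP control-channel transcript and reports whether USER and PASS were sent before the FTPS negotiation (an `AUTH TLS` command answered with reply code 234) succeeded. The transcripts, reply texts and the function name are constructed for illustration; the third transcript assumes a server that rejects `AUTH TLS` and a client that falls back to a plain login.

```python
import re

# Constructed control-channel transcripts: "C" = client line, "S" = server reply.
LOGIN = [("C", "USER alice"), ("S", "331 Password required"),
         ("C", "PASS example-password"), ("S", "230 User logged in")]
PLAIN_SESSION = [("S", "220 Service ready")] + LOGIN
# After the 234 reply the rest travels inside TLS; listed as a server log would show it.
FTPS_SESSION = [("S", "220 Service ready"), ("C", "AUTH TLS"),
                ("S", "234 Proceed with negotiation")] + LOGIN
# Assumed server without FTPS support; the client falls back to a plain login.
REFUSED_SESSION = [("S", "220 Service ready"), ("C", "AUTH TLS"),
                   ("S", "500 Command not understood")] + LOGIN

FINAL_REPLY = re.compile(r"^(\d{3})(?: |$)")  # "234-..." is a continuation line


def cleartext_credential_commands(transcript):
    """Return the USER/PASS verbs sent before TLS was negotiated.

    Only the verb is reported, never the argument, so the audit output
    does not copy credentials into yet another log.
    """
    auth_pending = False   # client asked for TLS, final reply not seen yet
    tls_active = False     # server accepted AUTH with reply code 234
    exposed = []
    for direction, line in transcript:
        if direction == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb in ("USER", "PASS") and not tls_active:
                exposed.append(verb)
        elif auth_pending:
            reply = FINAL_REPLY.match(line)
            if reply:  # skip continuation lines of a multi-line reply
                tls_active = reply.group(1) == "234"
                auth_pending = False
    return exposed


if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION), ("ftps", FTPS_SESSION),
                          ("refused", REFUSED_SESSION)]:
        print(name, cleartext_credential_commands(session))
```

The refused case is the one to watch for when a client is configured to try FTPS but silently falls back: the login still succeeds, and the credentials still cross the network unencrypted.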

Other ways to secure file transfers

If the FTP protocol is not required, there are other ways to secure file transfers. WebDAV over SSL is one option, and FTP over an encrypted channel such as a VPN is another option.

Applies to

IIS 6.0

Resources

IETF
IETF - Securing FTP with TLS
Virtual Private Networks for Windows Server 2003
Securing WebDAV Publishing Directories in IIS 6.0
[1] RFC 2228 - FTP Security Extensions
[2] RFC 959 - FILE TRANSFER PROTOCOL (FTP)