PassivePortRange Metabase Property (IIS 6.0)
The PassivePortRange property specifies the range of data ports to be used by the FTP service in response to PASV commands.
PASV FTP requires the server to open a data port for the client to make a second connection. This is a separate connection than the typical port 21 that is used for the control channel. The second connection is used when data files are transferred back to the client. By configuring the port range, you can write firewall and router rules to allow external clients access only to the ports they need and reduce the attack surface available to malicious users. In other words, if you have applications other than FTP that are using the default port range of 1025-5000, and do not want to expose these ports through your firewall in order to enable PASV FTP, you can use this value to change the range that you must open through your firewall. If this value is not specified, or is set to an empty string, the default value of 1025-5000, as specified by Winsock, is used. If this property is specified, the valid range that FTP will validate is from 5001 to 65535 (see StartingNumber and EndingNumber below), and may be a range or a single number.
This property can be set only at the service level. In order to make the changes effective, the service must be restarted. If the value is invalid, the service will invalidate it and will not restart.
For more information, see Modes and Data Transmission.
You can configure this property at the following locations in the IIS metabase.
For general code examples, see Code Examples to Configure Metabase Properties.