The File Transfer Protocol often still proves to be the easiest way to transfer files between computers. This is especially true in heterogeneous environments. However, you should avoid unencrypted transfers where possible. Hence, the server should be configured for FTPS.
Install an FTP server
While the FTP server can be managed uniformly on all variants of the operating system via the IIS Manager console, the installation on the client and the server is different.
On Windows 10/11, you install the FTP server via the Control Panel under Programs and Features > Turn Windows features on or off. There, you expand the tree below Internet Information Services and select FTP server > FTP service and Web Management Tools > IIS Management Console.
Alternatively, you can add the FTP server in a PowerShell session with elevated privileges, as follows:
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerManagementTools, IIS-ManagementConsole, IIS-FTPServer, IIS-FTPSvc
On Windows Server, run the Add Roles and Features Wizard, and select the Web Server Role (IIS). In the Role Services dialog box, clear the selection of Web Server and check the required components under FTP Server and Management Tools.
If you prefer PowerShell, enter this command:
Install-WindowsFeature Web-FTP-Server, Web-Mgmt-Console
Configure the site via the IIS Manager
After the installation is complete, start the Internet Information Services (IIS) Manager using the search function or by typing InetMgr.exe. The configuration of the FTP server contains only the Default Web Site, which points to C:\inetpub\wwwroot and is not enabled.
In practice, however, you are more likely to create your own site. To do so, launch the Add FTP Site command from the Sites context menu.
We use the Default Web Site in this tutorial, but the configuration is the same for each site.
Customize the default site
If you use the default web site, you should move the default root directory to the %SystemDrive%\inetpub\ftproot folder because the FTP server uses this by default. To do so, execute the command Basic Settings in the action bar.
Then, execute the Add FTP Publishing command for further configuration, which launches a wizard. If, on the other hand, you create a new FTP site, you will automatically end up on the first page of this wizard after entering the basic data.
In the first dialog box, you can optionally bind the service to a specific IP address. You can also overwrite the default port 21 here. In addition, a virtual host name can be assigned to the FTP site.
When creating multiple FTP sites, each needs its own IP address to bind to. Virtual hosts, on the other hand, are interesting if you want to provide multiple FTP servers via one IP address.
In the SSL section, we select the No SSL option for the moment because we have not yet imported or issued a certificate.
In the wizard's second dialog box, define how users authenticate themselves and which permissions they get. If you activate Anonymous, it is sufficient for users to log in with the name FTP or Anonymous and their email address as the password.
If you decide to log in with a user name and password, you can grant access rights to certain Windows accounts or groups. For this purpose, you can either enter existing users or create a separate group for FTP.
You can include not only local accounts but also AD accounts in this group. It should be noted that these must have the necessary rights in the specified directories at the NTFS level.
Subsequent rights management
You may select both forms of authentication in the wizard, but named and anonymous users cannot be entered in the Authorization section at the same time. However, after launching the site, the FTP Authentication applet can be used to configure both types of logins, if needed. Rights are subsequently assigned via FTP authorization. Here, you can add any number of allow and deny rules for users and groups to control read and write permissions.
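The same authentication and authorization setup can be scripted instead of clicked through. The following is an added example, not code from the article, and uses the WebAdministration module that comes with the IIS management tools. It assumes the site is named Default Web Site, that its root directory is %SystemDrive%\inetpub\ftproot as recommended above, and it creates a local group named FTP-Users purely for the purpose of the example. The final step grants that group the NTFS rights the article says are required in addition to the IIS rule.

```powershell
# Added example (not from the article): enable user-name/password logins,
# disable anonymous access, and add one Allow rule for a dedicated FTP group.
Import-Module WebAdministration

$site  = "Default Web Site"                       # assumption: the site configured in the article
$group = "FTP-Users"                              # hypothetical local group created below
$root  = "$env:SystemDrive\inetpub\ftproot"       # assumption: the root chosen under "Customize the default site"

# Create the FTP group once; it can also contain AD accounts on a domain member.
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description "Accounts allowed to log in to the FTP site"
}

# Basic authentication on, anonymous authentication off (site-level FTP settings).
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# Replace the site's FTP authorization rules with a single rule:
# members of the group may read and write; everyone else is implicitly denied.
Clear-WebConfiguration -Filter "/system.ftpServer/security/authorization" -PSPath "IIS:\" -Location $site
Add-WebConfiguration   -Filter "/system.ftpServer/security/authorization" -PSPath "IIS:\" -Location $site `
    -Value @{ accessType = "Allow"; roles = $group; permissions = "Read,Write" }

# The IIS rule is evaluated first, but the FTP service still accesses the files with the
# logged-in user's token, so the group also needs matching NTFS permissions (Modify here).
icacls $root /grant "${group}:(OI)(CI)M" | Out-Null

# Review the effective rules for the site.
Get-WebConfiguration -Filter "/system.ftpServer/security/authorization/add" -PSPath "IIS:\" -Location $site |
    Select-Object accessType, users, roles, permissions
```

Keep the NTFS grant as narrow as the use case allows; if users only download, Read (R) in place of Modify (M) is enough, and the IIS rule should then say Read only as well.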
Create a certificate
To configure an SSL connection, you need a certificate. The Internet Information Services (IIS) Manager provides functions for creating a request (CSR) and issuing a domain certificate or a self-signed certificate. The latter is primarily suitable for internal use or for tests.
To do this, switch to the root directory (i.e., the name of the server) in the Connections window and open the Server Certificates applet in the main window. Now you can execute the Create Self-Signed Certificate command in the action window.
In the dialog box that appears, enter a name for the certificate. This name is for description purposes only and has nothing to do with the Common Name or the Subject Alternative Name. For smaller environments, select Personal as the store. After submitting the dialog box, you will receive a certificate that is valid for one year.
Configure SSL connections
For the SSL configuration, the IIS Manager provides the FTP SSL Settings applet. There, you select the previously issued certificate and then decide on an SSL policy.
The Require SSL connections option does not allow unencrypted communication, while Allow SSL connections allows the client to transmit all data, including login information, in clear text.
In addition, there is a custom setting where, for example, you can force only the credentials to be encrypted while the client transmits all other data over an unencrypted connection.
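The certificate creation and the SSL policy from the two previous sections can be done together in PowerShell. This is an added example and not the article's own code; it assumes the site is named Default Web Site and uses a constructed host name, ftp.example.internal, for the certificate. New-SelfSignedCertificate places the certificate in the computer's Personal (My) store, which is the store the IIS applet calls Personal, with the default validity of one year.

```powershell
# Added example (not from the article): issue a self-signed certificate and
# require TLS on both the control and the data channel of the FTP site.
Import-Module WebAdministration

$site     = "Default Web Site"        # assumption: the site configured in the article
$hostName = "ftp.example.internal"    # constructed host name for the certificate's subject/SAN

# Self-signed certificate in the local machine's Personal store (valid one year by default).
$cert = New-SelfSignedCertificate -DnsName $hostName `
                                  -CertStoreLocation "Cert:\LocalMachine\My" `
                                  -FriendlyName "FTPS $hostName"

# Tell the FTP site which certificate to present; the store name "My" is the Personal store.
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.serverCertHash      -Value $cert.Thumbprint
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.serverCertStoreName -Value "My"

# "Require SSL connections": neither credentials nor file data may travel in clear text.
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslRequire"
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.dataChannelPolicy    -Value "SslRequire"

# The custom variant described in the article (credentials encrypted, everything else
# optional) would be controlChannelPolicy = "SslRequireCredentialsOnly" and
# dataChannelPolicy = "SslAllow"; it is weaker because file contents can still be sent
# in clear text, so it is shown only as a comment here.

# Verify what the site will enforce.
Get-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl |
    Format-List serverCertHash, serverCertStoreName, controlChannelPolicy, dataChannelPolicy
```

If the certificate is later replaced by one from an AD CA or a public CA, only the serverCertHash value needs to be updated to the new thumbprint; the policy settings stay as they are.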
Configure firewall for passive mode
The IIS FTP server supports both active and passive modes. The difference between the two is who establishes the data connection after the client's initial request (via port 21). In passive mode, this is the client; in active mode, it is the server.
Active mode often leads to problems with the firewall on the client side because it usually blocks the incoming connection. The mode is selected by the client; note that the ftp.exe included in Windows supports only active mode and no SSL connections.
After installing the FTP server, the Windows firewall contains three new rules that you can now activate:
- FTP Server (FTP Traffic-In): This opens port 21, which is required for the control channel to transmit FTP commands.
- FTP Server Passive (FTP Passive Traffic-In): This defines the port range for the client to establish the data connection.
- FTP Server Secure (FTP SSL Traffic-in): FTP over SSL uses TCP port 990, and this rule opens it.
To do so, open Windows Defender Firewall with Advanced Security, switch to the list of incoming rules, and enable them using the Enable Rule command.
In addition to activating FTP Passive Traffic-In, open the FTP Firewall Support applet by navigating to the top node under Connections in the IIS Manager. There, you should check whether the port range matches the one in the firewall rule. If you click this applet in the context of a site, the input field for the port range is grayed out.
Finally, it is highly advisable to restart the FTP service so that the firewall settings take effect, which saves you from needlessly searching for the cause of rejected FTP connections.
In a PowerShell session with elevated privileges, enter the following command:
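The firewall steps of this section, scripted as one added example that is not the article's own code. It assumes the three rules keep the display names the installation gave them (all starting with "FTP Server"), and the passive port range 50000-50100 is a constructed value to replace with your own. The passive range is set at the server level, matching the article's remark that the field is grayed out when the applet is opened in the context of a site.

```powershell
# Added example (not from the article): set the passive data-channel range,
# enable the three FTP firewall rules, show what they open, and restart the service.
Import-Module WebAdministration

$lowPort  = 50000    # constructed passive range; pick one that suits your firewall policy
$highPort = 50100

# Server-level FTP Firewall Support settings (the same values as in the IIS applet).
Set-WebConfigurationProperty -Filter "/system.ftpServer/firewallSupport" -Name lowDataChannelPort  -Value $lowPort  -PSPath "IIS:\"
Set-WebConfigurationProperty -Filter "/system.ftpServer/firewallSupport" -Name highDataChannelPort -Value $highPort -PSPath "IIS:\"

# Enable the rules created by the FTP server installation (assumption: default display names).
Get-NetFirewallRule -DisplayName "FTP Server*" | Enable-NetFirewallRule

# List protocol and local ports per rule so the passive rule can be compared
# with the range configured above.
Get-NetFirewallRule -DisplayName "FTP Server*" | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $filter.Protocol
        LocalPort = ($filter.LocalPort -join ",")
    }
} | Format-Table -AutoSize

# Restart the Microsoft FTP Service so the firewall support settings are picked up.
Restart-Service -Name ftpsvc
```

If the passive rule's LocalPort column shows a range wider than the one you configured in IIS, the firewall still only lets the data connections through on the ports the FTP service actually announces, but narrowing the rule to the same range keeps the exposed surface small.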
Now clients should be able to connect to the FTP server. If you use a self-signed certificate, you will get a warning that it is not trusted. This can be avoided in the future, for example, in FileZilla, by selecting the corresponding option.
If the communication fails with error 530, your first step should be to check whether the correct root directory is stored in the site configuration. You should also take this opportunity to ensure that access rights are sufficient. This is especially true for logged-in users who end up in their home directory. You can determine this directory in the IIS Manager under FTP User Isolation.
Virtual directories and filters
Virtual directories are used to mount external folders into the FTP directory tree. For example, you could make c:\users\public\images accessible to clients under /images, even if the root directory of the FTP site is under c:\inetpub\ftproot.
Another function for customizing the FTP server is FTP request filtering. This can be used to specify which file types it should transfer and which it should block.
Additional filters can be applied to explicitly allow or exclude certain IP addresses or domains.
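The three customizations in this section (a virtual directory, extension-based request filtering, and IP restrictions) can also be applied from PowerShell. This is an added example, not code from the article; it assumes the site is named Default Web Site, uses the article's C:\users\public\images path for the virtual directory, and the blocked extensions and the 10.0.10.0/24 management subnet are constructed values.

```powershell
# Added example (not from the article): mount an external folder as /images,
# block a few risky file extensions, and restrict access to one subnet.
Import-Module WebAdministration

$site = "Default Web Site"    # assumption: the site configured in the article

# Virtual directory: /images points outside the FTP root (path taken from the article).
New-WebVirtualDirectory -Site $site -Name "images" -PhysicalPath "C:\users\public\images"

# FTP request filtering: refuse transfers of these extensions (constructed list).
foreach ($ext in @(".exe", ".ps1", ".bat", ".cmd")) {
    Add-WebConfiguration -Filter "/system.ftpServer/security/requestFiltering/fileExtensions" `
        -PSPath "IIS:\" -Location $site -Value @{ fileExtension = $ext; allowed = $false }
}

# IP restrictions: deny unlisted addresses, then allow a single subnet (constructed).
Set-WebConfigurationProperty -Filter "/system.ftpServer/security/ipSecurity" -Name allowUnlisted `
    -Value $false -PSPath "IIS:\" -Location $site
Add-WebConfiguration -Filter "/system.ftpServer/security/ipSecurity" -PSPath "IIS:\" -Location $site `
    -Value @{ ipAddress = "10.0.10.0"; subnetMask = "255.255.255.0"; allowed = $true }

# Review the resulting filters.
Get-WebConfiguration -Filter "/system.ftpServer/security/requestFiltering/fileExtensions/add" -PSPath "IIS:\" -Location $site |
    Select-Object fileExtension, allowed
Get-WebConfiguration -Filter "/system.ftpServer/security/ipSecurity/add" -PSPath "IIS:\" -Location $site |
    Select-Object ipAddress, subnetMask, allowed
```

Denying unlisted addresses first and then allowing explicit ranges is the safer order: a typo in the allow entry results in a locked-out client rather than an open server.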
Windows includes an FTP server in both the client and server operating systems, which can be added as an optional feature or role. It is administered through the GUI of the IIS Manager.
All essential settings can be configured there, including user permissions and SSL options. To transfer files securely, you can create a self-signed certificate from the IIS console or send a request to an AD CA or an external certification authority.
A special challenge with FTP is the configuration of the firewall. Installing the FTP server adds three rules that must be enabled if you want to establish secure connections in passive mode.