Article ID: 147621
Article Last Modified on 6/23/2005
APPLIES TO
- Microsoft Internet Information Server 1.0
This article was previously published under Q147621
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SUMMARY
The Internet Information Server (IIS) contains four registry keys. They are
FTP, Gopher, WWW (World Wide Web) and the Internet Information Server.
The Internet Information Server registry key provides registry parameters
and values that are global for the InetInfo process and the server. For
additional information, please see the following article in the Microsoft
Knowledge Base:
143180: IIS Common Registry Parameters
This article lists specific registry parameters and values that are used by
the IIS File Transfer Protocol (FTP) service only.
MORE INFORMATION
The following is a list of registry parameters and values that are used
specifically for the IIS FTP service.
The parameters are located in the HKEY_LOCAL_MACHINE subtree under the
following subkey:
\System\CurrentControlSet\Services\MSFTPSVC\Parameters
EnablePortAttack REG_DWORD
Range: 0 or 1 Default: 0
Description: CONFIGURABLE
A security hole was recently discovered in FTP services that support passive
connections. The hole is in the FTP protocol specification itself. By default,
the FTP service opens data connections to whatever port address the client
supplies, and an attacker can use this facility to relay malicious commands
through the FTP service to other services. The problem occurs when a client
asks the FTP service to connect to a port other than the FTP data port (20)
whose number is less than IP_PORT_RESERVED (1024). This flag controls whether
such connections are allowed. By default, the service makes no connections to
ports below IP_PORT_RESERVED (other than port 20). If an administrator
deliberately wants the old behavior, this flag should be set to 1.
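As an added example (not code from the article or from IIS), the following Python implements the decision the EnablePortAttack flag controls: it parses an RFC 959 PORT command and, with the flag at its default of 0, refuses data connections to ports below IP_PORT_RESERVED other than port 20. The client_ip parameter is an assumed extra check (PORT address must match the control connection's peer) that the article does not describe.

```python
import ipaddress
import re

IP_PORT_RESERVED = 1024  # privileged-port boundary named in the article
FTP_DATA_PORT = 20       # the one reserved port the service may always use

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 (six decimal byte values)
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line):
    """Return (ip, port) from a PORT command line, or raise ValueError."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte value out of range in PORT command")
    ip = str(ipaddress.IPv4Address(".".join(str(o) for o in octets[:4])))
    port = octets[4] * 256 + octets[5]
    return ip, port


def data_connection_allowed(line, enable_port_attack=0, client_ip=None):
    """Decide whether the server may open the data connection a client asked for.

    With EnablePortAttack=0 (the article's default) the service refuses any
    port below IP_PORT_RESERVED other than the FTP data port (20); with the
    flag set to 1 the old permissive behaviour is restored.  The optional
    client_ip check is an assumed extra safeguard, not something the article states.
    """
    ip, port = parse_port_command(line)
    if client_ip is not None and ip != client_ip:
        return False, "PORT address %s does not match control peer %s" % (ip, client_ip)
    if port < IP_PORT_RESERVED and port != FTP_DATA_PORT and not enable_port_attack:
        return False, "refusing data connection to reserved port %d (EnablePortAttack=0)" % port
    return True, "data connection to %s:%d permitted" % (ip, port)


if __name__ == "__main__":
    # Constructed sample commands: a reserved port (25), the data port (20), a high port (1025).
    for cmd in ("PORT 10,0,0,5,0,25", "PORT 10,0,0,5,0,20", "PORT 10,0,0,5,4,1"):
        print(cmd, "->", data_connection_allowed(cmd, client_ip="10.0.0.5"))
```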
ExitMessage REG_SZ
Range: <String> Default: ""
Description: ADMIN CONFIGURABLE
Conventionally, the FTP service sends back an exit message when a client
sends a QUIT command. This string specifies the exit message to be sent.
GreetingMessage REG_MULTI_SZ
Range: <String> Default: ""
Description: ADMIN CONFIGURABLE
When a new user connects to the FTP Server, the server sends a friendly
greeting message detailing contents and administrative information. This
string (multiple lines) specifies the message to use for greeting the new
client connections.
MaxClientsMessage REG_SZ
Range: <String> Default: ""
Description: ADMIN CONFIGURABLE
When the current number of connections exceeds the MaxConnections value
specified for the service, the service sends a friendly message to the
rejected client. This message is the single-line string provided in this
parameter.
AccessCheck REG_DWORD
Range: <any> Default: <none>
Description: CONFIGURABLE
This key is used for access checking of incoming user connections. The server
impersonates the logged-on user and attempts to open this registry key for
read and for write access. If the key does not exist, read and write
permissions are granted. If the key exists, the user is granted read and write
permissions according to the access permissions on the registry key. This
feature is specifically useful for servers that publish content on a FAT
volume and therefore lack the security features of NTFS. It is not a
recommended way to provide security, owing to poor manageability and
performance.
AllowGuestAccess REG_DWORD
Range: 0 or 1 Default: 1
Description: CONFIGURABLE
This flag specifies whether guest logons are permitted for the FTP service.
When a new user logs on, the server checks whether the user is logged on as
the Windows NT Guest user. For a guest connection, the FTP service accepts or
rejects the new connection based on the value of this flag. Permitting Guest
access has been known to cause problems at poorly managed sites. Under a
default installation of Windows NT, Guest is granted permissions for all types
of access on the system. This can easily be a security hole, and it is
recommended that wary administrators turn this switch off.
AnnotateDirectories REG_DWORD
Range: 0 or 1 Default: 0
Description: CONFIGURABLE
FTP service supports annotating a directory with custom messages. The
annotation text should be stored in a special file named ~ftpsvc~.ckm
under the directory. If this file exists in the target directory of a
Change Directory (CWD) FTP operation, then the service responds with the
contents of this file for the operation. This provides a way for
administrators to add custom messages for directories under consideration.
By default, the service is configured not to send annotation text. If the
administrator decides to add a custom message, the annotation file must be
created and this flag turned on. It is recommended to make the annotation
file hidden so that it does not show up in a directory listing.
MsdosDirOutput REG_DWORD
Range: 0 or 1 Default: 1
Description: CONFIGURABLE
This flag specifies the style of directory output for a LIST operation from
an FTP client. If the flag is turned on, the service generates an MS-DOS
style directory listing. If the flag is turned off, the service generates a
UNIX style listing. (Some clients may break if they do not support MS-DOS
style listings. For this and numerous other reasons an administrator may
consider turning this flag off. The downside is that generating a UNIX style
listing is a costly operation and consumes more CPU.)
LowercaseFiles REG_DWORD
Range: 0 or 1 Default: 0
Description: CONFIGURABLE
The service uses the native case for file names (that is, the case in which
the names are stored in the file system). However, for exact comparisons
against case-sensitive file systems (NTFS provides this as an option; FAT is
case insensitive) to work correctly, it may be necessary to ensure that
consistent file names are used. Administrators can turn on this flag to make
the service use lower case for such comparisons.
DebugFlags REG_DWORD
Range: 0 - 0xFFFFFFFF Default: 0
Description: INTERNAL ANALYSIS
This value specifies a bit mask for selectively enabling different checks in
a debug binary of the FTP service component (FTPSVC2.DLL). The output is
sent to the debug terminal by default. The bits are defined as follows:
#define DEBUG_SERVICE_CTRL   0x00000001
#define DEBUG_TIMING         0x00000002
#define DEBUG_CACHE          0x00000004
#define DEBUG_ERROR          0x00000008
#define DEBUG_SECURITY       0x00000010
#define DEBUG_USER_DATABASE  0x00000020
#define DEBUG_LICENSE        0x00000040
#define DEBUG_RPC            0x00000080
#define DEBUG_CONNECTION     0x00000100
#define DEBUG_PARSING        0x00000200
#define DEBUG_COMMANDS       0x00000400
#define DEBUG_CONFIG         0x00000800
#define DEBUG_VIRTUAL_IO     0x00001000
#define DEBUG_CLIENT         0x00002000
#define DEBUG_ASYNC_IO       0x00004000
#define DEBUG_DIR_LIST       0x00008000
#define DEBUG_SOCKETS        0x00010000
#define DEBUG_SEND           0x00020000
#define DEBUG_RECV           0x00040000
#define DEBUG_CRITICAL_PATH  0x10000000
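The following Python is an added example, not from the article or from Microsoft: it parses a "reg export" of the MSFTPSVC\Parameters key (the sample export is constructed, including a REG_MULTI_SZ GreetingMessage in the hex(7) encoding reg export uses), applies the defaults documented above when a value is absent, and reports the settings the article calls out as risky (EnablePortAttack set to 1, Guest access permitted, an AccessCheck key in use). The function and value names are mine.

```python
import re
REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters"
# Defaults the article documents for the DWORD flags; applied when a value is absent.
DEFAULTS = {"EnablePortAttack": 0, "AllowGuestAccess": 1, "AnnotateDirectories": 0,
            "MsdosDirOutput": 1, "LowercaseFiles": 0, "DebugFlags": 0}
# Constructed sample in the format "reg export" writes; not taken from any real server.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters]
"EnablePortAttack"=dword:00000001
"AllowGuestAccess"=dword:00000001
"MsdosDirOutput"=dword:00000000
"ExitMessage"="Goodbye"
"GreetingMessage"=hex(7):57,00,65,00,6c,00,63,00,6f,00,6d,00,\
  65,00,00,00,00,00
'''
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=body

def _decode(raw):  # one .reg value body -> Python value
    if raw.startswith("dword:"):                  # REG_DWORD, hex digits
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):                 # REG_MULTI_SZ: UTF-16LE, NUL-separated, double-NUL end
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':  # REG_SZ with \\ and \" escapes
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw

def parse_msftpsvc_export(text):  # returns {name: value} for the MSFTPSVC\Parameters key only
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex(...) continuation lines
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == REG_KEY.lower()
            continue
        m = _VALUE_RE.match(line)
        if in_key and m:
            values[m.group(1)] = _decode(m.group(2))
    return values

def audit(values):  # findings for the settings the article describes as risky
    get = lambda k: values.get(k, DEFAULTS.get(k))
    checks = [
        (get("EnablePortAttack") == 1, "EnablePortAttack=1: data connections to ports below 1024 allowed"),
        (get("AllowGuestAccess") == 1, "AllowGuestAccess=1: Guest logons accepted (default; article recommends off)"),
        ("AccessCheck" in values, "AccessCheck present: registry-ACL access checks in use (not recommended)"),
    ]
    return [msg for hit, msg in checks if hit]
```

Running audit(parse_msftpsvc_export(SAMPLE_EXPORT)) reports the two risky flags in the sample; an export with no values at all still reports AllowGuestAccess because the article's default is 1.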
Additional query words: prodiis regedt32
Keywords: kbusage KB147621