IIS 7 Tip # 11 You can restrict SSL to only the Control Channel on FTPS

The File Transfer Protocol (FTP) has been around even before I was born :) It is a good protocol for transferring files across the network but has one major flaw. If you use authentication it sends the password in a Base64 encoded format over the wire. If someone intercepts this he/she can easily decode the password. So if someone intercepts the traffic for your FTP site that allows a user to write files he/she can get access to an username and password that has write permissions on the server.

FTPS (FTP-Secure) address this flaw. FTPS allows you to use TLS or SSL cryptography to encrypt the data that is being transferred. 

With Windows 2008 the FTP service was rewritten to support FTPS and shipped as an extension for IIS 7.0. Earlier versions of IIS only support FTP.

With FTPS you no longer have to worry about someone intercepting your password because of the encryption. But encryption comes with a performance overhead. (Consider situations where users frequently transfer files in 100s of MBs to the server all that has to go through en/decryption)

The best thing about the IIS FTPS extension is that you can control the encryption levels.


The FTP (even FTPS) protocol uses two channels(basically two ports) to communicate with the server. The Control Channel is used to transfer the commands (it also carries the credentials) and the Data Channel to transfer the files.

In situations where protecting just the password is enough and you are not concerned about the content being transferred you can remove the encryption on the Data Channel. This will lower the CPU cycles burnt for en/decrypting the large files that are transferred.

Even the Control Channel can be tweaked to just use encryption for credentials. But commands sometimes contain folder locations so its better to keep it encrypted.

Bookmark and Share