PassivePortRange Metabase Property

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The PassivePortRange property specifies the range of data ports to be used by the FTP service in response to PASV commands.

PASV FTP requires the server to open a data port to which the client makes a second connection. This connection is separate from the control channel, which typically uses port 21, and is used when data files are transferred back to the client. By configuring the port range, you can write firewall and router rules that allow external clients access only to the ports they need, which reduces the attack surface available to malicious users. In other words, if applications other than FTP use the default port range of 1025-5000, and you do not want to expose those ports through your firewall in order to enable PASV FTP, you can use this property to change the range that you must open through your firewall.

If this value is not specified, or is set to an empty string, the default value of 1025-5000, as specified by Winsock, is used. If this property is specified, the valid range that FTP will validate is from 5001 to 65535 (see StartingNumber and EndingNumber below); the value may be a range or a single number.


This property can be set only at the service level. For the changes to take effect, the service must be restarted. If the value is invalid, the service will invalidate it and will not restart.

For more information, see Modes and Data Transmission.

Attribute Name Attribute Value

XML Data Type


WMI Data Type


ADSI Data Type


ABO Data Type


ABO Metabase Identifier




Default Value




User Type




Configurable Locations

You can configure this property at the following locations in the IIS metabase.

Metabase Path IIS Admin Object Type



Code Example

For general code examples, see Code Examples to Configure Metabase Properties.
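The following is an added example, not part of the original documentation or of IIS: a pre-deployment check that applies the validation rules described above to a candidate PassivePortRange value and compares the resulting data ports with a set of inbound firewall allow rules. The function names, the `start-end` syntax for a range, and the sample rules are assumptions made for illustration.

```python
import re

WINSOCK_DEFAULT = (1025, 5000)      # used when the property is unset or empty
VALID_MIN, VALID_MAX = 5001, 65535  # bounds the FTP service validates

def effective_passive_range(value):
    """Return (start, end) of the PASV data ports for a PassivePortRange value.

    Raises ValueError for a value the service would treat as invalid.
    Assumption: a range is written "start-end", like the default "1025-5000".
    """
    if not value:
        return WINSOCK_DEFAULT
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value, re.ASCII)
    if m is None:
        raise ValueError(f"not a port or start-end range: {value!r}")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else start
    if start > end:
        raise ValueError(f"start {start} is greater than end {end}")
    if start < VALID_MIN or end > VALID_MAX:
        raise ValueError(f"{value!r} is outside {VALID_MIN}-{VALID_MAX}")
    return start, end

def audit_firewall(value, allowed_ranges, control_port=21):
    """Compare inbound allow rules with the ports PASV FTP needs.

    Returns (missing, excess): passive ports no rule allows, and allowed
    ports that are neither the control port nor in the passive range.
    """
    start, end = effective_passive_range(value)
    needed = set(range(start, end + 1))
    allowed = set()
    for lo, hi in allowed_ranges:
        allowed.update(range(lo, hi + 1))
    allowed.discard(control_port)
    return sorted(needed - allowed), sorted(allowed - needed)

if __name__ == "__main__":
    # Constructed sample: candidate value and inbound allow rules as (low, high).
    rules = [(21, 21), (5500, 5501), (8080, 8080)]
    missing, excess = audit_firewall("5500-5502", rules)
    print("blocked passive ports:", missing)
    print("ports open beyond FTP's needs:", excess)
```

Running the check before the value is written to the metabase catches a value that the service would reject at restart, and the `excess` list shows firewall openings that the chosen range does not require.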