The File Transfer Protocol (FTP) service is one of the most venerable services to date. Its presence on the Internet predates HTTP, and it’s still one of the best options users have to transfer large files across a WAN. Indeed, some sites have begun offering HTTP-based downloads because of corporations that block both outgoing and incoming FTP ports, but FTP remains the most efficient transport mechanism of the two. However, FTP has some inherent security issues, the most prominent of which is its nature to transmit password information in clear text through the Internet—a huge security hole and a grab bag for packet sniffers. Beware of that, and use FTP when and where that problem is not severe or applicable enough for you to worry about.

IIS 6 comes complete with an FTP service and includes some new security features that harden FTP against the unwanted on the Internet. IIS 6 includes FTP user isolation mode, which restricts an FTP client’s ability to move around in directory structures outside of his home directory. You need to set up an FTP site to either use isolation mode or disregard it, and in this section, we’ll tackle both and discuss where it might be appropriate to use either.