Step-by-Step: Adding a FTP Service on a Non Standard Port in Windows 2000 Advanced / Server
May 8, 2001

Here is a typical situation.  You have a server setup with WEB, FTP, and email capabilities.  You have it all running fine, but one day, you decide to host a website for a friend.  Well, that friend needs you to setup his website on your server. No problem.  That friend needs you to have email forwarded to his personal email account.  No problem (this can be done in DNS).  You friend needs FTP access to your server so they can access their website to upload files, configure things, and other general tinkering.  This makes you think for a second.  You think about a few issues:
  1. Do you want your friend (user) to have access to your FTP site where they can see all your files and configurations?  I mean, hey, you might have some private things there.
  2. Are you afraid they might change some of your files or accidentally screw something up?  You could set the NTFS permissions so that this isn't possible, but then again, remember issue 1?
So how do you let your friend have FTP access to their website and not have access to your own material?  Easy.  Setup another FTP service for them.  This way, the FTP site they log into will be different from yours and they will stay in their own domain and not bug you.  And it's more secure too.

Here comes the tricky part.  You can only have 1 FTP service running on a specific port.  The standard port for FTP is port 21.  You are probably using port 21 for your own purposes, so you can't run your friend's FTP service on port 21.  What are you to do? 

Run a FTP service on a non-standard port!

This is good for several reasons.  First it addresses all of the issues that we mentioned above.  Second, by assigning your buddy's FTP service to a nonstandard port, it is less likely to get hacked into unless your buddy is giving his password and port number away to everybody (unlikely).  In most situations, FTP services on non standard ports are much less likely to be compromised than FTP services on the standard port of 21.  You're the person who needs to watch out of you're own FTP is on port 21!

The great thing about ports is that there are tons of them.  If you have several users, you can grant them access by giving each user a FTP service with their own unique port number.  Which port numbers should you use?  You don't want to use any ports that are already in use, so you need to find a range that is pretty unpopulated.  My guess is that anything with 4 digits is pretty safe.  So you can give one FTP service access on port 9000 and then number them consecutively - 9001, 9002, 9003.. etc.

Don't forget to forward the proper ports on the router to reflect the port numbers you choose for your FTP servers.  Here's how to do it on the Linksys router.  The example uses the older 1.2x firmware which looks different than the current 1.3x firmwares, but the concept is the same.

However, there are some problems with running a FTP service on a non standard port.  Here is a summary of the problems:

The FTP server IS behind a router and the FTP user/client is NOT behind a router
The FTP server is NOT  behind a router and the FTP user/client IS behind a router
The FTP server IS behind a router and the FTP user/client IS also behind a router

As you can see, when both the FTP server AND the FTP user/client are BOTH behind a router, there are problems with making a successful connection.  This problem seems to be prevalent in many brands of home DSL/Cable routers.  The problem also manifests itself while using ICQ.  If you have a solution to this problem, I would love to hear from you by email!

Okay people, let's get started setting up our FTP service on a non standard port.

Start -> Settings -> Control Panel -> Administrative Tools -> Internet Service Manager.

Right click on "*server" and select New -> FTP Site

Click "Next" to continue.

Label your website with a descriptive name so you can keep track of it easily.

For our example, we'll call it "DSL/Cable Example".  Click "Next".

Here we are prompted for the IP address and TCP port number.

Using the drop down box, select the IP number you wish to use.  Do not leave the IP number as "All Unassigned" as this may cause problems later.

For the TCP port, I chose "9988".  You can choose pretty much any 4 digit number without too much problems.  Do not leave this number at the default 21 since you probably already have a FTP service running on that port.  Also remember to forward the same port number on your DSL/Cable router otherwise the port number will be blocked by the router.  Click "Next".

Here you select the directory that you assigned to your user.

How should the FTP directory relate to the actual WEB directory that is accessible from the web?  Let's take a look.

When you configure the WEB part of IIS 5.0, you had to select the root directory for the website which in my case was "www".  So when I try to access my site by a web browser, it takes me to the files that are inside "www".

The FTP root directory can be set up in many ways, but here are two popular ways.  1.  You can set the FTP directory as the same as the WEB directory at "www".  2.  However, most administrators like to give the FTP directory "one level up" on the WEB directory.  In the picture above, one step up above "www" is "example".  This gives your user a "staging area" where the can store files or put old copies of their website.  Visitors to that particular website can't see what's in the "example" directory, but can only see what's in the "www" directory.

However, if you don't want your user to store files on your computer that aren't going to be directly viewable from the web, then you can set the FTP and WEB root directories as the same directory.  It's up to you.  However, having the staging area is pretty nice if you can afford the disk space and bandwidth.

Of course you have to make all these directories on your own using Windows Explorer.

Use the "Browse" button to choose the FTP directory.  Click "Next".

Here you set the read and write settings.  By default, only "Read" is checked.

If your user is going to be managing a website, then they need both "Read" and Write" permissions enabled.  Click "Next".

Ta-da!  We're done!  Click on "Finish"  However, we still need to do several things.

In the Internet Service Manager, right click on the name of the FTP site you just created then right click and select "Properties".  Here should be all the information that you entered previously.  Make sure the info here is to your liking.  Click on the "Security Accounts" Tab.

By default, this FTP site is open to anonymous connections.  Since we are setting up this FTP service for a specific user, we don't want this so we uncheck the box labeled "Allow Anonymous Connections".

You'll get this prompt - click "Yes".

Now let's look at the "FTP Site Operators" in the bottom half of the screen.  By default, only Administrators can have full control over the FTP site.  You need to create an account for your user and then add them to the "Operators" list.

Here is a Step-by-Step: Creating a New User Account in Windows 2000.

Once you create a new user account for your friend/user, click on "Add"

Scroll down this list until you see the user you want.

The user account that I created for this example is named "dslcableguest".  Click on "Add" to move that name into the bottom window.  If that FTP site has more than one user/operator, add those names also.

"dslcableguest" is now added to the bottom window.  Click on "OK".

"dslcableguest" is now added to the list of operators.
Note: "Administrators" cannot be removed from the operators list.  Next click on the "Messages" tab.

You have the option of adding a personal welcome message and exit message.  Here's what I have.

Next click on the "Home Directory" tab.

This is simply what you setup when you first configured the FTP site. However, there are more options for you to play with.  Set them accordingly.

Next click on "Directory Security".

You can never be secure enough these days. Here you can set it so all IP's are granted access or all IP's are denied access.  Then you add exceptions to this list.

For example, if you know your user only accesses the FTP site from home on a static IP number that never changes, then you can set the radio button to "Denied Access" for all IP numbers except the IP number of your user which you add into the "except" window.  If your user will access this FTP site from many different computers, then this won't work.

Whatever changes you make to this window won't take place until you restart the FTP service.  You need to go into the Internet Service Manager, select the correct FTP service, stop it and then restart it.

You're done!

Step by Step Menu