If you want your site to be PCI Compliant and plan on using FTP, don’t plan on using IIS 7 to run FTP. It just cannot be secured properly.
While trying to secure a site that was failing PCI compliance testing, I hit upon a problem that is going to bite Microsoft, big time! It seems that there is no way to send passwords from your FTP program to IIS other than clear text, even while using SSL. This is a big red flag with PCI compliance and a huge security risk.
My first thought was to use FTP IP and Domain restrictions to prevent connections in the first place, but alas, Microsoft in their infinite wisdom, first asks for your username and password then checks to see what IP address your coming from. Completely backwards!
My solution was to put the IP address restrictions at my firewall. Another solution I will be implementing in the future will be to turn FTP publishing off and then setup a more secure FTP server that will take encrypted passwords.