Security Basics mailing list archives
RE: Secure FTP
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Mon, 26 Mar 2007 10:56:22 -0400
Aaron,

You have the option of using HTTPS instead of FTP to meet your need for encryption. You can do this by buying a cert from VeriSign (or whomever), or alternatively having IIS generate a self signed cert using selfssl.exe from the resource kit. If you use a self signed cert, educate your clients about what to expect when they see the prompts.

Next, you'd create user accounts locally on the web server, and establish directories with appropriate permissions. Then, create the corresponding virtual directories in IIS and again assign appropriate permissions. You would provide each of your customers/clients with an individual login (local to the web server, not domain accts).

Your clients would then access their directory as a 'web folder' within IE, by going to File, Open, and clicking 'open as web folder' in the dialog. They could then drag or drop from/into their directory. All file transfers would be recorded in your IIS logs, of course.

I implemented this solution at a medium sized (500+ attorney) law firm in a previous role, and the maintenance was minimal. One gotcha however was that unlike in a domain environment, local accounts cannot be set to automatically expire. I wanted this feature so that opposing counsel would have an account active only for the appropriate amount of time. Many solutions were freely available on the web to expire the local accts; I've forgotten which one I used.

This solution is fast, easy, and can be accomplished with what you already have, so without additional expense or need for your clients to download additional software.

Kind Regards,

Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of aaronr () imcu com
Sent: Tuesday, March 20, 2007 9:35 AM
To: security-basics () securityfocus com
Subject: Secure FTP

Hi all,

Long time reader, first time poster. Got a quick question that I was hoping you all could point me in the right direction...

We have a public facing FTP server that we would like to secure. We are running a MS 2003 Active Directory domain and this box is running on Win2k Server. What is the best way to secure this FTP server? I've tried SFTP, but was just curious as to what else is out there. Right now we are using the built-in IIS FTP server.

Our goal is to provide a public FTP server so that clients or customers can drop off large files there without the need to e-mail them. We aren't too keen on the fact that FTP is cleartext and these are domain user/pass going back and forth. Plus, we are a financial institution and any way to encrypt this traffic would definitely be a plus....even if we have to provide a link to connecting clients so that they can download a free secure FTP client.

Any thoughts? Thanks in advance!

Aaron
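The reply above notes that every web-folder transfer ends up in the IIS logs. The following is an added example, not part of the original thread, that audits such a log per client account and flags any account touching a directory other than its own. It assumes W3C extended logging with the cs-username field enabled and that each virtual directory is named after its local account; the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format; accounts, IPs and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-03-26 14:01:10 203.0.113.5 - PROPFIND /clientA/ 401
2007-03-26 14:01:11 203.0.113.5 clientA PROPFIND /clientA/ 207
2007-03-26 14:02:03 203.0.113.5 clientA PUT /clientA/statement.pdf 201
2007-03-26 14:05:40 198.51.100.7 WEB01\\clientB GET /clientB/report.xls 200
2007-03-26 14:06:02 198.51.100.7 WEB01\\clientB PUT /clientA/drop.zip 403
2007-03-26 14:07:15 198.51.100.7 WEB01\\clientB DELETE /clientB/old.txt 204
"""

KINDS = {"PUT": "upload", "GET": "download", "DELETE": "delete"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def audit(text):
    """Return (per-account transfer counts, requests outside the account's own directory)."""
    transfers = defaultdict(lambda: {"upload": 0, "download": 0, "delete": 0})
    violations = []
    for r in parse_w3c(text):
        user = r["cs-username"].split("\\")[-1]  # drop a MACHINE\ prefix if logged
        kind = KINDS.get(r["cs-method"])
        if user == "-" or kind is None:
            continue  # unauthenticated challenge, or a WebDAV listing such as PROPFIND
        top_dir = r["cs-uri-stem"].strip("/").split("/")[0]
        if top_dir.lower() != user.lower():
            violations.append((r["date"], r["time"], user, r["cs-method"], r["cs-uri-stem"], r["sc-status"]))
        elif r["sc-status"].startswith("2"):
            transfers[user][kind] += 1
    return dict(transfers), violations

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A 403 in the violations list means the directory permissions held; a 2xx status there means one client's account can reach another client's files.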