Security Basics mailing list archives

RE: Secure FTP


From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Mon, 26 Mar 2007 10:56:22 -0400



Aaron,

You have the option of using HTTPS, instead of FTP to meet your need for
encryption.

You can do this by buying a cert from VeriSign (or whomever), or
alternatively having IIS generate a self-signed cert using selfssl.exe
from the resource kit.  If you use a self-signed cert, educate your
clients about what to expect when they see the prompts.

Next, you'd create user accounts locally on the web server, and
establish directories with appropriate permissions.  Then, create the
corresponding virtual directories in IIS and again assign appropriate
permissions.  You would provide each of your customers/clients with an
individual login (local to the web server, not domain accts).

Your clients would then access their directory as a 'web folder' within
IE, by going to File, Open, and clicking 'open as web folder' in the
dialog.  They could then drag or drop from/into their directory.  All
file transfers would be recorded in your IIS logs, of course.

I implemented this solution at a medium-sized (500+ attorney) law firm
in a previous role, and the maintenance was minimal.  One gotcha, however,
was that unlike in a domain environment, local accounts cannot be set to
automatically expire.  I wanted this feature so that opposing counsel
would have an account active only for the appropriate amount of time.
Many solutions were freely available on the web to expire the local
accts; I've forgotten which one I used.

This solution is fast, easy, and can be accomplished with what you
already have, so without additional expense or need for your clients to
download additional software.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer
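As an added illustration (not from Scott's post or any IIS tooling), a small audit over a constructed IIS 6 W3C log in the layout described above: it records successful PUT/GET transfers per local account, counts denied requests per source address, and flags a client account reaching into another client's virtual directory, which is the permission mistake the per-client directory layout is meant to prevent. The log lines, account names and addresses are constructed.

```python
"""Audit IIS W3C logs for per-client WebDAV ('web folder') file transfers."""
from collections import defaultdict

# Constructed sample of an IIS 6 W3C extended log (not real traffic).
# Each client account (local to the web server) owns one virtual directory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-03-26 14:02:11 203.0.113.7 acme PROPFIND /acme/ 207
2007-03-26 14:02:19 203.0.113.7 acme PUT /acme/contract.pdf 201
2007-03-26 14:05:40 198.51.100.9 globex GET /globex/brief.doc 200
2007-03-26 14:06:02 198.51.100.9 globex GET /acme/contract.pdf 401
2007-03-26 14:06:05 198.51.100.9 globex GET /acme/contract.pdf 200
2007-03-26 14:07:30 192.0.2.44 - PUT /acme/upload.bin 401
"""

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def owner_of(uri_stem):
    """Owner of a virtual directory laid out as /<client>/...; None for '/'."""
    first = uri_stem.strip("/").split("/")[0]
    return first or None

def audit(text):
    """Return (successful transfers per user, denied requests per IP, findings)."""
    transfers = defaultdict(list)
    denied = defaultdict(int)
    findings = []
    for e in parse_w3c(text):
        if e["cs-status" if "cs-status" in e else "sc-status"] in ("401", "403"):
            denied[e["c-ip"]] += 1
            continue
        if e["cs-method"] not in ("PUT", "GET") or not e["sc-status"].startswith("2"):
            continue
        user = e["cs-username"]
        transfers[user].append((e["cs-method"], e["cs-uri-stem"]))
        # A successful transfer outside the account's own folder means the
        # NTFS or virtual-directory permissions are wider than intended.
        if owner_of(e["cs-uri-stem"]) != user:
            findings.append(f"{user} {e['cs-method']} {e['cs-uri-stem']} outside own folder")
    return dict(transfers), dict(denied), findings
```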

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of aaronr () imcu com
Sent: Tuesday, March 20, 2007 9:35 AM
To: security-basics () securityfocus com
Subject: Secure FTP

Hi all,

Long time reader, first time poster.  Got a quick question that I was
hoping you all could point me in the right direction...

We have a public facing FTP server that we would like to secure.  We are
running a MS 2003 Active Directory domain and this box is running on
Win2k Server.  What is the best way to secure this FTP server?  I've
tried SFTP, but was just curious as to what else is out there.  Right
now we are using the builtin IIS FTP server.  Our goal is to provide a
public FTP server so that clients or customers can dropoff large files
there without the need to e-mail them.  We aren't too keen on the fact
that FTP is cleartext and these are domain user/pass going back and
forth.  Plus, we are a financial institution and any way to encrypt this
traffic would definitely be a plus....even if we have to provide a link
to connecting clients so that they can download a free secure FTP
client.

Any thoughts?

Thanks in advance!
Aaron

