Best Practices for Configuring Your FTP Server
As a developer of secure file transfer software we frequently have customers ask us what the best practices are when configuring their FTP server software. The following are a set of best practices we ask each customer to consider during setup and configuration. These best practices are catered primarily to users of JSCAPE Secure FTP Server but should be considered regardless of what server software vendor you are using.
Transport Services and Security
The first question you should ask yourself is what file transfer services you want to offer. There are several file transfer services available including FTP, FTPS (FTP over SSL), SFTP, HTTP/S and WebDAV. Which services you choose may depend on several variables which include but are not limited to: existing processes or software, availability of client software, firewall restrictions and network security.
If you have existing processes that rely on certain services then short of rewriting those processes the decision has already been made for you. Rewriting processes is typically only necessary if you are wanting to move from an insecure protocol such as FTP to a secure protocol such as FTPS or SFTP and vary in complexity.
Most file transfer clients today support FTP, FTPS and SFTP protocols so locating compatible client software is generally not an issue. However, supporting these clients and the costs associated with them can be expensive. If possible it is best to standardize your users on a single client in order to reduce support costs. If you are hoping to avoid client software altogether you may consider using a browser based client such as the HTML and Java based clients provided in JSCAPE Secure FTP Server. These clients require no installation and no per-user license fees reducing your support and licensing costs considerably.
If your server is behind a strict firewall that restricts most inbound traffic it is recommended that you stick to SFTP, HTTP/S and WebDAV services if possible. FTP is less firewall friendly than the above mentioned services due to the fact that separate ports must be used for data and command channels. This does not mean that you should not use FTP/S, just that if you or your clients have a firewall be prepared to open a range of ports v.s. a single port for SFTP, HTTP/S and WebDAV services.
If you need to secure your user credentials and data (the only reason not to is to support existing processes) it is important that you select a secure file transfer service. FTPS, SFTP, HTTPS and WebDAV/S are all secure services that encrypt both your data and user credentials as it travels over the network. It is important to note however that there are two types of FTPS. These are known as FTPS explicit SSL and FTPS implicit SSL. An explanation of their differences can be found here, however suffice it to say that if you are using FTPS you should go with FTPS implicit SSL or FTPS forced explicit SSL. Both of these methods ensure that users must login using an SSL encrypted session whereas the standard FTPS explicit SSL may allow both encrypted and unencrypted sessions.
Account Permissions
User accounts should limit users only to the data they need to see and to the actions they need to perform. For example, if a user only needs the ability to upload files then all other functionality such as the ability to download or delete files should be removed for this user. For ease of user manageability it is generally a good idea to create a group or user template which defines the permissions for a group of common user roles. Users and their permissions can be defined in the Users section of JSCAPE Secure FTP Server Manager.
Password Policies
Part of good network security is making sure that your users choose strong passwords. This protects accounts against brute force dictionary attacks or easily guessed passwords. Strong passwords should be a minimum of 8 characters in length and contain uppercase, lowercase, numeric and non-alpha-numeric characters. Furthermore, users should be forced to change passwords on a regular basis (i.e. every 90 days). Password compliance settings may be found in the Compliance section of JSCAPE Secure FTP Server Manager.
Trusted Access Lists
If possible it is a good idea to restrict access to your file transfer services to only trusted networks. This can be accomplished defining a white-list in your firewall or by using the IP Access section available in JSCAPE Secure FTP Server Manager. Using a white-list you can restrict access to trusted networks, preventing possible DOS (Denial of Service) or brute force password attacks from untrusted networks.
Detect and Respond to Rogue Activity
Brute password attacks can come from both trusted and untrusted networks. If you have defined a white-list then this significantly reduces your risk. You are however still open to attack from your trusted networks. These attacks can come from your employees, your customers employees and hackers that have gained access to your trusted networks. To address this risk you should automatically detect and respond to these types of attacks. A common method of handling this is to automatically block the client IP address from further access in the event client has failed authentication several times within a short period of time. These options may be set in the Connections section of JSCAPE Secure FTP Server Manager. In the event that an IP address is blocked an IP Blocked event is raised and client IP is automatically added to IP Access list in JSCAPE Secure FTP Server Manager as a denied client IP. Furthermore, it is also a good idea to capture the IP Blocked event using a Trigger and respond to that event by sending an email message (using the Send Email action) to a system administrator for further investigation.
Activity Logging
It is very important that you log all server activity. After all, in the event your server is compromised it is this log data that will tell you what data was exposed. If your company is subject to SOX or HIPAA compliance then this is an absolute requirement. Without this log data then in the event of an intrusion you have to assume that ALL data on the server has been exposed. For very secure environments you may consider writing your log files to a tamper proof database on a remote server. The database account used by the server to write log data should have permissions that limit it to appending records only. This will ensure that database records cannot be updated or deleted to hide activity. Both file and database logging support are provided and may be defined in the Logging section of JSCAPE Secure FTP Server Manager.
Comments