Re: Enterprise FTP Solution

From: S. Pidgorny (slavickp_at_yahoo.com)
Date: 05/13/04

• Next message: Florian Proch: "acceptPKCS7 error : No KeySet..."
• Previous message: Sadie: "Documentation of IE Advanced Options?"
• In reply to: Wren Mott: "Enterprise FTP Solution"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 13 May 2004 21:38:12 +1000

I seriously recommend considering alternatives to FTP protocol, as it
doesn't feature encryption.

Then, regardless of the protocol, you will have to manage user accounts if
you chose to implement user-level access. The risk here is in improper
segregation - that is, possibility of some users to access information of
others.

The solution? Use anonymous or unified user access - that avoids the need of
managing user accounts. Make sure that the data needed to identify the
client is included with the file, or use a Web form that includes
identification field, or something along those lines.

-- 
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Wren Mott" <wren_mott@hotmail.com> wrote in message
news:u8A4WZEOEHA.1104@TK2MSFTNGP10.phx.gbl...
> Hi Everyone,
>
> We have a project in the works whose scope encompasses FTP in two areas
(the
> solution is an AD integrated FTP farm running in isolation mode with
storage
> living on EMC).
>
> The first is internal file transfers by applications that will have static
> accounts in AD and encryption is handled at the network level.   The
number
> of accounts in this group is minimal and will rarely change.
>
> The second directive is that the same FTP solution must also service
> external customers.  These are customers who have an occasional need to
> upload sensitive financial databases created by our software for support
of
> one kind or another.  The number of clients that will want to use this
> service is expected to be a couple of thousand.
>
> Here is the quandry.  Since the FTP solution is AD integrated creating
> thousands of accounts for external users is the most obvious solution.
> However, managing those accounts and the security risks they pose is a
> nightmare.  Is there another form of authentication that we should be
> looking at to handle these users?  Would deploying certificates help us?
It
> is important to note that each user should be locked down to their own
> personal directory and not have the ability to browse beyond it.
>
> As far as the upload process goes, we are planning on creating an .ASP
page
> that will allow them to browse for a file on their machine and then click
an
> "Upload" button.
>
> Does anyone have any design/implementation suggestions?
>
>

---

• Next message: Florian Proch: "acceptPKCS7 error : No KeySet..."
• Previous message: Sadie: "Documentation of IE Advanced Options?"
• In reply to: Wren Mott: "Enterprise FTP Solution"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)