SECURE FTP SITE ON Windows 2003

We have a Windows 2003 IIS server set up behind our firewall, which is a PIX firewall. What is the best method to establish a secure FTP site on this IIS server? I have reviewed this topic on the internet and actually talked with somebody from IPSWITCH, and the best method available is to purchase a third party client setup, such as IPSWITCH. This would mean end users would have to install this client when they first try to hit our FTP site, and secondly they could not simply use Internet Explorer. What we want, if it exists, is to establish a secure FTP site where the end user can use their Internet Explorer browser. They can transmit files to us once they are connected and the user knows it is a secure site connection. I also talked to Verisign and they told me their certificates do not work in establishing a secure FTP site. Will the end user then be able to come directly through the internet to our FTP site, then have to login with a userid and password and be able to upload or download files from our site?
ASKED: September 1, 2006  8:22 AM
UPDATED: September 8, 2006  10:37 AM

Answer Wiki


You’ve stumbled across something that a lot of us deal with in the MS world when trying to accomplish this. From my personal experience with it I would do one of two things:

1) Consider using a standard FTP server with PGP encrypted files.
2) Consider using a third party product, as you already have one of the better ones out there (IPSWITCH).
3) A potential solution might be to allow outside users a Web SSL VPN connection into a DMZ where all they can see is your FTP server and then pass files to it along a VPN tunnel. You’d need a Cisco VPN 3005 or a newer ASA series firewall to do this though. Users would just hit a website, login to the SSL VPN and just click the object for the FTP server and pass a file along using the VPN tunnel and then sign out.

I’ve used the Ipswitch WS_FTP Pro client with good results with PGP encrypted and unencrypted files. The only problems I had were when some boneheads used really old versions of PGP which WS_FTP didn’t really like. Otherwise it worked well, esp. with the automated scripting client it comes with and the auto-decryption of files ending in .pgp. That was great.

best regards

Discuss This Question: 7  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Mconfer
    Thanks for the reply. If we go with option one, implementing the standard FTP site with unique userid login/passwords with each user having their own folder for files, how would the PGP work? Would each client have to download PGP to purchase it or is that provided on a server level purchase? Would the client then have to learn PGP to encrypt files to send to us? Do you know of other options besides ipswitch and if we use ipswitch or other third party software, do we need to use PGP on top of that? Thanks
  • Turman
    One option is to set up a WebDAV site on your IIS server, instead of FTP. Then protect it with SSL. Here are some sites that I read before choosing that route: http://groups.google.com/group/microsoft.public.inetserver.iis.security/browse_frm/thread/c2e7f34b19558ac3/dcff166eaa262eae?lnk=st&q=webdav+iis+ssl+6.0&rnum=3&hl=en#dcff166eaa262eae and http://www.windowsitpro.com/Article/ArticleID/49847/49847.html
  • Mconfer
    By using WebDAV, can you set up a unique folder for each login ID and password? The users will not be our staff, but all our clients and reps. They will be downloading files or uploading files to and from the site. Is WebDAV as secure and easy to use as a secure FTP site? Lastly, what about the PGP option? Do we need this for both the WebDAV and the secure FTP, or only as a method if we go with the standard FTP site? PGP is no longer free, and how is this worked out for client use? Do we pay for that beforehand in a server license agreement and they set up from us and then they need to be trained to use PGP? Thanks
  • Turman
    When using WebDAV, you can create unique folders and then secure them to users or groups by granting them create, read, delete rights. It would be the same as users browsing a shared drive. Users can see everyone's folder, but can't access them unless they have read rights.
  • PDMeat
    If you choose Ipswitch WS FTP, it has licensed patented PGP algorithms so you don't need to purchase or use another PGP program for it to work. Other users can download using standard FTP and use a third party PGP program to decrypt if they like, but I ran into the issue of older free versions of PGP that used only unpatented algorithms and had issues with the files (these versions were years old). In my case I was writing the simple automated scripts that downloaded the files and auto-decrypted them from the client side. In your case, you will host the server and have to handle clients. If the clients may be using various browsers and/or Linux/Unix OS, I don't know how WebDAV would behave because I've not used it. You can also run an SSH server, which the WSFTP client works with and all Linux/Unix hosts work with as well. I believe Ipswitch may have an SSH server product, but if not there are tons of them out there.
  • Mconfer
    Thanks for the feedback on the options, but which one do you think is the best method to implement: the Ipswitch, FTP with PGP, or the VPN method? On top of that, do you know which one is the most cost effective method yet is secure? Thanks
  • YosiNYC
    Hi, regarding the cost: if this is going to be a very busy FTP server that is an integral part of your day to day business, then going with WS_FTP w/PGP will justify the cost. However, if you're going to use it lightly, and cost is an issue, you can give a standard FTP server a try; you can probably find tons of freeware that will take care of your file security needs. Hope this helps, Yosi