5

I'm doing some work for a printing company right now. They'd like to set up a more secure FTP situation. It seems like, from what they've described to me, most printing companies have a general FTP account that they give the login info out to all of their clients to upload to. This is how theirs is currently set up. However, the problem is, the way the permissions are set up, you can view everybody else's uploads. They're trying to make their environment secure, but at the same time make it easy for clients to upload. I was telling them two quick things we could do is create client-specific accounts or create temporary accounts (like 7 days) every time somebody needed to upload/download.

What would you recommend? What would be your ideal solution, and what would be most practical? They're currently using all Windows-based servers.

Brett G
  • Would anonymous FTP not work here? Everyone can upload, but no one can see anyone else's stuff. –  Sep 15 '11 at 22:18

6 Answers

3

I would create a different account for each client, locking them to their own directory. There is no way you want clients to see each other's work!
Edit: just wanted to add, if you keep giving temp access out, it's going to annoy your repeat business. It's just as easy to set up perm accounts for them to use :)

AliGibbs
  • I also created "Upload" and "Download" folders, so if somebody was able to break into the account, they would only be able to see the downloads – Brett G Jul 25 '12 at 19:22
3
  1. Don't do FTP. Use either SFTP or FTPS.
  2. Create unique accounts and directories for each customer.
EEAA
  • Are there friendly (idiot-proof) GUIs for SFTP or FTPS included with Windows and OS X these days? Publishing companies get the best luddites trying to upload stuff to be printed - you're lucky if they don't drool on the mouse... – voretaq7 Sep 15 '11 at 18:58
  • Included, nah, unfortunately not. Plenty of free ones available, though. – EEAA Sep 15 '11 at 19:17
  • …but we are talking about the kinds of people who click on banner ads. BANNER ADS! :-{ – voretaq7 Sep 15 '11 at 19:29
  • Very true. Same people that think Comic Sans is God's gift to typology. – EEAA Sep 15 '11 at 19:30
  • …which is why they hire professional publishing houses that (*hopefully*) know better. – voretaq7 Sep 15 '11 at 19:35
  • [link](http://winscp.net) WinSCP is a pretty good free SFTP client for Windows that we've been using. For Mac, [link](http://cyberduck.ch/) Cyberduck is good. – Alo Sep 15 '11 at 20:53
2

If you choose to stick with FTP (please switch to something better), then with some FTP daemons you can set up permissions such that a user will not be able to see files that are uploaded. For example, see the section 'common configuration: an upload-only directory' in the proftpd mini-HOWTO. So the simple answer may be to find an FTP daemon that can support an upload-only feature. Here is a blind drop HOWTO for IIS.

Zoredache
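The two recommendations above (one account and directory per customer, and an upload-only "blind drop" so a client can add files but not list or read what is already there) translate into NTFS ACLs on a Windows file server. The script below is an added example, not code from any poster in this thread. It assumes the FTP/SFTP daemon authenticates against local Windows accounts and roots each user at its own folder (IIS FTP "user isolation" is one way to get that); the root path `D:\ClientDrop`, the `ftp_` account prefix and the client names are constructed for the example.

```powershell
# Added example (not from the original thread): one local account per client,
# each locked to its own directory, with an upload-only blind drop and a
# read-only download folder. Paths, account prefix and client names are assumptions.
#Requires -RunAsAdministrator

$Root    = 'D:\ClientDrop'          # assumed root for all client directories
$Clients = @('acme', 'globex')      # constructed sample client names

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Strip inherited ACEs on the root so no default "Users: Read" rule lets one
# client list another's folder; only Administrators and SYSTEM keep access.
icacls $Root /inheritance:r | Out-Null
icacls $Root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

foreach ($c in $Clients) {
    $user = "ftp_$c"
    $dir  = Join-Path $Root $user
    $who  = "${env:COMPUTERNAME}\${user}"

    # Create the local account if it does not exist; the password is entered
    # interactively rather than hard-coded in the script.
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $user"
        New-LocalUser -Name $user -Password $pw -UserMayNotChangePassword `
            -Description "Client drop account for $c" | Out-Null
    }
    # Make sure the account is not in 'Users', so it has no rights beyond its folder.
    Remove-LocalGroupMember -Group 'Users' -Member $user -ErrorAction SilentlyContinue

    # Per-client root: client gets list/traverse only (no (OI)(CI), so not inherited).
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /inheritance:r | Out-Null
    icacls $dir /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${who}:(RX)" | Out-Null

    $up   = Join-Path $dir 'upload'
    $down = Join-Path $dir 'download'
    New-Item -ItemType Directory -Path $up, $down -Force | Out-Null

    # upload: blind drop. (W) lets the client create and write files; without R
    # it cannot list the directory or read anything already uploaded, so a
    # compromised account leaks no earlier submissions.
    icacls $up   /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${who}:(OI)(CI)(W)" | Out-Null

    # download: staff place proofs here; the client can read but not alter or delete them.
    icacls $down /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${who}:(OI)(CI)(RX)" | Out-Null
}

# Check: each client tree should list only Administrators, SYSTEM and its own account.
foreach ($c in $Clients) { icacls (Join-Path $Root "ftp_$c") /t }
```

One caveat worth testing before rolling this out: some FTP and SFTP clients list a directory before or after an upload, and a write-only folder makes that listing fail, so a few clients will report an error even though the file arrived. If that confuses your customers, the alternative on the page (per-client folders with normal read/write on their own directory only) is still a large improvement over a shared account.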
1

I would go one step further than @AliGibbs' recommendation and say "Ditch FTP, use a web-based upload system". If you google for "web upload script" you'll find a bunch (since you're on Windows you probably want an ASP based one), and you'll probably find one that has decent security controls.

There are some downsides, but FTP is a pretty old (and woefully insecure) protocol - Ditching it would be to your benefit, and the benefit of the internet at large...

voretaq7
  • While web may seem a more flexible and modern solution, it's actually less secure than the FTP option. Vulnerability of web services and the ability to upload files, even regardless of extension, to some web-reachable path, to be included when abusing some other vulnerability, can lead to remote execution; FTP configured/jailed for just upload to a path not used by other services is a much safer option. Also, web has issues that would endanger the password or session unless you use SSL, whereas most FTP clients these days support SSL/TLS and protect such a session better than HTTP – Hrvoje Špoljar Sep 15 '11 at 19:49
  • @Hrvoje - You are describing easily remedied *misconfigurations* which are just as possible (and I would argue prevalent) with FTP-based systems. It is trivial to code an upload script to write to a directory outside the webroot (and to select that directory based on user credentials). Plain http is no less secure than plain FTP, and https is at least equivalent in security to FTPS. Poorly-coded web applications do not make http-based solutions insecure any more than poorly-written C programs make C an insecure language. – voretaq7 Sep 15 '11 at 20:01
  • True, but HTTP was not designed to serve as a file sharing upload/download service while FTP was made to do exactly that; so getting a good, reliable FTP server would be my pick. Certainly your choice has its good sides; this is just my opinion on the matter. – Hrvoje Špoljar Sep 15 '11 at 22:43
  • I don't think HTTP is the *best* option by any means (especially if we're talking more than a 5-10MB upload) - they *should* be using SFTP, or if that's impractical FTPS. HTTP-based solutions require no additional software on the end user's system though, which is a big win when dealing with non-technical users. – voretaq7 Sep 16 '11 at 14:11
  • Precisely determining requirements is always half of the solution ... I guess there are a few things OP could have explained better to help decide on a solution. – Hrvoje Špoljar Sep 16 '11 at 14:29
1

We have used CrushFTP running on a spare Windows box. It can use many formats (SFTP, FTP, HTTPS, SCP, WebDAV and others), but the fact that clients can send/download from a web browser is a big deal for us. And it is secure using SSL. You can have many accounts, and it alerts on transfer if so configured. There is a free trial and support is great. Cost is reasonable. Setup is simple. Accounts and content can be set to expire. CrushFTP

Dave M
1

We run Serv-U; it's pretty impressive with how flexible it is. We use it for SFTP.

As for a client, FileZilla. I know... not the simplest, but if they can learn Office they can learn drag and drop.

StrangeWill