RhinoSoft.com - Newsletter Archive
Newsletter Archives
Back to Newsletter Archive homepage.
11-10-2009 - Secure File Transfer Choices In Serv-U 9
Hello,
Welcome to another installment of the RhinoSoft.com newsletter. You are getting this newsletter because you signed up on our web site. If you would like to stop receiving these newsletters, please visit: http://www.RhinoSoft.com/newsletter/unsubscribe.asp
The intent of this newsletter is to give you some pointers on our products. This newsletter highlights Serv-U's security features.
Meeting With Our Accountants
Recently I had a meeting with RhinoSoft.com's accountants. After discussing the issues for the meeting, the conversation drifted toward how their accountants receive files from their clients. In almost all cases their accountants ask their clients to email their accounting databases and other financial records to them for processing. I know they do this because they've asked us to email our records to them as well!
Naturally, we don't send sensitive information to our accountants via email, instead I have a server dedicated to sensitive material through which they may upload and download files. Normally our accountants will take our accounting software files, make modifications, then give them back to us. For other clients this is usually all done via email. For us it's all done securely via web browsers.
Email is so Insecure
So, maybe you're asking yourself, "what's wrong with sending sensitive files via email" or "yeah, that's what our accountants do too". Well, there are several problems sending sensitive data via email.
First; the connection to your SMTP server is probably insecure, meaning the data that is being sent to your mail server can be read, on the Internet, by anyone trying hard enough.
Second; even if your connection to your email server is secure (i.e., using SSL), there is no guarantee that the next email server connection will use a secure connection. Normally when an email message is sent it first gets sent to your email server, which in-turn, sends it to another email server, normally the end recipient's email server. In some email configurations, there will be even more servers and connections.
Third; your email message will sit on each server, for some period of time, probably in an unencrypted form, usually exactly as it was sent. Anyone with access to that server, whether it's a system administrator, an employee of an ISP, or someone just passing by the server, can read your email message, copy it, modify it, or even delete it.
Fourth; chances are that the recipient of the email message will not be using a secure connection to receive the message. Like the first point listed above, the data transferred over the Internet will be completely unencrypted. Prying eyes will be able to see that sensitive data!
Okay, you're thinking my email client is setup to transfer messages securely, I'm not worried. You should worry, unless you're 100% confident you know every step of your email message, and how it's stored throughout the delivery process.
Serv-U Has Many Secure Choices
You're convinced. You know email isn't a good choice for sensitive data, so now what? Serv-U. Serv-U can solve the problems listed above. Here's how:
1) Create user accounts that require a secure connection. Serv-U supports FTPS (Serv-U Silver & Gold), HTTPS (Serv-U Gold), and SFTP via SSH2 (Serv-U Gold). There are several ways to ensure a secure connection is used:
a) Create secure listeners only. Create only FTPS, HTTPS, and SFTP (SSH2) listeners.
b) If some non-secure access is still desired, force users to login securely. For desired users or groups, select the "Limits & Settings" tab, double click on "Require secure connection before login.", answer "Yes" to create the limit, check the check mark. This setting is also available for the entire server or domain.
c) Disable non-secure protocols for the user or group. These settings are available under "Limits & Settings" as well.
When using one of the secure protocols, all transferred data is encrypted while being transferred over the Internet.
2) Use Windows to encrypt the contents of the target directories for these user accounts. Anyone trying to read these files will be unable without the proper credentials.
3) Since files are being transferred to a secure location (i.e., a server running Serv-U), file are also transferred from this server by the recipient. Unlike email messages where several servers can be between the sender and recipient, your Serv-U server acts as a repository for the exchange of sensitive data.
4) No special client-side software is required. Serv-U provides for 2 built-in secure clients; the Web Client and FTP Voyager JV. When connecting to Serv-U via HTTPS both of these highly secure clients ensure the data is protected from prying eyes. If your application requires a less-sophisticated solution, the Web Client is perfect. If you need something more powerful FTP Voyager JV is the perfect fit.
5) Serv-U has the ability to perform certain events. If you're really concerned about how long sensitive data sits on the server, create an upload event to email a notification to those concerned so immediate action may be performed.
6) If you're required to use an even more secure connection FIPS 140-2 mode ensures the highest level of security for all secure transfers. To enable FIPS 140-2 mode, select the check box under the "Encryption" tab for the server "Limits & Settings". Be aware that some FTP and SFTP clients may not support this higher level of security.
Serv-U 9.0 Improves User Administration
If your company has a lot of clients who would use this solution but your IT resources are limited, Serv-U can help with this as well. Creating client accounts can be a snap, here is my suggestion.
1) Install Serv-U on a computer with plenty of disk space.
2) Determine where you would like to store user home directories, let's use "C:\Serv-U Users"
3) After creating your domain, create a group, call it "Clients". In the "Home Directory" field enter "C:\Serv-U Users\%USER%". Serv-U expands %USER% to the login ID for a particular user.
4) Go into the "Limits & Settings" tab, double click on "Require secure connection before login.", answer "Yes", select the check box then save.
5) Select the "Events" tab for the group. Select the "Create Common Events" button. Select "Email", then enter any email address (the email address doesn't matter). A bunch of events are created, delete all but the "User Welcome Message" (select multiple items using the Shift or Control key while clicking).
NOTE: this event may be created for the entire domain if desired.
6) Double click on the "User Welcome Message" event and customize as you see fit. It might be a good idea to provide a direct HTTP link in this message. For example, http://demo.Serv-U.com/&user=$Name&password=$Password so all a client needs to do is click the link. Save the group.
NOTE: Be sure your server or domain SMTP configuration is setup. These configurations are found under the "Settings" tab of the server and domain pages by pressing the "Configure SMTP" button.
7) Navigate to the users page, change the default user template to include your newly created group. Select the "Template" button. Under the "Groups" tab, select the group, press the left arrow to make all new users members of this group. Save the template.
8) Create users using the "Wizard" button. Enter the login ID, User's full name, and the email address. Step 2; the password page automatically generates a random password for you. Step 3; enter a new Home Directory, or use the one from the group. Step 4; the final step, select FULL Access.
When a new user is created, the new user will receive an email message providing login instructions for the account. Any additional user accounts are created using the wizard only, just a few simple steps.
Serv-U 9.0 For Our Accountants
As you can see, we have a simple solution for our accountants so they can now ensure sensitive data is safe. Maintaining client user accounts is now accomplished and automated through a simple 4-step wizard, of which 2 steps are completely skipped. Creating a user account takes just 15 seconds or less.
There are alternate methods to the above, such as simply entering "C:\Serv-U Users\%USER%" into the user template instead, but that's just slightly less flexible over time. If you find alternative setups that suite your needs, feel free to use those methods. Serv-U is designed to accommodate your needs.
Try Serv-U Free for 30 Days
Download Serv-U:
http://www.Serv-U.com/download/
FREE SUPPORT OPTIONS
If you need technical or sales support, please use one of the following URLs. Our support turn-around time is very fast during normal working hours Central Time U.S.:
Technical Support:
http://www.RhinoSoft.com/support
Knowledge Base:
http://www.RhinoSoft.com/kb
Sales Support:
http://www.RhinoSoft.com/sales
ON-LINE CUSTOMER SERVICE
If you need to change any of your customer information, you can make
changes on-line. The RhinoSoft.com On-line Customer Service page
allows you to resend your registration ID, receipt, invoice, and
change your information in our database. To use visit:
http://www.RhinoSoft.com/customer
Thank you for taking the time to read.
Mark P. Peterson - Presidenthttp://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628
