  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 364

Creating an FTP script to move a file with specifying domain account credentials. Certificates the answer?

We have an FTP server that is running on a DMZ system. In the past we have created FTP.exe based scripts that move files from the FTP server to a share on the network somewhere. In order to do this we have created reduced-privilege accounts that have limited access and explicitly put the username and password in the script.
We can no longer do this. We need some way of automating the FTP transfer without specifying credentials. One of the security guys mentioned certificates as a possible solution.

Can someone please provide me with instructions on going about this?
The FTP server is a proprietary server.
Both boxes are Windows 2003.
I am using Windows ftp.exe but I can change that.

Thanks in advance.
0
Asked by: bbcac

3 Solutions
 
Paranormastic (Cryptographic Engineer) commented:
What are the security requirements for logging in?  If it is just that they cannot be passed in clear text this should be fairly easy - FTPS (FTP over SSL) - this will use a standard server certificate.  Take a look at FileZilla for client and server; it works okay (I don't think any of them are really all that great yet for functionality, but they are functional and secure).  When you assign the cert to the server (if using an issued cert instead of self-signed then convert to PEM format using OpenSSL) then export it without the private key to copy to clients in the directory where you installed the executable in order to 'import' it...

You can also try IIS7 if you have 2008...
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/


If you are looking for certificate logon for FTP then you might want to look for one that supports client certificate mapping.  

The last concept you could look into is "SFTP" (FTP over SSH) - for this you can establish a secure shell and then use that for your FTP stuff.  I haven't gotten around to testing this out yet, but I understand not as many products support it; I believe PuTTY does, which is a long-established, decent SSH program that is open source/free and that I would recommend anyway.
0
 
bbcac (Author) commented:
We cannot transmit the password in clear text or hard-code the password anywhere. What do you suggest then?
0
 
Paranormastic (Cryptographic Engineer) commented:
Um.

So you want to create a script to log into FTP that doesn't supply the password at all - I would assume this would include both the FTP password and a password for the private key of a user certificate...  

What if the script called a file that was stored in encrypted format under the script user's context (i.e. the user account the script uses has an EFS certificate or something similar that won't prompt for a PIN, and is then used to decrypt a password file for either the FTP session or the certificate PIN)?

That's about all I got from my understanding of your requirements... Might see if you can request attention to add to 2 more programming zones...
0
 
omarfarid commented:
0
 
Paranormastic (Cryptographic Engineer) commented:
You would still need to connect to the SFTP server, which would require a password.  I suppose you could use PuTTY to store the password for the SSH session, if that is acceptable.
0
 
bbcac (Author) commented:
My security team has recommended using self-signed certificates. Is this viable? Or do they not have any idea what they are talking about?
0
 
Paranormastic (Cryptographic Engineer) commented:
Yes and no...  self-signed certs are clumsy and are generally meant for the test lab.

If this is a tightly controlled environment where you can easily control that the self-signed certificate is installed on each client box in the trusted root CA store then it is viable for a few servers.  They're free and usually relatively easy - that's why people like to use them.

Reasons to consider for not using self signed certs:
1) They cannot be revoked.  There is no managing certification authority.
2) Expiration dates are either difficult to track since they are not centrally accessible, OR a common workaround to this is to issue a cert that can be hacked in 5-10 years to be valid for 99 years.
3) Each cert added to the root store of your clients adds up.  You won't notice a performance impact until a fair number are installed, like well over 50 - but there is a critical mass point where every SSL session will take a long time to search through all the roots to find the right one.  This can happen as early as 80-100 certs.
4) Possible conflict with corporate policy - some larger companies declare that all certs used on the network should be issued by the company's internal CA or by the company's approved commercial certificate provider - there may be a specific team that handles cert issuance.
5) Additional overhead of having to import multiple self-signed certs to all of the clients instead of one root certificate.
6) Depending on how you are installing (manual or script) - a manual installation can be risky as most instructions do not ask the user to verify the signature / thumbprint of the certificate prior to importing.  This makes it easier for a potential rogue certificate to become fully trusted (read: establishing a trust base for all of your users) instead of having the security of a single root certificate that is deployed using enterprise tools like GPO.
0
 
bbcac (Author) commented:
What about using a private/public key method? We have tested this here and it seems to work pretty well. Unfortunately, if you passphrase the key then you have to load the passphrase every time you reboot. Does anyone know a way around this?
0
 
Paranormastic (Cryptographic Engineer) commented:
The passphrase for the key is just necessary if you use that level of security.  You could use a script to fill it in during execution - I'm not much of a programmer but I would think this could be done with Perl and probably some other languages.
0
 
bbcac (Author) commented:
Then we are back to the same circumstance where I am hard-coding a password/passphrase, which I am sure won't fly with the security team. If I used the private/public key without a passphrase then anyone can grab the file and use it, just like a password.

Any other suggestions?
0
 
Paranormastic (Cryptographic Engineer) commented:
Okay, I think the only way around this impasse is to have a script file reference a password file that is encrypted, or to have the script itself be encrypted.

If necessary, the file could be encrypted under a dummy user's account credentials, so nobody should be able to access that account to decrypt the file.  You can secure that account using a split password (where multiple people each enter part of the password) - this ensures multiple-person integrity and that no single person knows that password.  Enable auditing functions under the local security policy on that box; with it being a local user account, random admins can't just reset it, and if it gets reset it is as a local admin (which may need to be restricted down to the local admin account instead of the local admin group containing domain admins, helpdesk, etc.).

This is a bit of overkill, as usually there is some programmatic way of storing an encrypted password, but this would be one way of handling it.


The big difference here is that the password is now being sent locally, not across the wire.  If an attacker can get in to read the memory or that encrypted password file ... well, let's just say that you have much bigger issues to worry about at that point.
0
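As an added example (my code, not the thread's and not any vendor's), here is what the two ideas above look like together on Windows: the password kept in a file that only the script's own account can decrypt (the EFS idea in the comment above, done with DPAPI, which is what ConvertFrom-SecureString uses when no key is given), and the transfer done over the FTPS that the first answer suggests, with the server certificate pinned by thumbprint so a self-signed certificate never has to go into a root store and the thumbprint is always checked. It assumes PowerShell 2.0 or later on the job box and an FTPS-capable server; the host name ftps.example.internal, the account svc-ftpmove, the file paths and the thumbprint are placeholders.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 2.0 or later;
# ftps.example.internal, svc-ftpmove, the paths and the thumbprint are placeholders.

# One-time setup, run interactively AS THE SERVICE ACCOUNT. ConvertFrom-SecureString
# without -Key protects the value with DPAPI in user scope: another user, or the same
# user on another machine, cannot decrypt the blob, and no clear-text copy is written.
function Save-FtpPassword {
    param([Parameter(Mandatory = $true)][string]$Path)
    $secure = Read-Host -Prompt 'FTP password' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path
}

# Read the blob back as a SecureString. This throws when run under any other
# account, which is exactly the property wanted here.
function Get-FtpPassword {
    param([Parameter(Mandatory = $true)][string]$Path)
    $blob = (Get-Content -Path $Path | Select-Object -First 1)
    return ($blob | ConvertTo-SecureString)
}

# SHA-1 thumbprint (40 hex digits) the server must present. Read it from the
# Certificates MMC or from 'certutil -dump server.cer' ("Cert Hash(sha1)").
$script:PinnedThumbprint = $null

# Upload one file over explicit FTPS (AUTH TLS on port 21). Chain and host-name
# errors are deliberately ignored because a self-signed cert has no chain; instead
# an exact thumbprint match is required, so a rogue certificate is rejected even
# if it was issued by a CA the client happens to trust.
function Send-FileOverFtps {
    param(
        [Parameter(Mandatory = $true)][string]$LocalPath,
        [Parameter(Mandatory = $true)][string]$FtpsUri,
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $script:PinnedThumbprint = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($script:PinnedThumbprint.Length -ne 40) {
        throw 'ExpectedThumbprint must be a 40-digit SHA-1 hex string'
    }

    # Process-wide callback: GetCertHashString() returns the SHA-1 thumbprint as upper-case hex.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        return ($certificate.GetCertHashString() -eq $script:PinnedThumbprint)
    }

    $request = [System.Net.WebRequest]::Create($FtpsUri)   # ftp:// URI -> FtpWebRequest
    $request.Method     = [System.Net.WebRequestMethods+Ftp]::UploadFile
    $request.EnableSsl  = $true
    $request.UsePassive = $true
    $request.UseBinary  = $true
    # The password is decrypted only here, in this process's memory, for the login.
    $cred = New-Object System.Management.Automation.PSCredential($UserName, $Password)
    $request.Credentials = $cred.GetNetworkCredential()

    $bytes  = [System.IO.File]::ReadAllBytes($LocalPath)
    $stream = $request.GetRequestStream()
    try     { $stream.Write($bytes, 0, $bytes.Length) }
    finally { $stream.Close() }

    $response = $request.GetResponse()
    try     { return $response.StatusDescription }
    finally { $response.Close() }
}

# Usage:
#   Save-FtpPassword -Path 'C:\Jobs\ftp.cred'              # once, interactively, as svc-ftpmove
#   $pw = Get-FtpPassword -Path 'C:\Jobs\ftp.cred'         # from the scheduled job, same account
#   Send-FileOverFtps -LocalPath 'C:\Outbox\report.csv' `
#       -FtpsUri 'ftp://ftps.example.internal/inbox/report.csv' `
#       -UserName 'svc-ftpmove' -Password $pw `
#       -ExpectedThumbprint '0000000000000000000000000000000000000000'   # placeholder
```

Run Save-FtpPassword once as the service account; the scheduled job then calls Get-FtpPassword under that same account, so the only thing on disk is a DPAPI blob that is useless to anyone who copies it elsewhere. The validation callback is process-wide, so run the job in its own PowerShell process rather than a shared session, and update the pinned thumbprint when the server certificate is renewed (renewal, not revocation, is how a self-signed cert is retired). Note that ftp.exe itself cannot take part in this: it needs the password in clear text on its input, which is the problem being avoided.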
 
bbcac (Author) commented:
We ended up going with priv/pub RSA key authentication, which we opted not to password-protect. This seems to do the trick and our information security office is OK with it.
0
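Added example (my code, not from the thread) for the key-without-a-passphrase outcome and the earlier worry that anyone who grabs the key file can use it: it locks the key file's NTFS ACL down to the service account and then checks which other principals can still read it. It assumes PowerShell 2.0 or later on an NTFS volume; the path C:\Jobs\sftp_id_rsa and the account DOMAIN\svc-ftpmove are placeholders.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 2.0 or later,
# NTFS; 'C:\Jobs\sftp_id_rsa' and 'DOMAIN\svc-ftpmove' are placeholders.

# Principals allowed to read the key besides the service account. SYSTEM and local
# Administrators can read any file on the box anyway; listing them keeps the report
# honest instead of pretending they are locked out.
$script:AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Replace the key file's ACL with: service account = Read, SYSTEM/Administrators =
# FullControl, nothing inherited from the directory (which usually lets Users read).
function Protect-PrivateKeyFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ServiceAccount
    )
    $acl = Get-Acl -Path $Path
    # Stop inheritance and drop the inherited ACEs from the in-memory ACL.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove whatever explicit ACEs are left.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, 'Read', 'Allow')))
    foreach ($p in $script:AllowedPrincipals) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Report every Allow ACE that lets someone other than the service account (or the
# principals above) read the key data, plus a finding if inheritance is back on.
# Empty output means the key is as private as NTFS can make it.
function Test-PrivateKeyAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ServiceAccount
    )
    # ReadData (0x1), GenericAll (0x10000000) and GenericRead (0x80000000) all confer read.
    $readMask  = [int64]0x90000001
    $acl       = Get-Acl -Path $Path
    $offenders = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $id = $rule.IdentityReference.Value
        if ($id -eq $ServiceAccount) { continue }
        if ($script:AllowedPrincipals -contains $id) { continue }
        $rights = [int64][int]$rule.FileSystemRights
        if (($rights -band $readMask) -ne 0) {
            $offenders += "$id can read the key ($($rule.FileSystemRights))"
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        $offenders += 'inheritance is enabled; directory ACEs apply to the key'
    }
    return ,$offenders
}

# Usage (as an administrator):
#   Protect-PrivateKeyFile -Path 'C:\Jobs\sftp_id_rsa' -ServiceAccount 'DOMAIN\svc-ftpmove'
#   Test-PrivateKeyAcl     -Path 'C:\Jobs\sftp_id_rsa' -ServiceAccount 'DOMAIN\svc-ftpmove'
```

Run Protect-PrivateKeyFile once and put Test-PrivateKeyAcl in the job or a monitoring check. Local administrators can always read the file, so the key is only as safe as the local Administrators group on that box, which is why the earlier comment suggests trimming that group. On the server side, if the SFTP server supports per-key restrictions (OpenSSH does, via the from= and command= options in authorized_keys; a proprietary server may or may not), limit the key to the one source host and the one operation, so a stolen key is worth much less than a stolen password would have been.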
Question has a verified solution.
