Solved

Creating an FTP script to move a file without specifying domain account credentials. Certificates the answer?

Posted on 2009-04-03
Last Modified: 2013-12-02
We have an FTP server that is running on a DMZ system. In the past we have created FTP.exe based scripts that move files from the FTP server to a share on the network somewhere. In order to do this we have created reduced privilege accounts that have limited access and explicitly put the username and password in the script.
We can no longer do this. We need some way of automating the FTP transfer without specifying credentials. One of the security guys mentioned certificates as a possible solution.

Can someone please provide me with instructions on going about this?
FTP server is a proprietary server
Both Boxes are windows 2003
I am using windows ftp.exe but I can change that.

Thanks in advance.
Question by:bbcac
12 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24060888
What are the security requirements for logging in?  If it is just that they cannot be passed in clear text this should be fairly easy - FTPS (FTP over SSL) - this will use a standard server certificate.  Take a look at FileZilla for client and server; it works okay (I don't think any of them are really all that great yet for functionality, but they are functional and secure).  When you assign the cert to the server (if using an issued cert instead of self-signed then convert to PEM format using OpenSSL), then export it without the private key to copy to clients into the directory where you installed the executable, in order to 'import' it...

You can also try IIS7 if you have 2008...
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/


If you are looking for certificate logon for FTP then you might want to look for one that supports client certificate mapping.  

The last concept you could look into is "SFTP" (FTP over SSH) - for this you can establish a secure shell and then use that for your FTP stuff.  I haven't gotten around to testing this out yet, but I understand not as many products support it; I believe PuTTY does, which is a long established, decent SSH program that is open source/free that I would recommend anyway.
 

Author Comment

by:bbcac
ID: 24062263
We cannot transmit the password in clear text or hard code the password anywhere. What do you suggest then?
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24063103
Um.

So you want to create a script to log into FTP that doesn't supply the password at all - I would assume this would include both the FTP password and a password for the private key of a user certificate...  

What if the script called a file that was stored in encrypted format under the script user's context (i.e. the user account the script uses has an EFS certificate or something similar that won't prompt for a pin, and is then used to decrypt a password file for either FTP session or certificate PIN)?

That's about all I got from my understanding of your requirements... Might see if you can request attention to add to 2 more programming zones...
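The encrypted-password-file idea above, combined with the FTPS transport from the first reply, as an added example that is not part of the original thread: a PowerShell job that stores the FTP password once under the scheduled-task account's DPAPI scope, then pulls a file from the DMZ server over explicit FTPS, pinning the server's certificate thumbprint so a self-signed cert never has to be imported into every client's root store. The host name, paths, the `svc_ftp` account and the thumbprint placeholder are assumptions, and the `icacls` line assumes Vista/2008 or later (Server 2003 ships `cacls` instead).

```powershell
# Added example; not code from the original thread. Assumes the job runs as a dedicated
# low-privilege domain account (DOMAIN\svc_ftp), PowerShell 2.0+ on .NET 2.0 (FtpWebRequest),
# an FTPS-capable server, and hypothetical host names and paths.
param(
    [string]$CredFile   = 'C:\Scripts\ftps.cred',                          # DPAPI-protected password blob
    [string]$FtpUri     = 'ftp://ftp.dmz.example.com/outbound/report.csv', # hypothetical
    [string]$LocalPath  = '\\fileserver\drop\report.csv',                  # hypothetical
    [string]$Thumbprint = 'REPLACE_WITH_SERVER_CERT_SHA1',                 # read off the server out of band
    [switch]$Init
)

if ($Init) {
    # One-time setup, run interactively *as the service account*
    # (runas /user:DOMAIN\svc_ftp powershell). ConvertFrom-SecureString without -Key uses
    # DPAPI, so the ciphertext only decrypts for this account on this machine; another user
    # who copies the file gets bytes they cannot open.
    $secure = Read-Host -Prompt 'FTP password for the service account' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $CredFile -Encoding ASCII
    # Strip inherited ACEs and leave only the service account on the file.
    icacls $CredFile /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:(R,W)" | Out-Null
    return
}

# Runtime: rebuild the credential from the DPAPI blob. Nothing is hard-coded in the script.
$secure = Get-Content -Path $CredFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential ('svc_ftp', $secure)

# Pin the DMZ server certificate by thumbprint instead of trusting a root. Never replace
# this callback with { $true }: that accepts any certificate, including an attacker's.
$pinned = $Thumbprint.Replace(':', '').ToUpper()
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    return ($cert.GetCertHashString().ToUpper() -eq $pinned)
}.GetNewClosure()

$req = [System.Net.FtpWebRequest]::Create($FtpUri)
$req.Method      = [System.Net.WebRequestMethods+Ftp]::DownloadFile
$req.EnableSsl   = $true    # explicit FTPS (AUTH TLS): login and data channel both encrypted
$req.UsePassive  = $true
$req.Credentials = $cred.GetNetworkCredential()

$resp = $req.GetResponse()
$in   = $resp.GetResponseStream()
$out  = [System.IO.File]::Create($LocalPath)
try {
    # .NET 2.0 has no Stream.CopyTo, so copy through a buffer.
    $buf = New-Object byte[] 65536
    while (($n = $in.Read($buf, 0, $buf.Length)) -gt 0) { $out.Write($buf, 0, $n) }
}
finally {
    $out.Close(); $in.Close(); $resp.Close()
}
Write-Output "Downloaded $FtpUri to $LocalPath"
```

Run `.\Get-FtpsFile.ps1 -Init` once under the service account, then schedule the script under that same account; a scheduled task running as anyone else fails at `ConvertTo-SecureString` rather than leaking the password. The file ACL is what keeps the blob from being read alongside the task's own process, so check it after every server rebuild.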

 
LVL 40

Expert Comment

by:omarfarid
ID: 24063222
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24063640
You would still need to connect to the sftp which would require a password.  I suppose you could use putty to store the password for the SSH session, if that is acceptable.
 

Author Comment

by:bbcac
ID: 24087418
My security team has recommended using self-signed certificates. Is this viable? Or do they not have any idea what they are talking about?
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24089360
Yes and no...  self-signed certs are clumsy and are generally meant for the test lab.

If this is a tightly controlled environment where you can easily control that the self-signed certificate is installed to each client box into the trusted root CA store then it is viable for a few servers.  They're free and usually relatively easy - that's why people like to use them.

Reasons to consider for not using self signed certs:
1) They cannot be revoked.  There is no managing certification authority.
2) Expiration dates are either difficult to track since they are not centrally accessible, OR a common workaround to this is to issue a cert that can be hacked in 5-10 years to be valid for 99 years.
3) Each cert added to the root store of your clients adds up.  You won't notice a performance impact until a fair number are installed, like well over 50 - but there is a critical mass point where every SSL session will take a long time to search through all the roots to find the right one.  This can happen as early as 80-100 certs.
4) Possible conflict with corporate policy - some larger companies declare that all certs used on the network should be issued by the company's internal CA or by the company's approved commercial certificate provider - there may be a specific team that handles cert issuance.
5) Additional overhead of having to import multiple self-signed certs to all of the clients instead of one root certificate.
6) Depending on how you are installing (manual or script) - a manual installation can be risky as most instructions do not ask the user to verify the signature / thumbprint of the certificate prior to importing.  This makes it easier for a potential rogue certificate to become fully trusted (read: establishing a trust base for all of your users) instead of having the security of a single root certificate that is deployed using enterprise tools like GPO.
 

Author Comment

by:bbcac
ID: 24089955
What about using a private/public key method? We have tested this here and it seems to work pretty well. Unfortunately if you passphrase the key then you have to load the passphrase every time you reboot. Does anyone know a way around this?
 
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24117015
The passphrase for the key is just necessary if you use that level of security.  You could use a script to fill it in during execution - I'm not much of a programmer but I would think this could be done with Perl and probably some other languages.
 

Author Comment

by:bbcac
ID: 24120971
Then we are back to the same circumstance where I am hardcoding a password/passphrase, which I am sure won't fly with the security team. If I used the private/public key without a passphrase then anyone can grab the file and use it, just like a password.

Any other suggestions?
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24130632
Okay, I think the only way around this impasse is to have a script file reference a password file that is encrypted, or to have the script itself be encrypted.

If necessary, the file could be encrypted under a dummy user's account credentials, so nobody should be able to access that account to decrypt the file.  You can secure that account using a split password (where multiple people each enter part of the password) - this ensures multiple person integrity and that no single person knows that password.  Enable auditing functions under the local security policy on that box; with it being a local user account, random admins can't just reset it, and if it gets reset it is as a local admin (which may need to be restricted down to the local admin account instead of the local admin group containing domain admins, helpdesk, etc.).

This is a bit of overkill as usually there is some programmatic way of storing an encrypted password, but this would be one way of handling it.


The big difference here is that the password is now being sent locally, not across the wire.  If an attacker can get in to read the memory or that encrypted password file ... well, let's just say that you have much bigger issues to worry about at that point.
 

Author Closing Comment

by:bbcac
ID: 31566209
We ended up going with private/public RSA key authentication, which we opted not to password-protect. This seems to do the trick and our information security office is OK with it.
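The approach the asker settled on, an RSA key with no passphrase, as an added example that is not code from the thread: a PowerShell wrapper around PuTTY's psftp (PuTTY is the SFTP client named earlier in the thread) that refuses to run unless the key file's NTFS ACL is restricted to the service account, because a passphrase-less key is exactly as sensitive as the password it replaces. The server's SFTP support, the psftp path, host, account and file paths are assumptions; the thread does not name the FTP product.

```powershell
# Added example; not from the original thread. Assumes PuTTY's psftp.exe, an SFTP-capable
# server, a passphrase-less RSA key in .ppk format made with puttygen, and hypothetical host,
# account and paths. Run this under the service account that owns the key.
$Psftp      = 'C:\Program Files\PuTTY\psftp.exe'
$KeyFile    = 'C:\Scripts\svc_ftp.ppk'
$Remote     = 'svc_ftp@ftp.dmz.example.com'
$RemotePath = '/outbound/report.csv'
$LocalPath  = '\\fileserver\drop\report.csv'

# Identities allowed to hold ACEs on the key. Anything else (Users, Authenticated Users, an
# inherited Everyone) means "anyone can grab the file and use it", so the job fails closed.
$AllowedIdentities = @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')

function Test-KeyFileAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    # Still inheriting from the parent folder: whatever the folder grants, the key grants.
    if (-not $acl.AreAccessRulesProtected) { return $false }
    foreach ($ace in $acl.Access) {
        if ($Allowed -notcontains $ace.IdentityReference.Value) { return $false }
    }
    return $true
}

if (-not (Test-KeyFileAcl -Path $KeyFile -Allowed $AllowedIdentities)) {
    throw "Refusing to use $KeyFile : ACL grants access beyond $($AllowedIdentities -join ', ')"
}

# psftp batch script. -batch turns every interactive prompt into a fatal error, so an unknown
# or changed server host key aborts the transfer instead of being accepted. Cache the host key
# once by running psftp interactively as the service account and confirming the fingerprint.
$batch = [System.IO.Path]::GetTempFileName()
@"
get $RemotePath $LocalPath
quit
"@ | Set-Content -Path $batch -Encoding ASCII

try {
    & $Psftp -i $KeyFile -b $batch -batch $Remote
    if ($LASTEXITCODE -ne 0) { throw "psftp failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item -Path $batch -Force
}
```

Two things limit the damage if the key is copied anyway: enable object-access auditing on the key file so a read by any other account is logged, and, where the server supports it (OpenSSH-style `authorized_keys` allows `from=` and `command=` options), bind the public key to the DMZ host's source address and to the single transfer it is meant to perform.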
