Solved

Creating an FTP script to move a file with specifying domain account credentials. Certificates the answer?

Posted on 2009-04-03
Last Modified: 2013-12-02
We have an FTP server that is running on a DMZ system. In the past we have created FTP.exe based scripts that move files from the FTP server to a share on the network somewhere. In order to do this we have created reduced privilege accounts that have limited access and explicitly put the username and password in the script.
We can no longer do this. We need some way of automating the ftp transfer without specifying credentials. One of the security guys mentioned certificates as a possible solution.

Can someone please provide me with instructions on going about this?
FTP server is a proprietary server
Both Boxes are windows 2003
I am using windows ftp.exe but I can change that.

Thanks in advance.
0
Question by:bbcac
12 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24060888
What are the security requirements for logging in?  If it is just that they cannot be passed in clear text this should be fairly easy - FTPS (FTP over SSL) - this will use a standard server certificate.  Take a look at filezilla for client and server; it works okay (I don't think any of them are really all that great yet for functionality, but they are functional and secure).  When you assign the cert to the server (if using an issued cert instead of self-signed then convert to PEM format using OpenSSL) then export it without private key to copy to clients in the directory where you installed the executable to in order to 'import' it...

You can also try IIS7 if you have 2008...
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/


If you are looking for certificate logon for FTP then you might want to look for one that supports client certificate mapping.  

The last concept you could look into is "SFTP" (FTP over SSH) - for this you can establish a secure shell and then use that for your FTP stuff.  I haven't gotten around to testing this out yet, but I understand not as many products support it but I believe PuTTY does, which is a long established decent SSH program that is open source / free that I would recommend anyways.
0
 

Author Comment

by:bbcac
ID: 24062263
We cannot transmit the password in clear text or hard code the password anywhere. What do you suggest then?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24063103
Um.

So you want to create a script to log into FTP that doesn't supply the password at all - I would assume this would include both the FTP password and a password for the private key of a user certificate...  

What if the script called a file that was stored in encrypted format under the script user's context (i.e. the user account the script uses has an EFS certificate or something similar that won't prompt for a pin, and is then used to decrypt a password file for either FTP session or certificate PIN)?

That's about all I got from my understanding of your requirements... Might see if you can request attention to add to 2 more programming zones...
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 24063222
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24063640
You would still need to connect to the sftp which would require a password.  I suppose you could use putty to store the password for the SSH session, if that is acceptable.
0
 

Author Comment

by:bbcac
ID: 24087418
My security team has recommended using self signed certificates. Is this viable, or do they not have any idea what they are talking about?
0

 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24089360
Yes and no...  self-signed certs are clumsy and are generally meant for the test lab.

If this is a tightly controlled environment where you can easily control that the self-signed certificate is installed to each client box into the trusted root CA store then it is viable for a few servers.  They're free and usually relatively easy - that's why people like to use them.

Reasons to consider for not using self signed certs:
1) They cannot be revoked.  There is no managing certification authority.
2) Expiration dates are either difficult to track since they are not centrally accessible OR a common workaround to this is to issue a cert that can be hacked in 5-10 years to be valid for 99 years.
3) Each cert added to the root store of your clients adds up.  You won't notice a performance impact until a fair number are installed, like well over 50 - but there is a critical mass point where every SSL session will take a long time to search through all the roots to find the right one.  This can happen as early as 80-100 certs.
4) Possible conflict with corporate policy - some larger companies declare that all certs used on the network should be issued by the company's internal CA or by the company's approved commercial certificate provider - there may be a specific team that handles cert issuance.
5) Additional overhead of having to import multiple self-signed certs to all of the clients instead of one root certificate.
6) Depending on how you are installing (manual or script) - a manual installation can be risky as most instructions do not ask the user to verify the signature / thumbprint of the certificate prior to importing.  This makes it easier for a potential rogue certificate to become fully trusted (read: establishing a trust base for all of your users) instead of having the security of a single root certificate that is deployed using enterprise tools like GPO.
0
 

Author Comment

by:bbcac
ID: 24089955
What about using a private/public key method. We have tested this here and it seems to work pretty well. Unfortunately if you passphrase the key then you have to load the passphrase every time you reboot. Does anyone know a way around this?
0
 
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24117015
The passphrase for the key is just necessary if you use that level of security.  You could use a script to fill it in during execution - I'm not much of a programmer but I would think this could be done with Perl and probably some other languages.
0
 

Author Comment

by:bbcac
ID: 24120971
Then we are back to the same circumstance where I am hardcoding a password/passphrase, which I am sure won't fly with the security team. If I used the private/public key without a passphrase then anyone can grab the file and use it, just like a password.

Any other suggestions?
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24130632
Okay, I think the only way around this impasse is to have a script file reference a password file that is encrypted, or to have the script itself be encrypted.

If necessary, the file could be encrypted under a dummy user's account credentials, so nobody should be able to access that account to decrypt the file.  You can secure that account using a split password (where multiple people each enter part of the password) - this ensures multiple person integrity and that no single person knows that password.  Enable auditing functions under the local security policy on that box; with it being a local user account, random admins can't just reset it, and if it gets reset, it is as a local admin (which may need to be restricted down to the local admin account instead of the local admin group containing domain admins, helpdesk, etc.).

This is a bit of overkill as usually there is some programmatic way of storing an encrypted password, but this would be one way of handling it.


The big difference here is that the password is now being sent locally, not across the wire.  If an attacker can get in to read the memory or that encrypted password file ... well, let's just say that you have much bigger issues to worry about at that point.
0
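The "encrypted password file under the script user's context" idea raised in comments 24063103 and 24130632 is the Windows DPAPI pattern. The following is an added PowerShell example, not code from this thread or from any of the posters; it assumes a dedicated service account, a hypothetical vault path and account name, and an FTP server that accepts explicit FTPS. The password is encrypted once under the service account's DPAPI profile key, so the vault file cannot be decrypted by another account or on another machine, and the script itself holds no secret.

```powershell
# Added example (not from the thread). Assumes the script runs under a dedicated
# service account (hypothetical name svc-ftpjob) and an FTPS-capable server.
param(
    [switch]$Setup,                                                    # run once, interactively, as the service account
    [string]$VaultPath = "C:\ftpjob\ftp.cred",                         # hypothetical path; lock its NTFS ACL to the service account
    [string]$LocalFile = "C:\ftpjob\out\report.csv",                   # constructed sample file
    [string]$RemoteUri = "ftp://ftp.example.internal/inbox/report.csv" # placeholder host
)

# One-time setup: the password never touches the script. ConvertFrom-SecureString
# without -Key uses DPAPI with the current user's profile key, so the resulting
# file only decrypts for this account on this machine.
function Save-FtpCredential {
    $secure = Read-Host -Prompt "FTP password" -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $VaultPath
}

# Runtime: rebuild the credential. If a different account (or a copied file on
# another box) tries this, ConvertTo-SecureString throws instead of decrypting.
function Get-FtpCredential([string]$UserName) {
    $secure = Get-Content -Path $VaultPath | ConvertTo-SecureString
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Upload over explicit FTPS so neither the login nor the data crosses the wire in clear.
function Send-FileOverFtps([string]$Path, [string]$Uri, $Credential) {
    $request = [System.Net.FtpWebRequest]::Create($Uri)
    $request.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
    $request.EnableSsl = $true   # server cert must chain to a trusted root; a self-signed cert fails here unless it was imported
    $request.Credentials = $Credential.GetNetworkCredential()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $request.ContentLength = $bytes.Length
    $stream = $request.GetRequestStream()
    try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Close() }
    $response = $request.GetResponse()
    try { return $response.StatusDescription } finally { $response.Close() }
}

if ($Setup) { Save-FtpCredential; exit }
$cred = Get-FtpCredential -UserName "svc-ftpjob"
Send-FileOverFtps -Path $LocalFile -Uri $RemoteUri -Credential $cred
```

Run once with `-Setup` while logged on as the service account, then schedule the script under that same account; DPAPI ties the vault to the account, so still restrict the file's NTFS permissions and audit logons to that account as the thread suggests.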
 

Author Closing Comment

by:bbcac
ID: 31566209
We ended up going with a priv/pub RSA key authentication which we opted not to password protect. This seems to do the trick and our information security office is ok with it.
0
