Avatar of Andy-UK
Andy-UK asked on

Dropbox SBS 2008

We need to setup something on a SBS 2008 server where clients can upload files to the server...
Email is becomming unreliable due to the size of the files and managing them.

Some kind of ftp drop box would be ideal I guess?

Could I ask for options, or other options and instructions on how to set this up??

Thanks
RoutersMicrosoft IIS Web ServerSBS

Avatar of undefined
Last Comment
Cris Hanna

8/22/2022 - Mon
Cris Hanna

I would recommend setting up a workstation...doesn't need to be fancy  then install Filezilla FTP Server on it.

But an even better solution is to actually use a cloud service such as http://www.dropbox.com/pricing  for 20/month  you get 100GB of storage and you have control over who can put stuff there   Then someone from your company can pull the stuff down and no one is accessing any components on your network
crash2000

I would suggest using Sharepoint and connecting to your companyweb from the outside world.
Once you have established the connection, you can get cleints to log in and up load files etc.

Should be fairly straight forward. Take about an hour to set up.

Mark
ASKER
Andy-UK

A clients data must not be accesible by another client so dropbox.com is unfortunately not a good choice...

Sharepoint will need individual users setup and permissions to keep data private so it may not be a great idea either having to keep adding new users for sharepoint access...

I remember uploading to a ftp server and the files disappear when the page is refreshed, this would be ideal if I knew what it was or how to set it up??
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Cris Hanna

Filezilla is a free download, can be run on an inexpensive XP or Windows 7 desktop (should not be domain joined) and does not require users to be setup in AD...pretty straight foreward

Then you just forward port 21 in the Router to the IP (static internal) of workstation

Internal users can then ftp to the workstation to get the files and move them to your server and your server is not touched by outside resources
ASKER
Andy-UK

Filezilla isn't quite what we're looking for and they don't want another desktop computer.

There must be a better option to run on the server, it doesn't matter if it costs money,,,

Can ftp not be setup on the SBS2008 box for this purpose??
ASKER
Andy-UK

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Cris Hanna

Ask anyone who has tried setting up FTP using MIcrosoft's solution...it's a pain in the ....
And it requires AD Accounts for everyone who will connect, meaning lots of CALs

You can install Filezille, considered a gold standard for FTP, on the Server, but this means that people from the outside are making a direct connection to your server.   This presents a potential security risk.   Filezilla does not require CALs.

I suggested a non-domain workstation because then folks from the outside will not connect to your network...much more secure
ASKER
Andy-UK

The extra workstation isn't an option...

It either has to be setup on the server (securely)

or a hosted elsewhere option
Cris Hanna

Microsoft's FTP solution doesn't support SFTP   Filezilla does
But still doesn't circumvent the issue that "outsiders" will be connecting to your server.  That always presents a risk

A hosted solution is the better option  You might look at this http://www.ftpworldwide.com/
Your help has saved me hundreds of hours of internet surfing.
fblack61
crash2000

How about renting an online solution for your customers to upload to.
Then, you just download what they have uploaded onto your system.

You could use an online shrepoint or FTP for this.

Mark
Cliff Galiher

Or look at something like skydrive which has shared folder support. Unlike dropbox, you can restrict who has access to shared folders on a per folder basis, ths resolving you multiple-client issue. Client access wont be using your bandwidth. And nobody is accessing your server directly.
ASKER
Andy-UK

I've looked at the options offered but I still think the only really acceptable option would be a SBS2008 version of:


http://www.windowsnetworking.com/articles_tutorials/Creating-FTP-Drop-Site.html

If anyone knows how?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Cris Hanna

The process is no different than in his article.  
But you should take note that in his article, he's doing this on a Stand Alone Server.  Not domain joined .

Creating an FTP site accessible from the internet and allowing Anonymous Access on your Domain Controller which also hosts all your business sensitive information, is a big security risk.
ASKER
Andy-UK

How about if we didn't allow anonymous access?
crash2000

How about setting up a dedicated workstation in a DMZ from your router?
This was mentioned earlier on and would be low cost and could be kept outside your network.
You would need to make it an FTP server and I would not recommend having anonymous access, but at least you would not have to setup user account in Active Directory.

Going back to the online solution I mentioned earlier, this would be better as your ftp'ers would not be using your bandwidth.

Hope that Helps

Mark
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Cris Hanna

You would have to enforce strong Passwords...7 or 8 characters, 1 upper..1 lower...1 number...1 special character
ASKER
Andy-UK

Still waiting for a solution for a "write only" "blind drop" "drop box" for a SBS2008 server

Anyone know how?
crash2000

Hi Andy,

You have several solutions listed here which cover all the bases. I don't think you are going to get any others.
I think you now need to judge what you require against security concerns and then make an informed decision.

Thanks
Mark
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Andy-UK

What I was hoping for was a (as mentioned before) SBS 2008 version of:
http://www.windowsnetworking.com/articles_tutorials/Creating-FTP-Drop-Site.html

It's not the same setup as Chris said so I'm not much further advanced.

The only 2 options that I have is setting it up on the SBS2008 server or online but it needs to be a blind drop as I don't want to create 300 users that will be using the service...

A seperate box for ftp is not an option unfortunately
crash2000

HI Andy,

I would go for that solution. It would work in an SBS environment. But for added security, I would use a dedicated PC (an old one, XP would do) and set this up in a DMZ environement off your router, external to your SBS environment, but inside your organisation.

You really don't want to allow external users to ftp on to your server. You will be asking for trouble.

Once the workstation is setup, you can share the folder you are using for FTP, allow access to the folder from inside the network. Then internal users or specific internal users can browse the folder as if it were directly on the main server.

Mark

ASKER
Andy-UK

I think you missed my last sentence!!!
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
crash2000

You don't want to add a seperate box.
You don't want to use an online service
You really shouldn't put it on your SBS server
Then all there is left is for your customers to burn a CD and put it in the post!
ASKER
Andy-UK

Online service is an option but it needs to be blind drop (previous post - line 4)
crash2000

Then I would rent an online Virtual Server.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Cris Hanna

Andy
I can appreciate your situation - business needs vs security vs budget   I get it.
But as the trusted advisor to your customer, sometimes you have to protect them from themselves

You can do what the article says on your SBS 2008 box,  but you need to keep in mind the differece between your SBS box, and the box in the article.   Your SBS box is a domain controller holding all the critical business information for the customer.  In the article, the box was a stand alone box so anyone dropping files there has no connectivity to the domain, so it's very secure.    Allowing anyone in the world to drop files on your SBS server anonymously is extremely insecure.
ASKER
Andy-UK

Chris,
Thanks for you reply.

Their point of view is... We have a server that cost £4,000 ($6000) so why is it not secure enough for use as a ftp server? They don't want another physical unit in their small office.

What I have seen of ftp 7.5 - You set up a username / password for ftp  that is NOT an active directory username/password (why is that not secure)??

What is the actual security risk here? what am I missing or not understanding?

Their clients would be uploading files with a ftp username and password...
Cris Hanna

In my original reply, I had suggested Filezilla but your FTP server would work well too I'm sure
If they are required to use STRONG passwords (upper and lower case, numbers and special characters, 7 or more characters) then the risk becomes less.  But anytime you allow file level access to your domain controller (which FTP does) you are placing the network at potential risk.

Placing it on a separate workstation, which is not domain joined, is much more secure!
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Cliff Galiher

Just to jump back in on this, I don't understand the "I bought a $6,000 server, so it should be secure" argument. You could buy a $100,000 number crunching, chess-playing, behemoth but because of its specialized OS design, it isn't *at all* secure.

Cost does not equal security, by any means. With that in mind, SBS is a domain controller, and by design domain controllers should *not* host outside services, no matter how much you spent on your domain controllers. This is a bad security practice. The problem isn't how beefy the server is, how much hardware you threw in it, how fast it is, or how much storage you gave it (to host FTP files and such.) The problem is that this server holds the very fabric of your infrastructure in the 1's and 0's flowing through its circuits, and if compromised, is not a risk just to that machine and its data, but is a risk to the entire network that sits on top of it.

In short, while I'd love to have access to a transportation system that would pick me up *exactly* when and where I wanted, drop me off *exactly* when and where I wanted, that I didn't have to share seats with anybody else, and where I didn't have a car payment, these simply don't exist. I can take public transportation, where I share a seat, bend to their schedule, and must compromise on where the stops are (subway, bus stops, etc) or I can purchase a car for its convenience and then deal with the cost, and insurance, and maintenance, and make a decision on the *type* of car I want (Ferrari's won't handle Montana snow very well...)

....making good decisions, whether it is in the mode of transportation you choose, or how well protected your network should be, is always about compromise. There is *never* a perfect solutoin. You want convenience for the outside world, but you want to keep your SBS server safe. And you want us to tell you that setting up an FTP server on your SBS server is perfectly okay, give you a step-by-step process on how to do it, and then promise that the steps we give you won't weaken your  security....and to use a vernacular popular here in Montana..."that ain't gonna happen son." You have some *tough* decisions to make.

Clearly it is the consensus of this thread that you should not host this file-sharing service on your SBS box. You've been given several "cloud" options (and by the way, dropbox now has folder support so you can restrict access on a per folder basis...I quite like it actually...) as well as others. Or you can find a scrappy workstation and set it up in the DMZ as suggested. There *are* options. You just have to weigh the pros and cons and commit to one, but coming back a month after the initial question and saying "I haven't gotten an answer yet" doesn't change the situation. You *have* gotten an answer; it simply wasn't one you wanted to hear.

On a final note, it is not my intention to be patronizing or condescending. I realize that this may come across as such. In writing this response, I chose to err on the side of caution and be *very* verbose and explanatory, as the short "quick" answers were clearly not getting a complete and coherent message out. If that extra verbosity unintentionally conveys some negativity, I hope you understand that it was not my intent, but was a result of an extra effort to cover all the bases.

-Cliff
ASKER
Andy-UK

As the server has FTP 7 installed, I would think that there is a way of securely using it??
Exchange is securely usable...
SharePoint is securely usable...
Remote desktop is securely usable... and so on...

Surely Microsoft would not make FTP 7 available on SBS2008 if it couldn't be securely used??

There is always a way Cliff, even if we need to look a little deeper to find it!
crash2000

Yes you can
Open up all ports on your router. But make sure you open all of them.
Direct them all to your SBS Server
Install FTP server on sbs server
disable firewall
setup write permissions all directorys for anonymous access
Make sure all ananoymous users can write to directory.
Publish IP address on as many forums as possible, inviting people to test your security as we all know Microsoft would never release a program that has any security flaws.
Change your name
Move abroad
go into hiding and never work in IT again.
Sorted

For those reading this who are not the author, please do not follow any of these instrcutions. This is meant as a tongue in cheek approach to help one particular IT Expert (not)

Moderator - Please feel free to remove this post once this idiot has left the country
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Cris Hanna

While inbound mail is "anonymous" it makes no connection to the OS and file system, OWA is connected to by https as is Sharepoint and Remote Web Workplace

Remote Desktop is not a truly secure protocol

FTP is not enabled by default on SBS or other Windows Servers...you have to add it.

There is a protocol called SFTP but Windows FTP doesn't support it as far as I know.

hopefully you recognize that crash2000 is being "cheeky'

Cliff and I are both Microsoft designated MVPs for the Small Business Server product.  If you won't take our advise, I think you're only option is to proceed down the path your customer wants and be prepared when your customers server is compromised.

Our role (yours mine, Cliff's, etc) is to be the trusted advisor to our customers.  Sometimes we have to tell them the answer is NO we can't do it that way.
ASKER
Andy-UK

I think crash has crashed too many times - he's definitely lost control there and not being helpful at all - maybe his home life is upsetting him! :-)

I asked for options in my first post...
I said another physical box in their office was not an option - NOT an option - no need to mention it again!

ChrisHanna mentioned we would need Strong Passwords (SO FTP IS AN OPTION I SEE)

Chris I will take your advice but I can't understand why FTP that is installed on a SBS2008 server can't be used for that purpose that it is designed for?? Are strong passwords of no use after all??

Cris Hanna

Strong passwords help, with regular FTP passwords are not encrypted
SFTP (Secure FTP) using SSL would be the way to go, but it's not free

So don't misunderstand my comment regarding strong passwords as an endorsement for an FTP server on your SBS box.

If you want truly secure options, then as Cliff and I have have both suggested.  www.dropbox.com is the way to go
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER
Andy-UK

dropbox.com would have been a great option but they need to allow over 300 clients to be able to upload files - without seeing each others files

Creating and managing 300 users isn't practical and that's why I thought a blind drop (write only) would be perfect with one username and password

Is secure FTP an option to install on the same box? The cost isn't really an issue.
crash2000

If you won the lottery, Would you leave all the cash on the front seat of the car, whilst letting other people who you don't know sit in the back?
Even if they said they wouldn't touch it?

It's just not worth the risk.
Cliff Galiher

If you read the documentation for exchange, sharepoint, etc, you will see that MS recommends against installing them on a domain controller. This isn't my advice, or crash's, or cris's, but Microsoft's advice. Yes, FTP is included with windows server, but that us because not every windows server as to be a domain controller.

Now, when it comes to exchange and sharepoint, Microsoft with it's BILLIONS of dollars in resources, has invested in making those products as secure as possible on a domain controller via SBS.  ...and it is SBS specific, and kept up-to-date via SBS update "roll-ups."

If someone were asking to install exchange on a domain controller and they weren't running SBS, I'd tell them the same thing I am telling you about FTP. don't do it. They wouldnt have access to the specially preconfigured setup of exchange that SBS gets or access to the patches and security testing that SBS gets. The exchange team doesn't expect their product to be run on a DC so that security isn't a priority for them. The SBS team fills the gap.

For FTP, however, there is no team making additional configuration, security, and testing changes for it to run more safely on a domain controller. Not the IIS team. And since SBS doesn't ship with it enabled, not the SBS team either.

In other words, very much a "use at your own risk" scenario...and a very high risk it is. With that said, don't let s stop you. Install and configure FTP. you clearly know better than us. Put your clients entire network at risk. They aren't MY client, so I no longer care. Nor do I care to continue to participate in this thread.

-Cliff
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Cris Hanna

Andy
if cost isn't the issue, then why have you consistently refused to entertain the idea of an OLD recycled workstation (you can get through tigerdirect for under 200 USD and installing Filezilla on it?
ASKER
Andy-UK

Chris,
They don't want another physical box in their office...

I would happily give them a new £600 ($1000) workstation GIVE! but they don't want it
ASKER CERTIFIED SOLUTION
Cris Hanna

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question