The Ultimate Guide To Hardening Your Secure File Transfer Server
An extensive list of things you can do to harden your secure file transfer server.
While inherently secure file transfer servers like JSCAPE MFT Server are packed with lots of security features, many of those features need to be activated first. In addition, some functions need to be configured and, in some cases, disabled, to ensure optimal protection. Unless you implement those changes, you won't be able to realize the full (security) potential of your secure file transfer server.
Not all file transfer servers need to be configured to a high level of security. Some security functions, like strong encryption, are computationally expensive and can cause performance hits. If you're not exchanging any sensitive data and your servers aren't really high-performance grade, you don't need to enable every single security feature available.
However, if your company operates in a highly regulated industry and needs to comply with data protection laws and regulations like HIPAA and PCI DSS, you don't have a choice. You need to harden your server to avoid penalties.
To help those server administrators who need to meet stringent regulatory compliance requirements and corporate security policies, we've put together an extensive list of tips for hardening a file transfer server that's built to be secure. We hope you find this useful.
1. Disable plain FTP
FTP is one of the most widely used file transfer protocols even up to this day. The problem is, it's atrociously insecure. With just a packet sniffer, an eavesdropper can easily obtain confidential information like an account's username and password. The attacker can then use that information to gain unauthorized access into your file transfer server. Instead of using FTP, stick to secure file transfer protocols like SFTP, FTPS, and HTTPS.
In JSCAPE MFT Server, make sure none of your FTP/S services are using 'regular' (a.k.a. plain) FTP.
2. Enable password compliance policies
Weak passwords are easily broken by dictionary or brute force attacks. Given enough time, a cyber criminal carrying out these attacks can eventually break into a user account on your server. The best way to counter these attacks is by implementing a strong password policy. You know, the one that says something like "Use passwords that consist of uppercase and lowercase letters, numbers, and non-alphanumeric characters, and that have a minimum length of 10 characters."
Long, sophisticated passwords can force dictionary attack tools to work much harder and, ultimately, make it impractical for a hacker to continue with the attack. But while this kind of policy works, you shouldn't totally rely on users to implement it. Some users will find it too burdensome and might just circumvent it. To make sure your password policy is enforced, you need to configure server settings that will enforce it for you.
In JSCAPE MFT Server, you can go to the Compliance module and configure the settings there. Once activated, these settings will prohibit users from circumventing your password policies.
3. Detect and respond to brute force attacks
While those compliance settings can prevent a brute force attack from succeeding, they won't stop hackers from initiating such an attack. So while the attack will eventually fail, it will still flood your logs with tons of failed login attempt entries, which usually causes undue anxiety for your junior admins and adversely impacts your server's performance.
To stop a brute force attack in its tracks, you can configure your Connections settings so that a user account is automatically disabled or an IP address is automatically blocked (or flagged) after a certain number of failed login attempts is reached.
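The threshold logic described above, as an added sketch that is not JSCAPE's code: it counts failed logins per source IP inside a sliding time window and reports the addresses that would be blocked. The log format, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not JSCAPE's log format).
SAMPLE_LOG = """\
2024-05-01 10:00:01 LOGIN_FAILED user=alice ip=203.0.113.7
2024-05-01 10:00:03 LOGIN_FAILED user=admin ip=203.0.113.7
2024-05-01 10:00:05 LOGIN_OK user=bob ip=198.51.100.20
2024-05-01 10:00:06 LOGIN_FAILED user=root ip=203.0.113.7
2024-05-01 10:00:09 LOGIN_FAILED user=bob ip=198.51.100.20
2024-05-01 10:30:00 LOGIN_FAILED user=bob ip=198.51.100.20
2024-05-01 11:15:00 LOGIN_FAILED user=bob ip=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def find_blocked_ips(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {ip: time of block} for IPs reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "LOGIN_FAILED" or m["ip"] in blocked:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocked[m["ip"]] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in find_blocked_ips(SAMPLE_LOG).items():
        print(f"block {ip} at {when}")
```

With the default five-minute window only the rapid burst is blocked; the user who mistypes a password three times over more than an hour is not.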
4. Disable weak encryption ciphers
Although secure file transfer protocols like FTPS, SFTP, and HTTPS are equipped with encryption capabilities to preserve the confidentiality of data during transmission, you need to understand that encryption ciphers are not created equal. Some ciphers are just stronger than others. So, if you're frequently transmitting highly sensitive information, you shouldn't be using weak ciphers.
To use strong ciphers on JSCAPE MFT Server, make sure you use the latest version of Java and install the JCE Unlimited Strength Jurisdiction Policy Files.
You can then proceed to configure the FTPS, SFTP, and HTTPS protocols to use only strong ciphers.
For FTPS, go to Services > FTP/S tab > SSL/TLS Ciphers and then click 'Select Strong'.
For HTTPS, go to Settings > Web > HTTPS > SSL/TLS Ciphers and then click 'Select Strong'.
For SFTP, go to Services > SFTP/SCP tab > Algorithms and then select the key exchange, cipher, and MAC algorithms that meet your security requirements.
If you need to adhere to very strict security policies but aren't sure which ciphers to enable/disable, then the easiest way would be to simply enable FIPS compliance. You can apply FIPS compliance to HTTPS, FTPS, and SFTP.
5. Scan incoming files for viruses
Due to the sheer volume of files that are uploaded to file transfer servers, there's always a good chance some of those files are infected with malware. Now, we all know how disruptive and destructive some malware can be. Some types of malware, like ransomware, can cripple entire networks or, in the case of WannaCry, multiple networks.
It's therefore important to employ solutions that detect and eliminate these threats as they enter your server. JSCAPE MFT Server supports various methods of integrating with antivirus solutions to address these threats. MFT Server can work with antivirus software that's installed locally on the same machine or connect to an ICAP antivirus server and offload the scanning to it.
6. Inspect outgoing content using DLP
Some data breaches happen as a result of a deliberate cyber attack. Others happen simply because of an unintentional act, like a user accidentally uploading a spreadsheet containing highly confidential data to a shared folder. You don't want that file to fall into the wrong hands.
To prevent accidental data leaks on JSCAPE MFT Server, implement the DLP (data loss prevention) feature. The built-in DLP rules of MFT Server can already detect several kinds of sensitive data, including: credit card numbers, IBAN account numbers, UK National Insurance Numbers, and US Social Security Numbers, but you can add more rules.
Read 'Using DLP to Protect Credit Card Data' for an example on how to use this feature.
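To show how detection of this kind of data generally works, here is an added example that is not JSCAPE's DLP implementation: regular expressions find candidates, then a checksum or range check (Luhn for cards, mod-97 for IBANs, never-issued ranges for SSNs) weeds out false positives. The patterns, function names and sample text are assumptions constructed for illustration.

```python
import re

# Candidate patterns; every match is validated afterwards to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban):
    """ISO 13616 check: move the first four chars to the end, A=10..Z=35, mod 97 == 1."""
    s = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in s)) % 97 == 1

def ssn_ok(area, group, serial):
    """Reject SSN values that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def scan(text):
    """Return a sorted list of (kind, masked_value) findings in text."""
    findings = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.add(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in IBAN_RE.finditer(text):
        iban = m.group().replace(" ", "")
        if iban_ok(iban):
            findings.add(("iban", iban[:4] + "*" * (len(iban) - 4)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.add(("ssn", "***-**-" + m.group(3)))
    return sorted(findings)

# Constructed sample: published example values plus numbers that fail validation.
SAMPLE = ("Card 4111 1111 1111 1111, order 1234 5678 9012 3456, "
          "IBAN GB82 WEST 1234 5698 7654 32, SSN 078-05-1120, ref 000-12-3456")
```

Findings are masked before they are returned so that the scanner's own output does not become a second copy of the sensitive data.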
7. Encrypt data-at-rest
In items #1 and #4, we highlighted the importance of using encrypted file transfer protocols like FTPS, SFTP, and HTTPS. But while these protocols encrypt data while in transit, it's equally important to encrypt data while at rest, i.e. while it's being stored. That way, even if your storage device gets compromised, the contents of the files stored there will remain confidential.
Data-at-rest encryption in JSCAPE MFT Server is provided via OpenPGP. The way you would leverage OpenPGP encryption is through any of the following:
1. Activating it through a trigger
2. Enabling PGP encryption on a Group virtual path
3. Enabling PGP encryption on an individual user's virtual path
8. Enforce IP access rules
One way to mitigate unauthorized access to your file transfer server is by enforcing IP access rules. An IP access rule restricts access to your server (through blacklisting or whitelisting) from machines/devices with specific IP addresses or belonging to a certain IP range. Not only would this limit the number of inbound connections, it would also make it more difficult for an attacker to log in to your server even if he/she managed to steal a valid account's login credentials. If that attacker connects from a non-whitelisted IP address, that connection request would be denied.
In JSCAPE MFT Server, IP access rules can be applied to the following areas:
1. In Settings > Manager Service > Access tab (This is for server admins.)
2. In a domain's IP Access module (This is for domain-wide IP access restrictions)
3. In Users > [user] > IP Access (This rule applies to a specific user)
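How layered IP access rules combine, as an added example that is not JSCAPE's code: a domain-wide rule list and a per-user rule list are each evaluated first-match-wins, and a connection must pass both. The evaluation semantics, rule format and addresses are assumptions constructed for illustration.

```python
import ipaddress

def allowed(ip, rules):
    """Apply one rule list: the first matching (action, network) wins.

    Assumed semantics for this example: a list holding any 'allow' rule is a
    whitelist, so unmatched addresses are denied; otherwise it is a blacklist
    and unmatched addresses are allowed.
    """
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        network = ipaddress.ip_network(net)
        if addr.version == network.version and addr in network:
            return action == "allow"
    return not any(action == "allow" for action, _ in rules)

def may_connect(ip, domain_rules, user_rules):
    """A connection must pass both the domain-wide and the per-user rules."""
    return allowed(ip, domain_rules) and allowed(ip, user_rules)

# Constructed rule sets using documentation address ranges.
DOMAIN_RULES = [("deny", "198.51.100.66/32"),      # one blocked host
                ("allow", "198.51.100.0/24"),      # partner network
                ("allow", "2001:db8:10::/48")]
ALICE_RULES = [("allow", "198.51.100.16/28")]      # alice's office subnet only
NO_USER_RULES = []                                  # user without own rules

if __name__ == "__main__":
    # Valid credentials for alice, but presented from outside her subnet.
    print(may_connect("198.51.100.200", DOMAIN_RULES, ALICE_RULES))
```

The per-user whitelist is what stops a stolen password from working elsewhere on an otherwise permitted network.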
9. Enable Multi-Factor Authentication
Not all cybercriminals are going to break into an account using a brute force attack. Some of them prefer to obtain passwords through methods with more finesse, like social engineering, or by simply purchasing them from the dark web. After obtaining an account's password, an attacker can simply walk in through the front door (i.e. the login screen) and enter those credentials there.
You can mitigate this threat by implementing multi-factor authentication, which is basically a combination of two or more factors of authentication. So, for example, you can combine password AND public key authentication, or password AND the user's mobile phone (e.g. TOTP), and so on.
In JSCAPE MFT Server, password AND public key authentication can be enabled when you add a service like SFTP.
Or you can go to Authentication > Multi-Factor Authentication, and select one type from the drop-down list.
10. Restrict file types
If you only expect certain file types to be uploaded to your server, you can create a whitelist to ban all other types. This will prevent you from encountering issues like:
- malware infections (some files are actually trojans disguised as pdf or docx files)
- unnecessary uploads that only consume disk space
- legal issues caused by uploading of pirated media
- and so on
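Because a whitelist based on file names alone does not catch the disguised files mentioned in the first bullet, the added example below (not JSCAPE's code) pairs an extension whitelist with a check of the file's leading bytes. The whitelist, function names and sample uploads are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

ALLOWED = {".pdf", ".docx"}          # assumed whitelist for this example

def sniff(data):
    """Identify content from its leading bytes, independent of the file name."""
    if data.startswith(b"%PDF-"):
        return ".pdf"
    if data.startswith(b"MZ"):
        return ".exe"                # Windows PE executable
    if data.startswith(b"\x7fELF"):
        return ".elf"
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ".zip"
        # A .docx is a ZIP container that holds word/document.xml.
        return ".docx" if "word/document.xml" in names else ".zip"
    return None

def check_upload(filename, data):
    """Return (allowed, reason) for an uploaded file."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not on whitelist"
    actual = sniff(data)
    if actual != ext:
        return False, f"content is {actual or 'unknown'}, not {ext}"
    return True, "ok"

def make_docx():
    """Build a minimal constructed ZIP with the entry a .docx contains."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed sample uploads.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n..."),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed to .pdf
    ("notes.docx", make_docx()),
    ("movie.mkv", b"\x1aE\xdf\xa3"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
]
```

A content check like this complements antivirus scanning rather than replacing it: a well-formed PDF or DOCX can still carry a malicious payload.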
Here's a video demonstrating how to ban files on JSCAPE MFT Server:
11. Restrict time access
There are a couple of reasons why you would want to restrict the time clients can access your server. Some of them are the following:
- You probably have very limited network bandwidth and want to prevent file transfers from interfering with other business operations during certain hours
- You want to closely monitor transfers and don't want them taking place outside office hours
- You want to minimize the chances of non-work related transmissions
You can set up time-based access in the Time Access module.
12. Manage and monitor your logs
Log files aren't just for troubleshooting purposes. They can also be used for digital forensics if something goes wrong (e.g. your server is hacked). In JSCAPE MFT Server, server logs are usually found in the [mft server installdir]/var/log directory. File-based domain logs can be found in the directory specified in Logging > Service > Directory, while database-based domain logs can be found in the database specified in Logging > Service > JDBC URL. You also have the option to store domain log entries in a Syslog service.
If you're conducting an investigation and want to find certain entries/events in your domain logs, you can carry out a search in the Search tab...
You can even generate reports off of your logs in the Reports module to get insightful information.
13. Stay up-to-date
Software patches and upgrades don't just include new features and enhancements that improve performance, efficiency, and so on. They can also include vulnerability fixes as well as new security features and enhancements. That's why we really encourage customers to upgrade from time to time. We typically release new versions twice a year but release patches every now and then, so you might want to check what those upgrades and patches contain to see if you find something useful or critical.
You can track JSCAPE patches and new releases at https://www.jscape.com/releases. Better yet, you can enter your email on that page and click the Subscribe button to receive email notifications on patches and new releases.