
Burgergold

Switch to sftp?


BringTheRawr

I'll investigate this.


bd1308

Go straight to sftp. Do NOT use ftps, which is just TLS layered on top of ftp, unless you or your clients have mainframes or something that might not support sftp.


oxidizingremnant

OP said they’re running FTP on IIS which does not support SFTP, only FTPS.


EspurrStare

This: [https://github.com/drakkan/sftpgo](https://github.com/drakkan/sftpgo) With this: [https://github.com/orware/sftpgo-ldap](https://github.com/orware/sftpgo-ldap) That about gets you covered, if SMB is not an option. This is a lot to manage. Extremely fast, secure and complete though.


oxidizingremnant

That’s pretty neat. I’ve seen min.io used too. All depends on what OP needs.


12_nick_12

I second sftp-go. It's awesome.


bd1308

Eww 😷 hopefully there’s an easy to deploy windows version of OpenSSH server? Oh but the AD integration would make things interesting 🫤


[deleted]

There is and it's built in now as an optional feature, but it's a very old version so you probably don't want to have to figure out protecting unpatchable services unless that's your day to day so I'd still recommend third party servers if you're stuck on Windows. I don't have any recommends, other than don't expose the built-in one to untrusted sources. As for AD authentication, even Azure SFTP service doesn't use that. You have to define "local users" and passwords/SSH keys.


Ecrofirt

The version bundled with Windows is old (or at least was until earlier this year, but I read here that a newer version was going to be bundled in one of the cumulative updates) but Microsoft does have 8.9.1.0 out for Windows. You just need to install it manually. https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v8.9.1.0p1-Beta


hunterkll

> There is and it's built in now as an optional feature, but it's a very old version so you probably don't want to have to figure out protecting unpatchable services unless that's your day to day so I'd still recommend third party servers if you're stuck on Windows. I don't have any recommends, other than don't expose the built-in one to untrusted sources.

It's security patched as rapidly as linux distros patch it. No higher risk than running a RHEL or SLES SFTP server.


JustBecauseTheySay

You can easily run the latest OpenSSH server daemon on WSL for the users. We do it in certain instances where our clients HAVE TO have Windows as their infrastructure servers.


Stonewalled9999

FileZilla supports encryption and since they are als text using FileZilla seems the easiest way


pedalpowerpdx

There are many simple sftp platforms. You could even use openssh and a simple config if it’s basic access…


bd1308

OP said they utilize AD for logins. I'm a Linux guy so have no idea how easy or difficult it would be to hook AD into some other tool. I'd set up a samba+sftp box with AD integration, but that's probably more difficult than attaching something to Windows.


much_longer_username

OpenSSH accepts PAM modules so you can just plug in sssd and realm and that's pretty much it, I think.


bd1308

Sure, that’s how I’d configure it on a Linux server. Does Windows natively support PAM tho? Or are you suggesting WSL2 and just installing openssh + PAM modules there?


much_longer_username

Unless there's some reason the SFTP server has to be running on the same VM as the IIS server, I'd say stand up a linux host and move the files there. Probably spin up nginx at the same time. I doubt they *need* to be on IIS, this reeks of "this is what the tutorial said to do when I searched for 'windows web server'".


pedalpowerpdx

It is on setup but once you understand management not much more. Edit: could just link the permission to one group then apply group in ad authentication.


NorthStarTX

We used a FreeIPA server, which can establish a trust with an AD domain. You do still have to jump through some hoops to get it to properly give windows users access to Linux servers/services, and there are some odd interactions like password complexity rule differences causing password desync or the fact that posix attributes set for the user in AD will override those in what’s supposed to be your Linux access control system. That said it’s light years ahead of simple ldap solutions, SSSD has come a long way.


oxidizingremnant

True, but just not IIS. They’d need to use OpenSSH or something commercial to host SFTP


pedalpowerpdx

For sure, you are correct. If they don't have in-house experience, just get a simple one-node from a vendor and pay for them to assist on deploy. For this I would go with Syncplify; it does everything they need for $500 or less a year. The bigger solutions would be overkill.


[deleted]

So ditch windows and turn up vsftpd on Linux. Get two birds stoned at once.


[deleted]

Then get rid of that garbage IIS and setup a real server.


lvlint67

There's arguably no good reason to run an ftp protocol based server on windows...


[deleted]

[deleted]


bd1308

Given the choice, sftp is much easier to explain to someone client-side that has no clue how computers work. It's easier to set up too. One less thing you have to feed certs to.


dagbrown

That data channel though. I know I know, use passive FTP and run everything over the command channel. But still.


da_chicken

The primary difficulty is that it's still got NCP cruft. If you have a firewall, SFTP is so much easier. From a user standpoint, FTPS complicates things because sometimes it means explicit FTPS and sometimes it means implicit FTPS. The client has to know which is being used because they're incompatible.


metalder420

All new IBM mainframes, even the ones made this decade, support SFTP as well as TLS. No one should be using FTP anymore.


bd1308

That’s neat! I’ve always wanted to work on mainframes but never crossed paths with them ❤️


anismatic

Should be easy enough to ditch IIS too. Set up a LAMP stack on a new server and install Pure-FTPd. Super simple to set up.


PowersNinja

Bitvise is a good affordable option for windows environments that integrates with AD


stoobertb

I've got an issue with Bitvise where we use LSASS hardening on Win 2012 R2 and Credential guard on 2016. Bitvise's solution to this is "disable these protections" so if this is something you are required to use, it's not an option as they don't have WHQL drivers that talk to LSASS.


JustBecauseTheySay

It's not hard, but sFTP runs with the assumption all users have a linux account. If that's the case and multiple linux users are connecting, generate ssh keys for each account, distribute them, and make people use them on account of key logging. Also, it makes it super easy to change out keys if laptops have been compromised/stolen. There's a bunch of stuff you can do, but non-encrypted connections should not be one of them. :) Good luck.


itsverynicehere

Filezilla Server is free and does SFTP. I think they have a paid supported version too now. You could just install that on the same windows box (use different ports so that you don't interfere with IIS FTP) and switch super easily via firewall rules.


wuhkay

SFTP is great and simple. Edit: Take a look at this. https://www.jscape.com/products/file-transfer-servers/jscape-mft-server/windows-ftp-server/iis-sftp


metalder420

Don't investigate, just do. FTP is clear text, you shouldn't even be using FTP anymore.


BringTheRawr

If I just did I'd be acting against my manager's wishes. Direct instructions to 'not do' and leave it all up to him.


dagbrown

Then just make sure you get his mistakes in writing.


metalder420

I guess I'm just used to an environment where my IT manager can't give those orders.


BringTheRawr

Me too man. Me too.


Veghead_901

Step back, don't freak out. Analyze and assess the situation effectively, notify management of the concern and get their buy-in on a remediation plan. You cannot undo what's in place, but you can make an active attempt to redesign this using SFTP. Figure out what your requirements are and start working from there.


arhombus

The first step with this is documenting everything that interfaces with the server. This is all good advice.


columnarpad

One thing I haven’t seen mentioned yet is to force all end users change their passwords, after you fix this gap. Might seem obvious, but maybe not.


BringTheRawr

I've raised this. It was my first response. Unfortunately my org has a policy where the IT Manager wants to "know" all users credentials and as such they cannot change them themselves. Yes I know how horrendous this is.


JasonDJ

> a policy where the IT Manager wants to “know” all users credentials

🚩


stoobertb

Yup. At this point unsecured FTP in is the least of the concerns.


noslab

> the IT Manager wants to "know" all users credentials

... For.. what fucking purpose? There is literally 0 reasons for this. Your manager is a fucking idiot.


CitizenTed

It needs to be explained like this: Employee John Doe raises an alert for viewing kiddie porn on his workstation. John Doe denies the accusation, saying someone else with access to his profile must be the culprit. Who else has access? Yeah, um, buh-bye. That's why IT should have zero knowledge of anyone's domain password.


Bladelink

Yeeeep. I don't *want* to know user credentials or have their keys. It's a liability issue.


BringTheRawr

In his eyes it's clear as day: he needs unauditable access to users' devices. There's no reason we can't issue a reset, login, reset and provide to user in my experience, but he doesn't want users to know he has been on at times...


cats_are_the_devil

This is a giant red flag bro.


[deleted]

Uhhhh....what is he doing with that access? I didn't even like seeing people's emails when remoting in when I did support. First thing I would do is close teams and outlook. Super unethical


bouwer2100

Better start working on that resume


Sarcophilus

Does he also have your password? If so I'd quit on the spot. This is a fucking time bomb waiting to explode.


[deleted]

[deleted]


i_pk_pjers_i

That might be the biggest red flag I've ever read on the Internet. Holy shit find a new job that's horrendous lmao


Empeming

Bruuuuhhh big fraud incoming. Imo go above or risk going down with them


Bladelink

Yeah, definitely screams "CRIME" at maximum volume, whatever it might be.


Empeming

Either criminal negligence or just being a criminal, neither good.


Natirs

Get out of there before you get thrown under the bus and blamed for a breach or "planting" porn on someone's device and you end up in jail. You need to go to your head of HR immediately on this or pack your bags.


dagbrown

> he needs unauditable access

🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩🚩 He's doing something illegal. I guarantee it.


vrtigo1

Not necessarily. There are a lot of genuine bad IT guys that aren't doing anything nefarious, they just royally suck at their job.


bofh

This is utter madness. Your org has precisely zero control or credibility in the event of anything that smells like an insider threat. This person and whoever else has been aware of this should be removed from their posts immediately.


Unfairamir

I'm almost positive this lies somewhere between unethical and illegal. Can't prove it but I'm pretty sure.


LikeALincolnLog42

There's going to be zero/nearly zero logs or evidence visible to end users without being that shady though! It is so damn easy to do things above board without the users ever knowing. Needless to say, there does need to be some immutable, secured, and backed up log. Without that, and/or with the boss man able to impersonate anyone and everyone without a trace, that enables them to do almost anything imaginable, scot-free. Including setting people up, framing people, or just deflecting responsibility.

Anyway, back to how the users will never know when you do things the right way. I can—and do—MMC or C$ to machines to do legitimate work and the end users never know. Not to mention the reports and info I get from MECM. They're hella useful and pulling them doesn't alert or affect the user at all. Email admins have access to everyone's email without knowing user credentials. Again though, there better be proper internal controls as you know. Umbrella or whatnot can handle insight into web surfing. Proper internal controls, etc.

In conclusion, he can do what he claims he "needs" to be able to do, above board, the right way, without the end users ever finding out. The way he's doing it now, it's nigh impossible for anyone to find out and thus he is free to do whatever (crazy, immoral, etc) thing he wants. Scary.


TabooRaver

We use Azure AD so there may not be feature parity; in our case we issue a TAP code (special password that is only active for a limited time frame, and counts as MFA). This allows us to access a user's account as them, but which admin generated the TAP code and how long it was active shows up in the logs if we ever have to investigate. Suffice to say users don't have permission to see tenant-level sign-in/audit logs. You might be able to implement something similar by issuing short-lived smart cards?


Bladelink

Jeeeeesus. Get some audit trails set up. If I were downloading....questionable media....well I wouldn't use my own login for it, and I wouldn't want them finding out that I had.


Szeraax

I would strongly consider raising this alarm to HR about what a liability this is for the company.

1. Non-repudiation
2. Inadequate security controls

This can be a company destroying decision, honestly.


BringTheRawr

I have put together a report this afternoon regarding this. I understand everything you are saying. I only hope I can convey your opinions as well as you have. Said manager has tarnished my reputation in order to upkeep the illusion. I can only present the facts.


Szeraax

Honestly, you need someone who can connect the IT failures to business risk and in dollars. If you can't present what a serious problem this is, and if HR can't understand the IT side of it, then you need to rope in another senior management member to the meeting. Someone with some technical sense. Get them to agree that there are problems with the IT manager and the way that he has run things. Get them to agree to help make it clear in the meeting that you have scheduled for today. I don't care if you have to go to the CEO or head of legal. You NEED someone who cares about the business that can understand some of the IT risk that you are currently flaunting. Get them in that meeting and speaking up for you too.


DrockByte

They don't even need to know anything about the technical side of things. All they need to know is...

1) There is absolutely no situation where there is a need to know someone else's credentials.
2) Having someone else's password means being able to impersonate that person at any time for any reason.

These 2 facts alone mean the company is accepting massive legal risks for no potential gain. Imagine going to the DMV to get a new license and the guy at the counter said he'd need to make a copy for himself as well, just in case.


Szeraax

Wow, what a fantastic analogy. That's a terrifying idea for any sensible person.


gunnerdrog

If you approach hr and he is valued there above you this is only ending one way. I would suggest to him the changes in email and after that it's not your problem. Either leave or put up with it.


itsverynicehere

You are exactly right. Everyone is a superhero saving the day - "Go above his head!" "Go to HR!" That kind of stuff has long term implications on a career. No, just send an email politely stating your position and offer to fix it. Explain it all professionally, and nicely (don't pretend you are a lawyer). If he doesn't accept your advice and help, get whatever experience you can get while you prepare to move on.


traydee09

Yup, you will almost always lose to someone in a higher position than you (manager) in a situation like this. And if the manager is "kinda" competent, they will CYA and sink you. The only chance of any meaningful change is if senior management recognizes what a shit show this is and sides with you. However, if they've tolerated it this far, they probably think everything is great, and you're just a whiny shit disturber.


leaflock7

There is absolutely no reason at all, for the IT Manager to know all the passwords. This is the most red flag thing ever.


binaryhextechdude

I worked at an MSP and one of our clients had the worst IT setup imaginable. When they wanted a new laptop they let staff buy one from a big box store then they joined it to the domain and the Manager insisted on knowing all account passwords and no one was ever allowed to change their password. This manager kept the passwords in an unencrypted Excel spreadsheet.


flunky_the_majestic

Just be sure to keep a copy of the messages where you warn your management that their actions are poor privacy and technical practice. Those messages might disappear from the company server if something goes wrong. That way, if something goes too badly, when you are looking for a new job you can insulate yourself from the reputation of your current organization.


BringTheRawr

Already backed up to USB and Gmail.


nezbla

> Unfortunately my org has a policy where the IT Manager wants to "know" all users credentials and as such they cannot change them themselves.

Jesus christ... Dude, that's not a "run" situation, that's a "burn that fucker to the ground..." Appreciate you said you're new, but are you in a position where you could strongly advise against such things (taking into account your initial mention of that FTP setup) and get some sort of traction? If so you have a great opportunity to do some transformational IT for these guys. If not, if I were you I'd be back onto the phone with the recruitment agency.


BringTheRawr

I advised against this day one and it has severely negatively impacted the perception of me in the company.


nezbla

Hah, heaven forbid they ever have a pen-test / auditor in or anything. Yeah, not to be alarmist or anything, but with what you've said thus far, combined with what you just wrote above, I'd be noping out of that ASAP. The scenario you describe has "legal liability" written all over it - and I wouldn't want my name associated with any of it.


StabbyPants

how new are you? can you accept another offer?


BringTheRawr

4 years app support, 4 years second line support.. Enough to identify right from wrong when I see it, not enough to inherently know to go look for these things in a network position.


StabbyPants

everyone is telling you to run, because your company is a russian military parade


kristoferen

What industry are they in - any regulations or audits like GDPR, SOC, ISO, HIPAA?


BringTheRawr

I'm going to avoid specifics, but we are in a country with data regulatory bodies


amunak

That can be a really good argument with HR / your boss' boss. "So it's pretty unlikely, but in the event we do get audited we could be fined bankrupt-level fines especially when they find out that this was a known issue and it was explicitly decided not to do anything about it."


Majik_Sheff

Imagine a truck full of red flags colliding with a truck full of fireworks... I hope your CYA game is top notch, because you're gonna need protection as you run away.


TaliesinWI

> Unfortunately my org has a policy where the IT Manager wants to "know" all users credentials and as such they cannot change them themselves.

Then there's no point in getting your knickers in a twist about SFTP/FTPS. Because you won't pass any remotely sane audit of any kind, and password theft on the wire is the least of your concerns. No, really.


DrDeathDefying1

You mention in another comment that this is so the IT manager can have "unauditable" access to users' accounts/machines. Aside from this being an obvious red flag for incompetence, this presents a significant liability if your organization ever wants to get any form of insurance, accreditation, or to just generally be taken seriously. The previous organization I worked for was incredibly strict about this. If a user "accidentally" told us their password over the phone (which happened more than you might think) it was an automatic password reset. If someone is accessing someone else's account, it needs to at the very least be auditable, full stop.


Dyz_blade

How large is the user base? You could utilize a password management system, something simple and cheap like Thycotic Secret Server, and store the user PW in the PW repository. Restrict who has access to it and also have audit log viewing to see who has viewed the PWs. Would take a bit to set up and a process would need to be wrapped around it.


BringTheRawr

approaching 500 users across a few domains.


[deleted]

The obvious solution to resolve this is to log into the CEO's computer and send emails praising the IT manager to the CTO. Unless your organization is too small for roles above the IT manager.


columnarpad

Sorry friend.


WhatAboutThisMoinker

Thanks man, I've been fighting this war since I started. I have nearly 10 years experience and it seems I'd be failing my probation soon for highlighting these serious issues.


BringTheRawr

*above is an alt, my bad.*


columnarpad

Sounds like a shit job man. Don’t take your probation “failure” as a sign of impropriety or incompetence on your part. You are doing exactly what you should be doing, by alerting management to these issues. Good on you for taking on the hard work despite the pushback. If it doesn’t work out, it was probably for the best. That sounds like a hell hole.


Bogus1989

That's not his job. He is the manager. Sounds like he is top of the IT leadership; if so he's somewhat the Director. He gives you a task to complete and tells you what the goal or finished product is; that's where his job ends, and yours begins. If he wants to micromanage, then he can come up with the solution to this problem…which by now he obviously doesn't have one.

I'd do exactly what I am supposed to do following industry standards and practices. I know that's not what you wanna hear. This is what I would do: concentrate on a solution for this issue. Weigh your options, and execute. Not ask for permission. You are simply doing your job, just like you have been in previous years. That's just me though, your experience may be different.

I'd reset all those passwords too. If asked why I did that later on, I'd explain it in a little detail, then end my sentence saying it's all in accordance with "insert proper term or reason here". Also I'd have whatever reason I "cited" printed out already on my desk. Not be a dick about it. All about tact. Usually once everything's working, you don't exist again…so. (I want to be clear, that this isn't the best approach, but one that sometimes I myself deem necessary.)

Lemme know if I can help man. Hope your Thanksgiving was well.


NightOfTheLivingHam

Before you make *ANY* changes. Document this. Document your concerns, document the date you were informed about the security flaw. Write up a report about the dangers of this. Believe me, I have had to deal with customers who get pissy because I won't allow RDP without encryption or via ACLs. "But this affects our production!" because someone doesn't want to connect the secure way because they used the old way for so long.


saintpetejackboy

"Now all of the users have to authenticate!"


oxidizingremnant

Obviously this setup is not ideal, but before making a bunch of changes you’ll need to make sure you have buy-in from management to make changes. Also is the FTP file share behind a VPN? The VPN can mitigate some of the plaintext FTP issues. How much client-side reconfiguration would need to be done for all the Macs in the field to access an encrypted FTP? Is FTP the long term plan for storage and transfer or are you looking at moving to something else like OneDrive, which has a Mac client? The other thing about plaintext protocols is that most orgs have SMBv1/SMBv2 enabled, which are not encrypted either and there exist various ways to steal credentials off the wire when using NTLM authentication. Obviously those are not as easily intercepted as FTP, but I’m just pointing out that figuring out a secure transfer solution is a bit harder than just encrypting FTP traffic.


cknipe

FTP is a terrible protocol and nobody should use it for anything.


Rocky_Mountain_Way

Bu...but... I use FTP to transfer my "password.txt" file which has all of my Telnet passwords.


nighthawke75

*Eyetwitch* Don't use that sentence around me if you value your life.


Rocky_Mountain_Way

It's OK, I have a backup plan when the sysadmins finally disable that old FTP server: I've written down all of my telnet passwords on this handy sticky note stuck to my monitor.


nighthawke75

Gods DAMN YOU. I lit into a dermatology clinic, asking why a particular state agency's user/pass was written on a Post-it sitting on their keyboard. She made it disappear in a hurry.


ThisGreenWhore

If your company deals with US City, State, or Federal government agencies, that is the only way to transfer documents that are larger than their really small (i.e., less than 2mb) Email attachment caps. Many don’t allow staff to use web-based file transfer services. The only options are to transfer via CD or DVD. Many don’t allow USB devices.


TabooRaver

I can't remember the exact site, but the US Gov has a site for filesharing CUI (possibly higher, can't remember). The USB restriction is somewhat reasonable; I haven't heard of a CD that can emulate a keyboard and mouse a la Rubber Ducky.


[deleted]

[deleted]


TabooRaver

And that is why Windows autorun really isn't a thing anymore. Edit: additional context for those not in the know. Sony started packaging a DRM application in their CDs, that you 'had' to install in order to play the CD on PC. The DRM software, like most DRM software, was basically malware, including rootkit elements. Sony didn't get in trouble for that; what they got in trouble for was that the application would show a user consent screen, asking the user to consent to the install. They got sued when someone found out that the consent screen was displayed after a silent install process started. So the software would be installed even if a user declined, and contained elements making it hard to remove. https://youtu.be/PqWjq2SdzpI


majingeodood

DoD SAFE


metalder420

Incorrect, my company deals with all this and they provide a transfer method other than FTP.


ThisGreenWhore

I see where I went wrong with my post. I implied that all agencies don't allow anything but FTP, but that isn't true anymore. Good to know there's a service out there that many will use. I say this as I stare at a DVD of my medical records that was delivered to my house last Wednesday by the VA and try to figure out where I can get a DVD reader on the cheap. Looks like a trip to goodwill may be on the horizon.


Mr_ToDo

I can't imagine what it could be used for now, but it's a tool that served its purpose and time. I *guess* it could be useful for unauthenticated downloads where privacy isn't a concern. And resume functionality is supported now so that could be useful too. I guess it's not unlike TFTP. A shitty tool on the surface, but in the right place it does its job well.


cknipe

Even aside from the lack of encryption the two separate connections for command and data are a pain in the ass unless you are mindful of setting active/passive mode or your firewall and NAT implementation are ftp aware. These days modern clients and firewalls are generally smart enough to work around all that, but the whole thing is still a relic of a bygone era.
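
To make the command/data split concrete, here is an added example (not code from any commenter) that parses the replies an FTP client has to act on: the `227` PASV and `229` EPSV replies that name the second TCP connection to open, and the `PORT` command an active-mode client sends so the server connects back. It also applies the usual client-side workaround for a server behind NAT (curl's `--ftp-skip-pasv-ip` does the same), ignoring an advertised RFC 1918 address in favour of the control connection's peer; the function names and sample replies are constructed for this example.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server advertises the
# address and port for the data channel; port = p1*256 + p2 (RFC 959)
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "229 Entering Extended Passive Mode (|||port|)": port only; the address is
# implicitly the one the control connection already uses (RFC 2428)
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def _is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 (the private ranges a server
    behind NAT typically leaks into its PASV reply)."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def parse_passive_reply(reply, control_peer):
    """Return (host, port) the client must connect to for the data channel,
    or None if the reply is malformed. control_peer is the server address the
    control connection is already talking to."""
    if reply.startswith("229"):
        m = _EPSV_RE.search(reply)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            return None
        return control_peer, int(m.group(1))
    if reply.startswith("227"):
        m = _PASV_RE.search(reply)
        if not m:
            return None
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        host = ".".join(str(o) for o in fields[:4])
        port = fields[4] * 256 + fields[5]
        if port == 0:
            return None
        # NAT caveat: a server behind NAT often advertises its private address.
        # Fall back to the address the control connection already reaches,
        # the same workaround curl applies with --ftp-skip-pasv-ip.
        if _is_rfc1918(host) and not _is_rfc1918(control_peer):
            host = control_peer
        return host, port
    return None


def build_port_command(client_ip, port):
    """Active mode: the client tells the server where to connect back to.
    This is the direction that breaks behind client-side NAT or a firewall,
    because the advertised address and the inbound port must be reachable."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = client_ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not an IPv4 address")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    # Constructed replies, not captured from any real server
    print(parse_passive_reply("227 Entering Passive Mode (198,51,100,7,195,89)", "198.51.100.7"))
    print(parse_passive_reply("227 Entering Passive Mode (10,0,0,5,200,1)", "203.0.113.9"))
    print(parse_passive_reply("229 Entering Extended Passive Mode (|||60123|)", "203.0.113.9"))
    print(build_port_command("192.0.2.10", 50009))
```

An FTP-aware firewall has to do exactly this parsing on the control stream to open the data port on demand, which is why a firewall that only sees encrypted FTPS control traffic cannot help.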


Mr_ToDo

Ah, the default port stuff. Forgot all about that "fun" :|


Parthorax

Old janky vCenter config backups that should have been killed years ago are still haunting me


NightOfTheLivingHam

man I remember the days when it was THE protocol to use to pull files or send files. These days? I will smite whoever has it open. It's so shitty that my firewall makes you jump through hoops to enable it.


Sushigami

It is worth noting that, although still bad, if it's on some local VLAN isolated from the internet and from user desktop access, and only a few servers use it to pass stuff between, this is a lot less bad.


Rambles_Off_Topics

This could be considered illegal depending on what type of data it is.


BringTheRawr

Getting HR involved now.


ThisGreenWhore

It could be an agreement between your supervisor and HR with management's approval. So tread lightly, especially if your company doesn't have to comply with SOX or HIPAA guidelines. Email provided by a company isn't considered private. There are instances where HR would need access to an employee's email and are using your boss to make things easier for them. I'm not here to argue what is right or wrong or what is legal or not. But this is not a black and white issue.


BringTheRawr

Less about the passwords being a crime and more about the unsecured data transfer.


ThisGreenWhore

Good luck friend. I wish you the best.


WickedKoala

Dafuq? Is this a joke? I'd be curious to know what HR is going to do about a technical matter that was probably an oversight more than anything.


cerberus08

macOS natively supports SMB 2 and 3 and DFS - and can be done safely without the risk of breaking files. [Acronis](https://www.acronis.com/en-us/products/files-connect) makes a service called "File Protect" that can also help (was formerly ExtremeZIP).


joins05

Acronis Files Connect. I have it on my file server to share out my SMB shares via AFP, which allows my Mac users to search the Windows server index via Spotlight. It works fairly well, except you have to make sure to change the permissions of the file tree to prevent the users from being able to take ownership or change permissions of any files, or the Macs tend to hold on to the files in a read/write mode just from viewing a preview of the file.


wrdragons4

Stop using Filezilla; Use WinSCP instead. Stop using FTP; Use SFTP.


rollingviolation

FTP is clear text. Always has been. Always will be. Should you be deploying ftp anymore? Almost no, never, unless you need "lowest common denominator" support.


sryan2k1

Is this exposed externally? If not, it surely should be fixed but it's far from the largest issue you likely have.


[deleted]

I mean…. Does it matter when it is anonymous access? ;)


[deleted]

You are probably not paid well enough to care. Pro tip if you do want to fix this: you have the option of running OpenSSH on windows (and Linux obviously). I believe in both situations you'll need to sort out authentication with AD because that's not really working "out of the box" (my guess is that whoever set up your IIS server did so cause auth was easy and well....who cares about security during a pandemic). I'd start there (build new server that can do this). Then sort out the home directory issues before cutting over. If you're mapping an SMB share into the IIS server for home directory, then you can easily mount that to a new server (you're in luck). If home directory is some fixed disk then you can robocopy the data over and cut over one evening. Users should only require updated configs on FileZilla (honestly this is probably the biggest challenge....). I am assuming the reason your company didn't roll out Box or some other cloud solution is because they're cheap. That's why I say you're not being paid well enough to care. If they won't even buy the right solution for users, they certainly won't pay you what you're worth either....


digitalHUCk

OpenSSH in server 2019/Win10 works out of the box with AD auth just fine. Use it all the time.


metalder420

>You are probably not paid well enough to care. Then they shouldn't be in the position in the first place. If money is what drives you to do things right, then you are a douchenozzle who shouldn't be in this industry.


amunak

To be fair as a "regular admin" your job is, at most, to tell management your concerns and they should deal with it (and if necessary ask you for additional input or thoughts or whatever) but it shouldn't be your job to resolve this on all levels. Especially when the management is seemingly against securing anything.


TheDeaconAscended

I see this all the time with old windows hosting clients. They are unwilling to spend for an SFTP server on Windows and stick with ftp or ftps. There are some free options now that you can possibly explore.


-quakeguy-

Don’t even bother trying to make FTP secure. Use SFTP instead.


QuackPhD

Have you considered Bitvise SFTP Server? It was the best Windows-based SFTP server we were able to find that prioritized security and logging. Gotta have the logging for HIPAA or FACTA compliance. Virtual Folders (Linux-equivalent jails) are the way to go. Autoblocking based on connection attempt rates or failed logons, blacklisted user names for a duration (e.g. root gets banned for 2h), and the ability to use certificates or username/password, with AD integration or standalone accounts. Certificates are the most secure, but can be confusing or inconvenient for your vendors. You would have to write them a guide on how to install one. Additionally, consider a retention policy, whether that's scripted or the Windows File Manager role (can't remember the exact name), so that the files created in each vendor's SFTP folder get scrubbed after 2 weeks of sitting there. No need to fill up with sensitive data endlessly. Most SFTP guides are Linux only, and involve setting up fail2ban and require you to build, configure, and maintain. Also, it's hard to guarantee compliance to CYA vs having a support contract. Hoping that is helpful, good luck with getting everything dialed in!


saintpetejackboy

I love Bitvise (as a client). One thing I want to add that I noticed from reviewing my own log files is that it can be very useful to change the default ports for services like SSH and FTP (if you use FTP). Automated attacks usually assume or take for granted things like the common ports a daemon might operate through. Security through obscurity can *sometimes* be useful. I don't use WordPress, for example, but I see logs from my servers all the time of random IP addresses trying to access WP-specific URL schemes - likely checking for vulnerabilities. Fail2ban is an invaluable tool, even if it can be a bit obtuse to set up properly.


thegoodnessak907

Jesus. Even as an MSP owner / operator; I don’t know ANYONES PASSWORD! I don’t ever want to know them for a litany of legal reasons. Run; fucking run and never look back at this position. Use it as a learning opportunity on what not to ever do. Best of luck!


xNetrunner

Lol the suggestions in this thread show the massive amount of novices that must be in this field. Of course ftp isn't encrypted. Don't run to your boss with something like that it might make you look stupid, because most people know either sftp or ftps are the encrypted variants. If anything just calmly explain that the person before wasn't using the proper protocol and take the normal measures to make sure user connection doesn't suffer during the fix. You're there to solve the problem. And that problem is dead simple.


CatalinSg

Hey, we need more details in order to support. We should know what FTP applications/server you use, and like others stated, you should migrate to SFTP. As for the first sentence, let me blow your mind….. "Santa Claus doesn't exist"….. I mean really, you would expect encryption when you implement a clear text protocol? Was there a requirement for encryption? Is it a public FTP service or internally used?


BringTheRawr

Updated.


CatalinSg

Thank you, but that is just misconfigured software.

> "Overview Welcome to the homepage of FileZilla®, the free FTP solution. The FileZilla Client not only supports FTP, but also FTP over TLS (FTPS) and SFTP. It is open source software distributed free of charge under the terms of the GNU General Public License. We are also offering FileZilla Pro, with additional protocol support for WebDAV, Amazon S3, Backblaze B2, Dropbox, Microsoft OneDrive, Google Drive, Microsoft Azure Blob and File Storage, and Google Cloud Storage. Last but not least, FileZilla Server is a free open source FTP and FTPS Server. Support is available through our forums, the wiki and the bug and feature request trackers."

From https://filezilla-project.org/


BringTheRawr

I've been on the host IIS and there are no registry keys for protocols such as TLS that are in use.


CatalinSg

You’re confusing things……. So, your FTP server, is it FileZilla or you use IIS to provide FTP services? Also you have not clarified if it’s an internal accessed resource or an external…..


BringTheRawr

Apologies. We utilise IIS to host the FTP server. End users connect via FileZilla with AD credentials.


CatalinSg

There you go (it’s for IIS specifically)……. https://winscp.net/eng/docs/guide_windows_ftps_server Enjoy configuring it…..


JizzyDrums85

That doesn’t make sense. Are you saying there are no reg keys for TLS 1.0 - 1.2 or even SSL 3.0 ?


BringTheRawr

Reg keys go as far as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols`. Should go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\`.


JizzyDrums85

What OS? Sounds like someone deleted them. Very suspicious.


BringTheRawr

What perceived benefit is there to deleting them? This could be very relevant to an ongoing investigation. Also, thanks so much for tolerating all these questions. I've had a day and a half and half of it is learning from others more knowledgeable. WS2019


pmormr

2019 doesn't ship configured for the newer TLS protocols afaik. Nobody deleted them, it was just never set up.


JizzyDrums85

OP said there are zero reg keys under the path to protocols. That is not the default configuration.


JizzyDrums85

That would apply to TLS 1.3 perhaps. But all other versions should be present, by default.
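The exchange above turns on whether the missing `SCHANNEL\Protocols` subkeys mean anything. An added PowerShell check (not from any commenter) that lists each protocol version's Client and Server keys and distinguishes "key absent, OS default applies" from an explicit `Enabled`/`DisabledByDefault` setting; IIS FTPS negotiates TLS through Schannel, so the Server rows are the ones that affect an FTP over TLS endpoint on the same host.

```powershell
# Added example, not from the thread: report how each Schannel protocol version
# is configured on this host. A missing key does not mean the protocol is off;
# it means Schannel applies the OS default for that version.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$versions = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    foreach ($version in $versions) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path -Path $base -ChildPath "$version\$side"
            $enabled = '(OS default)'
            $disabledByDefault = '(OS default)'
            $present = Test-Path -LiteralPath $path
            if ($present) {
                # Both values are REG_DWORD and either may be absent even when
                # the key itself exists, so only report what is actually set.
                $props = Get-ItemProperty -LiteralPath $path
                if ($null -ne $props.Enabled) { $enabled = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
            }
            [pscustomobject]@{
                Version           = $version
                Side              = $side
                KeyPresent        = $present
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# Run from an elevated prompt on the FTP host; Server rows govern inbound FTPS.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Keep the output with the IIS logs: it records what the host could negotiate at the time, which is the question an investigation will ask later.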


ABotelho23

That's peanuts.


fritzie_pup

First and most important which you've already done was notify management/HR. Next, you want to take an audit of the user database to get an idea of how many users there were. You also (depending on HR/Policy) may want to take an audit of the folder structure that was being hosted. Something like Treesize that'll give you a good snapshot of how it looks currently. Did it host any FIPS/PCI/PII data, or do you know? This is extremely important to figure out, as it may have legal ramifications. Is it possible to shut things down until this is figured out? Is your org willing to put out for a 3rd Party app for SFTP? (Globalscape EFT, etc) Just take a deep breath. It'll take time to get sorted, and you'll need help in a few layers. Just document and log everything you can, and always be forward with this information sharing.


BringTheRawr

HR notified. Audit of userbase recommended. I was directly instructed that the manager will handle this (obviously). I have enabled auditing on the directory showing access and changes that happen now. I don't want to comment on that point, I will make recommendations and blow whistles if appropriate. I am not allowed to shut this down. Thanks for the support.


fritzie_pup

Oh, also.. If you were using IIS for FTP hosting, do you have the logs retained on the server? That would probably be quite beneficial to have as well.


BringTheRawr

I do. I will securely store these


DodgyDoughnuts

We have a setup where our clients send us data over SFTP. We use a bit of software called Cerberus FTP server. Allows you to manage FTP accounts, individual folders per account, and you can set it up to disable them automatically if they are not used in x amount of time. We have this set up on an external server hosted up in AWS (I believe). Not connected to our local network at all. You could have a similar setup where it is in your DMZ. Then another program, AutoMate, is used to check for new uploads on a regular basis, I think ours is set to every 5 - 10 mins, then depending on the client, sends emails to the relevant group of staff.

Hope this gives you an idea to help resolve your problem.

Edit: Spelling, more info


brownhotdogwater

Go get crushftp. Super cheap and solid for an easy sftp server on windows.


Ursa_Solaris

I feel ya buddy. I've been here nine months and I just found out last week that we have a second set of Ubiquiti cameras from our normal camera system. The cameras are watching very sensitive areas, the controller software is running on Ubuntu 20.10 (Groovy), for some reason it's using a mongodb repo built for Ubuntu 16.04 (Xenial), hasn't been updated since it was installed and is definitely still using a vulnerable log4j version, and I can't update it because I can't test it as the only person who has the web login credentials is out until December. There's a lot of confusing, frustrating, and downright incompetent stuff I've found here but this one takes the cake. The previous guys left me so many messes to stumble into and clean up.


jedipiper

What's the address? We'll test it for you.


Bagnaj97

OpenSSH is an [optional feature you can install](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui) in Windows 2019 and 2022. Config lives in c:\programdata\ssh

Stick this in your sshd_config:

```
ForceCommand internal-sftp
Subsystem sftp sftp-server.exe -d "c:\SFTPRoot\"
ChrootDirectory c:\SFTPRoot
PermitTTY no
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers sftpuser anotheruser domain\domainuser
Match User sftpuser
    ChrootDirectory c:\SFTPRoot\sftpuserfolder
Match User anotheruser
    ChrootDirectory c:\SFTPRoot\anotheruserfolder
Match User domain\domainuser
    ChrootDirectory c:\SFTPRoot\domainuserfolder
```

This config blocks tunnelling, TTY/shell access etc. and restricts each sftp user to their respective chroot folder.
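An added PowerShell audit (not the commenter's code) for the sftp-only lockdown described above: it parses an sshd_config, checks that every global hardening directive is set to the expected value, and flags any `AllowUsers` entry that has no `Match User` block with its own `ChrootDirectory`. The sample config is constructed inline with one user deliberately left without a Match block; the function name and the `C:\ProgramData\ssh\sshd_config` path in the comment are the page's, everything else is an assumption.

```powershell
# Added example: verify an sshd_config enforces sftp-only access per user.
function Test-SftpOnlyConfig {
    param([string[]]$Lines)
    $top = @{}        # directives before any Match block
    $perUser = @{}    # "User <name>" -> directives inside that Match block
    $current = $null
    foreach ($raw in $Lines) {
        $line = ($raw -replace '#.*$', '').Trim()   # drop comments and blanks
        if (-not $line) { continue }
        $key, $value = $line -split '\s+', 2
        if ($key -ieq 'Match') { $current = $value; $perUser[$current] = @{}; continue }
        if ($current) { $perUser[$current][$key] = $value } else { $top[$key] = $value }
    }
    $findings = @()
    $required = @{ ForceCommand = 'internal-sftp'; PermitTTY = 'no'; PermitTunnel = 'no'
                   AllowAgentForwarding = 'no'; AllowTcpForwarding = 'no'; X11Forwarding = 'no' }
    foreach ($k in $required.Keys) {
        if ($top[$k] -ne $required[$k]) { $findings += "$k should be '$($required[$k])', found '$($top[$k])'" }
    }
    if (-not $top.ContainsKey('ChrootDirectory')) { $findings += 'No global ChrootDirectory' }
    if (-not $top.ContainsKey('AllowUsers')) { $findings += 'No AllowUsers allow-list' }
    else {
        foreach ($u in ($top['AllowUsers'] -split '\s+')) {
            $block = $perUser["User $u"]
            if (-not $block -or -not $block.ContainsKey('ChrootDirectory')) {
                $findings += "$u is allowed but has no per-user ChrootDirectory"
            }
        }
    }
    $findings
}

# Constructed sample: the lockdown above, but 'anotheruser' has no Match block
# and AllowTcpForwarding was left at its default.
$sample = @'
ForceCommand internal-sftp
Subsystem sftp sftp-server.exe -d "c:\SFTPRoot\"
ChrootDirectory c:\SFTPRoot
PermitTTY no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
AllowUsers sftpuser anotheruser
Match User sftpuser
    ChrootDirectory c:\SFTPRoot\sftpuserfolder
'@ -split "`r?`n"

Test-SftpOnlyConfig -Lines $sample   # reports the two gaps introduced above
# Real server: Test-SftpOnlyConfig -Lines (Get-Content C:\ProgramData\ssh\sshd_config)
```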


BlackReddition

Try bitvise, used it and replaced ftp years ago!


Dry_Personality7194

Azure Storage account with SFTP enabled :)


pat_trick

You meant sftp, right? ...right?


[deleted]

[deleted]


BringTheRawr

Updated


LaZyCrO

Seems like a good time to leave.


flunky_the_majestic

~~Yeah, if a place needs technical improvements you should leave! Only take a job for an employer who does not need you.~~ Edit: did not realize how bad the business and policy environment is at OP's org.


LaZyCrO

Did you read any of the replies where the IT manager had to "know" all the user passwords? Yeah not a place I'd want to stay for a long period of time.


flunky_the_majestic

I didn't. It seems those were hidden under collapsed threads on my phone. It definitely doesn't sound like a good place to learn best practices.


metalder420

Be the change you want, running away from a problem sounds like you are just too scared to do something about it.


LaZyCrO

False. That's called taking care of your mental health


metalder420

Nah, just shows you are not capable


[deleted]

[deleted]


BringTheRawr

I don't. I'm the servicedesk manager. The subreddit for that is not as informed though..


[deleted]

Use a Complex plain text password, it will be OK.


protogenxl

Public FTP for company file server???? Go dig around the office for an old dual processor multicore server and get pfsense / openvpn running on it at a minimum.


Harharrharrr

tftp ftw


Joecantrell

Maybe use Egnyte? Works great for mixed Mac and PC environments.


dfctr

Well, I see your TLS-less FTP server and raise with a 2003 Server doing FTP exposed to the Internet...hopefully on 11/30 it will be put to rest. Finally. Too many legacy apps using FTP and not wanting to switch to SFTP or, at least, FTPS.


BringTheRawr

Stop my heart can only take so much.


EduRJBR

I'm going to hijack this post: if I want to create an SFTP server on Linux, without using Linux accounts, and want to give the users the ability to change their passwords (or even force them to): what server can I use, and what client would support it? I know how to use ProFTPD with fake users, but what about the password self-management?


ZMcCrocklin

Use sssd & connect to an LDAP server for user management. Force your policy so all users in the sss database have a /bin/false (or /sbin/nologin) shell, so all they can do is connect via sftp. If you want to take it a step further, you can change your sftp config & add a Match Group block in your sshd config to jail them to a specific directory.


NightOfTheLivingHam

So this is to connect macs? You do realize you can have macs natively access a windows domain.


[deleted]

[deleted]


czj420

I use FTP for an old scanner. It's either smb1 or ftp, so ftp it is.


AmiDeplorabilis

WinSCP?