We have a business partner who regularly needs to send a file to our server over the Internet. Our only option is FTP, and we can't use VPNs, IP Security (IPSec), or FTP over Secure Sockets Layer (SSL). We've thought about encrypting the file, but we also realize FTP authentication is weak because the password is sent in clear text. We don't want an attacker who manages to capture our password to be able to wait for the transfer to complete, then log on and download or delete the file. Can we set up the transfer so that attackers between us and our partner firm can't benefit should they capture our FTP password?
Yours is an interesting challenge, but you can meet it by using an encryption utility and implementing proper user permissions. First, create a user account for the business partner—for demonstration purposes, I'll call the account Acme-FTP. To properly limit the new account, remove Acme-FTP from the Users group to which Windows automatically adds all new accounts. Create a folder in your FTP server's root folder called AcmeFileDrop. Open the folder's Properties page, click the Security tab, then click Advanced and clear the check box that lets the folder inherit permissions from the parent folder. When Windows asks whether to copy or remove the permissions, select Remove. Then, add the Administrators and SYSTEM groups to the folder and give them Full Control. Add any other groups that need to be able to access the files that Acme delivers, and grant those groups Modify or Read access, as appropriate.
Next, add the Acme-FTP account and give it the specialized set of permissions that Figure 2 shows. As you can see, I grant Acme-FTP only the ability to create new files in the AcmeFileDrop folder. Finally, arrange to have Acme encrypt the file before sending it; Acme can use any of the several available encryption utilities that use shared keys or public/private key pairs.
Now, when Acme sends an encrypted file to your system, your security risk is much lower. An attacker who manages to capture Acme-FTP's clear-text username and password and use them to access your FTP server will be successful only if he or she can also spoof Acme's IP address. If the attacker manages to log on to your FTP server, he or she will be able to create new files but won't be able to download or change existing files.
The two risks that remain are that the attacker could create spurious files or fill up your system volume. Always validate new files (e.g., confirm they were encrypted with the proper key) before processing them. If you place AcmeFileDrop on a separate volume or if your FTP server is on a version of Windows that supports user disk quotas, you can prevent an attacker from filling up the system volume.
The only way an attacker could get an existing file is to reconstruct it from captured FTP packets, then work on cracking the encryption key. In case an attacker modifies the file in transit between you and your business partner, be sure you use a well-written encryption utility that uses a standard encryption protocol and detects modifications to the file after encryption. Never choose encryption software that uses proprietary encryption. One sign of a good utility is that the author explains the encryption methods used; a better sign is that he or she has made the utility's source code available for review by an encryption specialist. If the utility uses shared key encryption, make sure you select long, hard-to-guess keys, and don't exchange keys with Acme over the Internet (e.g., do it by phone). Many such utilities are available on the Internet, but I prefer WinZip 9.0 because it supports 256-bit Advanced Encryption Standard (AES) encryption and provides compression as well.