Limiting Access to FTPS by customer userid

  • Idea
  • Updated 6 months ago
Security issue: Need to be able to only allow certain users (customer and employee) access to FTPS rather than everyone or nobody as today. Customers ask us for this capability to comply with their own security controls. 

Jerry Corvino

Posted 6 months ago

Leo, Official Rep

Hi Jerry,

In order to fully utilize FTP/FTPS, the user would need upload and download access to folders. Without any folder access, users cannot do anything other than log in and log out because a) they can't see any directories to access and b) the root level does not allow files. It would be no different than logging in to the website with the user account and seeing nothing because you were not granted any access. You would also need access to a large range of outbound ports in order to use FTPS, and restricting access to those would prevent the user from functioning properly on an FTPS connection to us. So even if you have a login, if all the outbound ports we need are blocked, the connection would end up self-terminating after looking like it succeeded because it cannot communicate. I realize that it is not you but your customers who are requesting this. Did they elaborate on how this is a security issue?

-Leo

Jerry Corvino

Leo,

You are absolutely correct. We reviewed the client request again and have decided to respond along the lines you suggested. Thanks for your help. 

Jerry