Thank you for taking the time to write to me. The best (and secure) way to transfer files to a production server, is to implement the following steps:
- Implement security beginning with your border router (ACL); that is, restrict external port access to production server(s).
- Disable FTP, File shares, and other common and insecure programs.
- Install and configure a remote control (with file transfer capability) program that supports the following features:
- Encryption - to secure your data.
- TCP/IP filtering - limit access to server to the firewall.
- Change default TCP/IP port -- to use a unique port.
- NT/Win2K integrated authentication.
- Block access to unique (above) port in your border router and firewall. Set up a rule in your firewall to only allow selective developer workstations to transfer files.
- Define unique account names and passwords for developers that require access. For QA purposes, consider being the primary point of contact when it comes to updating "your" production server -- that is, the server that you are responsible for. Try to reduce or eliminate the need for direct developer access.
Another viable option is to implement SSH to "move files"; however, SSH (including Cisco's version) has its share of security vulnerabilities, including gaining admin-level access. If you decide to use SSH, make sure that you patch it. In either case, apply as much of the above security steps as possible with your solution. Avoid using the leading remote control software, as this would attract unnecessary attention. There is plenty of good remote control software out there that support the above features.
Remember to enable session logging and to maintain your server and remote control software with the latest, tested, and certified patches and hotfixes.
This was first published in December 2002