THE INFORMATION IN THIS ARTICLE APPLIES TO:
Penetration testing reports indicate that uploading files to EFT is a security risk. How can I prevent that?
Web application vulnerability scans are not always applicable to EFT.
It is important to understand that EFT is essentially a file server, not a web server. Its intended purpose is for *authorized* users to upload, download, create folders, move files, rename files, and otherwise manage files. Therefore, allowing *authorized* users to upload files is not a security vulnerability, but a feature of EFT.
Still, what if, purposely or otherwise, an authorized user uploads malicious files, or files with content that violates company policy? EFT provides various means of mitigating this risk:
- Disable uploads altogether by removing the upload permission; however, that would be desirable only for situations where you want to limit customers or partners to file downloads (e.g., insurance forms, invoices, reports, documentation, etc.).
- Leverage EFT’s banned extensions feature - You can ban certain file types from being uploaded, even by authorized users. (e.g., Perhaps you want to prevent users from uploading music and video files.)
- Leverage EFT’s ICAP feature to inspect uploaded files - EFT event rules can be defined to scan files to look for viruses, personally identifiable information, and so on, and prevent its transfer.
- Enforce standard best practices for user accounts and password security, such as not allowing anonymous uploads, creating a unique account for each user, frequently changing passwords, using complex passwords, not reusing former passwords, etc.
EFT employs numerous tactics to protect the security of your data. For details of configuration and security best practices, please refer to https://kb.globalscape.com/KnowledgebaseArticle11312.aspx Where you will find the Security Best Practices checklist, which provides recommendations for increased security when managing your data with EFT.