DISCUSSION
Services Security
To ensure proper operation, the EFT Server, DMZ Gateway, and related modules must have appropriate access to requisite folder paths, registry locations, and program execution components.
Generally, the EFT service is set to run as an administrator of the system or domain. This may work for a time, but it can cause problems later if permissions are restricted or de-escalated. The permission settings below are recommended so that, if the EFT service account later becomes more restricted, any interruption in service is minimized or prevented.
Checklist | Value
--- | ---
Create a specific AD or local account on which EFT's service is to run with the minimum necessary permissions | <EFTServiceAccount>
For best security, you should set the least permissions necessary to run EFT on Windows Server 2022 and Windows Server 2019.
Instructions are provided below.
Once the service account is created, ensure the account follows least-privileged access as follows:
Open Component Services > Computers > My Computer > DCOM Config, or run dcomcnfg.exe, and set the following permissions for each component:
Functionality | Name | Launch and Activation Permissions | Access Permissions | Configuration Permissions
--- | --- | --- | --- | ---
Advanced Workflow Engine (AWE v10 only) | GSAWE | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control
Compression Engine | GSCompressionAgent Class | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control
RSA Auth Agent (RSA) | GSRSAAuthAgent Class | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control
VS Report | GSVSReport | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control | <EFTServiceAccount>, Full Control
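To confirm that the DCOM permissions above are actually in place on a host, the following PowerShell script (an added example, not part of the Globalscape article) reads the Launch/Activation, Access and Configuration security descriptors of each listed component through the WMI class Win32_DCOMApplicationSetting and reports whether the service account holds an Allow entry in each. The account name CONTOSO\EFTServiceAccount is a placeholder, and matching components by the Name property of Win32_DCOMApplication is an assumption; verify the names against what dcomcnfg.exe shows.

```powershell
# Added example (not part of the Globalscape article): audit per-component DCOM DACLs
# for the EFT service account. Run from an elevated PowerShell session.
$ServiceAccount = 'CONTOSO\EFTServiceAccount'   # assumed placeholder; use your real account
$ComponentNames = @('GSAWE', 'GSCompressionAgent Class', 'GSRSAAuthAgent Class', 'GSVSReport')

function Get-DcomDaclSummary {
    # Calls one of the Get*SecurityDescriptor methods on a Win32_DCOMApplicationSetting
    # instance and flattens the DACL into trustee / mask / allow-deny records.
    param(
        [Parameter(Mandatory)] $Setting,          # Win32_DCOMApplicationSetting CIM instance
        [Parameter(Mandatory)] [string] $Method   # e.g. GetLaunchSecurityDescriptor
    )
    $result = Invoke-CimMethod -InputObject $Setting -MethodName $Method
    if ($result.ReturnValue -ne 0 -or -not $result.Descriptor) {
        # No per-component descriptor: the machine-wide DCOM defaults apply instead,
        # which is exactly the case the table above wants replaced by explicit entries.
        return @()
    }
    foreach ($ace in $result.Descriptor.DACL) {
        [pscustomobject]@{
            Trustee    = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            AccessMask = $ace.AccessMask
            AceType    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        }
    }
}

$apps = Get-CimInstance -ClassName Win32_DCOMApplication
foreach ($name in $ComponentNames) {
    $app = $apps | Where-Object Name -eq $name
    if (-not $app) { Write-Warning "DCOM application '$name' not found on this host"; continue }
    $setting = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$($app.AppID)'"
    if (-not $setting) { Write-Warning "No DCOM settings found for AppID $($app.AppID)"; continue }
    foreach ($method in 'GetLaunchSecurityDescriptor', 'GetAccessSecurityDescriptor', 'GetConfigurationSecurityDescriptor') {
        $aces = @(Get-DcomDaclSummary -Setting $setting -Method $method)
        $hasAccount = $aces | Where-Object { $_.Trustee -eq $ServiceAccount -and $_.AceType -eq 'Allow' }
        [pscustomobject]@{
            Component        = $name
            Permission       = $method -replace '^Get|SecurityDescriptor$'
            ServiceAccountOk = [bool]$hasAccount
            Trustees         = ($aces | ForEach-Object Trustee) -join ', '
        }
    }
}
```

A row with ServiceAccountOk set to False and an empty Trustees column means the component is still falling back to the machine-wide DCOM defaults; the Trustees column is also a quick way to spot broad groups such as Everyone that should not remain once the explicit service-account entry exists.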
Access Permission
A specific domain account (<EFTServiceAccount>) is recommended to run EFT or the DMZ Gateway. The following table defines the recommended permissions.
Name | Path | Value | Notes
--- | --- | --- | ---
EFT Program | C:\Program Files\Globalscape\EFT Server | Full Control | Your directories may differ
EFT Configuration | C:\ProgramData\Globalscape\EFT Server | Full Control | Your directories may differ
EFT COM API | C:\Program Files\Common Files\Globalscape\SFTPCOMInterface | Full Control |
EFT Site Root Folder | C:\InetPub\EFTRoot\<SiteName>\ | Full Control | Full Control recommended*
Advanced Workflow Engine | C:\ProgramData\AutoMate | Full Control |
Advanced Workflow Registry | HKEY_LOCAL_MACHINE\SOFTWARE\Automate | Full Control |
Windows Temp | C:\Windows\Temp | Full Control | Full Control recommended**
EFT Registry Legacy | HKEY_LOCAL_MACHINE\SOFTWARE\Globalscape | Full Control |
EFT Registry | HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc. | Full Control |
EFT Class Libs | HKEY_CLASSES_ROOT | Read |
EFT Registry 2 | HKEY_USERS | Read |
DMZ Gateway | C:\ProgramData\Globalscape | Full Control |
DMZ Gateway Registry | HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE Inc | Full Control |
*NOTE: You may grant something other than Full Control if you use an AD-authenticated site whose permissions are managed by Windows, because the EFT service then impersonates the client's credentials to access these folders instead of using the service account, combined with "Alternative Credentials" on each event rule and action. This is only recommended when creating a new, empty site for the first time. Otherwise, you must inspect all event rules and workflows to ensure they still work correctly.
** Windows Temp location: Ensure the drive where the Windows temp folder is located (e.g., C:\Windows\TEMP) has enough free space and fast read/write performance. Automate (the EFT Advanced Workflows module) uses it as scratch disk space for certain operations (PGP, compression, etc.).
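The following PowerShell script (an added example, not part of the Globalscape article) applies the folder and registry rights from the table above to the service account and then reads each ACL back to confirm that an Allow entry for the account covers those rights, so a later permission review can be repeated mechanically. It also performs the free-space check from footnote **. Paths are the article's defaults and must be adjusted to your installation; the account name CONTOSO\EFTServiceAccount and the 20 GB free-space threshold are assumptions. HKEY_CLASSES_ROOT and HKEY_USERS, which only need Read, are reported rather than modified.

```powershell
# Added example (not part of the Globalscape article): grant and verify the NTFS and
# registry rights from the table. Run from an elevated PowerShell session.
$ServiceAccount = 'CONTOSO\EFTServiceAccount'   # assumed placeholder; use your real account

# Folder paths are the article's defaults; replace <SiteName> and adjust to your install.
$FolderRights = [ordered]@{
    'C:\Program Files\Globalscape\EFT Server'                    = 'FullControl'
    'C:\ProgramData\Globalscape\EFT Server'                      = 'FullControl'
    'C:\Program Files\Common Files\Globalscape\SFTPCOMInterface' = 'FullControl'
    'C:\InetPub\EFTRoot\<SiteName>'                              = 'FullControl'
    'C:\ProgramData\AutoMate'                                    = 'FullControl'
    'C:\Windows\Temp'                                            = 'FullControl'
    'C:\ProgramData\Globalscape'                                 = 'FullControl'   # DMZ Gateway
}
# Registry keys the table grants Full Control on (PowerShell registry-provider paths).
$RegistryRights = [ordered]@{
    'HKLM:\SOFTWARE\Automate'         = 'FullControl'
    'HKLM:\SOFTWARE\Globalscape'      = 'FullControl'
    'HKLM:\SOFTWARE\GlobalSCAPE Inc.' = 'FullControl'
}
# HKEY_CLASSES_ROOT and HKEY_USERS only need Read. They are reported, not modified: Read
# there is normally already satisfied through BUILTIN\Users membership, which an
# identity-exact ACL check cannot see, so rewriting those root ACLs is rarely needed.
$ReadOnlyRoots = 'Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_USERS'

function Test-AllowRight {
    # True when an explicit or inherited Allow ACE for $Identity covers every bit of $Rights.
    param([string]$Path, [string]$Identity, [int]$Rights, [string]$RightsProperty)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $Identity -and
            (([int]$ace.$RightsProperty -band $Rights) -eq $Rights)) { return $true }
    }
    return $false
}

function Grant-AllowRight {
    # Adds an inheritable Allow ACE (subfolders and files, or subkeys) unless one is
    # already present, then verifies the result by reading the ACL back.
    param([string]$Path, [string]$Identity, [string]$Rights, [switch]$Registry)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Missing path, skipped: $Path"; return }
    if ($Registry) {
        $enum = [System.Security.AccessControl.RegistryRights]$Rights
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $Identity, $enum, 'ContainerInherit', 'None', 'Allow')
        $prop = 'RegistryRights'
    } else {
        $enum = [System.Security.AccessControl.FileSystemRights]$Rights
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity, $enum, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $prop = 'FileSystemRights'
    }
    if (Test-AllowRight -Path $Path -Identity $Identity -Rights ([int]$enum) -RightsProperty $prop) {
        Write-Host "OK       $Rights already present for $Identity on $Path"; return
    }
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    $ok = Test-AllowRight -Path $Path -Identity $Identity -Rights ([int]$enum) -RightsProperty $prop
    Write-Host ("{0} {1} for {2} on {3}" -f $(if ($ok) { 'GRANTED ' } else { 'FAILED  ' }), $Rights, $Identity, $Path)
}

foreach ($p in $FolderRights.Keys)   { Grant-AllowRight -Path $p -Identity $ServiceAccount -Rights $FolderRights[$p] }
foreach ($k in $RegistryRights.Keys) { Grant-AllowRight -Path $k -Identity $ServiceAccount -Rights $RegistryRights[$k] -Registry }
foreach ($r in $ReadOnlyRoots) {
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $has = Test-AllowRight -Path $r -Identity $ServiceAccount -Rights $readKey -RightsProperty 'RegistryRights'
    Write-Host ("{0} explicit Read for {1} on {2}" -f $(if ($has) { 'OK      ' } else { 'CHECK   ' }), $ServiceAccount, $r)
}

# Footnote **: the drive holding Windows\Temp is used as scratch space by Advanced Workflows.
$minFreeGB = 20   # assumed threshold; size it to your largest PGP/compression jobs
$tempDrive = Split-Path -Qualifier 'C:\Windows\Temp'
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$tempDrive'"
if (($disk.FreeSpace / 1GB) -lt $minFreeGB) {
    Write-Warning ("Only {0:N1} GB free on the Windows Temp drive, below the {1} GB threshold" -f ($disk.FreeSpace / 1GB), $minFreeGB)
}
```

The script is idempotent: rerunning it after the initial grant prints OK for every path and changes nothing, which makes it suitable as a periodic check that a later hardening pass has not silently stripped rights the service depends on. A CHECK result on the two Read-only roots is informational only and should be confirmed against group membership rather than fixed by adding a root-level ACE.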
Also refer to Security Best Practices.