Security Settings
Files.com achieves its best-in-class security by providing customers with a file server platform that is tuned for maximum security out of the box, with no manual configuration necessary. This means that things like strong encryption enforcement, brute force protection, and IP address pinning for web sessions come built-in and enabled by default.
We also realize that every organization has unique security requirements, so we give site administrators full control over these security features, allowing you to fine-tune your site settings to meet your needs.
For compliance reasons, it may be desirable to prevent any users from connecting with specific protocols. Files.com provides the ability to completely disable all FTP/FTPS traffic and/or all SFTP traffic.
When the FTP Enabled setting is enabled, users who have been granted permission to connect via FTP or FTPS will be able to connect. When it is disabled, no users can connect via FTP or FTPS, even if their individual user permissions grant them FTP access.
Web UI
Site administrators can type FTP in the search box at the top of each page, then click on the matching result. Click the FTP Enabled toggle to change the value.
CLI
Site admins can use the Command-Line Interface (CLI) App to view the current setting with this snippet:
files-cli sites get --format csv --fields ftp_enabled
Update the setting using this CLI snippet. Replace NEW_VALUE with either true (to enable) or false (to disable):
files-cli sites update --ftp-enabled=NEW_VALUE
If your site has dedicated IPs and this setting is disabled, all of the ports used for FTP (21, 3021, 990, 3990, 40000-50000) will be entirely closed.
For sites that don't have dedicated IPs, disabling FTP access will not close any ports. Even though the ports will be "active", users will not be able to connect via FTP or FTPS when FTP is disabled; after authenticating, the system will immediately close each FTP or FTPS connection and display an error message.
When the SFTP Enabled setting is enabled, users who have been granted permission to connect via SFTP will be able to connect. When it is disabled, no users can connect via SFTP, even if their individual user permissions grant them SFTP access.
If your site has dedicated IPs and this setting is disabled, port 22 will be entirely closed. For sites that don't have dedicated IPs, disabling SFTP access will not close port 22, but users will still not be able to connect via SFTP.
Web UI
Site administrators can type SFTP in the search box at the top of each page, then click on the matching result. Click the SFTP Enabled toggle to change the value.
CLI
Site admins can use the Command-Line Interface (CLI) App to view the current setting with this snippet:
files-cli sites get --format csv --fields sftp_enabled
Update the setting using this CLI snippet. Replace NEW_VALUE with either true (to enable) or false (to disable):
files-cli sites update --sftp-enabled=NEW_VALUE
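One way to confirm from outside that the port behaviour described above matches your settings (an added example, not Files.com code). The hostname is a placeholder, the function names are this example's own, and the passive range 40000-50000 is not probed.

```python
import socket

# Control ports named on the page; the passive range 40000-50000 is left out.
FTP_PORTS = (21, 3021, 990, 3990)
SFTP_PORTS = (22,)

def port_is_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def expected_open(ftp_enabled, sftp_enabled, dedicated_ips):
    """Map each port to the state the page describes.

    Without dedicated IPs the ports stay open whatever the settings are,
    so an open port there says nothing about whether the protocol is disabled.
    """
    expected = {}
    for port in FTP_PORTS:
        expected[port] = ftp_enabled or not dedicated_ips
    for port in SFTP_PORTS:
        expected[port] = sftp_enabled or not dedicated_ips
    return expected

def audit(host, ftp_enabled, sftp_enabled, dedicated_ips, probe=port_is_open):
    """Return {port: (expected, observed)} for every port that deviates."""
    mismatches = {}
    wanted = expected_open(ftp_enabled, sftp_enabled, dedicated_ips)
    for port, want in wanted.items():
        seen = probe(host, port)
        if seen != want:
            mismatches[port] = (want, seen)
    return mismatches

if __name__ == "__main__":
    # Placeholder hostname: replace with your own site's hostname.
    result = audit("yoursite.example.com", ftp_enabled=False,
                   sftp_enabled=True, dedicated_ips=True)
    print(result or "ports match the configured settings")
```

On a site without dedicated IPs, verify the setting with the CLI snippets above instead, since the ports remain reachable there.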
By default, Files.com will reject FTP connections to your site that do not use secure encryption. If you need to support very old devices or clients of the FTP protocol, you can update the global setting to allow unencrypted FTP connections (port 21 without SSL). To access this global setting, type Plain/unencrypted FTP Support in the search box at the top of every page, then click on the matching entry.
You can also allow unencrypted FTP connections for individual users via the Plain/unencrypted FTP Support user setting. Edit the desired user, click on the Other connections tab, then change the Plain/unencrypted FTP support setting.
Note: Allowing unencrypted connections is dangerous because it will cause passwords and file contents to be transmitted across networks in clear text.
Default: Require SSL on all FTP connections (recommended)
Type Ciphers in the search box at the top of every page, and then click the result for HTTPS, FTPS, and SFTP ciphers. This setting allows compatibility with old browsers and old SFTP/FTP clients by allowing SSLv3, TLSv1.0, SHA1, and other ciphers that are known to be insecure but required by older versions of clients.
Note: Enabling this option is dangerous because an uninformed user of your site might think that they are using secure encryption when they are actually using encryption that is broken. You should treat all connections to your site as if they are fully insecure if you use this option.
SFTP ciphers
Key Exchange | diffie-hellman-group-exchange-sha256 |
Encryption | aes128-ctr |
MAC | hmac-sha2-256 |
The following insecure SFTP ciphers are supported only when allowing connections with insecure ciphers.
Key Exchange | ecdh-sha2-nistp521 |
Encryption | arcfour128 |
MAC | hmac-md5 |
Default: Only allow connections with secure, contemporary ciphers (recommended)
Site administrators can limit which IP addresses your users are allowed to connect from. Type Whitelist in the search box at the top of each page, and then select the matching result for IP Whitelist/Blacklist. Enter the allowed IPs, one per line. You may specify a range in CIDR format, such as 192.168.1.0/27.
If you have also set up user-specific IP whitelists, users connecting from an IP address matching in either whitelist will be allowed to log in.
You can manage IP whitelisting for individual users via the IP whitelist user setting, found in the settings for an individual user. If you are also using a site-wide IP whitelist, users connecting from an IP address matching in either whitelist will be allowed to log in.
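The "either whitelist" rule described above, as an added example that is not Files.com code: a match in the site-wide or the user-specific list is enough, so a user list widens access instead of narrowing it. The addresses are constructed samples, and rejecting entries with host bits set is this example's own validation choice.

```python
import ipaddress

def parse_whitelist(text):
    """Parse a one-entry-per-line whitelist into networks.

    Returns (networks, rejected). An entry such as 192.168.1.5/27 has host
    bits set and is reported instead of being silently widened.
    """
    networks, rejected = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def login_allowed(client_ip, site_nets, user_nets):
    """Allow when the client IP matches EITHER whitelist.

    Assumption: at least one whitelist is configured; the page does not
    describe the behaviour when both are empty.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in [*site_nets, *user_nets])

# Constructed sample lists (documentation and private address ranges).
SITE_LIST = "192.168.1.0/27\n203.0.113.10\n192.168.1.5/27\n"
USER_LIST = "198.51.100.0/24\n"

if __name__ == "__main__":
    site, bad = parse_whitelist(SITE_LIST)
    user, _ = parse_whitelist(USER_LIST)
    print("rejected entries:", bad)
    # 192.168.1.0/27 covers .0 through .31 only.
    for addr in ("192.168.1.31", "192.168.1.32", "198.51.100.7"):
        print(addr, login_allowed(addr, site, user))
```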
This feature is an extra layer of protection for organizations that desire an aggressive level of security, as general brute force protection is already provided by Files.com. For security reasons, we do not publicly publish the details of our default brute force settings. We have carefully implemented a configuration that applies to the overwhelming majority of our customers. Refer to Compliance and Security for more details about our SOC-2 compliance and Information Security programs.
Brute Force Protection will lock users out after a given number of failed login attempts. However, bot attacks which use common usernames can quickly cause your users to be locked out. The ability to customize this setting is provided only for the rare circumstances in which your own organization's compliance procedures require you to specify exact settings. Only enable the custom option if you absolutely require it to meet a compliance need and if your usernames are suitably obfuscated.
To find this setting, type Brute force protection in the search box at the top of every page and click the matching result, or navigate to Security > Passwords > Brute force protection.
Note: We strongly recommend leaving this set to Use default Files.com protection. Care should be taken when enabling the custom setting to avoid accidental user lockouts. We recommend having at least one backup administrator user who will be able to unlock another administrator in the event of an accidental lockout.
Default: Use default Files.com protection
This setting helps to secure your site against session hijacking attempts by pinning user sessions to the IP address they originated from.
With this setting enabled, users will be asked to log in again if their IP address changes. This could occur when they change networks, such as moving their laptop from the office to their home network. Disabling this setting is required on some office networks which rotate public IP addresses.
To find this setting, type Session IP address pinning in the search box at the top of every page and select the matching result.
This setting does not apply to the Desktop app, which uses longer-lived session tokens (see Desktop Session IP Pinning).
Enabling or disabling this setting will not affect or disconnect any currently connected sessions.
Default: Enabled (recommended)
Web interface sessions will automatically expire after a period of inactivity. Use this setting to customize the session idle timeout if needed. To find this setting, type Session expiration in the search box at the top of every page and select the matching result.
Default: 6 hours
Similar to the Session IP address pinning setting, enabling this setting will force users of the Files.com Desktop app to log in again if their IP address changes while they are logged in to the Desktop app. To find this setting, type Desktop Session IP pinning in the search box at the top of every page and select the matching result.
Default: Disabled
The Desktop app uses session tokens which have a limited lifetime. Use this setting to customize how long those sessions last once a user has logged into the app. To find this setting, type Desktop session lifetime in the search box at the top of every page and select the matching result.
Default: 720 hours (30 days)