Security Settings
Files.com achieves its best-in-class security by providing customers with a file server platform that is tuned for maximum security out of the box, with no manual configuration necessary. This means that things like strong encryption enforcement and brute force protection come built-in and enabled by default.
We also realize that every organization has unique security requirements, so we give site administrators full control over these security features, allowing you to fine-tune your site settings to meet your needs.
Transfer Protocols
For compliance reasons, it may be desirable to prevent any users from connecting with specific protocols. Files.com provides the ability to completely disable all FTP/FTPS traffic and/or all SFTP traffic.
Enable FTP
When this setting is enabled, users who have been granted permission to connect via FTP or FTPS will be able to connect. When this setting is disabled, no users can connect via FTP or FTPS, even if their individual user permissions grant them FTP access. FTP is enabled by default for new sites.
If your site has dedicated IPs and this setting is disabled, all of the ports used for FTP (21, 3021, 990, 3990, 40000-50000) will be entirely closed.
For sites that don't have dedicated IPs, disabling FTP access will not close any ports. Even though the ports will be "active", users will not be able to connect via FTP or FTPS when FTP is disabled; after authenticating, the system will immediately close each FTP or FTPS connection and display an error message.
Enable SFTP
When this setting is enabled, users who have been granted permission to connect via SFTP will be able to connect. When this setting is disabled, no users can connect via SFTP, even if their individual user permissions grant them SFTP access. SFTP is enabled by default for new sites.
If your site has dedicated IPs and this setting is disabled, port 22 will be entirely closed. For sites that don't have dedicated IPs, disabling SFTP access will not close port 22, but users will still not be able to connect via SFTP.
Enable WebDAV
WebDAV is not recommended for most organizations, and we'd strongly prefer that your users connect with our Desktop application instead. The Desktop app supports Windows and Mac and is faster, easier to use, and more secure than WebDAV. WebDAV is enabled by default for new sites. You should disable WebDAV access on your site unless it is required for your organization.
When this setting is enabled, users who have been granted permission to connect via WebDAV will be able to connect. When this setting is disabled, no users can connect via WebDAV, even if their individual user permissions grant them WebDAV access.
Encryption Settings
Files.com allows you to control the ciphers used to connect securely to your site. We have chosen sensible defaults that will work for the vast majority of sites, but we understand that many business-critical transfers are made with legacy installations that may not have access to the latest technologies. We offer optional support for legacy insecure ciphers, including enabling insecure ciphers on a per-user basis.
IP Whitelisting
Files.com provides IP whitelists to limit what addresses your users can use to connect to your account. We understand that many organizations mandate the use of IP allow lists as part of their own security posture, and so we provide multiple levels of whitelists that can be defined throughout your site.
That said, Files.com does not recommend the use of static IP lists because it creates frustrating authentication problems and work disruption for minimal security benefit. The Files.com platform includes a number of built-in security tools to prevent unauthorized access attempts that offer much more value than IP whitelisting.
Please only use these settings if your internal security or compliance programs absolutely require it.
Site-wide IP Whitelist
Site administrators can limit which IP addresses your users are allowed to connect from. In the web interface, you can enter the allowed IPs, one per line, or specify a range in CIDR format, such as 192.168.1.0/27.
If you have also defined user-specific IP whitelists, users connecting from an IP address matching either whitelist will be allowed to log in.
User or Group Specific IP Whitelist
You can manage IP whitelisting for individual users or groups via the IP whitelist user setting, found in the settings for an individual user or group. If you are also using a site-wide IP whitelist, users connecting from an IP address matching either whitelist will be allowed to log in.
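Because a match on either whitelist is enough, a user or group whitelist can only add addresses to what the site-wide whitelist allows, never narrow it. The sketch below is an added example, not Files.com code: it models that rule and lists the user entries that widen access. The function names and sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

def parse_whitelist(text):
    """Parse whitelist text (one IP or CIDR range per line) into networks."""
    nets = []
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            # strict=False tolerates entries with host bits set (10.0.0.5/24)
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_allowed(client_ip, site_list, user_list):
    """Allow the login when the address matches EITHER whitelist.
    Models only the case where at least one whitelist is defined."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in site_list + user_list)

def widening_entries(site_list, user_list):
    """User or group entries not contained in any single site-wide entry.
    Each one admits addresses the site-wide whitelist alone would reject.
    Conservative: a range covered only by several site entries combined
    is still reported."""
    return [u for u in user_list
            if not any(u.version == s.version and u.subnet_of(s)
                       for s in site_list)]

# Constructed sample data (documentation address ranges, not real settings).
SITE = parse_whitelist("192.168.1.0/27\n203.0.113.10\n")
USER = parse_whitelist("192.168.1.16/28\n198.51.100.0/24\n")

if __name__ == "__main__":
    for ip in ("192.168.1.31", "192.168.1.32", "198.51.100.7"):
        print(ip, "site only:", is_allowed(ip, SITE, []),
              "| site + user:", is_allowed(ip, SITE, USER))
    print("widening:", [str(n) for n in widening_entries(SITE, USER)])
```

The /27 from the site-wide example covers 192.168.1.0 through 192.168.1.31, so 192.168.1.32 is rejected unless a user or group entry admits it.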
Brute Force Protection
This feature is an extra layer of protection for organizations that desire an aggressive level of security, as general brute force protection is already provided by Files.com. For security reasons, we do not publicly publish the details of our default brute force settings. We have carefully selected a configuration that applies to the overwhelming majority of our customers. Refer to Compliance and Security for more details about our SOC-2 compliance and Information Security programs.
Brute Force Protection will lock users out after a given number of failed login attempts. However, bot attacks which use common usernames can quickly cause your users to be locked out. The ability to customize this setting is provided only for the rare circumstances in which your own organization's compliance procedures require you to specify exact settings. Only enable the custom option if you absolutely require it to meet a compliance need and if your usernames are suitably obfuscated.
We strongly recommend leaving this set to Use default Files.com protection. Care should be taken when enabling the custom setting to avoid accidental user lockouts. We recommend having at least one backup administrator user who will be able to unlock another administrator in the event of an accidental lockout.
Session Settings
You can customize how often users' sessions are invalidated, requiring them to log in again. By default, your site is configured to balance security with convenience.
Session expiration
Web interface sessions automatically expire after a period of inactivity. This setting allows customization of the session idle timeout if needed. The default value for your site is 6 hours, and the maximum value that can be set is 168 hours (7 days).
Desktop Session Lifetime
The Desktop Session Lifetime setting controls how long a Files.com Desktop App session token stays valid after a user signs in. Files.com recommends keeping it at the default of 30 days, or 720 hours, for optimal security and user experience. The default works for most sites.
Only Site Administrators can change the Desktop Session Lifetime. The setting applies to every Desktop App user on the site.
If you need to lower the lifetime for any reason, set it to at least three times the duration of your longest typical file transfer. This buffer helps long-running transfers complete before the session expires. If a session token expires while a transfer is in progress, the Desktop App pauses the transfer until the user signs in again.
Setting it to 0 will prevent users from accessing the app after their current session expires.
What Happens When the Value Changes
Changing the Desktop Session Lifetime does not immediately invalidate existing session tokens. Existing sessions keep working until their original expiration time. The new lifetime applies only to newly issued tokens.
For example, if a Site Administrator changes the Desktop Session Lifetime from 30 days to 7 days, a user who signed in 10 days before the change keeps their existing token for another 20 days. A user who signs in after the change receives a new token that expires in 7 days.
Disconnecting and reconnecting in the Desktop App reuses the existing token. A reconnect does not issue a new token and does not pick up the new lifetime.
How To Revoke Active Desktop Connections
A Site Administrator can revoke any active Desktop App connection from the Active Desktop Connections list at the site level or on each user's page under user details. Revoking a connection ends the session immediately, and the user must sign in again the next time they open the Desktop App. Files.com does not support revoking Desktop App connections in bulk.
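Since lowering the lifetime leaves existing tokens untouched and connections are revoked one at a time, it helps to know which sessions will outlive the new setting. The sketch below is an added example, not Files.com code: it applies the expiry rule described above to a constructed session list and also checks the three-times-longest-transfer guidance. All names and dates are hypothetical.

```python
from datetime import datetime, timedelta

def token_expiry(issued_at, lifetime_hours_at_issue):
    """A token keeps the lifetime that was in force when it was issued."""
    return issued_at + timedelta(hours=lifetime_hours_at_issue)

def outliving_tokens(sessions, old_hours, new_hours, changed_at):
    """Return (user, expiry, excess) for tokens issued before the change that
    stay valid longer than a token issued at the moment of the change would.
    These are the connections to revoke individually if the new lifetime
    must take effect right away."""
    horizon = changed_at + timedelta(hours=new_hours)
    rows = []
    for user, issued_at in sessions:
        if issued_at >= changed_at:
            continue  # issued after the change, already on the new lifetime
        expiry = token_expiry(issued_at, old_hours)
        if expiry > changed_at and expiry > horizon:
            rows.append((user, expiry, expiry - horizon))
    return rows

def meets_transfer_buffer(new_hours, longest_transfer_hours):
    """Page guidance: lifetime of at least 3x the longest typical transfer."""
    return new_hours >= 3 * longest_transfer_hours

# Constructed sample: lifetime lowered from 30 days (720 h) to 7 days (168 h).
CHANGED_AT = datetime(2024, 6, 11)
SESSIONS = [
    ("alice", datetime(2024, 6, 1)),   # signed in 10 days before the change
    ("bob",   datetime(2024, 5, 14)),  # signed in 28 days before the change
    ("carol", datetime(2024, 6, 12)),  # signed in after the change
]

if __name__ == "__main__":
    for user, expiry, excess in outliving_tokens(SESSIONS, 720, 168, CHANGED_AT):
        print(f"{user}: valid until {expiry:%Y-%m-%d}, "
              f"{excess.days} days past the new 7-day horizon")
    print("168 h covers a 48 h transfer:", meets_transfer_buffer(168, 48))
```

In this sample only alice is reported: her token runs 20 days past the change, 13 days longer than a token issued under the new setting, while bob's token expires within the new 7-day window anyway.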
Desktop Session IP Pinning
The Desktop Session IP Pinning setting ties a Desktop App session to the IP address the user signed in from. When the setting is enabled, a change to the user's IP address signs them out of the Desktop App and requires them to sign in again. Files.com disables this setting by default, and the default works for most sites.
Desktop Session IP Pinning is not required for security. It exists to support compliance programs that specifically mandate IP pinning. Only enable the setting if an internal security or compliance program requires it.
IP addresses change for many legitimate reasons. A user who moves a laptop from the office to a home network, switches Wi-Fi networks, or connects through a VPN will see their IP address change. With Desktop Session IP Pinning enabled, each of those changes signs the user out of the Desktop App. Repeated forced sign-ins frustrate legitimate users and are a frequent source of support requests.
Files.com recommends leaving Desktop Session IP Pinning at its default of disabled.