Security Settings


Files.com achieves its best-in-class security by providing customers with a file server platform that is tuned for maximum security out of the box, with no manual configuration necessary. This means that things like strong encryption enforcement, brute force protection, and IP address pinning for web sessions come built-in and enabled by default.

We also realize that every organization has unique security requirements, so we give site administrators full control over these security features, allowing you to fine-tune your site settings to meet your needs.

Transfer Protocols

For compliance reasons, it may be desirable to prevent any users from connecting with specific protocols. Files.com provides the ability to completely disable all FTP/FTPS traffic and/or all SFTP traffic.

Enable FTP

When this setting is enabled, users who have been granted permission to connect via FTP or FTPS will be able to connect. When this setting is disabled, no users can connect via FTP or FTPS, even if their individual user permissions grant them FTP access. FTP is enabled by default for new sites.

If your site has dedicated IPs and this setting is disabled, all of the ports used for FTP (21, 3021, 990, 3990, 40000-50000) will be entirely closed.

For sites that don't have dedicated IPs, disabling FTP access will not close any ports. Even though the ports will be "active", users will not be able to connect via FTP or FTPS when FTP is disabled; after authenticating, the system will immediately close each FTP or FTPS connection and display an error message.

Enable SFTP

When this setting is enabled, users who have been granted permission to connect via SFTP will be able to connect. When this setting is disabled, no users can connect via SFTP, even if their individual user permissions grant them SFTP access. SFTP is enabled by default for new sites.

If your site has dedicated IPs and this setting is disabled, port 22 will be entirely closed. For sites that don't have dedicated IPs, disabling SFTP access will not close port 22, but users will still not be able to connect via SFTP.
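One way to confirm the port behaviour described above after disabling FTP or SFTP. This is an added example, not Files.com code; the function names, the sampling of the passive range, and the host name in the comment are assumptions made for illustration.

```python
import socket

# Ports listed on this page for each protocol.
FTP_CONTROL_PORTS = (21, 3021, 990, 3990)
FTP_PASSIVE_RANGE = range(40000, 50001)
SFTP_PORTS = (22,)

def ports_for(protocol, passive_step=500):
    """Ports to probe; the FTP passive range is sampled every passive_step ports."""
    if protocol == "sftp":
        return list(SFTP_PORTS)
    if protocol == "ftp":
        return list(FTP_CONTROL_PORTS) + list(FTP_PASSIVE_RANGE[::passive_step])
    raise ValueError(f"unknown protocol: {protocol!r}")

def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify_disabled(host, protocol, dedicated_ips, probe=tcp_open):
    """Return (verdict, open_ports) for a protocol that has been disabled.

    dedicated_ips=True:  every listed port should be closed, so any open
                         port is a failure.
    dedicated_ips=False: ports stay open by design, so a port probe proves
                         nothing; confirm with a test login from an account
                         you own, which should be refused.
    """
    open_ports = [p for p in ports_for(protocol) if probe(host, p)]
    if not dedicated_ips:
        return "inconclusive", open_ports
    return ("pass" if not open_ports else "fail"), open_ports

if __name__ == "__main__":
    # "files.example.com" is a placeholder; use your own site's host name.
    print(verify_disabled("files.example.com", "ftp", dedicated_ips=True))
```
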

Enable WebDAV

WebDAV is not recommended for most organizations, and we'd strongly prefer that your users connect with our Desktop application instead. The Desktop app supports Windows and Mac and is faster, easier to use, and more secure than WebDAV. WebDAV is enabled by default for new sites. You should disable WebDAV access on your site unless it is required for your organization.

When this setting is enabled, users who have been granted permission to connect via WebDAV will be able to connect. When this setting is disabled, no users can connect via WebDAV, even if their individual user permissions grant them WebDAV access.

Encryption Settings

Files.com allows you to control the ciphers used to connect securely to your site. We have chosen sensible defaults that will work for the vast majority of sites, but we understand that many business-critical transfers are made with legacy installations that may not have access to the latest technologies. We offer optional support for legacy insecure ciphers, including enabling insecure ciphers on a per-user basis.

IP Whitelisting

Files.com provides IP whitelists to limit what addresses your users can use to connect to your account. We understand that many organizations mandate the use of IP allow lists as part of their own security posture, and so we provide multiple levels of whitelists that can be defined throughout your site.

That said, Files.com does not recommend the use of static IP lists because it creates frustrating authentication problems and work disruption for minimal security benefit. The Files.com platform includes a number of built-in security tools to prevent unauthorized access attempts that offer much more value than IP whitelisting.

Please only use these settings if your internal security or compliance programs absolutely require it.

Site-wide IP Whitelist

Site administrators can limit which IP addresses your users are allowed to connect from. In the web interface, you can enter the allowed IPs, one per line, or specify a range in CIDR format, such as 192.168.1.0/27.

If you have also defined user-specific IP whitelists, users connecting from an IP address matching either whitelist will be allowed to log in.

User or Group Specific IP Whitelist

You can manage IP whitelisting for individual users or groups via the IP whitelist setting, found in the settings for an individual user or group. If you are also using a site-wide IP whitelist, users connecting from an IP address matching either whitelist will be allowed to log in.
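The either-list rule means a user or group whitelist can widen access beyond the site-wide list rather than narrow it. The sketch below is an added example, not Files.com code: it parses lists in the one-per-line format described above, evaluates a login against both, and reports user entries that fall outside the site-wide list. The sample addresses are constructed, and treating "no whitelist defined" as unrestricted is an assumption.

```python
import ipaddress

# Constructed sample lists in the one-entry-per-line format described above.
SITE_WIDE = "192.168.1.0/27\n10.0.0.5\n"
USER_SPECIFIC = "203.0.113.10\n"

def parse_whitelist(text):
    """Parse one entry per line: a single IP address or a CIDR range."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits in a CIDR entry (192.168.1.5/27).
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid entry {entry!r}") from exc
    return networks

def login_allowed(client_ip, site_list, user_list):
    """Allow the login if the address matches either whitelist."""
    combined = site_list + user_list
    if not combined:
        return True  # Assumption: with no whitelist defined, nothing is restricted.
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in combined)

def widening_entries(site_list, user_list):
    """User or group entries that admit addresses outside the site-wide list.

    Conservative: an entry covered only by several site entries together
    is still reported.
    """
    return [u for u in user_list
            if not any(u.version == s.version and u.subnet_of(s) for s in site_list)]

if __name__ == "__main__":
    site, user = parse_whitelist(SITE_WIDE), parse_whitelist(USER_SPECIFIC)
    for ip in ("192.168.1.30", "192.168.1.32", "203.0.113.10"):
        print(ip, login_allowed(ip, site, user))
    print("widening:", [str(n) for n in widening_entries(site, user)])
```
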

Brute Force Protection

This feature is an extra layer of protection for organizations that desire an aggressive level of security, as general brute force protection is already provided by Files.com. For security reasons, we do not publicly publish the details of our default brute force settings. We have carefully selected a configuration that applies to the overwhelming majority of our customers. Refer to Compliance and Security for more details about our SOC-2 compliance and Information Security programs.

Brute Force Protection will lock users out after a given number of failed login attempts. However, bot attacks which use common usernames can quickly cause your users to be locked out. The ability to customize this setting is provided only for the rare circumstances in which your own organization's compliance procedures require you to specify exact settings. Only enable the custom option if you absolutely require it to meet a compliance need and if your usernames are suitably obfuscated.

We strongly recommend leaving this set to Use default Files.com protection. Care should be taken when enabling the custom setting to avoid accidental user lockouts. We recommend having at least one backup administrator user who will be able to unlock another administrator in the event of an accidental lockout.

Session Settings

You can customize how often users' sessions are invalidated, requiring them to log in again. By default, your site is configured to balance security with convenience.

Session expiration

Web interface sessions will automatically expire after a period of inactivity. Use this setting to customize the session idle timeout if needed. The default value for your site is 6 hours.

Desktop Session Lifetime

The Desktop app uses session tokens which have a limited lifetime. Use this setting to customize how long those sessions last once a user has logged into the app. The default value is 720 hours (30 days).

Session IP address pinning

This setting helps to secure your site against session hijacking attempts by pinning user sessions to the IP address they originated from. By default, IP address pinning is disabled for your site. Enabling this setting is not required for security.

Session IP address pinning exists to allow compliance with programs that specifically require this capability. Please do not enable this setting unless your internal security or compliance programs absolutely require it. Enabling session IP address pinning is only recommended for organizations with users who will only connect from corporate networks whose IP addresses do not change, which is not common. Use of this setting is known to cause legitimate sessions to fail, leading to frustrating customer support interactions.

With this setting enabled, users will be asked to log in again if their IP address changes. This could occur when they change networks, such as moving their laptop from the office to their home network. Similarly, users who connect from office networks that rotate public IP addresses could find themselves repeatedly prompted to log in again.

This setting does not apply to the Desktop app, which uses longer-lived session tokens (see Desktop Session IP Pinning).

Enabling or disabling this setting will not affect or disconnect any sessions that are already connected.

Desktop Session IP Pinning

Similar to the Session IP address pinning setting, enabling this setting will force users of the Files.com Desktop app to log in again if their IP address changes while they are logged in to the Desktop app. By default, desktop session IP address pinning is disabled for your site. Enabling this setting is not required for security.

We have provided this setting to allow compliance with programs that specifically require this capability. Please do not enable this setting unless your internal security or compliance programs absolutely require it. Use of this setting is a frequent contributor to frustrating customer support interactions when legitimate users are repeatedly forced to log in because their IP address has changed. This could occur when they change networks, such as moving their laptop from the office to their home network.

We recommend leaving this setting at its default, disabled state.
