Security Settings
Files.com ships with strong security defaults out of the box, with no manual configuration necessary. Strong encryption enforcement and brute force protection are built in and enabled by default.
Every organization has unique security requirements, so Site Administrators have full control over these security features and can fine-tune the site settings to meet their needs.
Transfer Protocols
For compliance reasons, you may need to prevent all users from connecting with specific protocols. Files.com lets you completely disable all FTP/FTPS traffic, all SFTP traffic, or both.
Enable FTP
When this setting is enabled, users who have been granted permission to connect via FTP or FTPS will be able to connect. When this setting is disabled, no users can connect via FTP or FTPS, even if their individual user permissions grant them FTP access. FTP is enabled by default for new sites.
If your site has dedicated IPs and this setting is disabled, all of the ports used for FTP (21, 3021, 990, 3990, 40000-50000) will be entirely closed.
For sites that don't have dedicated IPs, disabling FTP access will not close any ports. Even though the ports remain active, users cannot connect via FTP or FTPS when FTP is disabled. After the user authenticates, the system immediately closes each FTP or FTPS connection and displays an error message.
Enable SFTP
When this setting is enabled, users who have been granted permission to connect via SFTP will be able to connect. When this setting is disabled, no users can connect via SFTP, even if their individual user permissions grant them SFTP access. SFTP is enabled by default for new sites.
If your site has dedicated IPs and this setting is disabled, port 22 will be entirely closed. For sites that don't have dedicated IPs, disabling SFTP access will not close port 22, but users will still not be able to connect via SFTP.
Enable WebDAV
WebDAV is not recommended for most organizations. The Files.com Desktop App is faster, easier to use, and more secure than WebDAV, and supports both Windows and Mac. WebDAV is enabled by default for new sites. Disable WebDAV access on your site unless your organization requires it.
When this setting is enabled, users who have been granted permission to connect via WebDAV will be able to connect. When this setting is disabled, no users can connect via WebDAV, even if their individual user permissions grant them WebDAV access.
Encryption Settings
Files.com lets you control the ciphers used to connect securely to your site. The defaults work for the vast majority of sites. Many business-critical transfers are made with legacy installations that may not have access to the latest technologies, so Files.com also offers optional support for legacy insecure ciphers, including enabling insecure ciphers on a per-user basis.
IP Whitelisting
Files.com provides IP whitelists to limit which addresses your users can connect from. Many organizations mandate IP allow lists as part of their own security posture, so Files.com supports multiple levels of whitelists that can be defined throughout your site.
Files.com does not recommend static IP lists. They create authentication problems and work disruption for minimal security benefit, and the platform's built-in security tools prevent unauthorized access attempts more effectively than IP whitelisting.
Only use these settings if your internal security or compliance programs require it.
Site-wide IP Whitelist
Site Administrators can limit which IP addresses your users are allowed to connect from. You can enter the allowed IPs one per line, or specify a range in CIDR format, such as 192.168.1.0/27.
If you have also defined user-specific IP whitelists, users connecting from an IP address matching either whitelist can log in.
User or Group Specific IP Whitelist
You can manage IP whitelisting for individual users or groups via the IP whitelist user setting, found in the settings for an individual user or group. If you are also using a site-wide IP whitelist, users connecting from an IP address matching either whitelist can log in.
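Because a match in either whitelist permits login, a user or group entry that falls outside the site-wide ranges widens access rather than narrowing it. The following is an added example, not Files.com code: it evaluates the "either list" rule locally and reports user-level entries not covered by the site-wide list. The sample addresses, function names, and the handling of two empty lists are assumptions.

```python
import ipaddress

def parse_whitelist(text):
    """Parse one-per-line entries (single IPs or CIDR ranges) into networks."""
    nets = []
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            # strict=False tolerates host bits, e.g. 192.168.1.5/27
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_allowed(client_ip, site_nets, user_nets):
    """A match in either whitelist permits login (union of the two lists).
    Assumption (not stated on the page): with both lists empty,
    no IP restriction applies."""
    if not site_nets and not user_nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in site_nets + user_nets)

def widening_entries(site_nets, user_nets):
    """User/group entries not fully contained in any site-wide range.
    Since either list grants access, these extend access beyond the site list."""
    return [u for u in user_nets
            if not any(u.version == s.version and u.subnet_of(s)
                       for s in site_nets)]

# Constructed sample lists (documentation address ranges, not real settings).
SITE_NETS = parse_whitelist("192.168.1.0/27\n203.0.113.10\n")
USER_NETS = parse_whitelist("192.168.1.16/28\n198.51.100.0/24\n")

if __name__ == "__main__":
    for ip in ("192.168.1.31", "192.168.1.32", "198.51.100.7"):
        print(ip, is_allowed(ip, SITE_NETS, USER_NETS))
    print("widening:", widening_entries(SITE_NETS, USER_NETS))
```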
Brute Force Protection
This feature is an extra layer of protection for organizations that need an aggressive level of security. General brute force protection is already provided by Files.com. For security reasons, the details of the default brute force settings are not publicly published. The configuration applies to the overwhelming majority of customers. Refer to Compliance and Security for more details about Files.com's SOC-2 compliance and Information Security programs.
Brute Force Protection locks users out after a given number of failed login attempts. Bot attacks using common usernames can quickly cause your users to be locked out. The custom setting is provided for the rare circumstances in which your own organization's compliance procedures require you to specify exact settings. Only enable the custom option if you require it to meet a compliance need and if your usernames are suitably obfuscated.
Files.com strongly recommends leaving this set to Use default Files.com protection. When enabling the custom setting, take care to avoid accidental user lockouts. Maintain at least one backup administrator user who can unlock another administrator in the event of an accidental lockout.
Session Settings
You can customize how often users' sessions are invalidated, requiring them to log in again. By default, your site is configured to balance security with convenience.
Session Expiration
Web interface sessions automatically expire after a period of inactivity. This setting customizes the session idle timeout. The default value is 6 hours, and the maximum is 168 hours (7 days).
Desktop Session Lifetime
The Desktop Session Lifetime setting controls how long a Files.com Desktop App session token stays valid after a user signs in. Files.com recommends keeping it at the default of 30 days, or 720 hours, for optimal security and user experience. The default works for most sites.
Only Site Administrators can change the Desktop Session Lifetime. The setting applies to every Desktop App user on the site.
If you need to lower the lifetime for any reason, set it to at least three times the duration of your longest typical file transfer. This buffer helps long-running transfers complete before the session expires. If a session token expires while a transfer is in progress, the Desktop App pauses the transfer until the user signs in again.
Setting it to 0 will prevent users from accessing the app after their current session expires.
What Happens When the Value Changes
Changing the Desktop Session Lifetime does not immediately invalidate existing session tokens. Existing sessions keep working until their original expiration time. The new lifetime applies only to newly issued tokens.
For example, if a Site Administrator changes the Desktop Session Lifetime from 30 days to 7 days, a user who signed in 10 days before the change keeps their existing token for another 20 days. A user who signs in after the change receives a new token that expires in 7 days.
Disconnecting and reconnecting in the Desktop App reuses the existing token. A reconnect does not issue a new token and does not pick up the new lifetime.
How to Revoke Active Desktop Connections
A Site Administrator can revoke any active Desktop App connection from the Active Desktop Connections list at the site level or on each user's page under user details. Revoking a connection ends the session immediately, and the user must sign in again the next time they open the Desktop App. Files.com does not support revoking Desktop App connections in bulk.
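Since a lowered lifetime does not shorten existing tokens and connections cannot be revoked in bulk, it helps to work out which sessions stay valid longer than a newly issued token would. The following is an added example, not Files.com code: it applies the expiry rule above to a constructed list of sign-in times and also computes the "three times the longest transfer" floor. The record layout, the dates, and the assumption of a single lifetime change are hypothetical.

```python
from datetime import datetime, timedelta, timezone

def min_lifetime_hours(longest_transfer_hours):
    """Page guidance: at least three times the longest typical transfer."""
    return 3 * longest_transfer_hours

def audit_sessions(sessions, changed_at, old_hours, new_hours):
    """For tokens issued before the change, compute the time left at the
    moment of the change. 'review' marks tokens that remain valid longer
    than a token issued under the new lifetime would."""
    report = []
    for user, signed_in_at in sessions:
        if signed_in_at >= changed_at:
            continue  # issued after the change: already on the new lifetime
        expires_at = signed_in_at + timedelta(hours=old_hours)
        remaining = expires_at - changed_at
        if remaining <= timedelta(0):
            continue  # token had already expired before the change
        report.append({
            "user": user,
            "expires_at": expires_at,
            "remaining_days": remaining / timedelta(days=1),
            "review": remaining > timedelta(hours=new_hours),
        })
    return report

# Constructed sample data: lifetime lowered from 30 days to 7 days.
CHANGED_AT = datetime(2024, 6, 30, tzinfo=timezone.utc)
SESSIONS = [
    ("alice", CHANGED_AT - timedelta(days=10)),  # the page's worked case
    ("bob",   CHANGED_AT - timedelta(days=25)),  # expires within 7 days anyway
    ("carol", CHANGED_AT + timedelta(days=1)),   # signed in after the change
    ("dave",  CHANGED_AT - timedelta(days=40)),  # already expired
]
REPORT = audit_sessions(SESSIONS, CHANGED_AT, old_hours=720, new_hours=168)

if __name__ == "__main__":
    for row in REPORT:
        print(row["user"], row["remaining_days"], "review" if row["review"] else "ok")
    print("minimum lifetime for 8h transfers:", min_lifetime_hours(8), "hours")
```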
Desktop Session IP Pinning
The Desktop Session IP Pinning setting ties a Desktop App session to the IP address the user signed in from. When the setting is enabled, a change to the user's IP address signs them out of the Desktop App and requires them to sign in again. Files.com disables this setting by default, and the default works for most sites.
Desktop Session IP Pinning is not required for security. It exists to support compliance programs that specifically mandate IP pinning. Only enable the setting if an internal security or compliance program requires it.
IP addresses change for many legitimate reasons. A user who moves a laptop from the office to a home network, switches Wi-Fi networks, or connects through a VPN will see their IP address change. With Desktop Session IP Pinning enabled, each of those changes signs the user out of the Desktop App. Repeated forced sign-ins frustrate legitimate users and are a frequent source of support requests.
Files.com recommends leaving Desktop Session IP Pinning at its default of disabled.