Securing FileCloud with On-Premise Installations
FileCloud provides secure file storage and sharing infrastructure to corporations for data storage. FileCloud can be easily accessed through any device. Files can be easily stored, shared, and synced across different channels. Although the FileCloud application is fully compliant with HIPPA, FIPS, ITAR data governance policies, it is still critical to perform basic hardening of the FileCloud server to ensure that its security is foolproof. In this blog, we will be discussing common practices that should be followed to secure the FileCloud server at the application level.
Remove Install Folder (applicable only for on-premise installation)
After a new installation or upgrade to the latest version, we recommend removing the install folder path. (For Windows : Xampp\htdocs Linux: /var/www/html)
Install SSL Certificate with Intermediate Certificate and Enforce TLS 1.2.
SSL certificates are acclimated to create an encrypted channel between the client and the server. Transmission of data during upload/download, account authentication, and any other sensitive information must be encrypted to avert eavesdropping.
With an SSL certificate, data is encrypted prior to being transmitted via the Internet. Encrypted data can be decrypted only by the server to which you authentically send it. This ascertains that the information you submit to websites will not be stolen or compromised.
To install an SSL certificate on FileCloud, we do provide technical documentation to help you configure it properly.
You can refer to the detailed documentation for FileCloud SSL configuration here: https://www.getfilecloud.com/supportdocs/display/cloud/SSL+Configuration
Enforcing TLS1.2 will provide more security with data encryption. The relevant documentation can be found here: https://www.getfilecloud.com/supportdocs/display/cloud/Enforcing+TLS1.2+and+Strong+ciphers
Rename the Admin Username to a Custom Username
The default admin password can be changed from FileCloud admin dashboard.
Login to FileCloud Admin >> Settings >> Admin Tab.
Here you should be able to change the default admin username to the custom name of your choice.
Enable 2FA for Admins and Users
2FA will always add an extra layer of security apart from the normal login methods.
For default admin users, we support email 2FA which can be configurable via FileCloud Admin >> Settings >> Admin Tab.
2FA for users should be configured from the policy. This includes email, TOTP, and SMS as well.
Configure AD/LDAP Server Though SSL Port
We highly advise using the 636 port to connect AD/LDAP with SSL, so that data transfer during the authentication will also be encrypted.
Configure Strong Passwords for Public Share and Default Users
Although FileCloud is one of the most secure Enterprise File Sharing and Sync (EFSS) solutions on the market, its security is still highly dependent on your passwords and authentication measures.
The following 3 options will ensure that users set a strong, alpha-numeric password and disallow the commonly used password to make sure the passwords are hack-proof.
The below settings are applicable only for public shares and default users in FileCloud.
For AD/LDAP user passwords, it should be dealt at AD/LDAP level which FileCloud does not intercept and change.
Enable Anti-Virus Scanning
Anti-virus scanning for file uploads helps to detect any sort of ransomware or payload vulnerabilities.
You can configure ClamAV or ICAP supported anti-viruses.
More information can be found here: https://www.getfilecloud.com/supportdocs/display/cloud/Enable+Antivirus+Scanning
FileCloud supports Google ReCAPTCHA. To configure this, you will require Google ReCAPTCHA API keys.
The main advantage of enabling this will make sure that the FileCloud is not getting any fraud or abuse attacks.
ReCAPTCHA configuration can be found here: https://www.getfilecloud.com/supportdocs/display/cloud/reCaptcha+Settings.
Configure Managed Storage Encryption for Managed Storage
Encryption abstracts the peril of data breach and unauthorized access. It ascertains that the data remains secure regardless of how it is stored and accessed.
If your FileCloud is running on managed storage/AWS S3, we do support encrypting your data in AES 256-bit
After you enable encryption, the initialization process begins so that a plain file key can be created.
A plain file key will be used to encrypt and decrypt all files using symmetric encryption.
If you set a password when you enable encryption, you will need to supply the master password before the initialization process can start.
Once the storage encryption is enabled and the plain file key is generated, it will be automatically used to encrypt all files stored in FileCloud.
Since this encryption process is a symmetric operation, the impact on your system to encrypt files is insignificant.
The documentation below will help you configure storage encryption: https://www.getfilecloud.com/supportdocs/display/cloud/Enabling+Storage+Encryption
Enable Account Lockout
To protect your system from unauthorized use, FileCloud provides account lockout policies. This can greatly help in the event of a brute force attack, in which a malicious user guesses your password through trial and error.
You can configure account lockouts from FileCloud admin UI.
Login to the Admin UI >> Settings > Misc >> Password
The below screenshot demonstrates the account lockout settings.