Securing FileCloud with On-Premise Installations

March 4, 2021


FileCloud provides secure file storage and sharing infrastructure to corporations. It can be accessed from any device, and files can be stored, shared, and synced across different channels. Although the FileCloud application is fully compliant with HIPAA, FIPS, and ITAR data governance requirements, it is still critical to perform basic hardening of the FileCloud server to make its security as robust as possible. In this blog, we discuss common practices that should be followed to secure the FileCloud server at the application level.

Remove Install Folder (applicable only for on-premise installation)

After a new installation or an upgrade to the latest version, we recommend removing the install folder from the web root (Windows: Xampp\htdocs; Linux: /var/www/html) so that it is no longer reachable from the web.

Install SSL Certificate with Intermediate Certificate and Enforce TLS 1.2

SSL certificates are used to create an encrypted channel between the client and the server. Data transmitted during upload/download, account authentication, and any other sensitive exchange must be encrypted to prevent eavesdropping.

With an SSL certificate, data is encrypted before it is transmitted over the Internet, and can be decrypted only by the server you actually sent it to. This ensures that the information you submit to the site cannot be read or tampered with in transit.

To install an SSL certificate on FileCloud, we do provide technical documentation to help you configure it properly.

You can refer to the detailed documentation for FileCloud SSL configuration here: https://www.filecloud.com/supportdocs/display/cloud/SSL+Configuration

Enforcing TLS 1.2 (and strong ciphers) removes older, weaker protocol versions from the encrypted channel. The relevant documentation can be found here: https://www.filecloud.com/supportdocs/display/cloud/Enforcing+TLS1.2+and+Strong+ciphers

Rename the Admin Username to a Custom Username

The default admin username can be changed from the FileCloud admin dashboard.

Log in to FileCloud Admin >> Settings >> Admin Tab.

Here you should be able to change the default admin username to the custom name of your choice.

[Screenshot: Filecloud Admin]

Enable 2FA for Admins and Users

2FA will always add an extra layer of security apart from the normal login methods.

For the default admin user, we support email-based 2FA, which can be configured via FileCloud Admin >> Settings >> Admin Tab.

[Screenshot: Enable 2FA for Admins and Users]

2FA for users should be configured from the policy, where email, TOTP, and SMS are all supported.

[Screenshot: Configured From Policy]

Configure AD/LDAP Server Through SSL Port

We highly advise using port 636 to connect to AD/LDAP over SSL (LDAPS), so that the data transferred during authentication is also encrypted.

[Screenshot: SSL Port]

Configure Strong Passwords for Public Share and Default Users

Although FileCloud is one of the most secure Enterprise File Sharing and Sync (EFSS) solutions on the market, its security is still highly dependent on your passwords and authentication measures.

The following three options ensure that users set a strong alphanumeric password and disallow commonly used passwords, making them far harder to guess.

The settings below apply only to public shares and default users in FileCloud.

[Screenshot: Public Shares and Default Users]

Passwords for AD/LDAP users must be handled at the AD/LDAP level; FileCloud does not intercept or change them.

Enable Anti-Virus Scanning

Anti-virus scanning of file uploads helps detect ransomware and other malicious payloads before they are stored and shared.

You can configure ClamAV or any ICAP-compatible anti-virus engine.

[Screenshot: Enable Anti-virus Scanning]

More information can be found here: https://www.filecloud.com/supportdocs/display/cloud/Enable+Antivirus+Scanning

Enable ReCAPTCHA

FileCloud supports Google reCAPTCHA. To configure it, you will need Google reCAPTCHA API keys.

The main advantage of enabling it is that FileCloud is protected from automated fraud and abuse attempts.

[Screenshot: Enable ReCaptcha]

The reCAPTCHA configuration can be found here: https://www.filecloud.com/supportdocs/display/cloud/reCaptcha+Settings

Configure Storage Encryption for Managed Storage

Encryption reduces the risk of data breach and unauthorized access. It ensures that the data remains protected regardless of how it is stored and accessed.

If your FileCloud is running on managed storage or AWS S3, we support encrypting your data with AES 256-bit encryption.

After you enable encryption, the initialization process begins so that a plain file key can be created.

The plain file key is used to encrypt and decrypt all files using symmetric encryption.

If you set a password when you enable encryption, you will need to supply this master password before the initialization process can start.

Once storage encryption is enabled and the plain file key has been generated, it is automatically used to encrypt all files stored in FileCloud.

Because file encryption is a symmetric operation, the performance impact on your system is insignificant.

The documentation below will help you configure storage encryption: https://www.filecloud.com/supportdocs/display/cloud/Enabling+Storage+Encryption
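The key hierarchy described above (a master password that protects a generated plain file key, which in turn encrypts every file) as an added, constructed illustration; this is not FileCloud's code. FileCloud uses AES-256, which the standard library lacks, so the example substitutes a stdlib-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; all function names are assumptions.

```python
import hashlib, hmac, secrets

# Constructed illustration of the key hierarchy described above, not FileCloud's own
# code. FileCloud uses AES-256; this stdlib-only stand-in uses an HMAC-SHA256
# counter-mode keystream plus an encrypt-then-MAC tag so the example runs offline.

def _subkeys(key: bytes):
    # Separate keystream and tag keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, data: bytes) -> bytes:
    """Symmetric encryption; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def derive_kek(master_password: str, salt: bytes) -> bytes:
    # The master password never encrypts files itself; it only wraps the file key.
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def initialize_storage(master_password: str) -> dict:
    """Initialization: create the plain file key and keep it only in wrapped form."""
    file_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"salt": salt, "wrapped_file_key": seal(derive_kek(master_password, salt), file_key)}

def unlock_file_key(store: dict, master_password: str) -> bytes:
    return open_sealed(derive_kek(master_password, store["salt"]), store["wrapped_file_key"])

def rotate_master_password(store: dict, old_pw: str, new_pw: str) -> dict:
    # Only the wrapper changes; files encrypted under the file key are untouched.
    file_key, salt = unlock_file_key(store, old_pw), secrets.token_bytes(16)
    return {"salt": salt, "wrapped_file_key": seal(derive_kek(new_pw, salt), file_key)}
```

The point to notice is that the master password only wraps the file key, so losing it means losing every file, while changing it re-wraps one 32-byte key rather than re-encrypting the whole store.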

Enable Account Lockout

To protect your system from unauthorized use, FileCloud provides account lockout policies. This greatly helps in the event of a brute-force attack, in which a malicious user guesses your password through trial and error.

You can configure account lockouts from the FileCloud admin UI.

Log in to the Admin UI >> Settings >> Misc >> Password

The screenshot below shows the account lockout settings.

[Screenshot: Enable Account Lockout]
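How a lockout policy of this kind behaves against a guessing burst, as an added example that models the idea rather than FileCloud's implementation: the thresholds, the class and function names, and the sample log lines are all constructed here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed model of an account lockout policy like the one described above.
# The thresholds are assumptions for illustration, not FileCloud's defaults.
MAX_FAILURES = 5                          # failures inside the window that trigger a lock
FAILURE_WINDOW = timedelta(minutes=10)    # sliding window in which failures are counted
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the account stays locked

class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime at which the lock expires

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Apply one login attempt; returns 'allowed', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"             # rejected even if the password is right
        if password_ok:
            self.failures.pop(user, None)
            return "allowed"
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()            # forget failures that fell out of the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_DURATION
            window.clear()
            return "locked"
        return "denied"

def replay(log_lines):
    """Replay constructed auth log lines of the form 'ISO-time user ok|fail'."""
    policy = LockoutPolicy()
    return [(user, policy.attempt(user, outcome == "ok", datetime.fromisoformat(ts)))
            for ts, user, outcome in (line.split() for line in log_lines)]

# Constructed sample log: two stale failures for bob, then a guessing burst against
# alice followed by her genuine login during and after the lockout period.
SAMPLE_LOG = [
    "2021-03-04T08:00:00 bob fail", "2021-03-04T08:30:00 bob fail", "2021-03-04T08:31:00 bob ok",
    "2021-03-04T09:00:00 alice fail", "2021-03-04T09:00:05 alice fail", "2021-03-04T09:00:10 alice fail",
    "2021-03-04T09:00:15 alice fail", "2021-03-04T09:00:20 alice fail", "2021-03-04T09:01:00 alice ok",
    "2021-03-04T09:40:00 alice ok",
]
```

Note that alice's correct password at 09:01 is still rejected because the lock is evaluated before the password, which is exactly what stops a guessing loop from succeeding, while bob's two failures half an hour apart never reach the threshold.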

By abhishek bakshi