Creating a High Security Site

You can create a Site with features that will help you comply with PCI DSS requirements--or if you just want a higher level of security with a Site that can monitor, report, and/or warn you when any of the high security settings are changed to a less secure mode. When you run the Server and Site creation wizards, you have the option to create a Site with or without high security features. If you choose to create a high security Site, the Site Setup wizard also determines the status of the Auditing and Reporting Module (ARM); if high security is enabled, but ARM is not, a warning message appears to inform you that you must enable ARM on EFT Server before creating the Site.

For details of configuring Servers and Sites, and enabling ARM on EFT Server, refer to the following topics:

Server Setup Wizard
Configuring the Auditing and Reporting Module
Before creating a high security Site, review all of the topics in The High Security Module section.

You will need the following information to create and configure a high security Site:

Site name, listening IP address, and administrator port (you should use a port other than the default of 1100)
Site root folder path (location)
User authentication type (for HS-enabled Sites, only EFT Server authentication and ODBC authentication are available)
Connection information (host IP address, etc.)
DMZ Gateway (Server designed to reside in the demilitarized zone to provide secured communications with EFT Server behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ.) IP address and port (you should use a port other than the default of 44500)
SSL keys/certificate/ciphers/version information

Compliance with PCI DSS (Multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.) requires that users change their password upon initial login. Because the SSL certificate-based login and the SFTP Public key only login methods do not use a password, they potentially violate the PCI DSS and are, therefore, not available with HS-enabled Sites.

IP address and port for Auditing and Reporting database (ARM (Auditing and Reporting Module; captures the transactions passing through EFT Server and provides an interface in the Administrator where you can use preconfigured or your own custom reports to query, filter, and view transaction data.) must be enabled for HS-enabled Sites)

If the SMTP server requires authentication, you will need to know the administrator e-mail address and SMTP server name, port, and login information (for e-mailing the compliance Report).

If you use default values for administrator port (1100), DMZ Gateway port (44500), FTP banner message, or SFTP banner message, a warning appears in which you must change the value or provide a reason for using the default. The reason that you provide will appear in the Description field of the compliance report.

The wizard performs several checks and asks you to provide information based on the results of those checks, including:

Is the HS module in the trial period?
If not in trial period, is the module activated?
Is ARM enabled?
Which authentication method are you using to authenticate users?
Is remote administration enabled?
Is SSL enabled for remote administration?
Are password security options for delegated administration set?
Is the daily PCI DSS report enabled?
Is FTPS/HTTPS/SFTP enabled?
Is the default banner for SFTP used?

The wizard is quite intuitive and provides instructions where necessary. The wizard pages change based on your selections. The procedure below walks you through the most common scenarios.

Because EFT Server does not manage NT/LDAP accounts, when you create a High Security Site that uses LDAP or Windows Active Directory authentication, the following features are not available and not audited for the compliance Report:

To configure a high security Site

Do one of the following:

After Server setup is complete, the Site Setup wizard appears.
In the Administrator, click Configuration > New Site.

The Site Setup wizard Welcome page appears.

Click Strict security settings, then click Next. The Site name page appears.
In the Site name box, type a name a unique name for the Site. The default name is MySite, but you change it to anything you want. The name you provide here will appear in EFT Server tree in the left pane of the Administrator and in reports and messages.
In the Listening IP box, specify the IP address the Site should listen on, or leave the default of All Incoming.
Click Next. The Site Root Folder page appears.
In the Site root box, leave the default or click Browse to specify the root folder.
In the Additional options area, select the check boxes as needed:

Select the Create UNIX-style subfolders check box to create Usr, Pub, Bin, and Incoming folders with appropriate permissions under the root folder. This is only necessary if you are trying to mimic a typical default *nix Server setup.
Select the Automatically assign home folders to newly created users to create a user folder automatically under \Site Root\Usr\ when a new user is added.

Click Next. The User Authentication page appears.
In the Authentication type list, specify one of the following authentication methods that this Site will use to authenticate user connections:

GlobalSCAPE Server Authentication
Windows Active Directory Authentication - If you are using this method, also refer to Windows Active Directory Authentication.
LDAP Authentication - If you are using this method, also refer to LDAP Authentication.
ODBC authentication - If you are using ODBC authentication, also refer to ODBC Authentication.

Click Next. The Server Authentication settings page appears.
The default path to store the user database appears in the box. If you want to store the user database in a different location, click the Browse icon or type the path in the box.
Click Next. The Perimeter Network Security page appears.
Specify whether to connect the Site to EFT Server's DMZ Gateway.

If you choose not to connect to DMZ Gateway, click in the text box and provide a reason for not using DMZ Gateway. (The reason will appear in the Description box of the compliance report.)
If you choose to connect to DMZ Gateway, click Connect this Site to DMZ Gateway Server, specify its IP address and port, then click Test Connection.

Click Next. If you specified a default port for DMZ Gateway, the Vendor Defaults page appears.
Change the port number to a non-default number, or provide a reason for keeping the default port. (The reason will appear in the Description box of the compliance report.)
Click Next. If EFT Server was configured with the default Administrator port of 1100, the Vendor Defaults page appears for you to change the Administrator port or provide justification for using the default.
Click Next. The Data Retention and Disposal page appears.
Do one of the following:

Specify the file extensions to be deleted, the frequency, and the folder from which to delete them.
Click Don't set a data retention and disposal policy, then, in the text box, provide the justification and compensating control. (The reason will appear in the Description box of the compliance report.) Refer to Specifying File Deletion Options for more data wiping options.

Click Next. The Administrator Account Password Security page appears.
Keep the default of enabling the administrator account password security settings or click Continue without changing administrator account password security settings, then provide the justification and compensating control. (The reason will appear in the Description box of the compliance report.)
Click Next. The Daily PCI DSS Audit Report page appears.
Do one of the following:

Click Audit and send report daily, then provide the recipient's e-mail address. (The SMTP settings were configured during Server setup.)
Click Do not generate daily report and type a reason for not generating the report automatically. For example, you can generate the report on the fly in the Administrator. (The reason will appear in the Description box of the compliance report.)

Click Next. The Data Sanitization page appears.
Do one of the following:

Click Enable data wiping, then, in the Data sanitization method box, click which method EFT Server is to use to wipe data.
Click Windows default (no wipe) and type a reason for not specifying a data sanitization method for EFT Server to use. For example, you might be using a third-party tool for sanitization. (The reason will appear in the Description box of the compliance report.)

Click Next. The Connection Protocols page appears.
Select one or more check boxes for the protocol(s) and specify the port numbers that this Site will use to connect to EFT Server.

If you specify plain-text FTP or HTTP, after you click Next, EFT Server will prompt you to disable these unsecure protocols or continue and supply justification.

If you choose SSL, click SSL options and SSL certs for further configuration.

Click SSL options to define the allowed SSL versions and ciphers.

Most Web browsers do not have TLS turned on by default, which causes things like redirecting to the account management page to fail, because the browser cannot make the SSL connection, and it returns an error. For this reason, default SSL security options for a High Security Site include SSL 3.0 in addition to TLS 1.0.

Click SSL certs to define the SSL certificate to use for this Site.

If you do not enable SSL, you will not be able to connect to EFT Server from a remote the Administrator. Refer to Creating Certificates, Importing a Certificate into the Trusted Certificate Database, and Importing Certificates from Microsoft IIS 5 for information regarding certificates.

Regarding SSL certificate-based login, compliance with PCI DSS (Multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.) requires that users change their password upon initial login. Because SSL certificate-based login does not use a password, it potentially violates the PCI DSS and is, therefore, not available with HS-enabled Sites.

If you choose SFTP, click SFTP options and SFTP keys for further configuration. EFT Server will automatically generate SFTP keys if SFTP is selected.

Because the SFTP Public key only method does not use a password, it potentially violates the PCI DSS and is, therefore, not available with High Security Sites. You can, however, use the Public Key and Password method.

If you choose AS2 over HTTP/S, click Configure to specify your AS2 identifier and certificate information.

Click Next. The Vendor Default page appears if the default SFTP banner message is used on EFT Server.
Do one of the following:

Click Change SFTP message banner to, then provide the software version and, optionally, comments.
Click Continue without making any changes, then type the reason for keeping the default banner message.

Click Next. The Site Setup Completed page appears.
You are offered the option of continuing to the User Creation wizard or quitting the wizard. Click an option, then click Finish. If you chose Run New User Creation wizard, the User Creation wizard Welcome page appears.

The HS-enabled Site appears in the tree on the Server tab.

Did this topic solve your problem/answer your question?

- For the most up-to-date information regarding EFT Server and its modules;

- To view version history, updates, and activation instructions;

- To download a PDF of this user guide;

- And to search the Knowledge Base and User Forum,

Visit the GlobalSCAPE Support Center, http://www.globalscape.com/support .

Refer to Copyright Information for copyright information.

Last modified: October 14, 2009