Certain security features in the HS module (e.g., administrator password expiration and forced reset) are not compatible with the Secure Ad Hoc Transfer Module. If you are using the HS module and the SAT module with EFT Server, you should create a separate, non-PCI DSS Site that is used only for the Secure Ad Hoc Transfer module. Alternately, you can disable the features that are not compatible, but that would take the Site out of compliance with the PCI DSS.
Administrator password expiration and forced reset are features that help your Site remain in compliance with the PCI DSS; however, those same features can cause problems with the SAT module. If the administrator password expires or changes, the value stored in the SAT module's configuration file is no longer valid. Since the value stored in the configuration file is not plaintext, you cannot change it by typing the new password in the file. (Refer to Creating a Base64-Encoded Password for the procedure for encoding the password, which you can then paste into the configuration file.)
If your Site's complex password settings require more than 20 characters, be sure to configure the EFTAdHoc User Settings Template to override the Site's password settings so that complex passwords for SAT temporary users contain fewer than 20 characters. |
The SAT module uses a temporary user account to upload files from the IIS computer to the temporary user's home directory on EFT Server. If the UploadProtocol value in the configuration file is set to anything other than -1 (file copy), the file cannot be uploaded to the temporary user account, because the password has not been reset on first logon, as required for PCI DSS compliance. When UploadProtocol is set to anything other than -1 (the default is 5), the force reset password feature should be disabled.
The "force users to reset their password on initial login" option can be enabled on an HS-enabled Site, if the UploadProtocol setting in the configuration file is set to -1 (which means File Copy). Since this is not the default option, an EFT Server administrator must edit the file. Also, setting UploadProtocol to -1 (File Copy) is only a viable option if both EFT Server and IIS are installed on the same computer. The available settings for the UploadProtocol value are:
-1 = File copy
0 = FTP
1 = FTPS_IMPLICIT
2 = FTPS_EXPLICIT
3 = SFTP2
4 = HTTP
5 = HTTPS
6 = SOCKS4
7 = SOCKS5
8 = FTPS_AUTH_TLS
The recommended configuration is to create a non-PCI Site for exclusive use by the SAT module, and disabling the password expiration and forced reset options. As always, if you have any questions or concerns regarding installing and configuring EFT Server for use with any of the modules, contact GlobalSCAPE Technical Support.
Installing and Configuring Secure Ad Hoc Transfer
Using the Secure Ad Hoc Transfer Module
Secure Ad Hoc Transfer's Configuration file
Security and Secure Ad Hoc Transfer (procedure for encoding the password)