December 08, 2006

Secure file sharing among Windows systems across the Internet

How would you securely share a set of files among a group of Windows users distributed across the Internet?

I'm sure there are many different possibilities, but I think using WebDAV plus proper encryption and authentication probably gives the best balance between security and usability. I'll try to explain this option here but please do not hesitate to post comments with arguments for or against it, success/failure stories or any other solution you think is best. If you prefer, you can send me comments directly to radajo_AT_gmail.com and I'll post a summary of those.

Note that I will be assuming a Windows-only environment to reduce the scope of the task at hand but a similar solution can be implemented using other platforms.

WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol that were defined in RFC2518 and related RFCs. Among other things, WebDAV defines a set of new HTTP methods (PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK) that allow a WebDAV client to interact with a web server and do things like modify the contents of files in the server, move them to new locations inside the server, and, importantly, lock a file while updates are being conducted on it so that modifications done by one client are not lost by another client saving different modifications at the same time.

In simpler words, a WebDAV-enabled web server can expose content to users just as a common file server would: users will be able to read and write the contents of the shared files and directories. The difference is that the communication mechanism between the clients and the server will be WebDAV, that is, HTTP extended with the methods listed above.

For the server side, IIS (Microsoft Internet Information Services) can be configured to support WebDAV for specific files or folders. For the client side, Windows Explorer is already WebDAV capable, so users will be able to simply add a new folder to their My Network Places folder pointing to the shared content.

So far, so good. But, how secure is this? Obviously, there are two main problems to solve:
1.- Because traffic will be travelling the Internet, encryption will be needed to prevent unauthorized access to the information in transit.
2.- Only authorized users should be allowed to access the files and only with the appropriate rights and permissions.

The first problem can be solved using SSL (or TLS) with the appropriate encryption strength. The server will need a certificate so that clients can verify its authenticity; this can be easily generated using Windows Certificate Services (included in Windows 2000 Server and Windows Server 2003) or obtained from a third-party certification authority (CA). If an in-house CA is used, its root certificate must be installed in the trusted root store of every client, and the certificate's subject name must match the host name the clients connect to; otherwise the clients will not be able to validate the server certificate and the protection against impersonation is lost.

The second problem is actually twofold: user authentication and authorization.

Different methods for user authentication are possible, but for maximum security we can require client certificates, which again can be issued by Windows Certificate Services or obtained from a third-party CA. IIS should be configured to require (not merely accept) client certificates and to map them, either one-to-one or many-to-one based on certificate fields such as the issuer, to specific Windows user accounts in the server (local or domain). Once authentication is solved, authorization can be performed by setting the appropriate permissions (both NTFS and IIS permissions) on the files and folders. These permissions should reference those Windows (local or domain) user accounts to dictate who can do what on each file and directory; since each request is processed in the security context of the mapped account, the NTFS permissions are what ultimately limits what every user can read or write.
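To make the pieces above concrete, here is an added example (not code from the original post, and not how Windows Explorer itself talks to the server) of a small WebDAV client written in Python: it builds a TLS context that verifies the server certificate against a CA and presents a client certificate for authentication, and then performs the PROPFIND / LOCK / PUT / UNLOCK exchange that WebDAV adds on top of HTTP, including the lock token that prevents two clients from overwriting each other's changes. The host name `dav.example.com`, the `/share/` path, the user name `alice` and the certificate file names are assumptions for illustration, and the two server responses embedded at the bottom are constructed samples so the parsers can be exercised offline.

```python
"""
Added example (not from the original post): a minimal WebDAV client that
enforces TLS with server-certificate verification plus client-certificate
authentication, then runs the PROPFIND / LOCK / PUT / UNLOCK exchange.
Host name, share path, user name and certificate file names are assumptions.
"""
import http.client
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DAV = "{DAV:}"  # ElementTree's Clark notation for the WebDAV namespace


def make_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Server cert must chain to a trusted CA (ca_file, or the system store when
    None) and match the host name; a client cert/key pair, if given, is
    presented for certificate-based user authentication."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def propfind_request(path, depth=1):
    """List a collection: Depth 1 returns the folder itself and its direct children."""
    body = (b'<?xml version="1.0" encoding="utf-8"?>'
            b'<D:propfind xmlns:D="DAV:"><D:prop>'
            b'<D:resourcetype/><D:getcontentlength/></D:prop></D:propfind>')
    headers = {"Depth": str(depth), "Content-Type": "application/xml; charset=utf-8"}
    return "PROPFIND", path, headers, body


def parse_multistatus(xml_bytes):
    """Turn a 207 Multi-Status body into a list of {href, is_collection, size, status}."""
    entries = []
    for resp in ET.fromstring(xml_bytes).findall(DAV + "response"):
        propstat = resp.find(DAV + "propstat")
        rtype = propstat.find(DAV + "prop/" + DAV + "resourcetype")
        size = propstat.findtext(DAV + "prop/" + DAV + "getcontentlength")
        entries.append({
            "href": resp.findtext(DAV + "href"),
            "is_collection": rtype is not None and rtype.find(DAV + "collection") is not None,
            "size": int(size) if size else None,
            "status": propstat.findtext(DAV + "status"),
        })
    return entries


def lock_request(path, owner, timeout_seconds=600):
    """Take an exclusive write lock so a concurrent client cannot clobber our save.
    The owner string is user supplied, so it is XML-escaped before entering the body."""
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<D:lockinfo xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope>'
            '<D:locktype><D:write/></D:locktype>'
            '<D:owner>%s</D:owner></D:lockinfo>' % escape(owner)).encode("utf-8")
    headers = {"Depth": "0", "Timeout": "Second-%d" % timeout_seconds,
               "Content-Type": "application/xml; charset=utf-8"}
    return "LOCK", path, headers, body


def parse_lock_token(xml_bytes):
    """Extract the opaquelocktoken URI from the LOCK response's lockdiscovery property."""
    href = ET.fromstring(xml_bytes).find(
        DAV + "lockdiscovery/" + DAV + "activelock/" + DAV + "locktoken/" + DAV + "href")
    if href is None or not href.text:
        raise ValueError("LOCK response carries no lock token")
    return href.text.strip()


def put_request(path, data, token):
    """Write the file under the lock: the If header proves we hold the token."""
    return "PUT", path, {"If": "(<%s>)" % token, "Content-Type": "application/octet-stream"}, data


def unlock_request(path, token):
    return "UNLOCK", path, {"Lock-Token": "<%s>" % token}, None


def send(conn, method, path, headers, body=None):
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/share/</D:href><D:propstat><D:prop>
  <D:resourcetype><D:collection/></D:resourcetype><D:getcontentlength/>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/share/budget.xls</D:href><D:propstat><D:prop>
  <D:resourcetype/><D:getcontentlength>24576</D:getcontentlength>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

SAMPLE_LOCK = b"""<?xml version="1.0" encoding="utf-8"?>
<D:prop xmlns:D="DAV:"><D:lockdiscovery><D:activelock>
 <D:locktype><D:write/></D:locktype><D:lockscope><D:exclusive/></D:lockscope>
 <D:depth>0</D:depth><D:owner>alice</D:owner><D:timeout>Second-600</D:timeout>
 <D:locktoken><D:href>opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4</D:href></D:locktoken>
</D:activelock></D:lockdiscovery></D:prop>"""


if __name__ == "__main__":
    # Live run against an assumed server: ca.pem is the issuing CA's certificate,
    # alice.pem / alice.key the user's client certificate and private key.
    ctx = make_tls_context("ca.pem", "alice.pem", "alice.key")
    conn = http.client.HTTPSConnection("dav.example.com", 443, context=ctx)
    status, body = send(conn, *propfind_request("/share/"))
    for entry in parse_multistatus(body):
        print(entry)
    status, body = send(conn, *lock_request("/share/budget.xls", "alice"))
    token = parse_lock_token(body)
    send(conn, *put_request("/share/budget.xls", b"new contents", token))
    send(conn, *unlock_request("/share/budget.xls", token))
```

Two details are worth noting. The TLS context refuses to proceed unless the server certificate chains to the given CA and matches the host name, which is exactly the check that an in-house CA whose root is not installed on the client would fail. And the lock token returned by LOCK is what the later PUT carries in its If header; a PUT without it against a locked resource is rejected by the server, which is how WebDAV protects one user's save from another's.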

With this setup, Windows users will be able to securely access the shared files across the Internet much as they would a network shared drive.

Again, any comments welcome.

David.

3 Comments:

Anonymous Anonymous said...

What about FolderShare (www.foldershare.com) or similar services? Granted, you have to have the "server" on (but with IIS/WebDAV the issue is the same). OTOH, you can share "transparently" and it is easier to set up in smaller shops...

The only "gotcha" is that you need a Passport account to get the info, but...

1:44 PM  
Blogger David Perez said...

I haven't looked into the details of FolderShare (now belonging to Microsoft). Just looking at their web page FAQ, this is what they say about the security of their setup:

[...] All P2P communication on FolderShare is authenticated via RSA and encrypted via AES over SSL.

All I can say is that the protocols are good. If the implementation is correct, I have nothing at all against it, and I do agree with you: it sounds like a good alternative, especially for small environments.

Plus it seems to provide file/folder synchronization features that WebDAV plus Windows Explorer or MS Office applications do not, as far as I know.

Thank you for sharing!

David.

1:38 PM  
Blogger David Perez said...

Just a small note to other posters: please post comments in English so that all readers of RaDaJo can understand it (comments in other languages will have to be rejected).

On the other hand, if you want to send us a private comment in Spanish (or any other language we may understand, for that matter), you are more than welcome to do so by sending us an e-mail to radajo-at-gmail.com. You can also post the comment anonymously, but please understand that we will not be able to publish it.

Sorry for any inconvenience.

David.

1:53 PM  