Best Practices for Using Cached Credentials
If you use cached credentials for SFTP directories or mapped drives, the best way to control user access to network resources is by using the default [Client user] option and configuring network access using Windows user and group settings.
Caution: If you decide to grant access to client users by specifying an alternate credential, you should review the information presented here to understand how to create a configuration that provides users with access to the data for which they are authorized, but does not grant them access to data for which they are not authorized.
Concerns
The following issues can affect user access when you specify a credential other than [Client user].
- Because of how Windows domains handle authentication, if you specify an account that can access multiple locations on the same server, knowledgeable client users with permission to create a terminal session (the default) can access all of those locations.
Note: In a Windows domain, where multiple physical file servers are configured to be accessed through a single host name, authentication and authorization are the same as if you are using a single physical file server.
- When new client connections are established using the session reuse feature (a default for Reflection Windows Secure Shell clients and FTP client sessions configured using the GUI), rights established in the original connection are available for all subsequent connections. This means that rights established for an SFTP connection will also be available in a terminal session.
- Client users can only update their own passwords. If the password for a specified alternate credential expires, other users will lose access to locations for which this credential is required until the password is updated in the credential cache database by the administrator or owner.
- The Reflection for Secure IT server will use only one alternate credential during a session to create drives or virtual directories on any given server. If you configure additional drives or directories on the same server using different credentials, some of these locations will not be available to the client user.
Recommended practices
Review these guidelines to help ensure that you are providing access to authorized data only.
- Use only the default [Client user] credential and control user access to network resources using Windows user and group settings. This option is recommended.
If you use an alternate credential, use any or all of the following to help ensure that client users can't access unauthorized data by using the privileges associated with another user's credentials.
- Use a dedicated file server to provide data access for client users. Use alternate credentials only to provide access to this server; for all other network resources, limit access to the [Client user] credential.
- If you are providing access to a specific folder on a server that is used for other purposes, use a credential that has access only to that specific folder.
- If users require only SFTP access, disable access to terminal sessions using Allow terminal shell.
- Use the same credential to access all drives or directories on any given server.
Sample scenarios
The following two scenarios involve two users, Mary and Joe, in an organization that has two folders, downloads and payroll, on the same server (acme.com).
Mary's account does not have access to any folders on the acme.com server.
Joe's account (acme\joe) has access to two locations on the acme.com server:
\\acme.com\downloads
\\acme.com\payroll
The following scenario shows how an administrator configuring mapped drives might open up a potential leak of information stored in the payroll folder.
Drive |
Network path |
Credential |
O: |
\\acme.com\downloads |
acme\joe |
P: |
\\acme.com\payroll |
[Client user] |
When Mary connects, Joe's credentials are used to provide access to the O: drive. Although the P: drive is not mapped, Mary is still able to access the payroll folder (and any other folders on acme.com to which Joe has rights). For example, Mary can manually map a drive to \\acme.com\payroll from her terminal session without having to authenticate because she is already using Joe's credential, which gives her access to this folder.
To prevent this, the administrator should move the downloads folder to a different server and/or change the credential used for drive O: to a user who only has access to the downloads folder.
The next scenario shows how an administrator configuring SFTP directories might open up a potential leak of information stored in the payroll folder.
Virtual directory |
Network path |
Credential |
downloads |
\\acme.com\downloads |
acme\joe |
payroll |
\\acme.com\payroll |
[Client user] |
When Mary logs onto the server using an SFTP client, Joe's credentials are used to provide access to the downloads directory. Mary's SFTP client session won't show the payroll directory. However, she might use the connection reuse feature to open a terminal session that will use the credentials that were already established for the SFTP connection. From this terminal session, Mary can access content in the payroll folder by manually mapping a drive using Joe's privileges.
To prevent this, the administrator should move the downloads folder to a different server, change the credential used for the downloads virtual directory to a user who only has access to the downloads folder, and/or disable access to the terminal shell.
 |