
  • FTP secure password

    Lately security audits don't like the FTP with ShoreTel and have asked the customer to complain to us. They are finding it to be a security flaw and want to disable it or have a secure password or a different account than the anonymous one. Thoughts? Is it possible?

  • #2
    We've hit the same issue with more than just the FTP stuff. We are at 14.2 (19.47.5900.0), and I've had to remove our external-facing conference bridge as it has a few too many security vulnerabilities. We can't patch the OS or firewall the servers for any of the kit, so I have to get Director-level approval for a security variation and am having to fight off putting the whole shebang behind dual firewalls.

    Great solution..


    • #3
      We have customers that restrict FTP access by IP ranges or disable it until they need it again. You can also restrict the access to read-only, but you will have to put all these settings back to do updates or any changes.

      You can lock down the system very heavily if you want to spend the time poking; you can use the firewall, with lots of agony, but it is possible yet not supported. You can go as far as removing the Windows GUI, but it's a real pain to deal with after that and I don't recommend doing that. On a side note, though, having your system in a virtual environment, you can restrict access by shaping the VM access rules to the whole system and make it so Director and the server are only visible from 1 machine.

      Lance Paddock
      BTX | Business Telephone eXchange
      1(800) 289-0299


      • #4
        First, I agree about the security concerns. Partners have been pushing back on this for years, and that is part of what is driving Connect, which has much better security. Secondly, you do not want to add a password to FTP. FTP is inherently insecure, and adding a password just advertises a plain-text set of credentials to your server. At least the anonymous account only allows reading and writing to the FTP folder, from which nothing can run, and also keeps you from sharing a password that can log into the box.
        Last edited by blanning; 03-07-2017, 03:40 AM.