Secure Methods of file transfer over network shares

Hello, I am not sure if this is the right forum for this, if not could
you please point me in the right direction.

I work at a large Univeristy and we are taking over hosting a website
for another department. What we are looking for is a secure way for
the users of the other department to transfer the files to our web
server using network share.

When you transfer files this way does it encrypt your user name and
password or does it send them across as clear text? If it is clear
text is there a way to encrypt it?

Thank You

If it is done through normal file shares then it is doing Windows
Challenge/Response with usually Integrated Authentication. So, not only is
the password not in clear text, the password doesn't even go over the wire
to begin with,...that is what Challenge/Response is all about.

The worst way to do it would be via FTP,...which does send the whole thing
in Clear Text.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Eric" <(E-Mail Removed)> wrote in message
news:4ea46979-05b0-403f-80ff-(E-Mail Removed)...
> Hello, I am not sure if this is the right forum for this, if not could
> you please point me in the right direction.
>
> I work at a large Univeristy and we are taking over hosting a website
> for another department. What we are looking for is a secure way for
> the users of the other department to transfer the files to our web
> server using network share.
>
> When you transfer files this way does it encrypt your user name and
> password or does it send them across as clear text? If it is clear
> text is there a way to encrypt it?
>
> Thank You

Thank you for the response Phillip. I should have explained alittle
better how we are set up. Even though we are within the same
univeristy we manange our own network where as the department whos
website we are hosting is not managed by us. We are not on the same
domain. We use Active Directory and they use Novell The only thing
would be we are on the same IP range as the rest of campus but they
are 2 completely differnet networks.

What we would like to do is share the folder under wwwroot that holds
their website files, with them over windows share such as setting up a
user account on our server and than have them map the drive using the
user account.

And in that case would it be encrypted or sent as clear text?

Thanks again Phillip

On Jan 3, 3:33*pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> If it is done through normal file shares then it is doing Windows
> Challenge/Response with usually Integrated Authentication. *So, not onlyis
> the password not in clear text, the password doesn't even go over the wire
> to begin with,...that is what Challenge/Response is all about.
>
> The worst way to do it would be via FTP,...which does send the whole thing
> in Clear Text.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
> "Eric" <ericsta...@gmail.com> wrote in message
>
> news:4ea46979-05b0-403f-80ff-(E-Mail Removed)...
>
>
>
> > Hello, I am not sure if this is the right forum for this, if not could
> > you please point me in the right direction.
>
> > I work at a large Univeristy and we are taking over hosting a website
> > for another department. What we are looking for is a secure way for
> > the users of the other department to transfer the files to our web
> > server using network share.
>
> > When you transfer files this way does it encrypt your user name and
> > password or does it send them across as clear text? If it is clear
> > text is there a way to encrypt it?
>
> > Thank You- Hide quoted text -
>
> - Show quoted text -

If it is done with Windows Sharing then it is still Callenge/Response,...it
just doesn't have the Integrated Authentication element because there is no
Trust between the Domains.

Integrated Authentication just means that it automatically uses the
credentials the user logged into their machine with,...while the
Callenge/Response is the method via which the authentication happens. When
the user is prompted for credentials they are simply doing manually what the
Integrated part would have done otherwise,...but the Ch/Resp still happens
as far as I know.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"Eric" <(E-Mail Removed)> wrote in message
news:594a4330-08c9-4377-99e1-(E-Mail Removed)...
Thank you for the response Phillip. I should have explained alittle
better how we are set up. Even though we are within the same
univeristy we manange our own network where as the department whos
website we are hosting is not managed by us. We are not on the same
domain. We use Active Directory and they use Novell The only thing
would be we are on the same IP range as the rest of campus but they
are 2 completely differnet networks.

What we would like to do is share the folder under wwwroot that holds
their website files, with them over windows share such as setting up a
user account on our server and than have them map the drive using the
user account.

And in that case would it be encrypted or sent as clear text?

Thanks again Phillip

On Jan 3, 3:33 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> If it is done through normal file shares then it is doing Windows
> Challenge/Response with usually Integrated Authentication. So, not only is
> the password not in clear text, the password doesn't even go over the wire
> to begin with,...that is what Challenge/Response is all about.
>
> The worst way to do it would be via FTP,...which does send the whole thing
> in Clear Text.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
> "Eric" <ericsta...@gmail.com> wrote in message
>
> news:4ea46979-05b0-403f-80ff-(E-Mail Removed)...
>
>
>
> > Hello, I am not sure if this is the right forum for this, if not could
> > you please point me in the right direction.
>
> > I work at a large Univeristy and we are taking over hosting a website
> > for another department. What we are looking for is a secure way for
> > the users of the other department to transfer the files to our web
> > server using network share.
>
> > When you transfer files this way does it encrypt your user name and
> > password or does it send them across as clear text? If it is clear
> > text is there a way to encrypt it?
>
> > Thank You- Hide quoted text -
>
> - Show quoted text -

Phillip,

So using this method it does not send the password to the server at
all? You would think at some point it would have to send the password
to be able to authenticate.

Do you know what it sends or can you point me in the direction of some
documents that would tell me?

Thank you for your help.

Eric

On Jan 3, 4:01*pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> If it is done with Windows Sharing then it is still Callenge/Response,...it
> just doesn't have the Integrated Authentication element because there is no
> Trust between the Domains.
>
> Integrated Authentication just means that it automatically uses the
> credentials the user logged into their machine with,...while the
> Callenge/Response is the method via which the authentication happens. *When
> the user is prompted for credentials they are simply doing manually what the
> Integrated part would have done otherwise,...but the Ch/Resp still happens
> as far as I know.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
> "Eric" <ericsta...@gmail.com> wrote in message
>
> news:594a4330-08c9-4377-99e1-(E-Mail Removed)...
> Thank you for the response Phillip. I should have explained alittle
> better how we are set up. Even though we are within the same
> univeristy we manange our own network where as the department whos
> website we are hosting is not managed by us. We are not on the same
> domain. We use Active Directory and they use Novell The only thing
> would be we are on the same IP range as the rest of campus but they
> are 2 completely differnet networks.
>
> What we would like to do is share the folder under wwwroot that holds
> their website files, with them over windows share such as setting up a
> user account on our server and than have them map the drive using the
> user account.
>
> And in that case would it be encrypted or sent as clear text?
>
> Thanks again Phillip
>
> On Jan 3, 3:33 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
>
>
>
> > If it is done through normal file shares then it is doing Windows
> > Challenge/Response with usually Integrated Authentication. So, not only is
> > the password not in clear text, the password doesn't even go over the wire
> > to begin with,...that is what Challenge/Response is all about.
>
> > The worst way to do it would be via FTP,...which does send the whole thing
> > in Clear Text.
>
> > --
> > Phillip Windellwww.wandtv.com
>
> > The views expressed, are my own and not those of my employer, or
> > Microsoft,
> > or anyone else associated with me, including my cats.
> > -----------------------------------------------------
>
> > "Eric" <ericsta...@gmail.com> wrote in message
>
> >news:4ea46979-05b0-403f-80ff-(E-Mail Removed)...
>
> > > Hello, I am not sure if this is the right forum for this, if not could
> > > you please point me in the right direction.
>
> > > I work at a large Univeristy and we are taking over hosting a website
> > > for another department. What we are looking for is a secure way for
> > > the users of the other department to transfer the files to our web
> > > server using network share.
>
> > > When you transfer files this way does it encrypt your user name and
> > > password or does it send them across as clear text? If it is clear
> > > text is there a way to encrypt it?
>
> > > Thank You- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

In news:a4876da7-3771-4811-b757-(E-Mail Removed),
Eric <(E-Mail Removed)> typed:
> Phillip,
>
> So using this method it does not send the password to the server at
> all? You would think at some point it would have to send the password
> to be able to authenticate.
>
> Do you know what it sends or can you point me in the direction of some
> documents that would tell me?
>
> Thank you for your help.
>
> Eric

I must agree and affirm Phillip's response. The password does NOT get send
across during a Ch/Resp transaction but rather the hash does. The server
creates a hash of the username and password, then the client connecting
enters their user/pass and the worktation creates it's own hash based on the
same algorithm (a proprietary method shared among all Microsoft products)
and sends the hash across the wire. The server then compares the hash it
received with the hash it created. If it matches, you are in. If not, you
are not.

HOwever I must point out there are tools out there to crack the hash. So if
someone is deliberately running one of these tools targeting your machine or
sitting there watching hashes fly across the wire, then it may be caught and
the tool may crack it. If the solution you seek MUST secure traffic between
two hosts so no one can get in, tools or not, use IPSec. That is your only
choice with such a high secure requirement.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

"Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> HOwever I must point out there are tools out there to crack the hash. So
> if someone is deliberately running one of these tools targeting your
> machine or sitting there watching hashes fly across the wire, then it may
> be caught and the tool may crack it.

There isn't much chance of that happening on a fully switched network
(Layer2). They would have to hack into a Switch in the path and configure a
Monitoring Port and then physically plug the tool into that monitoring port.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Phillip, Ace,

Thank you for your help. You have answered my questions.

Thanks again.

Eric
On Jan 4, 12:54*pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> "Ace Fekay [MVP]" <PleaseAs...@SomeDomain.com> wrote in messagenews:(E-Mail Removed). ..
>
> > HOwever I must point out there are tools out there to crack the hash. So
> > if someone is deliberately running one of these tools targeting your
> > machine or sitting there watching hashes fly across the wire, then it may
> > be caught and the tool may crack it.
>
> There isn't much chance of that happening on a fully switched network
> (Layer2). *They would have to hack into a Switch in the path and configure a
> Monitoring Port and then physically plug the tool into that monitoring port.
>
> --
> Phillip Windellwww.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------

In news:O9%(E-Mail Removed),
Phillip Windell <(E-Mail Removed)> typed:
> "Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > HOwever I must point out there are tools out there to crack the
> > hash. So if someone is deliberately running one of these tools
> > targeting your machine or sitting there watching hashes fly across
> > the wire, then it may be caught and the tool may crack it.
>
> There isn't much chance of that happening on a fully switched network
> (Layer2). They would have to hack into a Switch in the path and
> configure a Monitoring Port and then physically plug the tool into
> that monitoring port.

True, Phillip, because of the switch discerning source/destination on each
port. Good point. I caught someone that got into the server room where the
switch was located and he put in a hub inline between the switch and the
router. He was grabbing packets, but he didn't get any authentication
traffic since that was not outbound. However I am always leary when it comes
to security...

:-)

Ace

"Ace Fekay [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> True, Phillip, because of the switch discerning source/destination on each
> port. Good point. I caught someone that got into the server room where the
> switch was located and he put in a hub inline between the switch and the
> router. He was grabbing packets, but he didn't get any authentication
> traffic since that was not outbound. However I am always leary when it
> comes to security...

Did you take him out into the back parking lot and "explain" it to him with
a little violence sprinkled in.

:-)

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------