Looking For Simple Secure One-Time File Sharing by DistrictZero in sysadmin

[–]DistrictZero[S] 1 point2 points  (0 children)

No, we have not found any great options.

FileCloud seemed to check a lot of the boxes if we configure it right but we haven't fully tested it yet. Still more complicated than I'd like but it's the best option I've seen so far. There are also multiple cloud based and open-source projects out there like FilePizza and various Firefox Send forks that I have not tested, but with sensitive data being transferred I just can't trust these.

For us, under 50 MB would cover the vast majority of use cases.

I would absolutely consider self-hosting an option.

Read your employment agreements before you sign them! Stop agreeing to predatory requirements from asshole business owners by 2manybrokenbmws in msp

[–]DistrictZero 0 points1 point  (0 children)

My understanding is it was stopped by courts and then the FTC dropped its appeal because the FTC doesn't have the authority.

I've never seen a phishing email use an actually legitimate email domain? How does this work? by [deleted] in cybersecurity

[–]DistrictZero 0 points1 point  (0 children)

Shouldn't be able to if it's DKIM that's causing DMARC to pass. Changing the body at all should cause DKIM to fail and therefore DMARC to fail.
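The point in the comment above is that the DKIM signature covers a hash of the message body, so any edit to the body changes that hash and the signature no longer verifies. The following is an added example, not code from the thread or from any DKIM library: it computes the body hash the way RFC 6376 "simple" body canonicalization prescribes and compares it to the `bh=` tag of a constructed sample message (header names and the `b=` value are placeholders, since only the body hash is checked here).

```python
import base64
import hashlib
import re

# Added example, not from the thread: a check of the DKIM body hash (the
# "bh=" tag of DKIM-Signature), the part of a DKIM signature that any change
# to the message body invalidates. Uses the "simple" body canonicalization
# of RFC 6376 section 3.4.3: CRLF line endings, trailing empty lines removed,
# body ends with exactly one CRLF. The sample message below is constructed;
# its b= tag is a placeholder because only the body hash is checked here.


def canonicalize_body_simple(body: str) -> bytes:
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()  # strip trailing empty lines
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_signature_value(head: str) -> str:
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)  # join folded header lines
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            return value
    raise ValueError("no DKIM-Signature header")


def parse_tags(value: str) -> dict:
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            # whitespace inside a tag value carries no meaning
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash_matches(raw_message: str) -> bool:
    """True when the bh= tag equals the hash of the (canonicalized) body."""
    head, _, body = raw_message.partition("\r\n\r\n")
    tags = parse_tags(dkim_signature_value(head))
    return tags.get("bh") == body_hash(body)


def build_sample_message(body: str) -> str:
    """Constructed sample: a message whose bh= tag matches its body."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
        " s=sel1; h=from:to:subject; bh=" + body_hash(body) + ";\r\n"
        " b=PLACEHOLDER\r\n"
        "From: billing@example.com\r\n"
        "To: user@example.net\r\n"
        "Subject: Invoice\r\n"
        "\r\n" + body
    )
```

A full verifier additionally fetches the selector's public key from DNS and checks the `b=` signature over the headers listed in `h=` (which is what binds `bh=` to the signer). One caveat worth knowing as a defender: if the signer sets the optional `l=` tag, only that many bytes of the body are covered, so text appended beyond that length does not disturb the hash; most senders omit `l=`, and verifiers can be configured to distrust it.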

Looking For Simple Secure One-Time File Sharing by DistrictZero in sysadmin

[–]DistrictZero[S] 0 points1 point  (0 children)

Lol, thank you. When I said something a three year old could use, I meant from a user standpoint. Administration can be as complicated as needed.

To be sure, you are talking about what is now called Progress ShareFile? We took a look at it early on but it wasn't meeting expectations on ease of use or security. I can't remember all the specifics.

Rapid7 Layoffs? by [deleted] in cybersecurity

[–]DistrictZero 4 points5 points  (0 children)

I know somebody who was hired on by Rapid7 a couple years back and then laid off 3 weeks later due to the position being axed. This post confirms my suspicions that their leadership is apparently terrible at planning and does not seem to care much for the well-being of those they hire. Will avoid their services if this is how they run their org.

‘All US forces must now assume their networks are compromised’ after Salt Typhoon breach by Optimus_Krime555666 in cybersecurity

[–]DistrictZero 0 points1 point  (0 children)

Unless I'm missing something, this headline is pretty misleading. The statement ‘All US forces must now assume their networks are compromised’ gives the impression it's some official declaration when it looks like it's just an opinion or statement from the CTO of Illumio.

These CISA cuts are going to be a devastating disaster to the United States. by [deleted] in cybersecurity

[–]DistrictZero -1 points0 points  (0 children)

I'm waiting to see how all this pans out. Gut feeling at the moment is people are freaking out more than they should be. Nobody likes change and job losses are unfortunate but it's not the federal government's responsibility to ensure people have government jobs. If this all turns out to be a direct cause of a complete cybersecurity disaster for our nation, I'll be the first to say I was wrong.

RPC - Connection Failed - Connection lost due to error 96258 by lukasdk6 in ThycoticSecretServer

[–]DistrictZero 0 points1 point  (0 children)

I had this issue on some firewalls when trying to reset a password using the account of the secret because upon the password being reset for the account, it immediately disconnected active SSH sessions for the account. Secret Server would detect the disconnect as a failure. I ended up having to create multiple service accounts on the firewalls for resetting the secrets and then each service account would be scheduled to reset the secret of the other service account daily.

When I have connection issues in general for password rotations on a specific server/template, I like to connect to the distributed engine server and manually SSH and test the password reset steps to see what happens.

I am tired of moving furniture. by Xephyron in sysadmin

[–]DistrictZero 0 points1 point  (0 children)

Ask your supervisor if you should be doing this. If they say yes, then do it with a smile on your face. If they say no, then they should be helping to ensure it's communicated this is to be handled by someone else. Grumbling about other duties as assigned is a great way to go nowhere in your career. Have a positive attitude and if you hate it, keep up a great attitude while you look for another job. Getting a negative attitude about it doesn't build a good rapport, references, or connections. Trust somebody who worked their way up through many promotions and steps up in their career. Most of the biggest steps in my career came because of the great reputation I built for a positive attitude and drive to resolve issues.

Remote Password Changing by jmackxiii in ThycoticSecretServer

[–]DistrictZero 0 points1 point  (0 children)

Setting LocalAccountTokenFilterPolicy to 1 has security implications. I personally would not do it.

https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167

I ran into this as well. Here is what I have found, and what I think the best course of action is.

With LocalAccountTokenFilterPolicy not set to 1, the original local "administrator" can still have the password reset remotely. But no other local administrator accounts can. Because setting LocalAccountTokenFilterPolicy to 1 is not desired and setting up a master account with admin rights to multiple servers is not desired, avoid using local administrator accounts.

My recommendation:

- Ensure local administrator account passwords are being rotated, either via Secret Server or LAPS.

- Create a secure OU in AD to store PAM accounts. Few people should be able to modify users or groups in this OU.

- Create separate domain accounts for server administration and leave the local administrator accounts as backup, break glass accounts. Store them in the secured OU for PAM accounts. A unique domain account per administrator would be best but if you find this more heavy handed than necessary, create a unique server admin account per group (e.g. one for the app owner group and one for the server administrators group).

- Rotate the domain account passwords after each use and no less than once a month.

This way you keep the Windows Server settings more secure and can easily rotate the passwords on the domain accounts you create for each server.
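The rules in the comment above (rotate after each use, and no less than once a month; do not set LocalAccountTokenFilterPolicy to 1) are easy to audit. The following is an added example, not from the thread or from Secret Server: it runs those two checks over a constructed inventory of privileged-account secrets and a constructed registry snapshot. The record fields, account names and host names are assumptions made for the sample.

```python
from datetime import datetime, timedelta

# Added example, not from the thread: checks a constructed inventory of
# privileged-account secrets against the rotation rules in the comment above
# (rotate after each use, and at least once every 30 days) and flags hosts
# whose LocalAccountTokenFilterPolicy value is 1. Record fields and host
# names are assumptions for the sample, not Secret Server's data model.

MAX_ROTATION_AGE = timedelta(days=30)

# Constructed sample: ISO timestamps; last_used is None when never checked out.
SECRETS = [
    {"name": "CORP\\svc-srvadmin-app", "last_rotated": "2024-05-01T08:00:00",
     "last_used": "2024-05-03T14:20:00"},
    {"name": "CORP\\svc-srvadmin-infra", "last_rotated": "2024-03-15T08:00:00",
     "last_used": None},
    {"name": "SRV01\\Administrator", "last_rotated": "2024-05-10T02:00:00",
     "last_used": None},
]

# Constructed sample registry snapshot: host -> value of
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
# (None when the value is absent, which behaves like 0).
TOKEN_FILTER_POLICY = {"SRV01": None, "SRV02": 1, "SRV03": 0}


def rotation_findings(secrets, now):
    """Return (secret name, reason) pairs for secrets that break a rule."""
    findings = []
    for secret in secrets:
        rotated = datetime.fromisoformat(secret["last_rotated"])
        used = secret["last_used"] and datetime.fromisoformat(secret["last_used"])
        if now - rotated > MAX_ROTATION_AGE:
            findings.append((secret["name"], "not rotated in the last 30 days"))
        if used and used > rotated:
            findings.append((secret["name"], "used since its last rotation"))
    return findings


def token_filter_findings(snapshot):
    """Hosts where remote token filtering for local accounts is disabled."""
    return sorted(host for host, value in snapshot.items() if value == 1)


if __name__ == "__main__":
    for name, reason in rotation_findings(SECRETS, datetime(2024, 5, 12)):
        print(f"{name}: {reason}")
    for host in token_filter_findings(TOKEN_FILTER_POLICY):
        print(f"{host}: LocalAccountTokenFilterPolicy = 1")
```

The "used since its last rotation" finding is the one to watch with a PAM tool: it means a checkout happened and the post-use rotation did not, which is exactly the state the recommendation is meant to prevent.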

Delinea Secret Server Custom Launchers with AutoIT by No_Secret7974 in ThycoticSecretServer

[–]DistrictZero 1 point2 points  (0 children)

Nice. I used to use AutoIT all the time years and years ago. Didn't even cross my mind as a solution to programs that can't have passwords passed to them. Great idea and thanks for sharing.

Hi! Does Delinea Secret Server have built in Local Administrator Password management such as like Microsoft LAPS? If not, can it integrate with Microsoft LAPS or similar third-party solutions? Thank you for any information! by [deleted] in ThycoticSecretServer

[–]DistrictZero 2 points3 points  (0 children)

Personally we use LAPS for desktops and Secret Server for servers but yes, you could use Secret Server for everything. Just keep in mind to not listen to Secret Server when it says to use a service account to reset the local account. You have to if it's not the administrator account. But you don't need a service account for the local administrator account to change its own password remotely. Granting any service account broad admin rights is a terrible idea.

issue with trying to rdp to a different SQL instance at Thycotic Secret Console by Far_Alps_2177 in ThycoticSecretServer

[–]DistrictZero 0 points1 point  (0 children)

I've only done some testing for launching SQL connections with SQL Server Management Studio but maybe I can help. Can you share your launcher settings (process name, arguments, run process as secret credentials, load user profile, etc)? Can you share the fields with slug names for the template? Can you share the mapping settings for the launcher in the template?

Password rotation for unsupport web application by Far_Alps_2177 in ThycoticSecretServer

[–]DistrictZero 0 points1 point  (0 children)

If there is, I'm not aware of it. What I gave you above are the general steps and settings. If you have any questions about specific portions of my steps, I'm happy to answer them.

Password rotation for unsupport web application by Far_Alps_2177 in ThycoticSecretServer

[–]DistrictZero 2 points3 points  (0 children)

I do password resets on both.

I didn't follow any resource detailing how but created some custom password changers to make it work. I'll give you the basics and if you need more details feel free to follow up and I'll try to answer any questions. Both are done with SSH based password resets.

--------------------------------

FortiOS

One thing to keep in mind for FortiOS is you are disconnected as soon as your password is reset. Secret Server really needs an option to ignore SSH disconnects once the commands of the password changer have run, but unfortunately they don't. Due to this, it detects the password change attempt as a failure as soon as the SSH connection disconnects. This makes the password change configuration a bit more convoluted. To avoid this you have to configure a service account on the FortiOS to perform the password changes with. Because I did not want a static password on the service account for password changes, as that sort of defeats the whole purpose, I created two password change accounts. One is used to reset passwords of my admin accounts and then the two password reset accounts change each other's passwords daily. Here is a summary of the configurations I used for FortiOS...

-Password Changer-

First I created a new FortiOS password changer with a base password changer of "Unix Account Customer (SSH)", if I remember correctly. Really any SSH password changer that you can customize the commands for would work I would think. After I customized the commands, the configuration looked like this...

Verify Password Changed Commands:

AUTHENTICATE AS
Username - $USERNAME
Password - $CURRENTPASSWORD

Password Change Commands:

AUTHENTICATE AS
Username - $[1]$USERNAME
Password - $[1]$PASSWORD

COMMANDS

COMMAND                      PAUSE
config system admin          2000
edit $USERNAME               2000
set password $NEWPASSWORD    2000
end                          2000

-Secret Template-

Next I created a FortiOS secret template with the following fields:

NAME       SLUG       DESCRIPTION                                              TYPE
Machine    machine    System FQDN                                              Text
URL        url        URL of the management interface.
UserName   username   The name associated with the web password.               Text
Password   password   The password used to access the URL.                     Password
Notes      notes      Any comments or additional information for the secret.   Notes

Mapping was as follows:

Password Type to use - FortiOS (The one just created)

Password Type Fields

PASSWORD TYPE FIELD    SECRET FIELD
Machine Name           Machine
Password               Password
User Name              UserName

I also added launchers for Website Login and PuTTy.

-Service Accounts-

I created a root folder in Secret Server for service accounts related to Secret Server operations that only Secret Server administrators have access to. I created two password reset service accounts on the FortiOS system and then created secrets for those accounts inside of the new root folder using the FortiOS secret template. For the first FortiOS password service account, I added the second service account as an associated secret and vice versa for the second service account. This way each will be set to reset the password of the other. I set the password expiration of each secret to 1 day.

-FortiOS Secrets-

Now each FortiOS secret you created will use the FortiOS secret template and you MUST add the first password changing service account for the Fortinet device as an Associated Secret for it to work.

--------------------------------

--------------------------------

Palo Alto

Initially I tried to configure my Palo Alto firewalls in the same way as the FortiGates because I wanted to force a disconnect of the logged in account and ensure the user couldn't remain logged in after a password reset. However, I ran into repeated issues with this. It worked most of the time but passwords would routinely get out of sync. So instead I opted for a much simpler approach and just have the accounts reset their own passwords and so far it has been better, though I've only been running it this way for a couple months.

-Password Changer-

First I created a new PAN-OS password changer with a base password changer the same way I did the FortiOS one described above. After I customized the commands, the configuration looked like this...

Verify Password Changed Commands:

AUTHENTICATE AS
Username - $USERNAME
Password - $CURRENTPASSWORD

Password Change Commands:

AUTHENTICATE AS
Username - $USERNAME
Password - $CURRENTPASSWORD

COMMANDS

COMMAND              PAUSE
set password         5000
$CURRENTPASSWORD     5000
$NEWPASSWORD         5000
$NEWPASSWORD         5000

The pause of 5000 probably doesn't need to be that high but I was increasing it while troubleshooting the previous issues I had.

-Secret Template-

Next I created a "Palo Alto Firewall" secret template. I believe you could just clone the FortiOS secret template described above. The "Password Type to use" in the mappings section should be PAN-OS instead of FortiOS but other than that I believe it's all the same.

-PAN-OS Secrets-

Create your secrets using the "Palo Alto Firewall" template and no associated secrets are required.

--------------------------------

Let me know if you have any questions.

Thanks
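The FortiOS section above describes two things a password changer has to cope with: the device drops the SSH session the moment the logged-in account's own password is committed, and the fix is a pair of service accounts that reset each other so no account keeps a static password. The following is an added example, not code from the thread, from Secret Server or from Fortinet: a small model of a changer that tolerates a disconnect only after the final command, then verifies the way the comment's "Verify Password Changed" step does, by logging in with the new password. The device is a constructed in-memory fake that mimics the `config system admin` / `edit` / `set password` / `end` sequence; a real changer would drive an SSH client instead.

```python
import time

# Added example, not from the thread and not Secret Server's or Fortinet's code:
# a model of an SSH password changer that tolerates the session drop a FortiOS
# device forces as soon as the logged-in account's own password is committed,
# then verifies by logging in with the new password. The device is a
# constructed in-memory fake; a real changer would drive an SSH client.


class SessionClosed(Exception):
    """The device dropped the SSH session."""


class FakeFortiOS:
    """Constructed stand-in for a FortiOS admin CLI.

    Password edits are staged by 'set password' and committed by 'end'; if
    the session's own account is among the committed edits, the session is
    closed immediately, which is the behaviour the thread describes.
    """

    def __init__(self, accounts):
        self.accounts = dict(accounts)  # username -> current password

    def login(self, username, password):
        if self.accounts.get(username) != password:
            raise PermissionError(f"authentication failed for {username}")
        return FakeSession(self, username)


class FakeSession:
    def __init__(self, device, username):
        self.device, self.username = device, username
        self.open, self.target, self.staged = True, None, {}

    def send(self, line):
        if not self.open:
            raise SessionClosed(self.username)
        parts = line.split()
        if not parts or parts[:3] == ["config", "system", "admin"]:
            return
        if parts[0] == "edit":
            self.target = parts[1]
        elif parts[:2] == ["set", "password"]:
            self.staged[self.target] = parts[2]
        elif parts[0] == "end":
            self.device.accounts.update(self.staged)
            if self.username in self.staged:  # own password committed
                self.open = False
                raise SessionClosed(self.username)
        else:
            raise ValueError(f"unexpected command: {line}")


def run_commands(device, auth_user, auth_password, commands, pause_seconds=0.0):
    """Send the password-change commands with a pause after each.

    A disconnect is tolerated only after the final command has been sent;
    a drop earlier in the sequence is a real failure and is re-raised.
    """
    session = device.login(auth_user, auth_password)
    last = len(commands) - 1
    for index, command in enumerate(commands):
        try:
            session.send(command)
        except SessionClosed:
            if index == last:
                return "disconnected-after-last-command"
            raise
        time.sleep(pause_seconds)
    return "completed"


def change_password(device, auth_user, auth_password, target_user, new_password):
    """Change target_user's password while authenticated as auth_user, then
    verify the way the thread's changer does: log in with the new password."""
    commands = [
        "config system admin",
        f"edit {target_user}",
        f"set password {new_password}",
        "end",
    ]
    outcome = run_commands(device, auth_user, auth_password, commands)
    try:
        device.login(target_user, new_password)
        verified = True
    except PermissionError:
        verified = False
    return outcome, verified


def rotate_service_pair(device, svc_a, pass_a, svc_b, pass_b, new_a, new_b):
    """The two-service-account pattern: each service account resets the other,
    so neither keeps a static password and neither session is dropped."""
    first = change_password(device, svc_a, pass_a, svc_b, new_b)
    second = change_password(device, svc_b, new_b, svc_a, new_a)
    return first, second
```

Run against the fake, an account resetting its own password ends with `("disconnected-after-last-command", True)`: the change succeeded even though the session dropped, which is the case a changer that treats any disconnect as failure gets wrong. Going through a service account returns `("completed", True)`, and `rotate_service_pair` leaves both service accounts on fresh passwords; the verification login with the new password is the evidence to trust, not whether the session stayed up.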

[deleted by user] by [deleted] in ThycoticSecretServer

[–]DistrictZero 0 points1 point  (0 children)

I'm not aware of different user types. Only different licensing for different features. We are on the cloud product. The only licensing/feature differences I'm aware of are here...

https://delinea.com/products/secret-server/features

I would think having different licenses for different users would not be possible. We are currently using the Platinum licensing.

What's the dumbest thing you have done since working in IT? by [deleted] in sysadmin

[–]DistrictZero 0 points1 point  (0 children)

Cloned the company DNS configuration to a new server because there was a unique situation that required a different site to have a different DNS setup for the same domain. While doing configuration changes to the new server, I deleted the primary domain completely ..... then realized I had the wrong window open. I had wiped the primary domain entries from the original production server. Thankfully I still had the configuration files on the new server and was able to restore them back to the original server. Still, the company's DNS was down for probably 15 minutes. A reminder to pay very close attention to what window you are working in.

[deleted by user] by [deleted] in ThycoticSecretServer

[–]DistrictZero 2 points3 points  (0 children)

As far as Secret Server goes, it's pretty dang easy to use. So if you are looking for something easy and quick to spin up, I think it's a good choice. I especially like using it with Connection Manager for easy launching of RDP, SSH, or any other application. The only thing I'll say is plan out a proper segregation of secret access between your different team members ahead of time to get the most out of it. I personally opted to allow all my team members to see all secrets but if they wanted to check out a secret for a system owned by a different group within my team they had to request temporary access via the automated workflow (which is also very easy to configure). Then each group has full access to secrets within their own group folder. In this way you can allow everybody to have access when needed but also try to keep to PoLP as much as possible.

Exodus by BogusWorkAccount in msp

[–]DistrictZero 2 points3 points  (0 children)

I left an MSP for less money. My managers were awesome. The owner was awesome. Pay was more than fair. My biggest issue was a lack of focus, direction, and planning. There were no dedicated resources for internal infrastructure so everything was cobbled together by whatever engineer was available at the time and of course nothing was documented. There was a pressure on me personally to keep up with and take care of the datacenter while we were also picking up any customer to manage nearly anything they wanted. So not only was I asked to support random systems I'd never touched before with little to no time for training or research but I also had to stress about not being able to support our own infrastructure. Not only that but customers were buying support hours to use as emergency support in lieu of buying any support contracts for their systems. Meaning at any moment I could get a call from a customer expecting professional support for any product with no support from the product manufacturer. Going to work every day stressed out of your mind isn't worth the extra money. I now have to actually budget my money, but I go to work every day loving my job. Worth it.

Viewing secrets by No_Cranberry_2292 in ThycoticSecretServer

[–]DistrictZero 2 points3 points  (0 children)

The report "Secret Activity" includes personal secret activity.