Windows Server for a long time only supported an FTPS server (FTP over SSL\/TLS) via the included Internet Information Server. But FTPS in not very firewall friendly and is rather difficult to configure.
SFTP (FTP over SSH) is currently considered the best option to use, and is recognized by (nearly) all firewalls out of the box. If not, only port 22 needs to be opened up.<\/p>\n\n\n\n
You can install OpenSSL on a computer using the GUI, but for easy repicability we will use powershell commands. Second, we will install everything form the online source. You could adapt the commands to use the windows server 2022 installation media.<\/p>\n\n\n\n
First lets check if it’s not already installed:<\/p>\n\n\n\n
If the answer is like below, it’s already installed, so skip the installation part.<\/p>\n\n\n\n Retrieve installed an not intalled capabilities\/options<\/strong><\/p>\n\n\n\n Get-WindowsCapability -Online | Where Name -Like “OpenSSH*”<\/strong><\/p>\n\n\n\n This will reveal the real names we must use in further commands:<\/p>\n\n\n\n If it’s not installed you can install it by: The installed service will not automatically start if you do not tell it so. So let’s do that, and also start it for the very first time in one go: The OpenSSL config file, is located in %ProgramData%\\ssh\\sshd_config (being c:\\ProgramData\\ssh\\sshd_config.) Inspecting the usage of port 22 to see if opensll is running and listening, we use a powershell command. It returns the processid owning the port, and we translate that to the process name for readability: It returns:<\/p>\n\n\n\n After a default installation, both sftp and ssh have been enabled. So, after setting up security (see further) a users may use both. In our case, we want to ristrict this to only allow SFTP, and only allow access to one folder on the system, to which sftp access will be possible::<\/p>\n\n\n\n The OpenSSH server in windows is configured in this file. It also allows you to connect it’s unix style of configuration to the windows styte of security. You can use windows security to tie op windows groups to this file based security. To do so you will use the directives DenyUsers, AllowUsers, DenyGroups and AllowGroups<\/strong> in de configuration file. Also, place DenyUsers, AllowUsers, DenyGroups and AllowGroups<\/strong> before the Match Group Administrators<\/strong> directive for the same reason. Remark<\/strong>: Specify account name in lowercase only. Specify domain accounts in UPN format, replacing @ with ? to avoid conflcts with regular Linux expressions (Example: mve@aca.nl -> mve?aca*)<\/p>\n\n\n\n Use the ChrootDirectory directive to reach this goal. It’s considered good practice to use logging of the connections to your server. OpenSSH supports ETW (Event Tracing for Windows) based logging and file based logging. If you want to use file based logging, It’s controlled by the SyslogFacility <\/strong>and LogLevel <\/strong>directives in the configuration file. The logfiles will be save to the %ProgramData%\\ssh\\logs<\/strong> directory if you add below lines to your windows OpenSSL configuration file. If you leave out the Syslogfacility line, it will use ETW. But when using file based logging, you are responsible for cleanup!
Get-Service -Name “sshd”<\/strong><\/p>\n\n\n\nStatus Name DisplayName \n------ ---- ----------- \nRunning sshd OpenSSH SSH Server <\/code><\/pre>\n\n\n\nName : OpenSSH.Client~~~~0.0.1.0\nState : Installed\n\nName : OpenSSH.Server~~~~0.0.1.0\nState : Installed<\/code><\/pre>\n\n\n\n
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0<\/strong>
if you also want the clienttools:
dd-WindowsCapability -Online -Name<\/strong> OpenSSH.Client~~~~0.0.1.0<\/p>\n\n\n\n
Get-Service -Name “sshd” | Set-Service -StartupType Automatic -PassThru | Start-Service -PassThru<\/strong><\/p>\n\n\n\nCommon changes to the OpenSSL config file.<\/h2>\n\n\n\n
You can make changes in this file like changing commented out #Port 22 to Port 2223 (removing the # at the front), to tell OpenSSH to use port 2223 for example.
After every change to this file, you will need to restart OpenSSH with the powershell command:
Restart-Service “sshd”<\/strong><\/p>\n\n\n\n
Get-NetTCPConnection -LocalPort 22 | select Local*, State, @{n=”ProcessName”;e={(Get-Process -Id $_.OwningProcess).ProcessName}}, @{n=”ProcessPath”;e={(Get-Process -Id $_.OwningProcess).Path}} | ft -Auto<\/strong><\/p>\n\n\n\nLocalAddress LocalPort State ProcessName ProcessPath \n------------ --------- ----- ----------- ----------- \n:: 22 Listen sshd C:\\Windows\\System32\\OpenSSH\\sshd.exe\n192.168.1.75 22 Established sshd C:\\Windows\\System32\\OpenSSH\\sshd.exe\n0.0.0.0 22 Listen sshd C:\\Windows\\System32\\OpenSSH\\sshd.exe<\/code><\/pre>\n\n\n\nOnly Allow SFTP and not SSH into a system<\/h2>\n\n\n\n
#Locate this line and place below:\n\n# override default of no subsystems\n#Added to allow not ssh and only sftp\n#Force the use of the openssl internal sftp server\r\nForceCommand internal-sftp\n\r#Restricht the sftp server to c:\\sftproot\nSubsystem sftp sftp-server.exe -d \"c:\\sftproot\"\n#Make this the rootdirectory, when accessing by SFtp\r\nChrootDirectory c:\\sftproot \n#<\/code><\/pre>\n\n\n\nAllow or deny connections<\/h2>\n\n\n\n
Note that these directives are processed top to bottom in the configuration file. If one of them is processed, and you will get access or are denied access, other directives will not be processed anymore.<\/p>\n\n\n\n
Examples:<\/p>\n\n\n\nDenyUsers contoso\\admin@192.168.2.23\r\nDenyUsers contoso\\*\r\nAllowGroups contoso\\sshusers contoso\\serveroperators\n\nOr:\n\nAllowUsers localuser@192.168.2.23\r\nAllowGroups sshusers<\/code><\/pre>\n\n\n\nRestrict SFPT acces to a subfolder only<\/h2>\n\n\n\n
This directive is only supported with sftp sessions. A remote session into cmd.exe wouldn’t honor the ChrootDirectory. To set up a sftp-only chroot server, set ForceCommand to internal-sftp. You may also set up scp with chroot, by implementing a custom shell that would only allow scp and sftp.<\/p>\n\n\n\nLogging<\/h2>\n\n\n\n
<\/p>\n\n\n\nSyslogFacility LOCAL0\nLogLevel Debug 3<\/code><\/pre>\n\n\n\nMore Information<\/h2>\n\n\n\n