Using WinSSHD for SFTP

WinSSHD is a capable SSH server which provides multiple ways of secure remote access to Windows. However, a very frequent usage scenario is to configure WinSSHD strictly as an SFTP server, without exposing the machine to terminal shell, tunneling and other types of access. This tutorial explains step-by-step how to configure WinSSHD for a primary role as an SFTP server.

  1. Install WinSSHD. Do not start it yet.
  2. When SFTP users log in, WinSSHD must impersonate the security context of some Windows account before launching the SFTP module. The Windows account has two important functions:
    • It provides fine-grained control over which files and directories the user can access, by way of NTFS filesystem permissions.
    • It provides a security barrier in case the user is able to exploit a vulnerability in the SFTP module.

    Before you do anything else, you must decide which Windows account your SFTP users will be relying on to provide the security context. This is separate from the username and password that the SFTP users will use for login.

    For SFTP access, the security context account should be one with limited Windows rights and reasonably restricted file system permissions. If you do not yet have a suitable account, create it through Control Panel > Administrative Tools > Computer Management. Set a long and complicated password. In this guide, we will be setting up virtual accounts, so this password will not be known to the SFTP users. You will need to enter it into WinSSHD in the next step.

  3. In order for WinSSHD to log into the Windows account you have chosen, it needs to know the account password. WinSSHD stores such passwords in an obfuscated (difficult-to-read) form in the system registry. The passwords' main protection is the set of security settings on the registry key, which allow only the Local System account and local administrators to access them.

    Open the WinSSHD Control Panel and go to the Settings tab. The lower half of the window is titled Password cache for Windows usernames. Enter the full and correct login info for the Windows account you have chosen to provide the security context for SFTP.

  4. Click Edit/view settings. If you have already performed any changes to the settings here, click 'Load defaults', enable 'Reset settings to defaults in all descendant pages in the hierarchy', and click OK. This will bring you back to the initial default configuration.

  5. Go to Access control > Windows groups. You should see a single group of type 'everyone'. Edit the settings for this group. Disable the Login allowed setting. Click OK. This will prevent direct login into WinSSHD with Windows usernames and passwords.

  6. Go to Access control > Virtual groups. There should be a single group called 'Virtual Users'. Edit the settings for this group.

    1. In Windows account domain and Windows account name, enter the domain and username for the Windows account that will provide the security context for SFTP. If the account is local to the server, leave the domain field empty.

    2. Disable the following settings:

      • Permit terminal shell. This prevents your SFTP users from accessing the command interpreter.
      • Permit exec requests. This prevents your SFTP users from executing arbitrary programs via SSH.
      • Permit SCP. WinSSHD supports SCP file transfer, but in the current versions the SCP module does not support SFTP root directories, and you will probably want to set an SFTP root directory. Those clients which provide an SCP-like interface, but actually use SFTP, will still work. Other clients which support only SCP will not work.
      • Permit C2S port forwarding. This prevents your SFTP users from accessing other network services through WinSSHD.
      • Permit S2C port forwarding. This prevents your SFTP users from providing access to their own network services through WinSSHD.
    3. Also change the SFTP root directory setting: set it to a harmless, empty directory. This protects against failure to configure a proper SFTP root directory for an SFTP user.

  7. Now, go to Access control > Virtual accounts and set up as many accounts as you like. For each account, you only need to set the following settings:

    • Virtual account name. This is the name that your SFTP user will use to log in.
    • Virtual account password. This is the password that your SFTP user will use to log in (unless you set up public key authentication).
    • Virtual group. Unless you create additional groups, or rename the existing one, you only have one option here: the default group, 'Virtual Users'.
    • Use default SFTP root directory. Turn this off to configure an SFTP root directory for the user.
    • SFTP root directory. Set this to the directory to which you want to restrict the user. Make sure that the backing Windows account has the desired read or write permissions to this directory.

      You will probably not want to use the default setting here ('\\'): it provides access to all parts of the filesystem accessible with the backing Windows account's permissions. This is good for remote administration, but not as much for a more restricted setup as an SFTP server.

Once WinSSHD is configured in this way, it will only accept connections from users who know one of the Virtual account usernames and passwords you have defined. WinSSHD will allow these users to use only SFTP and none of the other SSH protocol features, and will restrict their SFTP access to each user's SFTP root directory.
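
The NTFS side of steps 2, 6 and 7 can be prepared and checked from an elevated PowerShell prompt. The script below is an added example, not part of WinSSHD or of the original tutorial; the account name sftpsvc, the D:\sftp paths and the virtual account names are assumptions to replace with your own. It assumes the backing account already exists, as created in step 2.

```powershell
#Requires -RunAsAdministrator
# Added example: every name and path here is an assumption, not a WinSSHD default.
$Account   = "$env:COMPUTERNAME\sftpsvc"   # backing Windows account from step 2
$EmptyRoot = 'D:\sftp\_empty'              # group-level fallback root (step 6, item 3)
$UserRoots = @{                            # virtual account -> SFTP root (step 7)
    'alice' = 'D:\sftp\alice'
    'bob'   = 'D:\sftp\bob'
}

function Set-SftpRootAcl {
    param([string]$Path, [string]$Right)   # $Right: RX = read-only, M = modify
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Drop inherited entries, then grant only SYSTEM (S-1-5-18), the local
    # Administrators group (S-1-5-32-544) and the backing account.
    icacls $Path /inheritance:r /grant:r `
        "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" `
        "${Account}:(OI)(CI)$Right" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

# The backing account is the security barrier described in step 2, so it
# must not be a member of the local Administrators group.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
if ($admins | Where-Object { $_.Name -eq $Account }) {
    throw "$Account is a local administrator; choose a limited account."
}

# Fallback root: readable but not writable, and it should stay empty.
Set-SftpRootAcl -Path $EmptyRoot -Right 'RX'
if (Get-ChildItem -LiteralPath $EmptyRoot -Force) {
    Write-Warning "$EmptyRoot is not empty."
}

# One directory per virtual account, writable by the backing account.
foreach ($name in $UserRoots.Keys) {
    Set-SftpRootAcl -Path $UserRoots[$name] -Right 'M'
    Write-Output "SFTP root for '$name': $($UserRoots[$name])"
}
```

Because all virtual accounts in this guide share one backing Windows account, NTFS permissions cannot separate one virtual user from another; that separation comes only from each account's SFTP root directory setting in WinSSHD.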