Configuring Bitvise SSH Server for SFTP, SCP file transfer

Bitvise SSH Server provides multiple types of secure remote access to Windows. A frequent usage scenario is to configure the SSH server specifically for file transfer, without exposing the machine to terminal shell, tunneling and other types of access. This tutorial explains step-by-step how to configure Bitvise SSH Server for a primary role as a file transfer server using SFTP and SCP.

  1. Install Bitvise SSH Server. Do not start it yet.

  2. When you install Bitvise SSH Server, the Easy settings wizard should appear. You can also access Easy settings at any later time by clicking 'Open easy settings'.

    If you have already performed any changes to SSH server settings, click 'Restore', and then 'Reset settings to default values'.

  3. The first tab of Easy settings is named Server settings. When you are ready for your server to accept connections over the internet, you will need to open this tab and enable the checkbox 'Automatically configure router (requires UPnP)'. You will also need to change the setting 'Open Windows Firewall' to 'Open port(s) to any computer'.

    We recommend that you leave the router and firewall settings unchanged until you have configured the server and tested your configuration by connecting to the server with an SSH or SFTP client installed on the same computer, or in your local network.

  4. The next tab of Easy settings is named Windows accounts. This tutorial describes how to configure Bitvise SSH Server for file transfer using virtual accounts. Therefore, disable the checkbox 'Allow login to any Windows account'. This will prevent anyone from logging into your SSH server using accounts not configured in SSH server settings.

    To use Bitvise SSH Server with virtual accounts only, do not add any Windows account entries under 'Windows accounts'.

  5. The final tab of Easy settings is named Virtual accounts. Click the 'Add' button to add a virtual account, or use the 'Edit' button to edit an existing virtual account. Edit the virtual account settings as follows:

    • Virtual account name. This is the name that your user will use to log in.

    • Virtual account password. This is the password that your user will use to log in (unless you set up public key authentication).

    • Login allowed. Enable this if the account should be able to connect to your server. You can disable this to prevent access without deleting the account.

    • Allow file transfer. Enable this checkbox to allow SFTP and SCP access.

    • Allow terminal. Disable this checkbox to prevent the user from accessing the Windows command interpreter and other programs over SSH.

    • Allow port forwarding. Disable this checkbox to prevent the user from accessing other network services over SSH.

    • Virtual filesystem layout. Set this to either 'Limit to root directory', or to 'Advanced filesystem layout'.

      When using 'Limit to root directory', you can set up the user so they are able to access only a single directory and its subdirectories over SFTP. When using 'Advanced filesystem layout', you can configure multiple directories that the user can access through virtual filesystem mount points.

      To guarantee that your users can access the directories you configure for them, make sure that the Windows account BvSsh_VirtualUsers has Windows filesystem permissions to access those directories. This account is a member of the Users group, so if the Users group has sufficient access, the virtual account will have access as well.

  6. When you are done configuring virtual users, click 'Save changes' to exit Easy settings. You can now start Bitvise SSH Server and try connecting with an SCP or SFTP client. We also recommend trying to connect with an SSH terminal client to ensure that users cannot access the terminal shell or port forwarding.

  7. Once you have tested your configuration and ensured that it works correctly, click 'Open easy settings' again and edit the router and firewall settings on the 'Server settings' tab to open your server to internet connections.
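
One way to run the checks recommended in step 6 with the Windows OpenSSH client, as an added example that is not part of Bitvise's documentation. It assumes ssh.exe and sftp.exe are on PATH, that the virtual account (here the hypothetical 'sftptest') uses public key authentication, that the server's host key is already in known_hosts, and that the server also listens on its own loopback address.

```powershell
# Added example. Assumptions, none from the tutorial: account name, key path
# (no spaces), a free local port, and a host key already accepted in known_hosts.
param(
    [string]$Server    = '127.0.0.1',
    [int]   $Port      = 22,
    [string]$User      = 'sftptest',                         # hypothetical account
    [string]$KeyFile   = "$env:USERPROFILE\.ssh\id_ed25519",
    [int]   $LocalPort = 40022                               # assumed free
)
$target = "${User}@${Server}"
$common = @('-i', $KeyFile, '-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10')

# 1. File transfer must work: run a one-command SFTP batch.
$batch = New-TemporaryFile
Set-Content -Path $batch.FullName -Value 'ls' -Encoding Ascii
& sftp.exe @common -P $Port -b $batch.FullName $target *> $null
$sftpOk = ($LASTEXITCODE -eq 0)
Remove-Item $batch.FullName

# 2. Exec and shell requests must run nothing: a random marker never comes back.
$marker      = 'MARK-' + [guid]::NewGuid().ToString('N')
$execOut     = & ssh.exe @common -p $Port $target "echo $marker" 2>&1 | Out-String
$shellOut    = "echo $marker" | & ssh.exe @common -p $Port -T $target 2>&1 | Out-String
$execDenied  = -not $execOut.Contains($marker)
$shellDenied = -not $shellOut.Contains($marker)

# 3. Port forwarding must fail: tunnel to the SSH server's own port and look
#    for an SSH banner. Reading a banner means the forward was permitted.
$fwdArgs = $common + @('-p', $Port, '-N', '-L', "127.0.0.1:${LocalPort}:127.0.0.1:${Port}", $target)
$fwd     = Start-Process ssh.exe -ArgumentList $fwdArgs -PassThru -WindowStyle Hidden
Start-Sleep -Seconds 3
$banner = ''
try {
    $tcp    = [System.Net.Sockets.TcpClient]::new('127.0.0.1', $LocalPort)
    $stream = $tcp.GetStream(); $stream.ReadTimeout = 5000
    $buf    = New-Object byte[] 64
    $banner = [Text.Encoding]::ASCII.GetString($buf, 0, $stream.Read($buf, 0, $buf.Length))
} catch { } finally {
    if ($tcp) { $tcp.Close() }
    if (-not $fwd.HasExited) { $fwd.Kill() }
}
$forwardDenied = -not $banner.StartsWith('SSH-')

[pscustomobject]@{
    SftpAllowed = $sftpOk;      ExecDenied    = $execDenied
    ShellDenied = $shellDenied; ForwardDenied = $forwardDenied
    Pass        = $sftpOk -and $execDenied -and $shellDenied -and $forwardDenied
}
```

The exec, shell and forwarding results are only meaningful when SftpAllowed is True, because a failed login also returns no marker and no banner.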

Configured in this way, Bitvise SSH Server will only accept connections from users who know one of the virtual account usernames and passwords you have defined. The SSH server will allow these users to use only SFTP or SCP, and none of the other SSH protocol features, and will restrict their file access to each user's root directory, or to their virtual filesystem mount points.

If you installed Bitvise SSH Server on a domain controller, the above steps will not be sufficient. Domain controllers do not have local accounts, so the SSH server cannot manage a local account to provide the security context for virtual users. In this case, you will need to use the SSH server's Advanced settings and configure a domain account to provide security context. Consult 'Configuring groups and accounts' to learn more about how Bitvise SSH Server operates, so that you can configure it properly.