Securing Windows File Shares with SSH Port Forwarding
This article is not about SFTP or SCP file transfer. It is instead about accessing Windows file shares - folders exposed to a local network using built-in Windows functionality - via SSH tunneling (port forwarding).
We no longer support tunneling Windows file shares over SSH. Changes in Windows design have made this usage scenario between difficult and impossible. The following is old information that we continue to provide only as a courtesy. We do not recommend that you try this. We recommend finding a way to use SFTP access to the file share instead.
Recent Windows Versions
In recent versions of Windows, including Vista, Windows 7, and 2008, setting up port forwarding of file shares over SSH is now considerably more difficult. We recommend adapting your approach so that you can use SFTP or SCP for file transfer instead.
If you would still like to port forward Windows file shares, you may be able to achieve this using an approach described by Jan Just Keijser in this tutorial. Jan's tutorial was written with PuTTY in mind, but the crucial steps will work identically with Bitvise SSH Client.
Note: Following this tutorial will cause SMB to run much later after booting the computer. This may cause problems if your computer is joined to the domain, because Group Policy is distributed via SMB from the domain controller. Other boot-time tasks such as virus scanner updates also sometimes use SMB, and may fail.
In the event that Jan's tutorial becomes unavailable, the following is a summary:
- Note that all command lines shown below will require an elevated administrative Command Prompt.
- You will need an additional (real or virtual) network adapter on which you can disable the Client for Microsoft Networks functionality. An easy way to obtain this additional adapter is by installing a Microsoft Loopback Adapter. You can do so through the Add Hardware Wizard:
- Run hdwwiz.exe.
- Select "Install the hardware that I manually select from a list". Click Next.
- Select "Network Adapters". Click Next.
- Select manufacturer "Microsoft" and then adapter "Microsoft Loopback Adapter". Click Next until finished.
- Configure the network adapter to disable Client for Microsoft Networks functionality, and give it an IP address:
- Open the Network Connections Center.
- Open Properties for your loopback adapter.
- Disable the checkboxes Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.
- The checkbox for Internet Protocol Version 4 must remain enabled.
- Select Internet Protocol Version 4. Click Properties.
- Select Use the following IP address. Enter a private IP address such as 10.255.255.1. Enter subnet mask 255.255.255.0.
- Click on Advanced to open Advanced TCP/IP Settings.
- Deselect Automatic metric and enter 9999 as Interface metric.
- Switch to the WINS tab, and select Disable NetBIOS over TCP/IP.
Disable automatic starting of the smb driver by executing the following command:
sc config smb start= demand
Note the space between start= and demand.
Execute the following command to reroute TCP port 445 to a port of your choice. For example, 44445:
netsh interface portproxy add v4tov4 listenaddress=10.255.255.1 listenport=445 connectaddress=10.255.255.1 connectport=44445
- Since the smb driver has been set up to not start on system startup, add a scheduled task to start it when anyone logs in:
- Start Task Scheduler from Administrative Tasks.
- Name the task as you prefer, e.g. "Start SMB".
- In the Trigger tab, select "When I log on".
- In the Action tab, select "Start a program".
- In the Start a program tab, enter "c:\windows\system32\net.exe" under Program/script. Enter "start smb" under Arguments.
- Before clicking Finish, select the checkbox Open the Properties dialog.
- Click Finish and the task Properties window will show up.
- Select Run whether user is logged on or not. Then, select Do not store password.
- Select Run with highest privileges.
- Go to the Triggers tab, and right click to edit the At log on trigger.
- In the Edit Trigger window, change the setting Specific user or group to Any user.
- Click OK to close the Edit Trigger window, then switch to the Conditions tab.
- In the Conditions tab, make sure that the option Start the task only if the computer is on AC power is not set.
- Reboot your computer, login, and verify:
sc query smb
The SMB driver should be in the Running state.
netstat -an | find ":445"
You should see an entry such as:
TCP 10.255.255.1:445 0.0.0.0:0 LISTENING
If you see '0.0.0.0:445' instead, then the portproxy rule was not applied correctly.
- You can now set up your SSH client to forward local port 44445 on interface 10.255.255.1, to destination port 445 on your desired destination server (the one hosting the network share).
You can now use UNC paths of the form \\10.255.255.1\sharename\ to access file shares on the destination server.
Older Windows Platforms
On Windows versions prior to Windows Vista, you can forward file shares over an SSH connection by forwarding connections on port 139 on the sharing-consumer machine via SSH to the sharing-provider machine. The exact setup differs depending on the version of Windows on the sharing-consumer machine:
- Windows 2000: configure the SSH client to listen on interface 127.0.0.2 and connect to '\\127.0.0.2\sharename'. This is all that is necessary.
- Windows XP: same as for Windows 2000, but before using the forwarded share, the local (client's) Windows file sharing server needs to be stopped via 'net stop server'. To disable it permanently, run 'sc config lanmanserver start= disabled'. To re-enable it at a later time, run 'sc config lanmanserver start= auto'. Note the space between 'start= ' and the following parameter - sc will fail without it.
If you want to avoid disabling the file sharing server on the client machine because you want to retain remote access to the client machine's shared resources, there is another alternative. You can install the Microsoft Loopback Adapter according to instructions relevant to your version of Windows:
- The Loopback Adapter and file share tunneling: Windows XP and 2003
- The Loopback Adapter and file share tunneling: Windows 2000
- The Loopback Adapter and file share tunneling: Windows NT4
If using the Microsoft Loopback Adapter, remember to setup your SSH client appropriately: use the Loopback Adapter's IP instead of 127.0.0.1 or 127.0.0.2. If you assigned the Loopback Adapter the IP address 10.10.10.10, configure a client-to-server port forwarding rule to listen on 10.10.10.10, port 139; then you can connect to '\\10.10.10.10\sharename'.
If the instructions on this page fail for you, try some of the file share tunneling tips contributed by our users.
Note that, in all cases, you will not be able to browse to the sharing-provider machine via point-and-click - the network path needs to be typed in manually.
Follow these steps if you wish to get quickly up and started with Windows file sharing over SSH. It is advised that you try to understand what is being done by each one of the steps presented. The difference between understanding and not understanding is frequently the difference between a security measure which works and one that only appears to.
On the server machine: (the file-sharing provider)
- Install Bitvise SSH Server on the server - the machine that has the resources you wish to access with Windows file sharing.
- No changes to the default SSH Server configuration are required to use Windows file sharing over SSH. You may wish to make changes to the default SSH Server configuration later on, to restrict what SSH features are accessible to remote users. However, for the time being, keep your SSH Server settings at default until your file sharing over SSH is up and running.
- Apart from installing the SSH Server, the only thing you need to do on the server is ensure that there is a Windows account which you can use to log on locally, and which you are comfortable using through Bitvise SSH Client and Server. If such an account does not yet exist, create one and use it to log on for the first time through the local Windows console to make sure all settings for the new account are initialized.
- Start the SSH server from the Bitvise SSH Server Control Panel.
On the client machine:
- If the client is running Windows XP or 2003 and you wish to retain the ability to share the client's resources, install and configure the Microsoft Loopback Adapter.
- Install Bitvise SSH Client on the client (the machine from which you wish to be accessing the server machine's shared resources).
- Configure the following settings on the Login tab of the SSH Client. Click also the 'Help' link on the Login tab for help with any of these settings.
- Host: The IP address or DNS name of the server that you are accessing.
- Port: You will normally use the default value, 22. This must match the port that the SSH Server is listening on. If you have made no changes to the default SSH Server configuration to change the port it is listening on, use 22.
- Username: The Windows account name with which to log into the server. This must be a valid Windows account name with local logon permissions on the side of the server.
- Password: The password with which to log into the server, belonging to the account name specified by Username.
- Store encrypted password in profile: You may optionally wish to enable this setting so that you will not be asked to reenter the password each time when logging in after the SSH Client has been restarted.
- In the C2S Forwarding
tab of Bitvise SSH Client, add a new entry and configure the following settings
for this entry. Click also the 'Help' link on the C2S Forwarding tab
for help with any of these settings.
- Status: This will be 'enabled' by default, leave it that way.
- Listen interface: The default value is 127.0.0.1. If the client machine is running Windows XP, leave this as it is; you will need to uninstall file and printer sharing on the client machine anyway. If the client machine is running Windows 2000, change this to 127.0.0.2 so that you will not need to uninstall file and printer sharing.
- List. Port: 139.
- Destination Host: set this to the interface on which the file sharing server is listening for SMB connections. Setting this to 'localhost' or 127.0.0.1 will not work because the file sharing server is usually listening on a specific interface rather than all interfaces, so it will not be possible to go through the loopback connection. To determine the interface where the file sharing server is listening, execute 'netstat -an' on the server and examine the output for a line like 'xxxxxx:139 ... LISTENING'. The xxxxxx is the IP address that you need to enter in this field. Normally this will be the IP address associated with the server's main ethernet adapter.
- Dest. Port: 139.
- Click the Login button in Bitvise SSH Client and observe the log area for any errors. If the session is established without errors, the SSH setup is running.
- If you are running Windows XP, you will now need to uninstall (not just disable, but completely uninstall) file and printer sharing on the client machine. This can be done through Network Connections : (each connection) : Properties - select 'File and Printer Sharing' in the list box and press the Uninstall button. This needs to be done for each active network connection on the client machine.
- If you are using earlier versions of Windows (this is confirmed for Windows 2000 but is likely to apply to the 9x/Me series as well), you will not need to uninstall file and printer sharing if you specified 127.0.0.2 as the C2S rule listening interface in the SSH Client (above).
- Once the above steps have been completed, you will be able to connect securely to the shared resources on the server machine using syntax such as \\127.0.0.1\sharename or \\127.0.0.2\sharename, respectively. This will work as long as the SSH connection remains established.
- You can make sure that your file sharing connections are going through Bitvise SSH Client by checking the SSH Client log area for a message saying 'Accepted client-to-server connection from ... to ...:139' corresponding to each connection attempt you make. Likewise, when your file sharing connection closes, the SSH Client should output a log message stating 'Closing client-to-server forwarding channel from ... to ...:139'.
If you encounter problems establishing the SSH session, you will receive diagnostic information in the SSH Client log area, as well as in the log entries recorded by SSH Server on the server side. Especially in the case of an authentication failure, the SSH Server log entries will contain important diagnostic information. Inspect the SSH Server log entries using the Windows Event Viewer on the server side.
Please see our contact and support page for more information and links to documents about how to go about resolving problems with Bitvise SSH Client and Server.