Setting up sFTP server on a Windows Domain

The goal of this project is to set up secure, encrypted file transfer (sFTP, i.e. file transfer over SSH) on a Windows-based machine without integrating its security with Active Directory (AD).  The reason I did not want to integrate with AD is that I did not want to give normal Windows users access to the site.  The site is for individuals external to my organization who need a location to upload and retrieve files, without having to grant them access to physical data stores on the network.

Most of these instructions were harvested from and modified by notes made during my installation of the software.  I have made minor modifications to clarify user account creation to ensure that it is outside the scope of a Windows domain. 

All resources exist on one machine.  Find a machine on your network that does not contain private information and that can handle ample storage for your needs.  In fact, since it is not integrated with AD, it can be installed on a standalone workstation in a workgroup if desired.  To further control access and security, anonymous access will not be enabled.

There is a real risk that a user can traverse out of their own folder to the root directory of the machine and cause damage.  Though you will presumably only give access to users you trust, you may one day find that you no longer trust a particular user.  For this reason, it is best to limit the number of accounts created and to change the passwords on those accounts frequently.  The paranoiac may wish to go so far as to change the password once the user has completed their current access.  You can also run this in a sandbox so that all access is only to the sandboxed environment.  For further information on sandboxes, research VMware or Microsoft Virtual PC.

To Install

  1. Log in as an administrator on the machine.  By default, an Enterprise or Domain Administrator account can be used, as well as a local administrator account.
  2. Create a folder c:\cygwin
  3. Download cygwin's setup.exe from and save setup.exe in c:\cygwin
    1. Click Start | Run and type c:\cygwin\setup.exe
    2. When it asks for "Local Package Directory", type c:\cyginstall.  This keeps the installation files separate from the program files.
    3. When a selection screen comes up, (you can resize the windows to see better) click the little View button for "Full" view, find the package "openssh", click on the word skip so that an  appears in Column B
    4. Click Next to start installing cygwin and ssh.
    5. The basic cygwin system is about 40 MB, so this may take a while. You may wish to take a coffee break.
  4. Right click My Computer | Properties | Advanced | Environment Variables
    1. Click the New button to add a new entry to system variables:
      1. variable name is CYGWIN
      2. variable value is ntsec
  5. Right click My Computer | Properties | Advanced | Environment Variables
    1. Select the Path variable and click the "Edit" button:
    2. append ;c:\cygwin\bin to the end of the existing variable string.
  6. Open a cygwin window (by double clicking the  icon), a black screen pops open, type
    1. ssh-host-config   (it may take several minutes to generate the DSA keys)
    2. When the script asks you about "privilege separation", answer yes
    3. When the script asks about "create local user sshd", answer yes
    4. When the script asks you about "install sshd as a service", answer yes
    5. When the script asks you for "CYGWIN=" your answer is ntsec
  7. While you are still in the (black) cygwin screen, start the sshd service
    1. net start sshd   or
    2. cygrunsrv --start sshd
    3. Note: if you need to stop the sshd service, pop open a cygwin window and type net stop sshd   or   cygrunsrv --stop sshd
  8. Create users for the sFTP system
    1. Go to Control Panel | Administrative Tools | Computer Management | User Accounts and add the required users.
  9. Make sure every Windows user created has a password set; if not,
    1. go to Control Panel | Administrative Tools | Computer Management | User Accounts and create a password.
  10. Open a cygwin window and harmonize Windows user information with cygwin.
    1. mkpasswd --local > /etc/passwd
    2. mkgroup --local > /etc/group
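
As an added example (not part of the original write-up), here is a bash script for the cygwin window that carries out step 10 while also acting on the caveat in the introduction about limiting who can reach the machine: instead of copying every local Windows account into /etc/passwd, it keeps only the accounts the sshd service needs plus an explicit allowlist of sFTP users, and it refuses to install the new file if one of the allowlisted names has no Windows account behind it. It assumes (none of this is stated in the original) that this cygwin sshd resolves logins through /etc/passwd, so an account left out of the file cannot log in; that the privilege-separation account is the sshd user created by ssh-host-config; and that SYSTEM and Administrators must stay in the file. The names alice and bob and the SAMPLE_PASSWD lines are constructed for the dry run.

```shell
#!/bin/bash
# Added example, not from the original write-up: rebuild the cygwin /etc/passwd
# from `mkpasswd --local`, keeping only the accounts that should be able to log
# in through sshd (step 10 of the write-up, narrowed to an allowlist).
# Assumptions not stated in the original: this cygwin sshd resolves logins via
# /etc/passwd, the privilege-separation account is named "sshd" (as created by
# ssh-host-config), and SYSTEM/Administrators must remain in the file.

SFTP_USERS="alice bob"                    # constructed names; replace with the accounts from step 8
KEEP_ALWAYS="SYSTEM Administrators sshd"  # needed by the service itself

# Constructed sample of `mkpasswd --local` output, used only for the dry run.
SAMPLE_PASSWD='SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused:500:513:U-HOST\Administrator,S-1-5-21-0-0-0-500:/home/Administrator:/bin/bash
sshd:unused:1003:513:sshd privsep,U-HOST\sshd,S-1-5-21-0-0-0-1003:/var/empty:/bin/false
alice:unused:1004:513:U-HOST\alice,S-1-5-21-0-0-0-1004:/home/alice:/bin/bash
bob:unused:1005:513:U-HOST\bob,S-1-5-21-0-0-0-1005:/home/bob:/bin/bash'

# filter_passwd LIST: copy passwd-format lines from stdin to stdout, but only
# those whose login name (field 1) appears in the space-separated LIST.
filter_passwd() {
  keep=" $1 "
  while IFS= read -r line; do
    name=${line%%:*}
    case "$keep" in
      *" $name "*) printf '%s\n' "$line" ;;
    esac
  done
}

# missing_users LIST: print each name in LIST that has no entry in the passwd
# text on stdin, one per line (typically a typo, or an account never created).
missing_users() {
  have=" "
  while IFS= read -r line; do
    have="$have${line%%:*} "
  done
  for n in $1; do
    case "$have" in
      *" $n "*) ;;
      *) printf '%s\n' "$n" ;;
    esac
  done
}

# rebuild_cygwin_accounts: regenerate /etc/passwd and /etc/group, installing the
# new passwd file only if every allowlisted user really exists in Windows.
rebuild_cygwin_accounts() {
  wanted="$KEEP_ALWAYS $SFTP_USERS"
  mkpasswd --local | filter_passwd "$wanted" > /etc/passwd.new
  mkgroup --local > /etc/group.new
  gone=$(missing_users "$wanted" < /etc/passwd.new)
  if [ -n "$gone" ]; then
    printf 'not installing /etc/passwd: no Windows account for: %s\n' "$gone" >&2
    rm -f /etc/passwd.new /etc/group.new
    return 1
  fi
  mv /etc/passwd.new /etc/passwd && mv /etc/group.new /etc/group
}

# Dry run by default; pass --apply from the cygwin window to rewrite the files.
if [ "${1:-}" = "--apply" ]; then
  rebuild_cygwin_accounts
else
  printf '%s\n' "$SAMPLE_PASSWD" | filter_passwd "$KEEP_ALWAYS $SFTP_USERS"
fi
```

Run it from the cygwin window as bash rebuild-accounts.sh --apply after creating the users in step 8; without --apply it only prints which lines of the constructed sample would be kept. /etc/group is still taken whole from mkgroup, as in step 10, because a group entry on its own does not let anyone log in. Whenever an account is removed in step 8, rerun the script so the stale entry leaves /etc/passwd too.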