Add an SFTP Server to your Windows Core Server using PowerShell

Sometimes users require SFTP access to their file storage on our Linx Cloud servers. Here are the steps to set it up from a server management point of view.

  1. Remote Desktop into the machine and access PowerShell

C:\> powershell

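  2. Install OpenSSH, then set the service to start automatically and start it

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Get-Service -Name "sshd" | Set-Service -StartupType "Automatic" -PassThru | Start-Service -PassThru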

  3. Change the port number to whatever you want to use, in this case port 2223

(Get-Content "C:\ProgramData\ssh\sshd_config").Replace("#Port 22", "Port 2223") | Set-Content "C:\ProgramData\ssh\sshd_config"
Restart-Service "sshd"

  4. Check the port to see if SSH is running

Get-NetTCPConnection -LocalPort 2223 | select Local*, State, @{n="ProcessName";e={(Get-Process -Id $_.OwningProcess).ProcessName}},
@{n="ProcessPath";e={(Get-Process -Id $_.OwningProcess).Path}} | ft -Auto

  5. Create a new group to assign users to

New-LocalGroup -Name "SFTPUsers"

  6. Set up a new user

$Password = Read-Host -AsSecureString
$params = @{
    Name = 'ftpuser'
    Password = $Password
    FullName = 'FTPUser'
    Description = 'FTPUser'
}
New-LocalUser @params

  7. Assign user to new group

Add-LocalGroupMember -Group SFTPUsers -Member ftpuser

  8. Go to your SSH folder and open the sshd_config file with Notepad

cd \
cd ProgramData\ssh
Notepad.exe sshd_config

  9. Add the root folder you want to use for SFTP into the config. Any place is fine.

ChrootDirectory "F:\MyDrive"

  10. Allow users to log in with passwords by uncommenting this line

PasswordAuthentication yes

  11. Add the newly created group to access SFTP

AllowGroups yourserverlocalname\SFTPUsers

  12. Save the file and close Notepad. Restart SSH

Restart-Service "sshd"

  13. Go to the location that contains the folder we are using as the SFTP home. In our case F:

  14. Set the permissions for our newly created group to have READ rights on this folder

$ACL = Get-ACL -Path "MyDrive"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("yourserverlocalname\SFTPUsers","Read","Allow")
$ACL.SetAccessRule($AccessRule)
$ACL | Set-Acl -Path "MyDrive"
(Get-ACL -Path "MyDrive").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize

  15. Set the permissions for our new group to NOT have Write access. Thus we're giving read-only access:

$ACL = Get-ACL -Path "MyDrive"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("yourserverlocalname\SFTPUsers","Write","Deny")
$ACL.SetAccessRule($AccessRule)
$ACL | Set-Acl -Path "MyDrive"
(Get-ACL -Path "MyDrive").Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize

  16. Try logging in to our new SFTP server with an SFTP client such as Linx or FileZilla. It should work.
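
The sshd_config edits made above (port, chroot folder, allowed group) can be checked with a small parser. This is an added example, not part of the original post, and it also flags one thing the steps leave open: in OpenSSH for Windows, ChrootDirectory only confines SFTP sessions, so without ForceCommand internal-sftp members of the group can still open a regular SSH shell. Test-SftpConfig is a hypothetical helper name and the sample lines are constructed.

```powershell
# Added example. Test-SftpConfig is a hypothetical helper, not part of OpenSSH.
function Test-SftpConfig {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    # sshd keeps the first value it reads for a keyword, and keywords are
    # case-insensitive. Simplification: all Match blocks are pooled together.
    $top = @{}; $matched = @{}; $inMatch = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '\s+', 2
        $key = $key.ToLowerInvariant()
        if ($key -eq 'match') { $inMatch = $true; continue }
        $target = if ($inMatch) { $matched } else { $top }
        if (-not $target.ContainsKey($key)) { $target[$key] = "$value".Trim('"') }
    }

    # Value that applies to the SFTP users: Match block first, then global.
    $get = { param($k) if ($matched.ContainsKey($k)) { $matched[$k] } else { $top[$k] } }
    $warnings = @()
    if (-not $top.ContainsKey('port')) {
        $warnings += 'No active Port line: sshd listens on the default port 22.'
    }
    if (-not (& $get 'allowgroups')) {
        $warnings += 'No AllowGroups line: logins are not limited to the SFTP group.'
    }
    if ((& $get 'chrootdirectory') -and (& $get 'forcecommand') -ne 'internal-sftp') {
        $warnings += 'ChrootDirectory without "ForceCommand internal-sftp": only SFTP ' +
                     'sessions are confined, an interactive SSH shell is not.'
    }
    [pscustomobject]@{
        Port            = $top['port']
        ChrootDirectory = & $get 'chrootdirectory'
        AllowGroups     = & $get 'allowgroups'
        Warnings        = $warnings
    }
}

# Constructed sample: the directives this guide adds to sshd_config.
$sample = @(
    'Port 2223'
    'PasswordAuthentication yes'
    'ChrootDirectory "F:\MyDrive"'
    'AllowGroups yourserverlocalname\SFTPUsers'
)
(Test-SftpConfig -Lines $sample).Warnings
# On the server: Test-SftpConfig -Lines (Get-Content 'C:\ProgramData\ssh\sshd_config')
```

An empty warning list for the Port check also confirms that the `#Port 22` text replacement actually matched a line in the file.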