If you need to provide a SFTP connection to a specific server, you can install and configure IIS. However, if your needs do not require dedicated home folders for each user or only require granting access to a small number of people, perhaps setting up the optional SFTP/SSH server available in Server 2022 will be just the ticket. To get started, Open an elevated PowerShell console and run the following command:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
If this is successful, you should see the phrase, “Online : True”. To make the startup of the service automatic, run the next command in the same PowerShell window.
If you receive an error similar to below, the computer is not set to get its updates directly from Microsoft. This would include most of our servers still pointed to WSUS.
Add-WindowsCapability : Add-WindowsCapability failed. Error code = 0x800f0954 At line:1 char:1
To resolve the problem for Server 2022 open the file “I:\SSH-WindowsServer2022-CustomBits\20348.1.210507-1500.fe_release_amd64fre_SERVER_LOF_PACKAGES_OEM.iso” and note to which drive letter the ISO is assigned. Then issue the modified command below to install. You can see the drive letter F: is where the ISO is registered.
dism /online /add-package /packagepath:"F:\LanguagesAndOptionalFeatures\OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab"
In either case, If the install is successful, you should see the phrase, “Online : True”. To make the startup of the service automatic, run the next command in the same PowerShell window.
Get-Service -Name "sshd" | Set-Service -Startup "Automatic" -PassThru | Start-Service -PassThru
You can verify the installation by typing the command “services.msc” into the PowerShell window. This will launch the built-in services applet. The service is named, “OpenSSH SSH Server” and you should see that it now is running and set to auto start. Here you can stop, start, or restart the service. If you prefer using the command line, the same can be accomplished with these commands:
stop-service sshd
start-service sshd
restart-service sshd
Several customizations can be made to the SSH service to restrict who has access to the server and where a user will land when connecting. The configuration fille is found by default at “C:\ProgramData\ssh\sshd_config”. To edit the file, launch Notepad.exe as Administrator or use Notepad++ to open the file in the location below. NOTE: Any time you edit this file, the service must be restarted for the changes to take effect..
By default, all local and domain users have the ability to connect to the SSH instance. When each user connects, they will be dropped into their individual profile folder on the server. If the user did not already have a folder, it will be created on first logon. Since this may not be what you desire, you can modify the config so that every user will drop into a the same folder and or configure who will be allowed to connect.
To set the server to make all connections to the same folder, find this line in the config file, “ChrootDirectory none
” and change it to read, “ChrootDirectory "DriveLetter:\Folder of your choice
“
To control who can connect to the server, copy the following lines into the sshd_config file just above the line, “Match Group Administrators” at the end of the file.
#Allow or deny users and groups
# Items must be in this order:
# DenyUsers
# AllowUsers
# DenyGroups
# AllowGroups
#AllowUsers domain\cooper.a
AllowGroups domain\SSH-Windows
All of the lines beginning with # symbol are comments and not used in the config except as reminders or placeholders. The user restrictions are processed in the order shown. In this config, I have commented an AllowUsers line while leaving the AllowGroups line as active. This is because only one of these options can be active at any one time. If you want to allow only your self to connect, use the AllowUsers version. In the example, this would allow the user cooper.a to connect and no one else. If you want more than one person to login, user the AllowGroups option.
Currently, the server does not support Entra ID accounts and cannot be protected with MFA. Test your config by connecting as an allowed user with WinSCP or your favorite SSH client.
Links to more info below
https://4sysops.com/archives/configure-an-sftp-server-on-windows/
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration
https://woshub.com/connect-to-windows-via-ssh/
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement