Information Security
windows ssh sftp
Updated Fri, 08 Jul 2022 20:23:31 GMT

SFTP on Windows - is it likely to be disabled?


I'm a software engineer and I'm maintaining a product that allows a user to run commands and scripts on Linux servers via an SSH connection. We now need to extend this functionality onto Windows.

We have a working solution, using freeSSHd on the Windows server. We're able to connect via SSH and run commands. In order to allow us to run scripts, we need to transfer the script from the Linux web server onto the Windows server via SFTP. We then delete the script once it has run and we have the output.

My question is simple: I'm unfamiliar with SSH on Windows and I'm wondering if a user has SSH configured, how likely is it that they'll have SFTP disabled. I'm aware that SSH isn't standard on Windows and that a user would need to install their own SSH server (freeSSHd in my case). I'm also aware that SFTP is a "subset" of SSH and uses the same port with the same credentials. What I'm concerned about is that a user could refuse to enable SFTP (despite having SSH enabled), meaning that our "solution" won't work.

Basically, is there a precedent or accepted security standard on Windows that would mean that a user would refuse to enable SFTP for some valid, tangible reason, or is the fact that SSH is enabled sufficient to assume that there will be no issues enabling SFTP? Is there anything that would give a user grounds to refuse to enable SFTP despite having SSH installed and enabled?




Solution

Because SFTP runs over the same protocol as SSH, there is no valid technical reason to refuse to enable SFTP.

That said, there may be company policies that prevent this. There is a big difference between an SSH connection to issue commands, and an SFTP to transfer files. A company might accept the risk of allowing an approved account to access another machine, but might balk at the transfer of data.

So, technically, the risk is the same. Functionally, there is a big difference and an organization might have a policy against it.


This is the case in an area of my organization. We allow SSH to some servers, but no data transfer to/from those servers and have monitoring to ensure that the traffic flow stays below a certain threshold. Granted, it's a special case, but there's precedent.





Comments (1)

  • +0 – Thanks - this was my feeling before asking the question so your feedback is useful. My main concern was that there would be some sort of security best practise that would mean that SFTP would be disabled pretty much by default (despite SSH being enabled), but that doesn't seem to be the case (which is good). Rather, it appears likely that the availability of SFTP will be a matter for internal policies. That being the case, we can mitigate for this. Thanks again. — Jul 06, 2015 at 11:23