Ask a Microsoft Windows NT administrator that same question, however, and you're likely to hear a groan, followed by a list of packaged solutions, none of which he or she is happy with. Part of the problem lies in the fact that Windows NT is just difficult to manage remotely. In addition, Windows administrators are often limited to the use of standard Windows file sharing, FTP or proprietary tools for transferring files. Solutions are rarely good and are usually insecure.
Fortunately for the Windows crowd, this is changing, thanks to SSH Secure Shell for Windows Servers. SSH Communications Security has done a beautiful job in porting the SSH server (SSHD) to Windows NT/2000 and bundling it as a commercial offering. SSH Secure Shell for Windows Servers is a single package that supports SSH version 2 (it does not support version 1), SFTP (Secure File Transfer Protocol) and SCP (Secure Copy). Although Windows-based SSH clients have existed for years, before this release the only offering on the SSH service/server side of the Windows fence was an unsupported Cygwin port of the Unix package. It worked, but it wasn't as polished as some might have liked, and it was not commercially supported.
Installation and Customization
I was able to install the product in about 60 seconds in our partner labs at Neohapsis, in Chicago. The installation was painless, and the entire distribution is less than 3 MB. SSH server for Windows installs the SSH server process as a standard service, so you can control it from the command line or from the standard "services" component of the Windows control panel.
SSH server runs adequately out of the box, but its configuration can be fine-tuned. Further configuration can be performed in one of two ways. Those of you familiar with the Unix sshd2_config configuration file will feel right at home popping it open and editing manually in Notepad.
For the more GUI-inclined, SSH Communications Security has built in a slick configuration interface that should take care of anything you want to customize. Administrators can control port forwarding (for securely tunneling other applications through SSH), time-out values, user permissions and restrictions, encryption algorithms, encryption keys, and an assortment of other features.
Secure Services
Once the service is enabled, Windows administrators will find two primary components especially to their liking. The first one is secure, remote command-line administration. Administrators can use a standard SSH client (Windows or Unix) to remotely access the Windows system and authenticate using native NT/2000-based accounts.
The service will then drop the user to a shell prompt or any other program that the administrator might have set up. This lets administrators access any of the command-line functions that Windows NT/2000 supports. Unfortunately, there are only so many things you can do from a command prompt in Windows NT/2000, but this method of access is far more secure and robust than previous remote command-line offerings.
The second component that Windows administrators will welcome is indeed a godsend: the use of standards-based secure file transfer protocols, such as SFTP and SCP. Native Windows file sharing could be an acceptable solution for internal file copying needs, but what happens when you need to copy files to a remote, collocated Web server or a third-party supplier or vendor? Or worse, what if you have to copy these files between Windows and Unix platforms?
Native FTP has been the long-standing solution because of its availability on multiple platforms and because its easy-to-use clients, such as WS-FTP and Cute-FTP, are favorites among less-experienced users. Unfortunately, FTP lacks encryption abilities. By comparison, SFTP and SCP offer a standards-based cross-platform mechanism to move files securely across unfriendly territory.
Testing It Out
I tested this functionality with both the F-Secure Corp. SSH/SFTP client and SSH Communications' own SSH/SFTP client suite. Both packages have an easy-to-use Explorer-like interface (see screen on page 36), so novice users should be able to use the solution without a hitch. I also tested the Windows SSH server with PuTTY, an open-source SSH Windows client. I even tested SFTP and SCP from our Linux machines. All clients worked flawlessly with the SSH server.
On the encryption front, SSH Communications has built-in support for DES (Data Encryption Standard), 3DES, Blowfish and an assortment of other industry-accepted algorithms. In addition, the product was developed in Europe and avoids U.S. crypto-export laws.
The only thing that made me nervous about the product is that the default configuration made it possible for all our domain users to log in and gain shell-level access to our servers. While this isn't exactly a flaw, administrators should take note of it. Diligent administrators can use SSH server's security features and restrict logins based on user names and host addresses.
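An added example, not part of the original review or the product: a small audit over an sshd2_config-style file that flags the condition described above, where no user or host allow-list limits who can log in. The keywords AllowUsers, AllowGroups and AllowHosts are taken from the Unix sshd2_config format and are assumed to carry over to the Windows server; the sample configurations are constructed.

```python
# Keywords assumed from the Unix sshd2_config format; the review does not
# list the Windows server's exact keyword set.
USER_KEYS = ("allowusers", "allowgroups")
HOST_KEYS = ("allowhosts",)
MATCH_ALL = {".*", "*"}

def parse_config(text):
    """Return {keyword_lower: [values]} for 'Keyword value, value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                 # keywords are case-insensitive
        values = parts[1].split(",") if len(parts) > 1 else []
        settings.setdefault(key, []).extend(v.strip() for v in values if v.strip())
    return settings

def audit(text):
    """List findings about missing or ineffective login restrictions."""
    cfg = parse_config(text)
    findings = []
    for label, keys in (("user", USER_KEYS), ("host", HOST_KEYS)):
        values = [v for k in keys for v in cfg.get(k, [])]
        if not values:
            findings.append(f"no {label} allow-list set")
        elif any(v in MATCH_ALL for v in values):
            findings.append(f"{label} allow-list contains a match-all pattern")
    return findings

# Constructed sample: restrictions absent (the AllowUsers line is commented out).
UNRESTRICTED = """## constructed sample
Port 22
# AllowUsers ntadmin
"""

# Constructed sample: logins limited to named accounts and management hosts.
RESTRICTED = """## constructed sample
Port 22
AllowUsers ntadmin, backupop
AllowHosts mgmt1.example.com, mgmt2.example.com
"""

if __name__ == "__main__":
    for name, cfg in (("unrestricted", UNRESTRICTED), ("restricted", RESTRICTED)):
        print(name, audit(cfg) or "ok")
```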
For those of you who have never used SSH, this package is about as clean an introduction as you're going to get. Unix veterans familiar with the utility will feel right at home. It works as you'd expect it to work, and it's clean, concise and free of fuss.
Although the package doesn't sport any earth-shattering technology, the SSH protocol is a much anticipated and welcomed service addition for anyone who has struggled with remote NT administration and file-transfer issues. In fact, I'm not sure how we've lived without it.
Greg Shipley is the director of security services for Chicago-based Neohapsis. Send your comments on this article to him at gshipley@neohapsis.com.