Created a Secure FTP (SFTP via SSH) server - but user (local user) gets FULL ACCESS to the server!!???!?!?

Posted on 2006-04-04
Last Modified: 2008-01-09
Created a Secure FTP (SFTP via SSH) server - but user (local user) gets FULL ACCESS to the server!!???!?!? THE ENTIRE SERVER!!!

SFTP basically uses SSH to encrypt user login info and files being transferred. To do this, you need to create a Windows Local user and group that will be allowed into a particular folder.

I did that, but when I connect through SFTP (filezilla), I get access to the entire server. How is this more secure than regular FTP???

What did I do wrong?? How do I restrict a local user to one folder only?

Question by:vanauden

    Expert Comment

    You probably have setup issues.  You need to set the root of your FTP server to something other than C:\.  Exactly what SFTP package did you use?

    Author Comment

    openSSH from

    the FTP server is Filezilla and the remote client is also filezilla.

    I just found out that with SFTP you have to restrict the Windows Local User account.

    I did that, but now the SFTP only opens the OpenSSH folder - I have no idea how it gets there, but it is restricted to that folder and subfolders.

    I am going to try uninstalling OpenSSH then reinstalling it from scratch and see if that works.

    The root of my SFTP server is D:\somefolder\somesubfolder and I put user restrictions on the subfolder

    Is there another package that works better?

    Accepted Solution

    Ok, figured the whole thing out: Had to uninstall/re-install OpenSSH

    Here is how to do the entire thing:  (Windows 2003)

    Note: I am taking some stuff from, but not all. I like this tutorial, but it is very incomplete in terms of instructions relating to Windows permissions.

    1. Download OpenSSH for Windows here

    2. Run the installer and be sure to install both the client and server components.

    3. Create a new Windows user and group that will be used for SFTP only.

    4. Now make sure that this new user is a member of the group you just created.

    5. Create your SFTP folder/directory and name it with the exact same name as your new user.

          a. Do NOT create this folder directly under a hard drive letter because Windows permissions will give the SFTP user access to other drives, and YOU DO NOT WANT THAT!
          b. I suggest you create a folder for SFTP, then create a SUBFOLDER with the new user's name. That way, you restrict the user's group permissions on the subfolder. To be even safer, you then completely deny permissions for this user on the main SFTP folder. More on this later on.

    6. Using Windows Explorer, go to this directory: C:\Program Files\OpenSSH\etc

          a. Make sure that the file "group" exists. If not, create it with NO extension. (It should be empty.)
          b. Make sure that the file "passwd" exists. If not, create it with NO extension. (It should be empty.)

    7. Open the Windows Command Prompt and go to this directory: C:\Program Files\OpenSSH\bin

    8. SIDE NOTE: A local group or user is one that allows permissions for a user logged into the local machine only (as opposed to being logged in from a domain). By default, users and groups are LOCAL.

    9. If the group you created is a LOCAL group, type: mkgroup -l >> ..\etc\group

    10. If the user you created is a LOCAL user, type: mkpasswd -l -u sftpuser >> ..\etc\passwd

    11. This is one IMPORTANT point where I diverge from the setup notes in the article. You need to edit the registry BEFORE starting your SFTP service. Sometimes Windows just will not let go of settings, and if you start the service now, it will probably be started with incorrect settings (if you followed my instructions). If you started it before reading this, stop the service, follow my instructions below, then start the service again. (Back up your registry first.)

          a. In your passwd file, you now have a listing of the default SFTP directory for your Windows user. You need to change the main folder (/home) location. The README file in OpenSSH provides the best method for doing this (clipped as follows).
          b. To change the Windows directory /home corresponds to, you will need to edit a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home.
          c. The value of the key named "native" is the directory that /home is. If you want all your users to enter in a directory on your machine called F:\Users, change "native" to read F:\Users.
          d. By default, each user will then be placed in the directory F:\Users\username, where username is the name of the user account.

    12. Start the OpenSSH server (service) by typing: net start opensshd

          a. You can stop it by typing: net stop opensshd

    13. On your firewall, open port 22. This is the default SFTP port.

    14. Now you can test your SFTP server using a client from another computer. I use Filezilla. In Filezilla, create a new (S)FTP site as follows:

          a. Host (the IP or domain name of your server)
          b. Port 22
          c. Server Type: SFTP (using SSH2) (It's backwards compatible to SSH.)
          d. Logon Type: Normal
          e. User: Windows username for the user you created
          f. Password: Windows password for the user you created
          g. Connect and it should work.
          h. Note that the user has access to the entire server at this point... that's not good.

    15. SFTP does not provide a method for locking a user to his/her home directory.
          a. Now you MUST set your Windows permissions on the folder you created with the new user's name to LIMIT this user to this folder.
          b. My example folder: D:\sftp\sftpuser.
          c. Right-click on the sftpuser folder and select Properties.
          d. Click the Security tab.
          e. Click the "Add" button and add your USER to the folder.
          f. Here are the permissions I gave the user:
                i. List folder contents
                ii. Read
                iii. Write

          g. Now right-click on the "sftp" folder and select Properties.

          h. Click the Security tab.

          i. Click the "Add" button and add your GROUP to the folder.

          j. DENY ALL PERMISSIONS for the Group (checkmark in Deny Full Control).

          k. Now your SFTP user will be able to get into the SFTP folder and subfolders only.

    16. Now test your SFTP again. It should work.
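The accepted solution above is a sequence of GUI and command-line steps. The batch file below is an added example that scripts the same steps with the stock Windows Server 2003 tools (net, reg, cacls); it is not code from the thread or from OpenSSH for Windows. It assumes the names used in the thread (user sftpuser, SFTP root D:\sftp, OpenSSH installed in C:\Program Files\OpenSSH) and a hypothetical group name, sftpgroup; change the four variables at the top to match your own setup.

```batch
@echo off
REM Added example (not from the original thread): scripts the accepted-solution
REM steps on Windows Server 2003 using only the built-in net/reg/cacls tools.
REM Assumed names: user sftpuser, group sftpgroup (hypothetical), SFTP root D:\sftp,
REM OpenSSH for Windows installed in C:\Program Files\OpenSSH. Run from an
REM administrator command prompt.
setlocal
set SFTP_USER=sftpuser
set SFTP_GROUP=sftpgroup
set SFTP_ROOT=D:\sftp
set OPENSSH=C:\Program Files\OpenSSH

REM Steps 3-4: a local user and group used only for SFTP ("*" prompts for the password).
net user %SFTP_USER% * /add
net localgroup %SFTP_GROUP% /add
net localgroup %SFTP_GROUP% %SFTP_USER% /add

REM Step 5: an SFTP root plus a subfolder named exactly like the user,
REM never directly under a drive letter.
mkdir "%SFTP_ROOT%\%SFTP_USER%"

REM Step 6: the passwd and group files must exist (empty is fine), with no extension.
if not exist "%OPENSSH%\etc\group"  type nul > "%OPENSSH%\etc\group"
if not exist "%OPENSSH%\etc\passwd" type nul > "%OPENSSH%\etc\passwd"

REM Steps 9-10: export the local group and user into the Cygwin-style files.
REM ">>" appends: running this twice leaves duplicate lines, so remove the old
REM entry for the user before re-running.
pushd "%OPENSSH%\bin"
mkgroup -l >> ..\etc\group
mkpasswd -l -u %SFTP_USER% >> ..\etc\passwd
popd

REM Step 11: point the Cygwin /home mount at the SFTP root BEFORE the service runs.
REM The user's passwd entry says /home/sftpuser, so the login lands in D:\sftp\sftpuser.
net stop opensshd >nul 2>&1
reg add "HKLM\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home" /v native /t REG_SZ /d "%SFTP_ROOT%" /f

REM Step 15: NTFS permissions. /E edits the existing ACL instead of replacing it.
REM Deny the group everything on the parent folder (step 15j)...
cacls "%SFTP_ROOT%" /E /D %SFTP_GROUP%
REM ...and grant the user Change (read, write, delete) on the subfolder. This is a
REM little broader than the thread's List/Read/Write; trim it in the Security tab
REM as step 15f describes if delete rights are not wanted.
cacls "%SFTP_ROOT%\%SFTP_USER%" /E /G %SFTP_USER%:C

REM Step 12: start the service now that the registry and files are in place.
net start opensshd

REM Checks: the home directory recorded for the user, and the resulting ACLs.
findstr /C:"%SFTP_USER%" "%OPENSSH%\etc\passwd"
cacls "%SFTP_ROOT%"
cacls "%SFTP_ROOT%\%SFTP_USER%"
endlocal
```

Two points worth knowing when reading the ACL output. First, the user still reaches D:\sftp\sftpuser even though the group is denied on D:\sftp because the explicit Allow on the subfolder takes precedence over the Deny it would otherwise inherit from the parent, and members of Users hold the "Bypass traverse checking" privilege by default. Second, because this setup has no chroot, the Deny on D:\sftp removes nothing the account inherits from Users elsewhere on the disk (C:\, Program Files and so on); after connecting, change directory out of the home folder from the client and review the ACLs of any path that is still readable, rather than relying on the parent-folder Deny alone.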


    Author Comment

    That's it for this question.
