Windows Server 2022 SFTP

KB ID 0001779

Problem

Note: This will also work on Server 2019

There’s really no excuse to be using FTP any more, it’s insecure and your username, passwords and data are sent in clear text! So let’s put the secure in FTP and deploy Windows Server 2022 SFTP instead! 

Note: Yes, there’s FTPS as well (and it’s not the same thing): FTPS adds a secure layer to the old FTP protocol. SFTP is a completely different protocol that runs on top of SSH (TCP port 22).

Deploy Windows Server 2022 SFTP

Firstly, let’s check what version of the OpenSSH server is available to us, then install that version (in this example 0.0.1.0).

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Install Windows Server 2022 SFTP

Now start the service, and set the service ‘Startup type’ to automatic, so it will start when the server boots up.

Start-Service sshd

Set-Service -Name sshd -StartupType 'Automatic'

Configure Windows Server 2022 SFTP

Assuming you have the Windows Firewall on, we need to allow TCP port 22 through the local firewall.

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"
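The three steps above (install the capability, start the service, open the firewall) as one idempotent script, an added example that is not from the original article. It assumes the capability name shown above (OpenSSH.Server~~~~0.0.1.0, so check Get-WindowsCapability first on your box) and the default TCP port 22, and it finishes by verifying that sshd is running, listening, and reachable through the firewall rule rather than just assuming so.

```powershell
# Added example (not from the original article): install, start and expose the OpenSSH
# server on Windows Server 2022/2019, skipping each step if it has already been done.
# Assumes the capability version from the article and TCP port 22.
#Requires -RunAsAdministrator

$capability = 'OpenSSH.Server~~~~0.0.1.0'   # version from the article; confirm with Get-WindowsCapability

# 1. Install the capability only if it is not already present
$cap = Get-WindowsCapability -Online -Name $capability
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability | Out-Null
}

# 2. Start sshd now and make it start on boot
Set-Service -Name sshd -StartupType Automatic
if ((Get-Service -Name sshd).Status -ne 'Running') { Start-Service -Name sshd }

# 3. Allow TCP/22 inbound, scoped to sshd.exe only (the rule name acts as the dedupe key)
if (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True `
        -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 `
        -Program "$env:SystemRoot\System32\OpenSSH\sshd.exe" | Out-Null
}

# 4. Verify: service state, a listener on port 22, and the firewall rule enabled
[pscustomobject]@{
    Service   = (Get-Service -Name sshd).Status
    Listening = [bool](Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)
    Firewall  = (Get-NetFirewallRule -Name sshd).Enabled
}
```

Scoping the firewall rule to sshd.exe (rather than any program on port 22) is the one deliberate choice here; the article's own rule already does this, and the script keeps it.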

Server 2022 Configure SFTP Firewall Settings

To be honest, that is the SFTP server up and running. Now you will need a user to access the service with. This can either be a LOCAL user on the SFTP server itself…

Server 2022 Local SFTP User

 …or a Domain User (if you joined the SFTP Server to be a Domain Member).

Server 2022 Domain SFTP User

Windows Server 2022 SFTP Upload Folder and File Locations

By default, each user that connects will land in their own folder under C:\Users. Some people might not like it in that location (but remember we are essentially dealing with a *nix program here, and that’s how *nix behaves).

Server 2022 SFTP User Folders

Setup a Windows Server 2022 SFTP Default Root Folder

If you want to use another folder as the root folder (remember that everyone is then using the SAME folder!), then create that folder.

Server 2022 SFTP Root Folder

Then edit:

C:\ProgramData\ssh\sshd_config

Note: Remember ProgramData is a hidden folder so you might not be able to see it!

Server 2022 Edit sshd config file

Locate ChrootDirectory and remove the word ‘none‘ after it, then paste in YOUR folder path. Finally, REMOVE the hash (or pound, if you’re American) symbol from the start of that line (as illustrated). Don’t forget to save the file and restart the SSH service (Restart-Service sshd).
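The same root-folder change, done as an added example that is not from the original article, but applied to one local group with a Match block rather than to everyone via the global ChrootDirectory line. The reason is the security-relevant caveat behind this step: on the Windows port, ChrootDirectory is honoured for SFTP sessions only, so a user who can also open an SSH shell still sees the whole filesystem. The block therefore pairs the chroot with ForceCommand internal-sftp and switches off forwarding for that group. The group name sftponly and the root C:\SFTP-Root are hypothetical; the config path is the Windows OpenSSH default.

```powershell
# Added example (not from the original article): chroot one local group into a shared
# SFTP root and restrict it to SFTP only. Assumes a hypothetical group 'sftponly' and root
# 'C:\SFTP-Root'; the sshd_config path is the Windows OpenSSH default.
#Requires -RunAsAdministrator

$configPath = Join-Path $env:ProgramData 'ssh\sshd_config'
$sftpRoot   = 'C:\SFTP-Root'
$group      = 'sftponly'

# Local group the rule applies to (create it if missing; add members with Add-LocalGroupMember)
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'SFTP-only users (chrooted)' | Out-Null
}

# The chroot target must exist before sshd will accept a session into it
New-Item -ItemType Directory -Path $sftpRoot -Force | Out-Null

# Keep a timestamped copy so a bad edit can be rolled back
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$block = @"

# Members of '$group': SFTP only (no shell, no forwarding), confined to $sftpRoot
Match Group $group
    ChrootDirectory $sftpRoot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
"@

# Append once. Match blocks must follow all global options, so the end of the file is correct.
if (-not (Select-String -Path $configPath -Pattern "^Match Group $group" -Quiet)) {
    Add-Content -Path $configPath -Value $block
}

Restart-Service -Name sshd

# Show the block that is now in effect and confirm the service came back up
Select-String -Path $configPath -Pattern "^Match Group $group" -Context 0,5
(Get-Service -Name sshd).Status
```

Users who are not in the group are unaffected and keep the default behaviour described above (their own folder under C:\Users). If you do want the article's global approach instead, the same ForceCommand and forwarding lines still belong next to the ChrootDirectory line, for the same reason.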

Server 2022 Edit sshd config file

ALWAYS test that it works from the same subnet first, (to save really annoying your firewall admin). Here I’m uploading a test text file using the FileZilla client from another server.

Test SFTP Site

And to prove it’s not ‘smoke and mirrors‘ here’s the file.

Test SFTP Site

So now, to make the server available to the outside world, you either need to port forward TCP port 22 from a public IP address to the server’s internal IP address, or, if the server has its own public IP (or you have one free), create a static one-to-one NAT on the firewall and allow TCP traffic on port 22 inbound.

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
