Slashdot Mirror


SSH Secure Services on Windows 2K/XP?

jstockdale asks: "Lately I've been working on the security of the few Windows boxes I administer, specifically XP and 2000 stations. I haven't had much of a problem finding decent solutions for file/email/disk encryption (besides the fact that PGP is no longer selling their products), or for smartcard or smartcard+biometric solutions (besides the limitations on key size (2048-bit RSA maximum) and flexibility). However when it comes to SSH services for remote administration, windows filesharing, and SFTP for file transfers I have hit a dead end. I have looked into SSH but their SSH for Windows Servers only runs on 2000, and costs $565. I ask what solutions have /.er's found in the realm of ssh network encryption, and also in integrating all these components simply and effectively."

238 comments

  1. CygWin by Darth+Troll · · Score: 2, Informative

    Works just dandy

    1. Re:CygWin by Anonymous Coward · · Score: 0

      cygwin rocks. next best thing to unix.

    2. Re:CygWin by Frank+of+Earth · · Score: 2, Informative

      I don't run Cygwin on our prod servers but I do run it on my desktop and it works great.

      What I do is create a batch file called scmd [super command] that opens up a connection to localhost through ssh.

      Then I just create an alias to my /c and I'm able to use all the great unix utilities under windows. You'd be surprised how something so simple like tail/head works so well when analysing log files in Windows.

      Not to get too offtopic, but it's all great for running cron jobs. The AT scheduler is the worst.

    3. Re:CygWin by Anonymous Coward · · Score: 0

      Thing is, can you run netsh?

      ie, manage the dhcp server, wins, etc..?

    4. Re:CygWin by Anonymous Coward · · Score: 0

      Cygwin truly rocks, especially when used with the Win32 version of Emacs. However, it doesn't provide any SSH server functionality, to my knowledge. Furthermore, the functionality of cygwin is limited in many instances. For instance, ps on cygwin only reports on processes initiated by the current shell, not those of the underlying OS.

    5. Re:CygWin by Sir+Joltalot · · Score: 1

      Excuse me, I think you mean the Win32 version of Vim :)

      Otherwise, I agree, Cygwin is pretty neat. The only thing that ticks me off when using Cygwin is that when you run bash (or another shell) it's still in a Windows command prompt, and they don't really resize that well (at least not in 2k, dunno 'bout xp). And yeah, you can run X with xterms, but at that point you might as well run *nix...

      --
      "Caffeine is not an option. Caffeine is a way of life."
    6. Re:CygWin by roybadami · · Score: 1

      Though you do need to be aware of its security limitations. That's not to say openssh under cygwin isn't a great way to remote admin machines, but you should probably only use it in circumstances where everyone who has access to the machine has legitimate admin privileges. (Of course, if the only person who has access to the machine is you then you needn't worry)

      http://cygwin.com/faq/faq_4.html#SEC80

      How secure is Cygwin in a multi-user environment?

      Cygwin is not secure in a multi-user environment. For example if you have a long running daemon such as "inetd" running as admin while ordinary users are logged in, or if you have a user logged in remotely while another user is logged into the console, one cygwin client can trick another into running code for it. In this way one user may gain the privilege of another cygwin program running on the machine. This is because cygwin has shared state that is accessible by all processes.

    7. Re:CygWin by Strog · · Score: 1

      You can run sshd and use the server but you are right about getting to the underlying OS being an issue. It all depends on how much you are really trying to do with this box.

      You can do most everything with the command line under NT/2k but documentation often needs hunted down. You also need to get the Resource Kit(s) to get all the command-line tools and addons to really do what you want to do.

      The trouble with this is that you would have unixish tools available but really need to get to the nt/2k command line ones to administer the box. Maybe you can come in on ssh and have it connect to a local telnet that only accepts from localhost. Not perfect but better than telnet directly in.

  2. when you are too lazy to hit google by NullStream · · Score: 1

    cygwin

    --
    "Survival of the fittest Max, and we've got the fucking gun!" - Pi
    1. Re:when you are too lazy to hit google by Anonvmous+Coward · · Score: 5, Insightful

      Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.

    2. Re:when you are too lazy to hit google by Qrlx · · Score: 3, Insightful

      Google helps you find stuff. Google does not give you informed recommendations from your peers. Duh.

      Google search for "SSH Secure Services on Windows 2K" (cut and paste job from article title, leaving off /XP)

      Result number ten is called "How to setup SSH service on an Windows NT\2000 system." using cygwin etc.

      So there.

    3. Re:when you are too lazy to hit google by NullStream · · Score: 1

      And if you want impressions and suggestions then add "review" or "suggestions" to the search criteria. Joe Q. Internet hosting a site is about as accurate as your average slashdot user.

      Then again this site is all about "News for sheep and stuff that barely qualifies as news."

      Oh yeah.. BAAAAAAAAH!

      --
      "Survival of the fittest Max, and we've got the fucking gun!" - Pi
    4. Re:when you are too lazy to hit google by Anonymous Coward · · Score: 0

      Then why the fuck are you here?

    5. Re:when you are too lazy to hit google by Anonymous Coward · · Score: 0
      Then again this site is all about "News for sheep and stuff that barely qualifies as news."
      Then why the fuck are you here?

      Because he's Welsh and likes to keep up-to-date with news about sheep.

  3. www.Cygwin.com by aaron_pet · · Score: 3, Informative

    www.cygwin.com

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here
  4. openssh via cygwin. by ssklar · · Score: 2, Informative

    openssh works fine under cygwin. that is what we use.

    --
    Non impediti ratione cogitationis.
    1. Re:openssh via cygwin. by Telastyn · · Score: 4, Insightful

      One trick that helps is using NT resource kit's srvany to install SSHD as a service instead of cygwin's service installer. A google search can show you how. But then again a simple google search could've prevented this whole article...

    2. Re:openssh via cygwin. by redfood · · Score: 1

      Good information on installing a cygwin openssh server (sshd) can be found here:

      http://www.jfitz.com/tips/ssh_for_windows.html#SSH_Servers

  5. Cygwin? by Anonymous Coward · · Score: 0

    Will Cygwin run on that?

    - Firewall

  6. Idea by Anonymous Coward · · Score: 0

    Go to google and search for "cygwin sshd"

  7. Putty by crouchingpenguin · · Score: 2, Informative
    1. Re:Putty by UTPinky · · Score: 1

      I think he is referring to the need of a server, not a client

      --
      I'm only paranoid because everyone is against me...
    2. Re:Putty by Osty · · Score: 2, Informative

      And he can get a fancy alpha-blended PuTTY here. However, the way I understood it, he was asking for a server, not a client. PuTTY is only a client (ssh client, scp, sftp, etc).

  8. Tried VShell? by triffidsting · · Score: 5, Insightful

    http://www.vandyke.com/products/vshell/

    --
    Non, je ne veux pas coucher avec toi ce soir.
    1. Re:Tried VShell? by xee · · Score: 5, Informative

      Indeed, VShell is an awesome SSH server for windows. I've been using it in a production environment for a few months now and am very pleased with its performance and ability. It hasn't been a particularly smooth ride, but VanDyke tech support is excellent (you send them a logfile, they'll tell you how to fix the problem). They even supported me before I bought the product. That was impressive. I highly recommend VanDyke SSH products for windows.

      --
      Oh shit! I forgot to click "Post Anonymously"...
    2. Re:Tried VShell? by Frank+of+Earth · · Score: 1

      I agree. Vshell is great and integrates seamlessly. It's not terribly expensive and the software is top notch.

      If you need Windows sftp/ssh clients, they also have the best clients on the market.

      [Paying customer, but not affiliated with Vandyke, just been using their products for 5+ years now]

    3. Re:Tried VShell? by Anonymous Coward · · Score: 0

      Another positive comment to drop in the bucket...
      vshell is awesome.

    4. Re:Tried VShell? by dmayle · · Score: 2, Informative

      I agree completely. I've been a huge fan of Vandyke products, and continue to recommend them to clients of mine who want Windows familiarity thrown in with their security (I implement security solutions for small to medium size businesses). All of their products that I've used (SecureFX, SecureCRT and VShell) have each gotten better with each version (which you often can't say about new software).

  9. Unless you work *real* cheap by Anonymous Coward · · Score: 2, Insightful
    $565 covers your employer's costs for you for about a day (maybe a little more).

    If you need what SSH provides, buy the damn thing and get it over with. You'd spend a helluva lot more than 10 hours getting something else working - or even just looking for something else.

    1. Re:Unless you work *real* cheap by dameron · · Score: 0

      Unless there's a couple thousand client machines, then it gets pricey.

      And oh, btw, $565 per day isn't cheap, it's like $135,000 a year in raw salary and, from what I'd guesstimate, -far- beyond the average slashdot reader's daily take. Now your company may bill you out at $70 an hour, but that's a different story.

      -dameron

    2. Re:Unless you work *real* cheap by Anonymous Coward · · Score: 0

      From what I understood, he needs the server to run on XP too, which that one doesn't.

      Also... Your saying that less than US$ 70 / hour is "*real* cheap" really amazes me.

      tmegapscm

    3. Re:Unless you work *real* cheap by GigsVT · · Score: 2

      Cygwin with ssh takes like an hour to set up, max.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:Unless you work *real* cheap by Anonymous Coward · · Score: 0

      "If you need what SSH provides, buy the damn thing and get it over with. You'd spend a helluva lot more than 10 hours getting something else working - or even just looking for something else."

      This type of reasoning certainly doesn't demonstrate why you are allegedly worth $565 a day. Tell me where you work, I think I can help.

    5. Re:Unless you work *real* cheap by njdj · · Score: 1

      And oh, btw, $565 per day isn't cheap, it's like $135,000 a year in raw salary
      "Cost to the employer of $565/day" corresponds to a salary of $45k to $60k/year, depending on a lot of factors. Any manager who has costed a project will tell you this. To calculate the true cost of employing an engineer (say), you have to figure in the cost of providing office space/heating/air-con, desk space, infrastructure like HR department, line management, employer's social security tax and employment tax, and some of the benefits. All this usually adds up to a bit more than the actual salary. Then you have to figure that the average employee works about 1760 hours/year, allowing for vacation and sick leave. So if the actual salary is $60k/year, that's 60000/1760 = $34/hour or $272/day, the cost to the employer will be at least double that, usually significantly more.

    6. Re:Unless you work *real* cheap by Anonymous Coward · · Score: 0
      You've obviously never had to cost out development.

      If someone sells a wheel that fits your needs, it's almost always a helluva lot cheaper to just buy it when compared to the cost of making one on your own.

      From soup to nuts, figure somewhere between two and five lines of code per man hour. That's it. Throw out documentation and testing and you might get it up to 10-15 LOC an hour.

      And you can't even start to get good developers until you start getting up to $100 or so.

  10. Bitvise is nice and reasonably priced by anaradad · · Score: 2, Informative

    I've been running a Bitvise WinSSHD server for a while and it works just fine. Integrates with the Windows login also, which is a nice plus. Easy to install, configure, and use.

  11. Cygwin! by BJH · · Score: 1

    I installed cygwin on my PC at work a couple of weeks ago (after the /. article). SSH client and server both work fine.

  12. Cygwin? by onby2000 · · Score: 0, Redundant

    Check out cygwin. They have ports of most unix like apps and provide a framework for porting stuff. You might be able to find a solution there.

    You can find some more info about it here.

  13. Putty ssh client by bluegreenone · · Score: 1, Informative
    I know you are asking about server software specifically, but I thought I'd take the opportunity to mention Putty, a suite of useful SSH clients including a SSH/telnet, Pageant their key manager, and plink their command-line version.

  14. Errr.... by zulux · · Score: 1, Redundant

    What's wrong with cygwin?

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    1. Re:Errr.... by __aaaaxm1522 · · Score: 2

      Perhaps the poor guy just didn't know about it.

      It's not very well known in the Windows world - seems to be something that us Unix folk load onto Windows machines to make them feel a little more like "home". I hope it gains more recognition by the Windows "mainstream" types, as it's one excellent bundle of useful apps.

  15. It has Open SSH 3.4p1-4 by aaron_pet · · Score: 1


    I don't know if Cygwin opens other security holes in windows. Haven't heard anything about it.

    It has Apache, MySQL, Postgres...
    XFree86... bunch of stuff.

    --
    Please use [ informative / summarizing ] SUBJECT LINES
    Flame me here
  16. I'd recommend by Anonymous Coward · · Score: 0

    Cygwin's OpenSSH server.

  17. Windows Programming: A related question by Dwonis · · Score: 2, Offtopic

    My question is sort of off-topic, but I don't really know where to ask it: Where is the Windows programming community? How do Windows programmers get their information and help? I am familiar with how to get information for *nix programming: just search the web, look up the manpages, and post questions on the mailing lists/newsgroups. But I have a hell of a time writing Windows programs because I can't seem to find the mutual support network that is so common in the *nix world.

    1. Re:Windows Programming: A related question by Anonymous Coward · · Score: 0

      Send your resume to Redmond. Bend over for Bill G.

    2. Re:Windows Programming: A related question by bmwm3nut · · Score: 1

      www.codeguru.com - actually i don't know how good it is anymore. but about five years ago when i worked as a windows application developer i found a lot of help there

    3. Re:Windows Programming: A related question by Col.+Panic · · Score: 1

      USENET, just like for everything else. comp.os.ms-windows.*

    4. Re:Windows Programming: A related question by Osty · · Score: 1

      www.codeguru.com - actually i don't know how good it is anymore. but about five years ago when i worked as a windows application developer i found a lot of help there

      I've not used CodeGuru much, so I can't really comment there. However, The Code Project seems to be rather popular, and even has some (unofficial) support through Microsoft. Another good site is WinProg.NET, the website for EFNet's #Winprog and also a site with a number of good tutorials and resources.

      That said, there's really not much better than MSDN for looking up pretty much anything you want to know about developing for Windows. Of course, MSDN is more a reference than a tutorial site, so I can understand why new Windows programmers can feel lost in it. That's where sites like CodeGuru, The Code Project, et al come in.

    5. Re:Windows Programming: A related question by Brad1138 · · Score: 1

      When I have a question about any Windows OS (or any OS for that matter) I go to Computing.net. I usually get good answers to my probs. That is of course if slashdot is down and/or I can't get to it. :)

      --
      If you could reason with religious people, there would be no religious people
    6. Re:Windows Programming: A related question by RainbowSix · · Score: 2, Troll

      I've been thinking about this question as well. Here is what I currently believe:

      There are two main reasons people code. One is money. The second one is the appreciation of the theory and algorithms behind it.

      As a result, we have Microsoft which I see as full of people in it for the money. This leaves crappy code and security holes since as long as everybody gets their paycheck they do whatever it takes to keep them from getting fired (ie, Office Space the movie)

      Those people really don't care about the code, and so won't spend their free time contributing free software to the community. If they do write something, it will be for win32 and they will charge money so they can make a few dollars. They figure everything else costs money so why should theirs be free?

      On the other hand, we have people who like to code, and don't care so much about the money as much as the respect of their peers and for the beauty of the code. Therefore we have a lot of free stuff in linux. Sure, some of it also has win32 ports, but are there any free office suites and full fledged graphics packages solely for win32? The answer is no (I would imagine) because win32 has such a huge user base. With something like 90% of the desktop, somebody is bound to pay for your product, so why should anybody write a free application for win32?

      --
      --------
      It's OK to be social, just don't tell anyone about it.
    7. Re:Windows Programming: A related question by ergo98 · · Score: 1

      Probably the best source is the microsoft.* tree (add msnews.microsoft.com as one of your news server). I've found it very helpful for those few times that Deja comes up empty. Caveat: Messages have a strange habit of spontaneously disappearing from those servers-Several times now I've posted a question that was very much ontopic to find a day later that it disappeared (though sometimes orphaning some replies). Whether they have a weak cancel authentication system and someone is abusing it, or they have overly delete-hungry moderators I'm not sure.

    8. Re:Windows Programming: A related question by ssafarik · · Score: 1

      Have you looked at the MSDN Library? (http://msdn.microsoft.com). Has nearly exhaustive info on programming for all the various Windows components.

      Steve.

    9. Re:Windows Programming: A related question by Anonymous Coward · · Score: 0

      www.tek-tips.com

      This is a great resource and a friendly community.

      Jon

    10. Re:Windows Programming: A related question by daytrip00 · · Score: 1

      First, if you are a .NET programmer, one such community is dotNet247.com. They have excellent discussion threads. They, also, are indexed by google. If you use Google's Microsoft only search you'll be sure to easily find the answer to the question you are looking for.

      MSDN is also an invaluable resource. Not only do they have a stream of articles, but they are searchable, and it is generally rather easy to find the answer to the question you are looking for.

      I've had 99% of my programming experience in the Windows world, so I actually suffer the reverse anomaly... I don't know where to look for my *nix answers.

    11. Re:Windows Programming: A related question by W2k · · Score: 4, Informative

      My sources for programming info and help/support:

      CodeGuru and CodeProject - both EXCELLENT sources of information, especially for MFC stuff. CodeProject also has lots on C#.

      Microsoft Developer Network is a great source of support (especially the KB) and the MSDN library holds a full reference for the Microsoft implementations of C/C++, C#, Visual Basic, et al. MSDN is also integrated into Visual Studio.NET, so I rarely feel the need to visit the website directly.

      Finally, lots of programmers gather in Usenet newsgroups and on IRC. I can recommend the channel #c++ on Quakenet (irc.quakenet.org) as a great source of help for Windows programmers, so long as you follow the (rather strict) channel rules. Don't miss the #c++ n00blist of people who have failed to observe these rules ... :)

      I hope this helps...

      --
      Quality, performance, value; you get only two, and you don't always get to pick.
    12. Re:Windows Programming: A related question by Reality+Master+101 · · Score: 1, Flamebait

      On the other hand, we have people who like to code, and don't care so much about the money as much as the respect of their peers and for the beauty of the code.

      Obviously you have never looked at the typical open source program. It is some of the UGLIEST code ever written. I'm sure there are some examples of some clean code out there, but all the ones I've looked at have been horrible, kludgy, undocumented pieces of crap. One in particular was Perl 4. Larry Wall might be a language genius, but his code is TERRIBLE. I think you can count the number of comments on one hand.

      --
      Sometimes it's best to just let stupid people be stupid.
    13. Re:Windows Programming: A related question by NineNine · · Score: 1

      There's a ton of support. It's not in one place because there are just so damn many Windows developers. You get all of the Windows developers in one place, and it'd dwarf the user base of Slashdot many times over. Saying the "Windows Community" is like saying the "human community".
      1. There are too many to form any kind of useful "community".
      2. There's no driving common interest, like here at Slashdot. You write code, it works, period.
      3. 99% of all *nix geeks can be described in a single paragraph. Windows users are all different kinds of people, with virtually nothing in common.

    14. Re:Windows Programming: A related question by slickwillie · · Score: 1, Troll

      Here's how you get Windoze programming help:

      - Get out your credit card(s)
      - Clear your calendar for the next week
      - Call Micro$oft
      - Sign up for MSDN (make sure your credit cards(s) have a high limit)
      - Wait for a large box full of disks (are they still using CD's or have they switched to DVD's?)
      - Try something (it will fail)
      - Call M$, goto previous line forever

    15. Re:Windows Programming: A related question by Vinson+Massif · · Score: 1

      Apparently in the Perl FAQ: "Perl 4 is a dead, flea-bitten carcass". It's old, ancient.

      Please make the same comment about 5.8.0.

      --
      "Remember, any tool can be the right tool." -- Red Green
    16. Re:Windows Programming: A related question by Anonymous Coward · · Score: 0

      this was insightful? it was a blatant troll, and a poor attempt at one too.

    17. Re:Windows Programming: A related question by Stonehand · · Score: 3, Insightful

      Pure, unadulterated bullshit of the worst stereotypical kind. Having actually /been/ there, and being aware of their recruitment procedures and also of their penchant for hiring damn fine academics who know their stuff, I can tell you that if you are a clod who can't think on his feet and doesn't know what he's doing, you won't get in. And the people that were there were pretty damn motivated to do well -- one has to be, in order to work at a company that's all but compared to the Third Reich these days.

      Compare that to the unclean drivel in the Linux kernel, laden with intelligent comments like "Sun fucking blows me", clearly broken VMs that get released despite all those allegedly useful eyes staring at the code and supposedly testing it, and the unprofessional spats between the dev community.

      And if you think caring about something means that it's so obviously superior, I would suggest that you consider the fanatical behavior of assorted cults throughout history -- or, alternately, the idiots on "American Idol" who clearly /care/ about their art, but can't do it worth a damn. The people who did the art for "Craft" and for that Warcraft clone and for that FreeCiv (clone...) probably /care/ about their art too, but graphically... there's no comparison with that produced by the pros.

      As for why I code, when I do -- it's a method. Algorithms aren't too interesting if never tested, and I'm sure as hell not doing large amounts of repetitive mathematics by hand. So for me, programming is merely an extremely efficient way of getting things done, and not an ends in of itself. When it comes to recreation, I find classic literature or photography much more interesting than implementing Nelder-Mead simplex routines for function minimization, or their ilk.

      --
      Only the dead have seen the end of war.
    18. Re:Windows Programming: A related question by tcc · · Score: 2

      Obviously the parent is a flamebait.

      Yes microsoft switched MSDN to DVD and even offers a substantial rebate for people to switch to DVD subscription.

      Depending on which kind of subscription you want, MSN can be in the 3 or 4 digits. The Universal subscription is huge and most of the people don't need it for simple application, as a matter of fact, having only the MSDN library on cd and a copy of visual studio is enough for most people. Unless you are writing huge-ass datacenter application or you need every single microsoft product (server and client) readily installable, well usually you can shell out the money that will be needed to get such a package. No it's not open source, no it's not free, yes it's microsoft. While I don't really agree with some of their ways of doing things, if you don't like it, don't buy it and go find something else; if you can't, well now you know what it's going to cost you and you'll appreciate the literature of the MSDN subscription. I find it very immature and non professional to post such biased comments, and even worse, people modding this up like mad, when it's completely OT to the current subject and not helping in any case.

      The only negative thing I have to say about MSDN is when you get a universal subscription, they are trying to SELL you a magazine on top of that, and the Technet library isn't included, with all of the stuff they give, this is really lame :), aside from that, if you need MS documentation, grab the MSDN cd, it's not THAT expensive, and most of the stuff there is loaded with samples and it's more readable than most unix HOWTOs for the newbies.

      --
      --- Metamoderating abusive downgraders since my 300th post.
    19. Re:Windows Programming: A related question by Anonymous Coward · · Score: 0

      How much does MSDN spellchecker and grammar filter cost?

      BTW, I agree that Linux (not Un*x) HOWTO's can be less than useful.

    20. Re:Windows Programming: A related question by Anonymous Coward · · Score: 0

      Wow, Quakenet #c++ looks like a steaming pile of idiots. I'm there!

    21. Re:Windows Programming: A related question by Anonymous Coward · · Score: 0

      When it comes to recreation, I find classic literature or photography much more interesting...

      Bill Gates' "The Road Ahead" doesn't count as classic literature.

  18. Cygwin by ar · · Score: 1

    Like everyone says, cygwin is the winner.

    You might want to check here for some hints on installation. (In addition to the user guide and readmes of course).

  19. Check out the VanDyke products by mdb31 · · Score: 5, Informative

    You may want to have a look at vandyke.com; their VShell SSH server has a 'personal' edition which works very well for systems management and is cheaper than the SSH product. I've used their products for years on the server as well as client-side, and found them very reliable, as well as very well-behaved Windows services...

  20. Lots of Options by photon317 · · Score: 2


    There's lots of options available for SSH on Win32, a simple Google search turns them up. Specifically there's a free zipfile out there called ssh-win32.zip that contains a basic SSH terminal that works well. There's also GPL port-attempts of the unix commandline ssh tools, some of which work ok. In the cheapware/shareware category there's stuff like SecureCRT and F-Secure SSH. The list goes on and on... apparently some people like PuTTY.

    --
    11*43+456^2
    1. Re:Lots of Options by Anonymous Coward · · Score: 0

      Oh, there's lots of posts about ssh clients, some with links, discussion of various clients, secure crt and F-Secure etc. The list goes on and on... apparently some people don't realize the question is about ssh server solutions and not clients.

  21. Same except for manpages. by jag111 · · Score: 1

    Search the web, look up things in the MSDN Library, and post questions on the mailing lists/newsgroups. =)

    1. Re:Same except for manpages. by Dwonis · · Score: 2

      Do you know what the licensing for code snippets from MSDN is? They always provide them but I can't find a copyright release anywhere. Maybe I'm not looking hard enough (or recently enough).

    2. Re:Same except for manpages. by SynKKnyS · · Score: 1

      They are free, unless they suddenly licensed the code to create a HWND.

  22. Have you looked at remotely anywhere? by slacker_bovine · · Score: 2, Informative

    Rather than some *cough* *cough*....I wish to actually try to provide some help. I've been using Remotely Anywhere for remote administration of my win2k network. It does a lot more than it sounds like you're asking for, but it is extremely useful and runs an ssh server. It is relatively cheap, but not free. Website

  23. Look again... by Psx29 · · Score: 1
    I have looked into SSH but their SSH for Windows Servers only runs on 2000, and costs $565.

    According to the link provided:

    SSH Secure Shell for Windows Servers provides strong Secure Shell version 2 connectivity, encryption and authentication for servers running Windows NT 4.0, 2000 and XP.

  24. CuteFTP Pro has SFTP by jaylen · · Score: 1

    CuteFTP pro has excellent very good Sftp capabilities, I use it all the time between work and home.

    Works fine for win2k, XP, and is cheap to buy.

    ______
    Jaylen

    1. Re:CuteFTP Pro has SFTP by Anonymous Coward · · Score: 0

      I personally like the spyware Globalscape has embedded in its products.

    2. Re:CuteFTP Pro has SFTP by Luke-Jr · · Score: 0

      CuteFTP Pro is also a resource hog and is very unstable.

      --
      Luke-Jr
  25. Safetp by Anonymous Coward · · Score: 0

    We use safetp as a client and server on a number of Windows and Linux servers and it works brilliantly. And it's free!

    http://safetp.cs.berkeley.edu/

  26. OpenSSH + CygWin + libsectok by dmiller · · Score: 5, Informative

    As a few people have mentioned OpenSSH is supported on Windows via CygWin. What hasn't been mentioned is that OpenSSH supports smartcards through the use of libsectok. I use it with Schlumberger Cyberflex Access cards.

    I don't know whether libsectok has been built on Windows before, but it uses the standard /dev/tty interface so it should be too difficult to get working.

    1. Re:OpenSSH + CygWin + libsectok by philovivero · · Score: 4, Funny

      Mod parent up.

      Basically, I've gotten Cygwin with OpenSSH working on Win2K with zero problems.

      It's an eery feeling typing "ssh philov@win2kbox" and then getting a Bash prompt.

      Remember, once you install Cygwin to learn how to install *ANY* Unix server as a service on your Windows box. I got Apache and SSHd and a few others working trivially once I figured out that strange Cygwin addservice command.

    2. Re:OpenSSH + CygWin + libsectok by ajs · · Score: 3, Interesting

      What's even scarier is being on an XP box, starting up a shell, typing "startx", get an xterm, run "ssh -XCfc blowfish me@linuxbox evolution" and getting a usable mail client on windows! :-)

    3. Re:OpenSSH + CygWin + libsectok by Anonymous Coward · · Score: 0
      I agree with the basic idea, I sometimes like to ssh run an X win proggy on windows, but instead of the built-in X server of Cygwin, see if you can get your hands on LAN Workplace Pro 5.2 from Novell. Its X Server integrates perfectly with windows, if you run Mozilla or anything else, it looks like a nearly native windows app.

      Google search "lwp52.zip oklahoma u" will find it for you... but I didn't tell you that and I do NOT work or go there(never even been there).

    4. Re:OpenSSH + CygWin + libsectok by mikiN · · Score: 1

      ...it uses the standard /dev/tty interface so it should be too difficult to get working.

      Wow!, now that is what I call a teaser. Took me several times reading the post before I got it. Very funny!

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    5. Re:OpenSSH + CygWin + libsectok by Anonymous Coward · · Score: 0

      I bet the scariest thing to you is the thought of meeting a real female in person.

    6. Re:OpenSSH + CygWin + libsectok by ajs · · Score: 2
      Evolution is the best mail client I've used, and I've used a LOT of them. I still use mutt a fair amount for quick things (the way I use vi for quick things and emacs for large work). I loved emacs' VM mode mailer, but evolution adopted its virtual mailbox concept and made it easier to use (though not quite as powerful as emacs').

      MH was always a pain to use. pine and elm were more limited than mutt. Mozilla was nice, but too limited.

      The things I like about Evolution:
      • Virtual mailboxes -- insanely useful feature. I have a virtual mailbox for example that shows me any mail from a known list of friends across all of my IMAP and local mailboxes.
      • Wonderfully smooth and responsive IMAP and POP handling
      • Very good handling of attachments and all sorts of strange document types
      • Drag and drop between accounts
      • Well protected against malicious HTML mail (doesn't do javascript or load images by default, etc).
      • Excellent searching capabilities
      Had you had some problems with it that made you unhappy?
    7. Re:OpenSSH + CygWin + libsectok by philovivero · · Score: 1

      Hmmmm. You know, I hadn't even thought about that as being scary, but you know, it is.

      It's mighty cool having X working under Cygwin, I'll admit that.

      Saaay, why does RXVT run without X, but XTERM must run with X???

      Rambling rambling. Really, the thing that struck me is your post, which makes me laugh out loud is moderated "interesting" but my post, which I don't consider the slightest bit funny is moderated "funny."

      Moderation is... +1 funny.

  27. This may seem incredibly obvious by david.given · · Score: 2
    ...but if you install Cygwin, fire up an rxvt and type 'ssh user@foo.bar.com', it Just Works.

    Although, I have had problems that if you try and resize the rxvt it stops responding, and stupid Windows doesn't kill the children if you kill the rxvt so you end up with dead processes hanging around if you're not careful, but in principle it all works fine. ssh, scp, the lot. It all interoperates with Unix beautifully.

  28. The Oxy* Project by Anonymous Coward · · Score: 1, Funny

    In unison, now: "Windows Security" : ....

  29. winscp (freeware) by hrdluk0 · · Score: 2, Informative

    There is a freeware windows scp program called, not surprisingly, winscp. It is freeware and uses some code from Putty. Everyone I know has found this program very useful. Main web page: http://winscp.vse.cz/eng/ and download here: http://winscp.vse.cz/eng/download.php I found version 2.0 to be quite stable even though it is called beta.

  30. networksimplicity by meatspray · · Score: 1

    this guy packages openssh and cygwin hooks into one installer, we use it for all kinds of admin.

    1. Re:networksimplicity by homer_ca · · Score: 1

      I've used it too. It's the easiest install I've seen yet of the Cygwin+OpenSSH ports. www.networksimplicity.com

  31. But be careful by captain_craptacular · · Score: 2

    My unit recently started using the SSH product and had issues with it. When SFTP'ing files from our windows boxes to our *nix servers random sections of text files would mysteriously disappear. Also the term client has been flaky for me, when I'm in emacs (my editor of choice) and I backscroll it will occasionally insert random sections of my backscroll into my emacs buffer... So if you go with SSH for Windows clients, watch your text ftp's and save before you scroll up ;)

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty nor security
    1. Re:But be careful by Anonymous Coward · · Score: 0

      A much overlooked but usually more appropriate Ben quote in these situations is:

      "I would gladly give up my right to slander others if I am in turn protected from being slandered." - Benjamin Franklin.

    2. Re:But be careful by Anonymous Coward · · Score: 0

      Then call their tech support. After all, you spent $565 or more on the product...

  32. Erm... by rakslice · · Score: 2

    OpenSSH on Cygwin. It's free. I'm not sure if Cygwin provides enough unixy hooks to support sftp, but I'd imagine it does...

    1. Re:Erm... by whatparadox · · Score: 1

      I run cygwin's SSH server at home on win2k and connect from school using SSH.com's client that is command line and graphical file transfer.

  33. Re:Not Interested by saarbruck · · Score: 0, Flamebait

    but wait!

    you could still suggest that he replace all his 2K/XP boxes with Linux, or that he simply take the $565 it costs to get SSH server software for windows and instead get an entry level Dell Poweredge server and install your fav. Linux distro for free! :-)

    --
    I am the very model of a modern major general!
  34. putty + cygwin by joe_n_bloe · · Score: 1

    putty is a no-brainer to install and use and now does tunneling.

    ssh under cygwin is also fine.

    It's not really a difficult problem, unless you are looking for a good product that you actually have to pay for. :-)

  35. Fingerprint Biometrics: DigitalPersona.com by Dr.+Ion · · Score: 2

    If you're looking for fingerprint login that integrates well with Win2k, check into the DigitalPersona U.are.U stuff.

    I have their inexpensive "UareU Pro" system, and it works great for (literally) one-touch Win2k logins. You can integrate it with your domain server to make fingerprint logins universal, but even just on a local workstation, it works fine.
    Unfortunately, zero Linux support.

    You can use the fingerprint biometrics for an encrypted virtual drive with additional software, but without any documentation or peer review of their encrypted storage, it's impossible to evaluate their security.

    1. Re:Fingerprint Biometrics: DigitalPersona.com by Anonymous Coward · · Score: 0

      If you go with DigitalPersona, don't lose your driver disc. I tried to get some drivers from them. Holy fuck, I was on the phone with some lady there for 15 mins trying to get them.

      Apparently they don't make them?

  36. What's wrong with Win2k server? by gcshaw2nd · · Score: 2, Interesting

    This is slightly off topic, but I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products (this is not a troll, and I'm not interested in flames about M$).

    I always thought of PGP as a personal resource, not something capable of effectively encrypting entire network environments. Why do you choose not to use the EFS capabilities of Windows, which, to my knowledge, are very secure and transparent to the user (provided (s)he has permission to decrypt).

    The same question applies to Smartcard technology. Windows supports the PKINIT protocol, RSA and CryptoAPI etc. You can install Certificate Authority software as part of your install. Why specifically go with cryptoflex?

    And specifically regarding your SSH question, it's not SSH but Windows Server supports Remote Access services via which you could set up a VPN and have a secure connection to the company servers.

    Please share your knowledge.

    1. Re:What's wrong with Win2k server? by new500 · · Score: 4, Informative

      . . .

      I'm curious as to why you went with 3rd party solutions for encryption and smartcard support instead of using Windows Server, which has those capabilities built in. Mostly I'm curious about the limitations of Windows Server products

      Well for one thing, for every client that uses Windows Server for _authentication_ you have to pay up for an extra internet Client Access License. As far as I understand this (and I re-read the terms not so long back) that's each _individual_ client, not concurrent or pooled / proxied clients.

      Win2k has excellent smartcard support, out of the box, highly recommended to lock down _physical access_. But, if like me, you're interested in smartcard authentication for a fair number of users _remotely_ it may not be the best solution to work with your existing toolchain (e.g. Cygwin, OpenSSH etc.)

      That's just what comes immediately to mind. I've not delved all I should, so further comment very welcome.

      I'll just part with the thought that in your example of installing Certificate Services, if you used this to authenticate users for a web site in even a small installation, you could be talking about hundreds of required licenses. Up to you, though, of course :)

    2. Re:What's wrong with Win2k server? by gcshaw2nd · · Score: 1
      I just read that there are two cases where a CAL is not required for access to Win2k Server: One, when the client makes http requests (ie the server is acting as a web server); Two, the client makes ftp requests.

      Certificate Services is, I believe, used to create authentication certificates for use on smartcards and similar access devices, not secure web transactions. But I could be wrong about that.

      And I thought that Win2k support for smartcards was especially for remote authentication, say on a laptop. I'm not sure what you mean by physical access, perhaps local access?

    3. Re:What's wrong with Win2k server? by Mr.+Firewall · · Score: 1

      I cannot answer the other questions, but I can answer this one:

      And specifically regarding your SSH question, it's not SSH but Windows Server supports Remote Access services via which you could set up a VPN and have a secure connection to the company servers.

      Actually, you DON'T have a secure connection to your servers through Windows RAS. Micro$oft uses weak encryption in their VPN tunnels, and it's not that difficult to crack it.

      To answer your question -- that, my friend, is what's wrong with Win2K server. What *I* would do is set up either a Cisco router or an OpenBSD server in front of it with an IPSec VPN, but I'm not you.

      Good luck with your project, and may the Force be with you.

      --
      In times of universal deceit, telling the truth gets you modded -1 Troll
    4. Re:What's wrong with Win2k server? by Anonymous Coward · · Score: 0

      Psst...
      Windows does Ipsec, AH and ESP.

      Is it just me ...
      or do these people have some problems with what 2k will and will not do?

      Prolly a bad time to talk about RDP and GPO.
      I'll just go away now. LOL

    5. Re:What's wrong with Win2k server? by new500 · · Score: 2

      . . .

      And I thought that Win2k support for smartcards was especially for remote authentication, say on a laptop. I'm not sure what you mean by physical access, perhaps local access?

      You are partly right, no CAL is required for _anonymous_ access to Win2k. Reassuring isn't it? :-)

      I should have clarified my point a bit - in a heterogenous LAN / WAN it's not always practical to use Win2k services for all authentication. Quite apart from the expense of CALs, replicating ActiveDirectory to LDAP is a complete PITA. At a considerable price you can buy meta-directory products e.g. from SUN One and Novell to accomplish this more easily. For many instances you simply do not need to deliver NT services such as file and print or authentication to _everyone_ so then a meta-directory starts to feel like overkill. Having *nix based smartcard tools, sans CAL costs can be a major project boon, for obvious reasons.

      As I understand it, contrary to your assertion, Cert Services under Win2k offers X.509 support for the web _and_ smartcard services. Integration is the key - either a massive boon if you wish to standardise, or a liability with the licensing cops if you mix up your distinctions :). Here's a quote http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/depopt/2000cert.asp :

      Microsoft® Windows® 2000 Certificate Services offers customers an integrated public key infrastructure (PKI) that enables the secure exchange of information across the Internet, extranets, and intranets. Certificate Services verifies and authenticates the validity of each party involved in an electronic transaction and lets domain users log on to a domain using the additional security provided by smart cards.

      And some evidence that they are inseparable can be found by a search for KB Q228831 "Cannot Overwrite Smart Card Key During Certificate Services Setup" at their site, which appears broken now.

      A Laptop would not normally remote authenticate, except for web e.g., when on the move, so I don't see your point exactly, unless you mean that the laptop should be forced to call home to auth for OS login (useful to reduce risk damage from theft, and quite possible under Win2k). Smartcards are very useful for local access control under Win2k Workstation, standalone, which was my point. It's possible to use EFS to encrypt your data and locally install a X.509 cert locally to a machine, use that cert to authenticate your SSH sessions (hah!, finally back on topic :) and then use _without_ paying for more CAL's a neato smart card to secure _remote_ device access. Yup, there are subtle potential security flaws in that, as with any chain-of-systems but if your interest is not to move from machine to machine, and you keep an aggressive CRL for use with your SSH accounts, this idea is fairly useful, and way better than standard SSH + login and password. On a laptop especially you need every protection you can get :)

      Hope that clears up any confusion arising from my tiredness last night. If you simply want to manage X.509 and CRLs, there are many third party or free tools to accomplish this. If you're just setting out, I recommend you spend your money and time learning how the infrastructure works, then worry about implementations later. Knowledge will make you free of any ties to a particular OS, or at least save you from the worst rent charges ;) For certs, the "X.509 style Guide" (sorry no link, Google is there for you), is a fine place to start. For some Smartcard background, take a gander here, for example : http://www.citi.umich.edu/projects/smartcard/

    6. Re:What's wrong with Win2k server? by gcshaw2nd · · Score: 1

      My friend, Windows 2000 default tunneling procedure utilizes L2TP for tunneling and IPSec for encryption.

      What's the difference between MS IPSec and OpenBSD IPSec? Is not IPSec a standard?

    7. Re:What's wrong with Win2k server? by Mr.+Firewall · · Score: 1

      My friend, Windows 2000 default tunneling procedure utilizes L2TP for tunneling and IPSec for encryption.
      What's the difference between MS IPSec and OpenBSD IPSec? Is not IPSec a standard?

      To paraphrase a favorite American President, "That depends upon what the definition of 'standard' is."

      Remember that M$ also claims that the W2K version of Kerberos is "standards-compliant," yet Kerberos will only work with Win2K machines if the KDC is on a W2K server!

      And isn't L2TP only a "standard" if you're using Windows 2000 servers AND Cisco routers?

      In the case of IPSec, the problem is that the maximum key length you can use in Win2K is 56 bits. That may or may not be adequate for your needs (it is certainly NOT adequate if you're a bank, defense contractor, or a member of dozens of other industries where trade secrets are worth Billions of $$$). 56-bit keys can now be cracked in about a day by a determined, well-financed adversary.

      As I said in my original post, just be aware. It may or may not be an issue for you.

      --
      In times of universal deceit, telling the truth gets you modded -1 Troll
  37. They have the same problems... by DrCode · · Score: 2

    Last time I had a Windows problem, I did look on the net (DejaNews). What I found was that several other people had the same problem, but nobody had posted a solution.

    Maybe this was because there was no solution!

    1. Re:They have the same problems... by kevin+lyda · · Score: 2

      uh, i think they did.

      --
      US Citizen living abroad? Register to vote!
  38. OpenSSH port by Anonymous Coward · · Score: 0

    there was a small thread on ssh server for windows back in april that you can find here. a guy mentioned a OpenSSH port for windows, get it here.

  39. network simplicity by dirty · · Score: 1

    www.networksimplicity.com

    It's just OpenSSH ported using cygwin, but it's meant to be installed on machines without cygwin, and it is really easy.

    Then setup TightVNC for remote access. You can make ssh tunnel any connection so you can send VNC through ssh.

    --

    -matt
  40. winblows ssh server by Big_Horn_Dog · · Score: 1

    Try this link -
    http://www.freessh.org/windows.html

    I have been using the ssh server by Network Simplicity and it works fine.

    Horn_Dog

  41. Cygwin & TTSSH by cornice · · Score: 3, Informative

    For the server side use SSH from cygwin and for the client side I really like TTSSH as an extension to Teraterm. It also looks like there is now a TTX SSL and an SSL OTP available too. By the way, all of these have source available.

  42. Cygwin by mangu · · Score: 0, Redundant

    I'm feeling redundant today.

  43. Why not use Windows Terminal Services? by Anonymous Coward · · Score: 0

    If you are just trying to log in to a Windows 2000 machine- why not use what is built in?

    Windows Terminal Services will do a good job, and is encrypted.

    The NSA can show you how: http://nsa2.www.conxion.com/win2k/guides/w2k-19.pdf

  44. Terminal Server by Anonymous Coward · · Score: 1, Informative

    The RDP protocol is encrypted by default.

    1. Re:Terminal Server by bizitch · · Score: 0

      I totally agree - As long as you utilize the "Remote Admin" mode of terminal services and not the "Application Mode". Just poke a hole for TCP Port 3389 thru the firewall - keep a tight leash on who has "Admin" privileges - Rename the Administrator Account to something other than "administrator" (duh) and give it a decent password - and presto! Instant secure admin. M$ even makes a pretty bitchin web client for terminal services called the TSAC (Terminal Services Advanced Client) which transforms any piece of shit Windows 95 box into a 2000 client using IE 5.X or above. Don't get me wrong - I love M$ bashing as much as anyone else - but this nifty feature is pretty solid. I've scoured my fav hacker sites for exploits of Terminal Services and can't seem to find any other than a logging bug which may make it difficult to track intruders.

      --
      ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
    2. Re:Terminal Server by Anonymous Coward · · Score: 0

      Also make sure you revoke "Log on Locally" right from "Domain Users", or they can still get to the machine. Admin mode just restricts you to two sessions.

    3. Re:Terminal Server by bizitch · · Score: 0

      true - 2 sessions as well as restricted to only users belonging to the "Domain Admin" group

      --
      ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
    4. Re:Terminal Server by blowdart · · Score: 1

      Actually it's only users with local administrative rights to the box, not Domain Admins, it just so happens, of course, that if a machine is in a domain, then Domain Administrators have admin rights to every box.

  45. He said it's for a server. NOT CLIENTS. by Anonymous Coward · · Score: 0

    The clients can use putty, WinSCP (like I do to admin my Linux boxes) but the server needs sshd that is compatible with Windows Servers. I agree with the first poster, spend the cash and move on your way.

    1. Re:He said it's for a server. NOT CLIENTS. by GrenDel+Fuego · · Score: 2

      I'm guessing that your point was that there are fewer servers than clients, but you have to realise that you don't know what he does for a living.

      I personally work to support a network of thousands of Linux and Windows servers. Definitely more servers than clients owned by us.

    2. Re:He said it's for a server. NOT CLIENTS. by dameron · · Score: 0

      Uh, unless you're just planning on having it on -one- server for the fun of it, you're going to have to buy client licenses for each workstation also. That's why, if you'll look at the navigation bar in the link included in the article, they list SSH for server and for workstations.

      Or I suppose you imagine that you can use it to connect as many workstations as possible to one server?

      -dameron

  46. OpenSSH - server and client by Nailer · · Score: 2

    You can run both CMD and bash via OpenSSH on Windows with Cygwin. It works reliably, and there's quite a few useful command line utilities for the newer versions of windows (2000, XP), especially if you grab the resource kits. However, if you have the bandwidth (and hopefully you do) why not run terminal services?

  47. Where to find the Windows programmers by Carnage4Life · · Score: 5, Informative
    Disclaimer: I work for Microsoft but this post contains my opinions and does not represent some official company statement

    In my opinion the best places to find out information about Microsoft technologies and products are

    1. Newsgroups: Most microsoft technologies have a newsgroup in the microsoft.public.* hierarchy that are read not only by Microsoft employees but by dozens of regular developers who just want to help others who are having problems. I personally monitor microsoft.public.xml and microsoft.public.dotnet.xml where I answer a lot of questions and pass many of those I can't answer to the actual devs who work on the applications and APIs in question.

    2. Online Communities: There are a number of strong online communities where Windows developers congregate to share information, tips and tricks. These range from Microsoft sponsored sites like GotDotNet, ASP.NET, and Windows Forms.NET that are run by MSFT employees who participate actively in these communities to independent sites like 4 Guys from Rolla, Code Project, Dev Hood, DevelopMentor and CodeGuru

    3. Microsoft Websites: Few places beat MSDN as a source of information about Microsoft technologies. By the way, if you are into XML check out my Extreme XML column

    4. Mailing Lists: There are number of mailing lists hosted by various parties about Microsoft technologies. The ones I've seen with the most vibrance have been the DevelopMentor mailing lists and the ASP Friends lists


    PS: So this post isn't offtopic I'll add something about SSH. OpenSSH in Windows is possible if one installs Cygwin.
    1. Re:Where to find the Windows programmers by Eil · · Score: 2


      Disclaimer: I work for Microsoft but this post contains my opinions and does not represent some official company statement

      Hmm, I see this getting modded down relatively quick...

      Oh, but he plugged cygwin so it's okay. :)

    2. Re:Where to find the Windows programmers by Anonymous Coward · · Score: 0

      If you want him to reply, post your message again to the appropriate Microsoft newsgroup. That way, it will get the exposure of being read by other Microsoft employees. I don't think a Microsoft employee would feel 'comfortable' having a conversation on Slashdot. Too many Slashdroids interrupting with 'informative' comments such as 'linux= exellent!!! m$ sux!!@'


  49. A possible other alternative by Matey-O · · Score: 2

    While attending a security session put on by the SANS institute, they had a REALLY cool solution for protecting machine to machine communication in an 'unsafe' network environment.

    They used a feature of IPSEC that didn't encrypt the packets, but CRC'd them anyway. Then they configured the machines that were supposed to listen to the outside world (Business logic servers/ database servers) to punt all packets that didn't have an IPSEC crc on 'em.

    The system does the decoding at IIRC the 2nd or 3rd layer, using some very efficient code Microsoft got from Cisco. The teacher reported pounding on a laptop on a 100mbit segment with 6 other attacking computers and the laptop registered about 12% utilization while punting illegal packets.

    --
    "Draco dormiens nunquam titillandus."
    1. Re:A possible other alternative by Anonymous Coward · · Score: 0

      MS calls this feature Authentication Header or AH, you can use it in conjunction with Encapsulating Security Protocol (ESP) to provide very secure tunnels over untrusted networks. (all this and you get to choose your encryption algorithm)

      Good stuffs for windows...
      Why do people still think in terms of NT/95 when they talk about MS networking?

  50. This should be in .NET server and ported to W2K by MsGeek · · Score: 2

    Now that Microsoft has woken up to the need for improved security it is imperative that they should have SSH as an integral part of .NET Server and back-port it, Security Configurator and Analysis-style, to W2K Server and NT4 Server.

    SSH, SFTP and SCP would be wonderful tools to have. Just yank out Telnet, yank out IIS FTP Server and so forth and put this in instead. Terminal Services is fine and all but sometimes you need to do remote file transfers. The current alternatives MS provides are just not any good.

    --
    Knowledge is power. Knowledge shared is power multiplied.
    1. Re:This should be in .NET server and ported to W2K by ergo98 · · Score: 2, Insightful

      Microsoft has already provided L2TP (and its predecessor PPTP) and IPSec: It is backwards, and quite frankly quite silly, to try to program encryption into every single program when you can utilize these system features to add encryption to any and all applications (and yes you can make it mandatory if you want. In 20 seconds I can configure my system to only allow IPSec high security communications to my HTTP server).

    2. Re:This should be in .NET server and ported to W2K by GigsVT · · Score: 1

      I guess you have never heard of ssh tunneling. Yes, there is slightly more overhead, but it works just fine, and doesn't force you to use closed source fascist operating systems.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:This should be in .NET server and ported to W2K by ergo98 · · Score: 2, Informative

      SSH tunneling is basically a predecessor to IPSec (and a hackish one at that). Both IPSec and L2TP are standards, and neither are proprietary to Windows: Both are supported in Linux, or any other major operating system, as well.

  51. Networksimplicity and a cake walk by GangstaLean · · Score: 1

    I've been using Network Simplicity's Openssh package to admin several win2k servers, plus tunneling for VNC. Works ace, no complaints. One thing, VNC gets kind of fussy about connecting to localhost ports that are tunneled, it requires a little tweaking on the server (WinVNC) side to make it work (you need to add a localloopback key). There's a registry hack that allows it, details on ORL's VNC site. Tunneling Terminal Server works without any modifications.

    --
    -- Bird in the Bush: The Renewable Energy Blog http://www.birdinthebush.org
  52. In the end if you're planning on working for free, by Anonymous Coward · · Score: 0

    it's a mute point. However if you charge to support your clients then there is no problem. This could be part of the setup fee. For example, my company requires the clients buy pc anywhere and have a modem for us to dial in to do tech support related to our product. They do not have any problem with this so why you do is beyond me.

    Actually PC Anywhere is an excellent solution for windows, or VNC for that matter.

  53. IPSec by ergo98 · · Score: 1

    You possibly are approaching this problem in a "like UNIX" sort of way, however security on Windows systems depends more on all encompassing technologies like L2TP or IPSec: Take a look at IPSec. It separates encryption and payload integrity from the application, and of course works with all applications because they're unaware that it's acting as a pipe between systems. If you're concerned about performance then get yourself a NIC that offloads encryption processing. Note that your system can be configured to only allow connections to certain services if an IPSec connection has already been established: Launch an MMC console (Start/Run/mmc.exe) and add the snap-in "IP Security Policies" for the local computer and play around: The possibilities are endless.

    Next time you're at your local book store, take a look for the Microsoft training book for their exam number 70-220 : Designing Windows 2000 Network Security. Because XP is 2000 with a nice GUI it is entirely relevant.

    1. Re:IPSec by SuiteSisterMary · · Score: 2

      Yup, another classic example of 'when all you know how to use is a hammer, every problem starts to look like a nail.'

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:IPSec by Mr.+Firewall · · Score: 1

      Be aware that Micro$oft's implementation of IPSec uses weak encryption.

      --
      In times of universal deceit, telling the truth gets you modded -1 Troll
    3. Re:IPSec by Anonymous Coward · · Score: 0

      Please...
      Oh mighty Mr. Firewall, tell me how the windows implementation of IPsec is less secure than the Unucks(MIT) implementation of IPsec?

      3DES is week?

      MD5 is week?

      Diffie-Hellman is week?

      Pick... and then back your shit up with some credible linkage?

      As some have pointed out... Looks like BSD, smells like BSD - It's frigging BSD.

  54. fsecure by E.S+Taog · · Score: 1

    I've found the F-Secure products to be very good. They also have excellent documentation and tech support.

  55. OpenDirectory Says. . .. by Com2Kid · · Score: 1

    The OpenDirectory (or at least Google's listing of it) gave me a list of two SSH servers (not exactly comprehensive I admit but. . . .)

    One of which was WinSSHD which has a $95 business license.

  56. How about filesystem encryption for Linux? by treat · · Score: 2

    How about filesystem encryption for Linux? Something that works effectively, well enough that it can be used in the real world. The kernel loopback encryption would be perfect, except it breaks with each kernel release and an indefinite time must be waited for patches - and patches might make old data unreadable. Is there any practical solution?

    1. Re:How about filesystem encryption for Linux? by Verizon+Guy · · Score: 1

      You fuckers. This was a question about Windows... which has encryption built in... yet you can't keep it in... sheesh!

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

  57. Yep -- sshd configuration instructions by KMSelf · · Score: 4, Informative

    Second all of the above.

    For configuring sshd, see http://tech.erdelynet.com/cygwin-sshd.html.

    --

    What part of "gestalt" don't you understand?

    1. Re:Yep -- sshd configuration instructions by Halvard · · Score: 1

      While the instructions mentioned above, if you are clueful regarding an NT flavored MS product, you can work through the errors. Having a sshd running as a service is wonderful.

      Having a bash prompt didn't bug me in the least.

      This is by absolutely the way to go. You don't even have to install all of Cygwin to get it to work, just some select pieces.

    2. Re:Yep -- sshd configuration instructions by lobster_sew · · Score: 1

      I've just followed these instructions. Cutting a long story short, if you enable NTSEC and privilege separation (and if not, why not?) then you'll need to take one more step to get the daemon working.

      Just do:
      chown 18:18 /var/empty
      chmod 755 /var/empty

      Kudos to Christopher Snyder. Check out his posting to the mailing list for more info.

  58. I set up SSHD on winnt... by rimdo · · Score: 1

    ...by using cygwin and this very informative site.

  59. Important! by Anonymous Coward · · Score: 0
  60. Not a troll...just a suggestion by johnlcallaway · · Score: 3, Offtopic

    Our company had to set up a complete production system that was redundant and had to be administered remotely (120 miles away). That is why we went with Solaris servers and OpenSSH/VanDyke Windows client, and tossed MS for the servers out. Of course, we were fortunate enough that none of our applications had to run on a specific platform (web server, weblogic, Oracle, C++, and Java).

    Why am I telling you all this?? Not to bash MS. I ask that you look really close at your requirements and remote administration. Do they say 'I have to run on Windows??'. If not, maybe it's time to look elsewhere for solutions.

    Nothing to do with security or scalability or reliability (ok ... maybe a little) but when it came right down to brass tacks, Unix is far easier and has far more options to administer remotely than Windows. That darn command line thing where I can change any setting easily from using a 24K dialup modem is a godsend when doing remote administration.

    If you have to have a Windows solution, I saw a lot of good ones above that we use, Cygwin and VanDyke being my favorite.

    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    1. Re:Not a troll...just a suggestion by emptybody · · Score: 2

      Unless you are installing oracle.
      they dropped commandline installation and require a graphical head for the Java install. Why does everything java have to be GUI? can't there be commandline variants to a java program?

      stupid oracle.

      --
      comment directly in my journal
  61. alternative to srvany by Anonymous Coward · · Score: 0

    Here's another option in case you can't find srvany (Microsoft used to distribute it, but as of late, it seems they are trying to make it disappear).

    http://www.firedaemon.com

  62. Get the Oreilly Book by Llama+Keeper · · Score: 2

    I too am an administrator of many Windows boxen and am very security conscious. The absolute best information I have found about Windows Security was from this O'Reilly book: Securing Windows NT/2000 Servers for the Internet: A Checklist for System Administrators. I know it's primarily about creating Windows Bastion hosts, but there is an awful lot of general Windows security and remote administration information as well. Every Windows sysadmin needs to give it a read!

    --


    Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
  63. Re:Lots of Options (+1, Obvious) by Anonymous Coward · · Score: 0

    I think he's referring to server software.com

  64. stupid question.... by Emugamer · · Score: 2

    but what does ssh have over Terminal Services?

    Is it more "secure"? It seems that win2k has very little command prompt ability and most people don't even know anything other than a few basics... So I guess my question I guess is Why?

    1. Re:stupid question.... by extra88 · · Score: 2

      Win2k's command prompt is pretty good is fine, not as good as most UNIX shells, a lot better than DOS. If you're talking about non-gui apps for users, yes, there's not much there. NT and later sysadmins can and often do a lot at the command prompt. Therefore it's useful for them to have something like an SSH server. Having an SFTP server is useful for users who can't use windows file sharing, such as off-site users if there's no VPN server. I use it to move files from my Mac at home to Windows at work (no VPN client for Mac). Plus you can use SSH to tunnel other connections which lack their own encryption, like VNC.

      BTW, another vote for networksimplicity's OpenSSH installer. If you don't need CygWin for other stuff, it's the way to go, user account setup is so much easier.

  65. Of course it would by Anonymous Coward · · Score: 0

    Junior programmers and NT Sysadmins don't really understand that good developers are priceless.

    1. Re:Of course it would by Anonymous Coward · · Score: 0

      And who is talking about developers here?

  66. Either switch to a decent OS or ... by MrJerryNormandinSir · · Score: 0, Flamebait

    It's your bed you lie in it.
    It's time to dump your bloated Windows.

  67. USE GOOGLE by Perdo · · Score: 1, Offtopic

    latealy ive bean warking on teh secarity of teh few windows boxes i administar liek expee and zk stations i have had much of a problem finding decant solutions far file emale disk ancryption stuped suck pgp si no longar sealling tehlr products, ar far stupiedcard ar smartypantcardtbiomealctrric solutions besides teh limitations on key sise zoa8-bit rsaa maximum and flexability wehn it comes too ssh services far remot administration stuped windows filesharing and sfptp far file transfers i have hit a prox mine i have looked into sshhh but tehlr ssshh far winblows servers only runs on 2000 and costs ssgs and si hard too fing on kasaa i ask what solutions have /.er's fuond in teh realm of ssh netwark ancryption, and also in integrating all tehse componants simply and effectivealy

    --

    If voting were effective, it would be illegal by now.

  68. winssh by beigeboy · · Score: 1

    winssh from bitvise is your inexpensive first class sshd solution, I've used it on 2000 and XP winssh.com

  69. OpenSSH from Network Simplicity by omniplex · · Score: 1

    I see that everyone wants to use cygwin, but there is also OpenSSH for windows that's been ported by Network Simplicity, you can go and get it at http://www.networksimplicity.com/openssh/
    It's reliable, doesn't require cygwin to be installed, runs as a service on NT4/win2k. It's also command line, and I've used it with GNU CVS as well.

  70. Your Options In A Nutshell by rootmon · · Score: 0

    The Windows Way: Use terminal services and/or telnet server and require IPSec for external connections.

    The Hybrid Way: Install Cygwin from cygwin.com and use ssh, remote X, etc.

    The Free/Open Way: Install Linux, *BSD, etc, and rid yourself of M$ dependency

    The Sun Way: Spend a fortune on SPARC hardware and get Solaris, do everything in Java so when the JVM leaks and locks up it's secure from your staff and any hax0rs

    --
    "As flies to the wanton boys are we to the gods; they kill us for sport." - William Shakespeare, King Lear
  71. Stunnel, TLSWrap, SSLWrap, Safetp. by BrookHarty · · Score: 3, Interesting

    I personally use Stunnel on a few boxes, linux/windows/freebsd. It basically wraps your connection with ssl. You set it up on both servers, then connect to localhost:port and it forwards to the remote server ssl encrypted. Like ssh tunnels, but it's a stand alone program. Also very transparent to the user.

    TLSwrap is another ssl wrapper, used for ftp, but can be used for other ports.
    Safetp seems to be a popular one with the college kids. I've tested it out, and it does encrypt your session, and any ftp client will work since it encrypted the port.

    Personally, I don't want command line on windows, I want a GUI for windows. Tight VNC isn't encrypted, but you can use stunnel to take care of that. But I find remote desktop, using rdp 5.1, is fast as hell (compared to tightvnc) and is designed for windows. Very usable over a modem too.

    I Love computers and networking, 500 solutions to 1 problem.

  72. Cygwin by inkfox · · Score: 2
    Someone else mentioned Cygwin, but I thought I'd provide more data.

    You can download cygwin for free from cygwin.com. It includes both the client and the server for ssh. You can set up ssh as a service that runs even prior to login, so it's the real deal. All drives are accessible through the shell via the invisible /cygdrive/c, /cygdrive/d, etc directory. All the rest is explained on the Cygwin site. I believe commercial support for Cygwin is offered by Redhat, but it's worth noting that they have a very responsive free support list, frequented by all the major developers/porters.

    Give it a go. I think you'll be impressed.

    --
    Says the RIAA: When you EQ, you're stealing bass!
  73. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  74. Who the hell cares by Anonymous Coward · · Score: 0

    anyway...

  75. Have you tried google? by Anonymous Coward · · Score: 0

    www.google.com

    it will lead you to many sources about ssh, even reviews and evaluations..

    Slashdot: News for Nerds. Stuff that matters. Gigantic fat-asses that are so lazy they can't even use a search engine.

  76. OMG by Anonymous Coward · · Score: 0

    Do we actually allow Microsoft to post on Slashdot?

    And modded up to 5? Wow, this has been quite a day. three major software releases and a MS post modded up to 5. getting kinda cold down below, huh? :P

    1. Re:OMG by Anonymous Coward · · Score: 0
      MS post modded up to 5. getting kinda cold down below, huh?

      They're just making us more comfortable with MS, before OSDN introduce VAMS... :-)

  77. Not Legal... by jmoore2333 · · Score: 1

    The Microsoft licensing agreement for windows XP says that you cannot use other remote desktop sharing unless it's the one built into windows, and if you are looking for security, you're better off just giving someone your information and saving them 5 minutes of work.

  78. Good SSH based on Openssh Portability code... by RuneVitki · · Score: 1

    Try http://www.networksimplicity.com/openssh. Currently at 3.4p1. Works quite well actually.

  79. OpenSSH SERVER/Client for Windows - FREE by RuneVitki · · Score: 1

    Based on OpenSSH portability code, currently at 3.4p1. Look at http://www.networksimplicity.com/openssh. Comes with windows installer/uninstaller. Fairly good docs and the guy is very prompt in maintaining it. I've used it before, works quite well if you have an OpenSSH environment on the unix side (I do, and key management is a pain....)..

  80. Is still a problem with Cygwin shared memory? by Anonymous Coward · · Score: 1, Interesting

    I seem to remember a problem with the cygwin sshd was that due to the cygwin libs users didn't have partitioned memory, i.e. I could log in as "userA" and have access to the administrators/another user's memory space. This would be a BIG problem when using ssh-agent and the like (or just about any program really!)
    Has this been fixed yet?

  81. what DO you use for secure filesystem/disk? by Artifex · · Score: 2

    I've looked at BestCrypt, Scramdisk, and DiskCrypt.
    What have you found that works for you?

    --
    Get off my launchpad!
  82. Cygwin is STANDARD on my Windows systems by BitMan · · Score: 3, Informative

    As a long-time NT administrator (original NT 3.1 beta tester), no Windows system goes on my network without Cygwin. In recent years, they've added XFree86 4.x (which works flawlessly nowadays), and other goodies like OpenSSH.

    And on Win/NT versions (NT, 2K, XP), you can set up OpenSSH in full server mode which is especially sweet for automation. You can find more information on how to configure OpenSSH as a server on NT/2K/XP here.

    There is not a week that goes by without me needing something (let alone another user on our local support list) that Cygwin doesn't solve quickly and effectively. Again, that's why it's on all my Windows systems by default.

    --
    -- Bryan "TheBS" Smith
    Independent Author, Consultant and Trainer
    1. Re:Cygwin is STANDARD on my Windows systems by Verizon+Guy · · Score: 2, Insightful

      Personally, I think you're full of BS.

      --

      Aw, fuck it. Let's go bowling. - The Big Lebowski

  83. From Openssh.com by RedSynapse · · Score: 4, Informative
    The following "free" clients are recommended for interoperating with OpenSSH from Windows machines:

    • PuTTY is an SSH1+SSH2 implementation. PSCP, an scp-style program for Windows, is also available.

      PuTTY is available under the MIT licence (BSD-like).

      "PuTTY is a free implementation of Telnet and SSH for Win32 platforms, written and maintained primarily by Simon Tatham, who lives in Great Britain."

    • TTSSH (SSH1) is an SSH1-only implementation, by Robert O'Callahan.

      "TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality. TTSSH is also free to download and use and its source is available too, with an open source license. Furthermore, TTSSH has been developed entirely in Australia [...]."

    • Cygwin (POSIX software on top of Windows)

      OpenSSH (SSH1 and SSH2 protocol) with Cygwin can run on Windows using the portable version of OpenSSH.

    • MSSH

      MSSH from the Metropolitan State College of Denver supports Windows 95 and Windows 98, supporting SSH1 protocol.

    • OpenSSH for Windows

      Another OpenSSH running on top of Windows..

    • Secure iXplorer

      Secure iXplorer is graphical front end to PuTTY's pscp.exe.

    • WinSCP

      WinSCP is a scp(1) program for Windows, with PuTTY integrated into it.

    The following clients are recommended for interoperating with OpenSSH from Mac machines:

    • NiftyTelnet 1.1 SSH is an SSH1-only implementation which comes with a scp-style program. Written by Jonas Wallden.

      "NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol. Please read the included Readme file before distributing this version."

    • MacSSH is an SSH2-only implementation.

      "MacSSH is a modified version of BetterTelnet with SSH2 support. [...] The only SSH2 client for MacOS that I could find is a commercial product thats costs more than $100, and it crashes my Mac when closing a session... Since it's best to do things by oneself, here's MacSSH."

    1. Re:From Openssh.com by L1nUx+h4x0r · · Score: 0

      Maybe if you read that he wanted a server, not a client, this would be useful.

      --
      The GPL makes software more like your mom. Free and open to all.
    2. Re:From Openssh.com by RedSynapse · · Score: 2

      OpenSSH for Windows includes ssh, scp, and sftp servers for Win XP, NT, and 2000.

  84. Re:In the end if you're planning on working for fr by Anonymous Coward · · Score: 0

    mute? moot is more like it

  85. SSH has much greater functionality than IPSEC. by kcurrie · · Score: 2, Informative

    The problem with using things like IPSEC is that you need IPSEC servers which are your choke points, unless you want to have a configuration nightmare and manage thousands of independent IPSEC configs on thousands of machines-- totally not practical. SSH gives you many handy things like X forwarding/arbitrary port forwarding, the ability to load a password into memory (via ssh-agent) and use it for automatic, passwordless authentication, file transfers (both with things like scp and sftp, and it can be used for a transport agent for things like rsync/unison, etc). It's easier to poke a SINGLE hole through a firewall on any port you want, with no compatibility issues. Built in (variable) compression, very handy for speeding up your X sessions, as well as things like IMAP/POP mail transfers, etc. Using something like IPSEC, how can you say "I want to compress all IMAP and POP mail to hostA, but not web traffic on hostA, and I want X compressed to hostB, but not to hostC?" All of these things are easy to do with SSH.
    With SSH I can use one standard protocol/app set that will run on everything from cell phones to PDAs to huge servers, running all kinds of OS's, generally at little to no cost. Show me an IPSEC solution that can do that. SSH requires no kernel mods, or even anything that must be installed as a root/administrator on any platform. The code is open, and free for you to mod as well. If you must have VPN type functionality you CAN do things like PPP over SSH if you must, although this isn't the highest performing option, it is possible.
    The one thing SSH *IS* missing is the ability to forward UDP traffic.

    --
    -- I speak only for myself.
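The per-service choices described in comment 85 above, written as an OpenSSH client configuration; this is an added example, not part of the original comment, and hostA, hostB, hostC and the local port numbers are placeholders. Because OpenSSH applies compression to a whole connection rather than to a single forwarded port, mail and web traffic to the same host use two aliases and therefore two connections.

```sshconfig
# Added example (constructed). hostA, hostB, hostC and all local ports
# are placeholders, not values from the thread.
# ssh_config uses the first value found for each option, so the specific
# Host blocks come first and the catch-all defaults come last.

# Mail to hostA: compressed. IMAP and POP3 are reached via loopback ports.
Host hostA-mail
    HostName hostA
    Compression yes
    LocalForward 127.0.0.1:1143 localhost:143
    LocalForward 127.0.0.1:1110 localhost:110
    ExitOnForwardFailure yes

# Web traffic to the same hostA: a separate connection, not compressed.
Host hostA-web
    HostName hostA
    Compression no
    LocalForward 127.0.0.1:8080 localhost:80
    ExitOnForwardFailure yes

# X11 applications on hostB: forwarded and compressed.
Host hostB
    ForwardX11 yes
    Compression yes

# X11 applications on hostC: forwarded, not compressed.
Host hostC
    ForwardX11 yes
    Compression no

# Defaults for every other host: nothing is forwarded unless a block
# above asks for it.
Host *
    ForwardX11 no
    ForwardAgent no
    Compression no
```

Running `ssh -N hostA-mail` opens the compressed mail tunnel without starting a remote shell; the mail client then connects to 127.0.0.1:1143 (IMAP) or 127.0.0.1:1110 (POP3).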
    1. Re:SSH has much greater functionality than IPSEC. by ergo98 · · Score: 1

      The problem with using things like IPSEC is that you need IPSEC servers which are your choke points, unless you want to have a configuration nightmare and manage thousands of independent IPSEC configs on thousands of machine

      I really don't see how either SSH or IPSec is different in this regard, unless you're claiming that instead you run SSH on every machine (just as I could run IPSec on every machine, and of course firewall wise they'd be identical: You open port 22 TCP to everyone, and I'd open port 500 UDP to everyone. Of course actually doing that would be insanity, but regardless). Personally I prefer IPSec to be on for all communications throughout the entire organization (versus just "from the Internet in". I'd do that via a L2TP VPN server). As far as "thousands of independent IPSec configs": In the Windows world this is a group policy, and can be applied to an entire domain in minutes. With literally a minimal amount of effort you can have every system communication, intranet/LAN or internet, via secure IPSec tunnels (for every application, and without any user interventions or even knowledge).

      I'm not sure what exactly you mean regarding cell phones, etc: Again, IPSec and L2TP are as big or bigger of standards than SSH.

      It's easier to poke a SINGLE hole through a firewall on any port you want, with no compatibility issues.

      IPSec to DMZ machines is a simple "Pass in UDP port 500 to my DMZ netmask". Again, IPSec isn't some esoteric, proprietary fringe standard: It is highly deployed (BTW: PGP adds IPSec to pre Windows 2000 machines if you choose that option) and heavily supported.

      Regarding compression, authentication, etc: These are all separate elements of the communications layers, and personally I don't LIKE to see them all slammed together in some emacs type "cater to everyone" combination.

    2. Re:SSH has much greater functionality than IPSEC. by kcurrie · · Score: 2, Interesting

      > Personally I prefer IPSec to be on for all communications throughout the entire organization (versus just "from the Internet in". I'd do that via a L2TP VPN server).

      I too would agree with this statement-- in an ideal world with mixed platforms (Solaris, Linux, Windows, HPUX) IPSEC everywhere would be ideal, I just fear that cross platform management would be a nightmare. One of the most attractive aspects of using IPSEC is as you mention, that you can do all of this without your users even being aware of it, and no tool changes are required.
      I'm speaking out of my ass in a certain respect, as I haven't configured IPSEC on a mass scale for multiple platforms (but I have with SSH), but I'm not aware of any multiplatform (as mentioned above, all of them, not just a couple) IPSEC products where changes can be easily made by one person on one platform. Again, these may exist, and if you know of any, I'd be interested in hearing about them.

      Of course I understand that IPSEC is fully documented and heavily deployed (I work at a company that makes many IPSEC products), I was just speaking about the ease of ssh implementation and light weight of the required apps. I'm not aware of any Java or

      Regarding compression, authentication, etc: These are all separate elements of the communications layers, and personally I don't LIKE to see them all slammed together in some emacs type "cater to everyone" combination.

      It's all about what you want to use it for. Even in an all IPSEC environment, SSH is still very useful ON TOP of it all for things like transparent X forwarding between machines (no more setting your $DISPLAY), authentication, etc.

      As I mentioned, I wouldn't use SSH for a VPN, although I specifically DO use SSH instead of a VPN for telecommuting-- and I work from home 4 days a week.

      --
      -- I speak only for myself.
    3. Re:SSH has much greater functionality than IPSEC. by Zeinfeld · · Score: 2
      It is amazing how the clue density in this thread appears to be minimal.

      IPSEC is an IETF standard, always has been. The standard has some problems, requiring servers that become bottlenecks is not one of them. IPSEC is peer to peer, always has been.

      SSH began as an attempt to run Telnet over SSL, back in the very early days. Then they discovered that there were problems with that approach and the SSH protocol is now an application level security protocol while SSL is transport layer and IPSEC packet layer.

      The big problem with IPSEC is that it is designed to be peer to peer and is not designed to support the VPN application as its primary objective. As a result it is sub-optimal as a VPN, but hardly sub-optimal enough to go to the hassle of installing something else. Certainly there is not going to be much advantage in running compressed X-Windows sessions off a Windows box...

      PPTP is a legacy protocol built in the days when the export controls limited crypto to 40 bits. In those days a lot of broken protocols got developed, there was little point in paying someone competent huge bucks ($5K a day) to design the protocol if you knew it was going to be broken by law. The early versions of SSL were not much better. Ever heard of SSLv1? It was broken at MIT before Marc Andreessen had finished explaining it, he spent the rest of the meeting trying to call up his security guru on his cell phone.

      The big problem with EFS, as with many Microsoft crypto products is that they don't give enough info on what it does and does not secure. Most people who use it don't even know that they have to export the master escrow certificate keys off the machine in order to get any security from it.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    4. Re:SSH has much greater functionality than IPSEC. by ergo98 · · Score: 2

      It is amazing how the clue density in this thread appears to be minimal.

      As a participant in this thread, let me say that it's even more amazing how much of a self-righteous dickhead you are, especially considering the fact that you posted a method absolutely void of any useful facts, nor even relating to the conversation that was being had.

      Piece of advice: The next time you feel the urge to show your self-promoted superiority, add something useful or at least relevant to the conversation.

    5. Re:SSH has much greater functionality than IPSEC. by Zeinfeld · · Score: 2
      As a participant in this thread, let me say that it's even more amazing how much of a self-righteous dickhead you are, especially considering the fact that you posted a method absolutely void of any useful facts, nor even relating to the conversation that was being had.

      I thought it was fairly relevant to the conversation to point out that on a Windows box the ability to compress X-Windows sessions was not going to be the first feature most users would be demanding. Equally if you are going to flame Microsoft over PPTP then you should also point out that many non-Microsoft protocols have come out with serious problems.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  86. Bitvise WinSSHD by blowdart · · Score: 2

    I use Bitvise WinSSHD.

    Aside from dropping you straight to the Win2k command prompt, it has

    • Secure remote access via console (vt100, xterm and bvterm supported)
    • Secure remote access via GUI (WinVNC or XP Remote Desktop required)
    • Secure file transfer using SFTP and SCP (compatible with all major clients)
    • Secure TCP/IP connection tunneling (port forwarding)
  87. File and disk encryption program: BestCrypt by MoFoQ · · Score: 1

    BestCrypt has been around for quite some time. Some years ago, they also had a hardware version (the hardware helped speed things up). It's just like PGPDisk but with more features and it's the original. http://www.jetico.com They even have a Linux version. One of the few things I wished they add is the ability for ppl to write algorithms for it without a compiler (via a scripting language) though it'll take a performance hit.

  88. Re:In the end if you're planning on working for fr by Anonymous Coward · · Score: 0

    Man, it's really pitiful how much trouble people go through to use proprietary software. All this worrying about the number of clients allowed to connect to the server software, paying the license fees accordingly, all just to access some lame proprietary OS-- that they had to pay for as well.

  89. Help with windows programming: the shareware way by Anonymous Coward · · Score: 0

    I will help you with your questions, but: if you continue using any of my answers in your projects past the initial 30 days, you have to pay me a registration fee of $20! :P

  90. An old Dick Van Dyke joke by Anonymous Coward · · Score: 0

    Didn't they used to be called VonLesbian?

  91. SFTP by goofy183 · · Score: 1

    Serv-U http://www.serv-u.com/ has completely re-worked their FTP server and has SFTP options available. FlashFXP http://www.flashfxp.com has V2RC1 of their FTP client out which supports SFTP. I've played with both and they work very well and offer 128 bit SSL encryption for both data and control connections.

  92. Linux or BSD with SSH, Xforward, Rdesktop by rliebsch · · Score: 1

    So, I don't put Windows on the internet. Who does? So, have a Linux box which DOES NOT route and is locked down to the best of your ability. Run SSH and let it do X11 forwarding. Install rdesktop on the Linux box. SSH to your host, rdesktop to your Windows server. I do this over dialup, various DSL, through VPN, beautiful and simple.

    --
    Robert Liebsch Systems Psychiatrist, Network Sociologist, Security Criminologist
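The jump-host layout described in the comment above, as an added example that is not part of the original post: a shell audit of the two properties it names (the box does not route, and sshd allows X11 forwarding). The `AllowTcpForwarding` and `PermitRootLogin` checks are assumptions about what "locked down" should include, all function names are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Print the effective global value of an sshd_config keyword. sshd uses the
# FIRST occurrence of a keyword, and keywords are case-insensitive.
effective() {  # usage: effective <keyword> <sshd_config> <default-if-absent>
    awk -v k="$1" -v d="$3" '
        { sub(/#.*/, "") }                    # drop comments
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }
    ' "$2"
}

check() {  # usage: check <label> <actual> <wanted>
    if [ "$2" = "$3" ]; then echo "PASS $1=$2"; else echo "FAIL $1=$2 (want $3)"; fi
}

audit_bastion() {  # usage: audit_bastion <sshd_config> <ip_forward file>
    # "DOES NOT route": the kernel must not forward IPv4 packets.
    check ip_forward "$(cat "$2")" 0
    # rdesktop runs on the jump host and displays over forwarded X11.
    check X11Forwarding "$(effective X11Forwarding "$1" no)" yes
    # Assumption: rdesktop runs locally, so ssh -L/-R relaying is not needed;
    # left on (the default), the box still relays TCP for any logged-in user.
    check AllowTcpForwarding "$(effective AllowTcpForwarding "$1" yes)" no
    # Assumption: administrators log in as themselves, not as root.
    check PermitRootLogin "$(effective PermitRootLogin "$1" unset)" no
}

sample_sshd_config() {  # constructed sample, not taken from the thread
cat <<'EOF'
# constructed sample
Protocol 2
PermitRootLogin no
X11Forwarding yes
x11forwarding no
EOF
}

# Demo on the sample; on a real Linux jump host use
#   audit_bastion /etc/ssh/sshd_config /proc/sys/net/ipv4/ip_forward
d=$(mktemp -d); sample_sshd_config > "$d/sshd_config"; echo 0 > "$d/ip_forward"
audit_bastion "$d/sshd_config" "$d/ip_forward"; rm -rf "$d"
```

In the sample, the later `x11forwarding no` is ignored because the first occurrence wins, and the missing `AllowTcpForwarding` line is reported because the default is `yes`.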
  93. Win2K security by Mr.+Firewall · · Score: 2, Funny

    You might want to take the one-day class on securing Windows 2000 currently being run in various cities by the SANS Institute or you won't have to worry about having secure remote access to your server(s) -- someone else will.

    It won't help to have the best encryption in the world securing your front door to a system that has 120 vulnerabilities in the default install!

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  94. It's easy with an SSH tunnel by Supp0rtLinux · · Score: 2, Informative

    I had a similar issue. My solution was to host all shared files on a Linux server running Samba. I then set up SSH tunnels for the WINS/NetBIOS ports. Windows clients didn't know it was secure, but I did. Most Windows clients wouldn't know if their stuff was secure or not anyways...
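An added example, not part of the comment above: a check of the client-side `LocalForward` lines that such a tunnel setup relies on. It flags listeners bound beyond loopback and forwards aimed at NetBIOS ports 137/138, whose traffic is normally UDP and is not carried by SSH port forwarding. The host name, ports and function names are constructed.

```shell
#!/bin/sh
# Audit LocalForward entries in an OpenSSH client config ("Keyword value" form).
# Prints one line per finding: OK / WARN / FAIL, the Host block, the forward.
audit_forwards() {  # usage: audit_forwards <ssh_config>
    awk '
    function is_loopback(a) {
        return a == "localhost" || a == "[::1]" || a ~ /^127\./
    }
    { sub(/#.*/, "") }                                   # drop comments
    tolower($1) == "host" { host = $2; next }
    tolower($1) == "gatewayports" && tolower($2) == "yes" {
        print "FAIL " host " GatewayPorts yes: forwards without a bind address listen on all interfaces"
        next
    }
    tolower($1) == "localforward" && NF >= 3 {
        # $2 is [bind_address:]port, $3 is host:hostport
        n = split($2, l, ":")
        bind = substr($2, 1, length($2) - length(l[n]) - 1)
        m = split($3, d, ":"); dport = d[m]
        fwd = host " " $2 "->" $3
        if (n > 1 && !is_loopback(bind))                 # "*", "", or a LAN address
            print "FAIL " fwd ": listener reachable from other hosts"
        else if (dport == "137" || dport == "138")
            print "WARN " fwd ": NetBIOS name/datagram traffic is normally UDP; ssh forwards TCP only"
        else
            print "OK " fwd
    }
    ' "$1"
}

sample_config() {  # constructed sample, not taken from the thread
cat <<'EOF'
Host fileserver                 # constructed sample
    HostName samba.example.internal
    LocalForward 127.0.0.1:1139 localhost:139
    LocalForward *:1445 localhost:445
    LocalForward 1137 localhost:137
EOF
}

# Demo: audit the constructed sample
cfg=$(mktemp); sample_config > "$cfg"; audit_forwards "$cfg"; rm -f "$cfg"
```

A forward whose listener is bound to `*` hands the cleartext entrance of the tunnel to every host that can reach the client, so only the SSH hop is protected.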

  95. Do what I did... by pjt48108 · · Score: 1

    ...and replace Win2k with Linux.

    OK, granted this was on my home PC, but still, why buy an expensive knock-off of what u can get for cheap?

    When it comes down to it, everyone is wedded to windows for some damn reasons, but usually, if you can convince the Powers That Be to let you do the research, you can prolly plan towards replacing such services with open-source solutions.

    Sure, you can't walk into CompUSA or Best Buy to buy them, but why be like all the other lemmings???? Lately, my guiding philosophy has been to face the damn cliff and simply refuse to leap off it.

    The last lemming standing and staring down at the wrecked bodies of his brethren gets the gold.

    Or, in the case of Linux, the herring. ;-)

    --
    Mmmmmm... Bold, yet refreshing!
  96. EFS doesn't encrypt file names! by GekkePrutser · · Score: 1
    Why do you choose not to use the EFS capabilities of Windows, which, to my knowledge, are very secure and transparent to the user (provided (s)he has permission to decrypt).

    Well, as I recently found out, the Encrypted File System in Windows 2000 doesn't encrypt the file names. So if you want to use it to hide things like pr0n pictures or something, you're fucked :-)

    Anyone who uses the brilliant NTFSDOS tool can access the encrypted directories and list all the file names, which in the above example would be things like 'bigtit001.jpg'. In that case the encrypted content doesn't need to be known to inflict damage, the filename is enough to piss off your boss/wife/whatever ;-)

    Of course, NTFSDOS is incapable of showing the contents of the files.

  97. Addition: EFS doesn't encrypt file names! by GekkePrutser · · Score: 1
    Of course, NTFSDOS is incapable of showing the contents of the files.

    With this I meant that NTFSDOS can not open encrypted files, normal unencrypted files on NTFS work fine, of course. Also, the link for this program is here.

    GekkePrutser

  98. how about WinSSHD ? by BuR4N · · Score: 1

    http://www.bitvise.com has a great SSH (2) server.

    --
    http://www.intellipool.se/ - Intellipool Network Monitor
  99. Warning about Cygwin! by Ed+Avis · · Score: 3
    From the Cygwin FAQ:
    Cygwin is not secure in a multi-user environment. For example if you have a long running daemon such as "inetd" running as admin while ordinary users are logged in, or if you have a user logged in remotely while another user is logged into the console, one cygwin client can trick another into running code for it. In this way one user may gain the privilege of another cygwin program running on the machine. This is because cygwin has shared state that is accessible by all processes.
    This means that Cygwin is not suitable for running an ssh daemon unless you're sure that only one person will use the machine, or you're happy for all the users to have the same privileges.
    --
    -- Ed Avis ed@membled.com
  100. Bitvise WinSSHD by scratchor · · Score: 1

    Try out WinSSHD from Bitvise.

    I've had very good experiences with this one, and it's got a 30 day evaluation program.

    --
    -- debian linux - vim powered
  101. oxy? by loconet · · Score: 1, Flamebait

    Secure * Windows ? is that not an Oxymoron?

    --
    [alk]
    1. Re:oxy? by Anonymous Coward · · Score: 0

      hahahahaha. MICROSOFT WORKS! hahahahahahaHAHAHA! no. try again fag.

  102. It's built in... by Anonymous Coward · · Score: 0


    All of the features you want are built-in on W2K Server. So long as your server is talking to another W2K or XP box, there's no need for openssh.

    Just use secedit.exe or the group policy mmc plug-in to setup the IPSec features on your machine. It really isn't that difficult and you can have 3DES encrypted sessions between all of your machines.

    If you can get someone to pay for it, I'd strongly recommend a trip to a SANS conference. Track 5 is all about W2k (or maybe it's .net, now) security and there's a LOT of information presented there that's sparsely covered in (almost) ANY book.

  103. This should be a USENET post, not slashdot! by Anonymous Coward · · Score: 1, Insightful

    You know, beginner technical questions like this should be posted to comp.security.ssh or something. Not on a giant billboard like slashdot.

  104. Cygwin instructions by rwa2 · · Score: 3, Insightful
    As mentioned before, getting up and running with Cygwin is a snap! Here are your easy instructions:
    • Go to the cygwin site and click on the "install now" box on the side of the screen. Run the setup.exe program off the site (don't bother to save it somewhere, it gets updated almost weekly).
    • Tell it to install from the internet. Choose a mirror. It'll download a list of packages. Choose the Net | OpenSsh package. If you want to run the server, you might also want to choose everything in the Admin section. I also find Net | rsync more useful than the scp that comes with openssh.
    • Once the install is complete, fire it up and run ssh-host-config to set up the server. It'll ask you a bunch of simple questions, generate your hostkey, and stick the server in the startup scripts.
    With just this, the whole install takes about 32MB.
    Enjoy!
  105. OpenSSH For Windows by DougReed · · Score: 2, Insightful

    OpenSSH For Windows is what I use. It works pretty well. The Server only works on NT/2000 I think, but the client works on everything.

    http://www.networksimplicity.com/openssh/

  106. pull your head out by Anonymous Coward · · Score: 0

    administer ?? You are just now looking into SSH? Were you hired today? Get a clue.

  107. Obvious answer... by oPless · · Score: 1, Flamebait

    FDISK ... install linux/*bsd :-)

  108. WinSSHD from www.bitvise.com by Elphin · · Score: 1

    WinSSHD from http://www.bitvise.com is pretty inexpensive (cheaper than VShell) and works flawlessly for me.

  109. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  110. Admin Interface by ThePlumber2 · · Score: 1

    I have built an online web portal for just these things (In perl). BTW, for Windbloze, use cygwin.

    It is an administrative interface that lets you enter the name or ip of an ssh server, a username, and password. From there, you login and it gives you a directory listing of the home dir of the user (on the remote system) via a web based file manager. It has editing capabilities, delete, copy, archive, mail, etc, etc, etc, and runs without any java, javascript, frames, or cookies. Just straight HTML 3.0.....

    It's really great, but I have not finished it yet, the major parts are done, but I don't want to let it out till it's 100%.

    Also, it has a webterm that I made, and will let you travel the tree easily (in file view mode). It will be up in a couple of months and I will post it on freshmeat.net

    The site that hosts most of my stuff is

    http://www.fixyoursink.net

    One of the coolest web apps that I have made is popdot. It's an emailer that was built off of ATDOT, and is a simple emailer front end for your Apache web server. You specify the pop server and your pop users can login and check mail, send mail, send attachments etc etc... All of this once again without java junk or any of the other "web pitfalls" that the major corps have "devised".

    Peace.

    --
    Thanks, Steve
  111. SSH for windows by Anonymous Coward · · Score: 0

    I use http://www.networksimplicity.com
    It is based on openssh compiled for winblows

  112. RemotelyAnywhere by Marton · · Score: 1

    ...at remotelyanywhere.com is dirt-cheap compared to others, does not rely on the cygwin junk, and provides a full ssh1/ssh2/sftp implementation as well as a bunch of other admin stuff.