Security Basics mailing list archives

Re: Restricting SSH in windows


From: Daniel Miessler <daniel () dmiessler com>
Date: Sun, 13 Feb 2005 12:43:11 -0500


On Feb 11, 2005, at 11:37 AM, Brian T wrote:

I have a situation where a vendor is SSHing into a Windows box on our internal network that is connected to the console of a system that he needs to support. In an effort to restrict the vendor's access to our network we disconnect the network connection of the supported system during maintenance procedures. There is, however, still the issue of the vendor having unrestricted shell access to the Windows box. The ssh server is using Cygwin and OpenSSH v3.5p1. I would like to restrict the commands the vendor is allowed to execute (in this case only ftp and telnet). All research I have conducted so far has not given me anything useful for Windows. Does anyone have any experience in a situation such as this?

At first glance, I don't see how you could do this. My first idea would be to give them a very limited user account (in Active Directory or locally) that will limit their ability to do damage to the host itself; with proper NTFS permissions in place, you can gain a *decent* amount of protection by doing this.

It's not ideal, but it's something to do if you're forced to give them a shell and you have no other solution.

Regards,

-Daniel R. Miessler
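
Added example, not part of the original message or of either poster's setup: a forced-command wrapper that allows only the two clients named in the question. It assumes the installed sshd honours a command="..." prefix on the vendor's key in authorized_keys and passes the client's request in SSH_ORIGINAL_COMMAND; the script path and the sample hosts are hypothetical.

```shell
#!/bin/sh
# Assumed wiring: the vendor's authorized_keys entry starts with
#   command="/usr/local/bin/vendor-gate.sh"   (hypothetical path)
# so sshd runs this script instead of a login shell.
LC_ALL=C; export LC_ALL          # keep the A-Z / a-z ranges ASCII-only
ALLOWED="ftp telnet"

# vendor_check REQUEST: succeed only for "<ftp|telnet> [host [port]]".
vendor_check() {
    set -f                       # no filename expansion while splitting
    set -- $1                    # split the request on whitespace
    set +f
    [ $# -ge 1 ] && [ $# -le 3 ] || return 1
    for w in "$@"; do
        case $w in
            -*|*[!A-Za-z0-9.-]*) return 1 ;;  # no options, paths, metacharacters
        esac
    done
    for ok in $ALLOWED; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# vendor_dispatch: what the installed script calls as its last line.
vendor_dispatch() {
    if vendor_check "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        exec "$@"                # run the client directly, never via a shell
    fi
    echo "denied: only ftp and telnet are permitted" >&2
    return 1
}

# Constructed sample requests, to show the decisions offline.
for sample in "ftp 192.0.2.10" "telnet console.example 23" \
              "cmd.exe" "/bin/sh" "telnet -l admin console.example"; do
    if vendor_check "$sample"; then
        echo "ALLOW  $sample"
    else
        echo "DENY   $sample"
    fi
done
```

The wrapper only decides which program is launched; the limited account and NTFS permissions recommended above still bound what that program can reach once it is running.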

