Security Basics mailing list archives

Re: Restricting SSH in windows


From: John Pettitt <jpp () cloudview com>
Date: Mon, 14 Feb 2005 12:33:00 -0800



Brian T wrote:

I have a situation where a vendor is SSHing into a Windows box on our internal network that is connected to the console of a system that he needs to support. In an effort to restrict the vendor's access to our network, we disconnect the network connection of the supported system during maintenance procedures. There is, however, still the issue of the vendor having unrestricted shell access to the Windows box. The SSH server is using Cygwin and OpenSSH v3.5p1. I would like to restrict the commands the vendor is allowed to execute (in this case only ftp and telnet). All research I have conducted so far has not given me anything useful for Windows. Does anyone have any experience in a situation such as this?

Thanks,
Brian T


Fundamentally, whatever you do (even switching to a Linux live CD) won't solve the basic problem. Once you let somebody you don't trust have shell access to a box, you can no longer trust the box. This is why they invented firewalls; the only secure solution is to put the now untrusted box on its own DMZ network segment and to control what access rights it has from the firewall side. Trying to sandbox a user who has command line access, ftp and telnet is a lost cause, particularly on Windows.

John


