Overview
This article explains how to install and configure OpenSSH Server on Windows Server, including key-based authentication, service setup, and firewall configuration.
Variable Reference
| Variable | Example | Description |
|---|---|---|
| <<SERVER>> | 192.168.1.10 | Target hostname or IP address for SSH connection |
Step 1: Install OpenSSH Server
Open PowerShell with administrator privileges and execute:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Step 2: Start and Enable SSH Service
After installation, start the sshd service and enable automatic startup:
# Start the service
Start-Service sshd
# Enable automatic startup
Set-Service -Name sshd -StartupType Automatic
💡 Note
When sshd is started for the first time, initial configuration files and host keys are automatically generated:
- %ProgramData%\ssh\sshd_config (Configuration file)
- %ProgramData%\ssh\ssh_host_* (Host keys)
Edit these files only after they have been created.
Step 3: Configure the Firewall
Allow inbound SSH traffic (default port 22) through Windows Defender Firewall:
New-NetFirewallRule -Name "OpenSSH-Server" -DisplayName "OpenSSH Server (sshd)" `
-Enabled True -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
Step 4: Configure Key-Based Authentication (Recommended)
- Add the public key to the appropriate authorized_keys file:
  - For standard users: place it in C:\Users\<User>\.ssh\authorized_keys.
  - For Administrators: use %ProgramData%\ssh\administrators_authorized_keys.
- On the server, edit sshd_config (typically located at %ProgramData%\ssh\sshd_config) and confirm or add the following lines:
  PubkeyAuthentication yes
  AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
Step 5: First Connection and Verification
Connect from the client using:
ssh Administrator@<<SERVER>>
The first connection will prompt you to confirm the host key.
Once logged in, run whoami to confirm that the expected user is connected.
Step 6: Restrictions and Security Hardening
Enhance security by updating the sshd_config file with the following settings:
Port 2222
AllowGroups SSHAdmins
AllowUsers Administrator deployuser
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Explanation
- Port 2222
  Changing from the default port 22 reduces the risk of automated attacks.
- AllowGroups SSHAdmins
  Restricts SSH access to a specific group, minimizing unauthorized access.
  ⚠️ Note: From Windows Server 2025 onward, SSH group-based restrictions are applied by default. Some localized environments may have issues with the built-in "OpenSSH Users" group.
- AllowUsers Administrator deployuser
  Restricts SSH access to designated user accounts.
- PasswordAuthentication no
  Disables password-based authentication for improved security.
- KbdInteractiveAuthentication no
  Disables keyboard-interactive authentication to limit attack surfaces.
- PubkeyAuthentication yes
  Ensures key-based authentication is enabled for secure access.
Ensure that the SSHAdmins group and deployuser account exist and have minimal privileges.
Set LogLevel VERBOSE to improve audit logging and connection visibility.
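An added example (not part of the original article): a PowerShell check that parses the global section of an sshd_config and compares it with the Step 6 settings. The function names and the sample configuration are constructed for illustration; the check flags a keyword when any occurrence differs from the expected value, which is deliberately stricter than sshd's own parsing.

```powershell
# Added example. $Expected mirrors the Step 6 settings; $sample below is constructed.
$Expected = [ordered]@{
    Port                         = '2222'
    AllowGroups                  = 'SSHAdmins'
    AllowUsers                   = 'Administrator deployuser'
    PasswordAuthentication       = 'no'
    KbdInteractiveAuthentication = 'no'
    PubkeyAuthentication         = 'yes'
}

function Get-SshdGlobalSetting {
    param([string[]]$Lines)
    $found = @{}                                  # hashtable keys are case-insensitive
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if (-not $text -or $text.StartsWith('#')) { continue }
        $keyword, $value = $text -split '\s+', 2
        if ($keyword -ieq 'Match') { break }      # lines after Match apply conditionally
        if (-not $found.ContainsKey($keyword)) { $found[$keyword] = @() }
        $found[$keyword] += ($value -replace '\s+', ' ')
    }
    $found
}

function Test-SshdHardening {
    param([string[]]$Lines)
    $actual = Get-SshdGlobalSetting -Lines $Lines
    foreach ($key in $Expected.Keys) {
        if (-not $actual.ContainsKey($key)) {
            $seen = '(not set, sshd default applies)'; $status = 'MISSING'
        } else {
            # Flag the keyword if any occurrence differs, e.g. a leftover "Port 22"
            $seen = $actual[$key] -join ' | '
            $bad = @($actual[$key] | Where-Object { $_ -ine $Expected[$key] })
            $status = if ($bad.Count) { 'MISMATCH' } else { 'OK' }
        }
        [pscustomobject]@{ Keyword = $key; Expected = $Expected[$key]; Actual = $seen; Status = $status }
    }
}

$sample = @'
# constructed sample, not a real server's configuration
Port 22
Port 2222
PubkeyAuthentication yes
PasswordAuthentication yes
AllowGroups SSHAdmins
'@ -split "`r?`n"
Test-SshdHardening -Lines $sample | Format-Table -AutoSize
```

To audit a live server, pass `(Get-Content "$env:ProgramData\ssh\sshd_config")` as `-Lines`. Restart the service with `Restart-Service sshd` after editing the file, and note that the Step 3 firewall rule allows only port 22, so `Port 2222` needs a matching rule.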
Step 7: Check SSH Logs
To view recent SSH event logs in PowerShell:
Get-WinEvent -LogName OpenSSH/Operational `
| Where-Object { $_.TimeCreated -ge (Get-Date).AddHours(-1) } `
| Select-Object TimeCreated, Id, LevelDisplayName, Message
💡 Tip
To verify available log names:
wevtutil el | findstr OpenSSH
Use the displayed name for the -LogName parameter.
Conclusion
By setting up OpenSSH Server on Windows Server, you can achieve Linux-like SSH management and secure remote administration.
Proper configuration of key authentication, service behavior, and firewall rules ensures a reliable and hardened remote access environment.
