There's no SSH in Windows, so IPsec would be your choice if you don't want
to add third-party SSH.
On the server, create an IPsec policy with this rule:
filter list: from any-ip:any-port to my-ip:21/tcp
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn
On the clients, create an IPsec policy with this rule:
filter list: from my-ip:any-port to server-ip:21/tcp
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn
This will protect the authentication, but it won't protect data transfer.
If you do want to protect data transfer, add this rule to the server:
filter list: from my-ip:20/tcp to any-ip:any-port
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn
And add this rule to the clients:
filter list: from server-ip:20/tcp to my-ip:any-port
filter action: negotiate security, encryption and integrity
rule: no tunnel, all connections, preshared key authn
Note that this will encrypt only port mode file transfers. If the client
requests passive mode, the transfer will be cleartext (but the authentication
is still encrypted). Passive mode is difficult to encrypt; the server can
choose any random high port it wants to for the data transfer. That means
you'd need this additional filter list on the server:
filter list: from any-ip:any-port to my-ip:any-port (PASV mode)
But see what that does? It requires *any* connection from *anywhere* to use
IPsec!
Steve Riley
(e-mail address removed)
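The four filter lists above, as an added example that is not part of Steve Riley's post, expressed with the NetSecurity cmdlets (Windows 8 / Server 2012 and later) that replaced the IPsec Policy snap-in he is describing. The server address, preshared key and rule display names are placeholders. One mapping note: a connection security rule is matched per TCP connection, so a single rule covers both directions; the post's "from X to Y" pairs become -LocalPort/-RemotePort, and "my-ip" becomes -LocalAddress Any on the machine the rule runs on. Run in an elevated PowerShell with -Role Server on the FTP server and -Role Client on each client; add -ProtectData to also cover active-mode (PORT) transfers.

```powershell
# Added example (not from the original post): the post's IPsec filter lists as
# Windows Firewall connection security rules. All names and values below are
# assumptions; change them for your network.
param(
    [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Role,
    [string] $ServerIp = '192.0.2.10',                  # assumed FTP server address (TEST-NET-1)
    [string] $Psk      = 'replace-with-a-long-random-preshared-key',
    [switch] $ProtectData                               # also add the port-20 (PORT-mode data) rule
)

# "preshared key authn": IKE main-mode authentication with a machine PSK.
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet      = New-NetIPsecPhase1AuthSet -DisplayName 'FTP-IPsec-PSK' -Proposal $authProposal

# "negotiate security, encryption and integrity": ESP with AES and SHA-256,
# so a proposal with integrity only (AH, or ESP with null encryption) is never offered.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName 'FTP-IPsec-ESP' -Proposal $qmProposal

# Settings shared by every rule: "no tunnel" = transport mode, "all connections" =
# every profile and interface type. Require (not Request) means a peer that
# cannot do IPsec is refused instead of silently falling back to cleartext.
$common = @{
    Mode               = 'Transport'
    Profile            = 'Any'
    InterfaceType      = 'Any'
    InboundSecurity    = 'Require'
    OutboundSecurity   = 'Require'
    Phase1AuthSet      = $authSet.Name
    QuickModeCryptoSet = $qmSet.Name
    Protocol           = 'TCP'
}

if ($Role -eq 'Server') {
    # "from any-ip:any-port to my-ip:21/tcp": the control connection (USER/PASS).
    New-NetIPsecRule @common -DisplayName 'FTP control (21) require IPsec' `
        -LocalAddress Any -RemoteAddress Any -LocalPort 21 -RemotePort Any

    if ($ProtectData) {
        # "from my-ip:20/tcp to any-ip:any-port": active (PORT) mode data connections,
        # which the server opens from source port 20.
        New-NetIPsecRule @common -DisplayName 'FTP active data (20) require IPsec' `
            -LocalAddress Any -RemoteAddress Any -LocalPort 20 -RemotePort Any
    }
}
else {
    # "from my-ip:any-port to server-ip:21/tcp"
    New-NetIPsecRule @common -DisplayName "FTP control to $ServerIp require IPsec" `
        -LocalAddress Any -RemoteAddress $ServerIp -LocalPort Any -RemotePort 21

    if ($ProtectData) {
        # "from server-ip:20/tcp to my-ip:any-port"
        New-NetIPsecRule @common -DisplayName "FTP active data from $ServerIp require IPsec" `
            -LocalAddress Any -RemoteAddress $ServerIp -LocalPort Any -RemotePort 20
    }
}

# The PASV problem from the post, in these terms: the data port is whatever high
# port the server picks, so the only rule that matches it on the server is
#   New-NetIPsecRule @common -DisplayName 'PASV data' -LocalAddress Any -RemoteAddress Any -LocalPort Any -RemotePort Any
# which makes every inbound TCP connection from anywhere require IPsec.
# A narrower option (an assumption added here, not from the post): if the FTP
# server can be pinned to a fixed passive port range, put only that range in the
# rule, e.g. -LocalPort 50000-50100 -RemotePort Any.

# Verification: list the rules, then, after a client has logged in, confirm that
# quick-mode SAs exist for the FTP traffic.
Get-NetIPsecRule -DisplayName 'FTP*' |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity -AutoSize
Get-NetIPsecQuickModeSA
```

The script must be run on both ends with the same PSK and the same crypto set, or main mode never completes and, because the rules are set to Require, the FTP connection simply fails rather than proceeding in the clear. That fail-closed behaviour is the point of choosing Require: the snap-in's "negotiate security" action could optionally allow unsecured communication with non-IPsec-aware peers, which would silently reintroduce the cleartext authentication the rules are meant to prevent.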