
How to enable, log in to, or disable Microsoft SSH Server in Windows 10

Windows 10 comes with a built-in secure shell (SSH) server for remote login and command line access to your files and programs.

A word of caution: To use the Microsoft SSH Server for Windows, which is the full formal name of the service, your Windows device must be put in Developer mode. Changing your device’s security level from regular user to developer mode will have implications for how Windows enforces security policies. Be sure to read up on and understand how this change will affect your device before proceeding.

Enabling the SSH Server service

  1. Open the Windows Settings app and go to Update and Security: For developers.
  2. Switch to Developer mode and wait for it to finish downloading any packages.
  3. If you’re asked to reboot after the previous step, do so now.
  4. Turn on the Device discovery option.
  5. Turn off the Device discovery option again, unless you want this feature (which adds mDNS support to Windows and allows for remote debugging).

This will enable the SSH Server Broker (SshBroker.dll) and SSH Server Proxy (SshProxy.dll) background services which will handle incoming connections to TCP port 22. The Windows Firewall on your device is automatically configured to allow the service to listen for incoming connections from both private and public networks. Read on to learn how to restrict access to trusted networks and block connections from the public internet.

Logging in to the SSH Server

You can use any standard SSH client to log in to your device.

You log in using your Windows Account name and either your Microsoft Account password or your local Windows Account password. Please note that your Windows Account name is not the same as your Microsoft Account or domain email address.

You can connect to your device’s IPv4 or IPv6 address, or use the device’s given NetBIOS name. You can find your device’s given name as well as your Windows Account name by executing the “whoami” command in PowerShell or Command Prompt. The first part is your NetBIOS name followed by a forward slash, and then your Windows Account name.

Note that you’re logged in to the Command Prompt by default and not the Bash shell for Windows. After logging in, you can type either bash or powershell to switch to the Bash shell or PowerShell.

Protecting the SSH Server

There is currently no brute-force login protection mechanism built into the SSH Server, and Group Policies for rate-limiting login attempts are bypassed for the SSH Server service. This means a remote attacker can make as many guesses of your login credentials as they can possibly push through the network.

Linux and macOS utilities for thwarting brute-force login attempts, like SSHGuard and Fail2Ban, are not available on Windows. Although they both run in the Windows Subsystem for Linux, they have neither access to nor parsers for the Windows Event Log, nor backends for the Windows Firewall.

Without any brute-force login protection mechanism, you’re left depending on a strong account password that you change regularly. You can limit the risk of a brute-force attack by disabling login from remote networks. This limits the service to accepting logins only from what Windows identifies as a local and private network source.
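The gap described above (no Event Log parser, no Windows Firewall backend) can be narrowed with a few lines of PowerShell. This is an added example, not part of the original article: it assumes failed logins to the SSH service are recorded as Security event 4625 with a source address, and the function name, parameters, and sample data are made up for illustration.

```powershell
# Added example (not from the article). Assumption: failed logins to the SSH
# service show up as Security event 4625 with a source address; confirm this on
# your device. Find-BruteForceSource and its parameters are made up here.
function Find-BruteForceSource {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogon,  # needs TimeCreated, IpAddress
        [int] $Threshold = 5,                            # this many failures ...
        [timespan] $Window = '00:01:00'                  # ... inside this time window
    )
    foreach ($group in ($FailedLogon | Group-Object IpAddress)) {
        $times = @($group.Group.TimeCreated | Sort-Object)
        # Slide over the sorted timestamps: is any run of $Threshold failures
        # packed into $Window?
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) {
                [pscustomobject]@{ IpAddress = $group.Name; Failures = $times.Count }
                break
            }
        }
    }
}

# Constructed sample: six failures in 25 seconds from one address, and two
# failures hours apart from another (documentation address ranges).
$t0 = Get-Date '2024-01-01T10:00:00'
$sample = @(
    0..5 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5 * $_); IpAddress = '203.0.113.7' }
    }
    [pscustomobject]@{ TimeCreated = $t0;             IpAddress = '192.0.2.10' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(2); IpAddress = '192.0.2.10' }
)
Find-BruteForceSource -FailedLogon $sample

# On a live system (elevated), build the same objects from the Security log:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     ForEach-Object {
#         $ip = ([xml]$_.ToXml()).Event.EventData.Data |
#             Where-Object Name -eq 'IpAddress'
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; IpAddress = $ip.'#text' }
#     }
# A reported address can then be blocked with a rule such as:
# New-NetFirewallRule -DisplayName 'Block SSH brute force' -Direction Inbound `
#     -Action Block -Protocol TCP -LocalPort 22 -RemoteAddress '203.0.113.7'
```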

To disable remote network logins, follow these steps:

  1. Open the Start menu and search for “allow firewall”. Open Allow an app through the Windows Firewall.
  2. Authenticate yourself to modify the firewall rules by clicking the Change settings button.
  3. Locate “Ssh Server” in the list and disable the checkbox in the Public column.
  4. Click the OK button to apply the changes.

This does depend on having the correct trust levels configured for the networks your computer connects to. Explore the Network section of the Windows Settings app to see the currently configured level of trust in the various networks your device is connected to.
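The same restriction can be scripted and audited from PowerShell. This is an added example, not part of the original article: it matches rules on inbound TCP port 22 rather than on the “Ssh Server” display name, and `$Preview` is a variable name made up here that keeps the script in dry-run mode until you change it.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Rules are matched on inbound TCP port 22 (the port the article names) rather
# than by display name. $Preview is a name made up for this example.
$Preview = $true   # set to $false to actually change the rules

# 1. Enabled inbound allow rules whose local port list contains 22.
$sshRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '22' } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow'
    }

# 2. Of those, the ones that apply on the Public profile ("Any" means every profile).
$exposed = $sshRules | Where-Object { "$($_.Profile)" -match 'Any|Public' }
$exposed | Format-Table DisplayName, DisplayGroup, Profile -AutoSize

# 3. Drop Public from each exposed rule, the same as clearing the Public checkbox.
foreach ($rule in $exposed) {
    if ("$($rule.Profile)" -eq 'Any') {
        $keep = 'Domain', 'Private'
    } else {
        $keep = "$($rule.Profile)" -split ',\s*' | Where-Object { $_ -ne 'Public' }
    }
    if ($keep) {
        $rule | Set-NetFirewallRule -Profile $keep -WhatIf:$Preview
    } else {
        # The rule applied to Public only, so nothing is left to allow.
        $rule | Disable-NetFirewallRule -WhatIf:$Preview
    }
}

# 4. The restriction only helps if networks are classified correctly:
#    any interface listed as Private is still allowed to reach port 22.
Get-NetConnectionProfile | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
```

Rules that express port 22 as part of a range are not matched by step 1, so check the table from step 2 against the firewall list after running it.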

Disabling the SSH Server service

There is no on or off switch for the SSH server itself. As you might have guessed from the above section on how to enable the service, it was clearly a bit of an afterthought. To properly disable the service, follow these steps:

  1. Open the Windows Settings app and go to Update and Security: For developers.
  2. Turn off the Device discovery option if it was previously enabled.
  3. Switch to Windows Store apps mode.
  4. Switch back to Developer mode, if desired.

Microsoft SSH Server for Windows is not the same as Microsoft Win32-OpenSSH for PowerShell! Microsoft’s SSH Server is not a full SSH server implementation and is meant to be used for cross-device communication for development purposes. It doesn’t support all SSH authentication methods and features like compression and multiplexing. However, it has more than enough features for most light use cases.

Developer mode and the SSH Server are available for all editions of Windows 10 including Home and Professional starting with Windows 10 Anniversary Edition (released in ).

3 comments

  1. I don’t use Windows 10, unless I am helping or supporting someone with it installed already.

    However, I do install OpenSSH version from this location:
    https://github.com/PowerShell/Win32-OpenSSH/releases

    I choose OpenSSH-Win64.zip — I use restrictions as you would normally with sshd_config set to only accept logins via authorized_keys.

    It works very well, I think it will likely work just as well with Windows 10, so long as it isn’t conflicting with any built-in server (that you should disable). …. unless of course the code base is the same and the Win 10 included option actually has the sshd_config setup available to limit login to authorized_keys — it probably does.

      1. Well, if a service is running, then you should be able to disable one and enable the other. Obviously both cannot serve the same port on the same IP address. I couldn’t imagine sshd being there and not be able to be disabled, so you can use another ssh daemon (service).
