Permissions Pane
Getting there
- From the server console, click Configuration > Permissions.
Notes:
- Changes you make on this pane do not affect permissions for existing client connections. You can restart the server to enforce these settings for all connections.
- Items on this pane can be configured globally or as part of a subconfiguration.
Caution: To ensure that the server launches the correct program for Terminal provider and Exec request prefix, use a fully-qualified path name and enclose any path name that includes spaces in double quotation marks. If the executable or path name contains a space and is not quoted, there is a risk that a different executable could be run, because of the way the Windows API function used by the server parses spaces. For details, see "Security Remarks" in the MSDN article at http://msdn.microsoft.com/en-us/library/ms682429.
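
The check below is an added example, not part of the product or its documentation: it audits a configured Terminal provider or Exec request prefix value against the Caution above, using a simplified model of the space-by-space parsing described in the MSDN article. The function names and the sample values are assumptions made for illustration.

```python
import ntpath  # Windows path rules; importable on any OS


def candidate_executables(command):
    """Executables Windows may try, in order, for an unquoted command string.

    Simplified model of the parsing described in the MSDN article: the string
    is cut at each space and ".exe" is assumed when the piece has no extension.
    Assumes the intended executable is written with its extension.
    """
    words, candidates = command.split(" "), []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        has_ext = bool(ntpath.splitext(prefix)[1])
        candidates.append(prefix if has_ext else prefix + ".exe")
        if has_ext:
            break  # first piece with an extension is taken as the intended program
    return candidates


def audit_setting(name, value):
    """Return findings for a Terminal provider / Exec request prefix value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return [f"{name}: opening quotation mark is never closed"]
        program, earlier = value[1:end], []
    else:
        *earlier, program = candidate_executables(value)
    findings = []
    if not ntpath.isabs(program):
        findings.append(f"{name}: {program!r} is not a fully-qualified path name")
    if earlier:
        findings.append(f"{name}: unquoted spaces, these would be tried first: {earlier}")
    return findings


# Constructed sample values, not taken from any real server configuration.
SAMPLES = {
    "Terminal provider": r"C:\Program Files\My Shell\shell.exe",
    "Exec request prefix": r'"C:\Windows\System32\cmd.exe" /c',
}

if __name__ == "__main__":
    for setting, configured in SAMPLES.items():
        for finding in audit_setting(setting, configured) or [f"{setting}: OK"]:
            print(finding)
```

An empty result means the value is both fully qualified and quoted; the unquoted sample is reported because two shorter paths would be tried before the intended program.
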
Permission settings

Deny all logins
Select to configure the server to deny all new client connections.
- This setting does not affect existing client sessions.
- This setting is not available for subconfigurations. Use Access Control to control access by host, group, and/or user.

Allow terminal shell
Specifies whether to allow client users access to a command window.
Note: You may also need to edit your operating system security settings to allow users access to a terminal shell. For more information, see Command Shell Access.

Terminal provider
Specifies which program to launch when a client connects to the server and Allow terminal shell is enabled. The program must be a text-based command-line utility. The default setting is cmd.exe, which launches a standard Windows DOS command window.

Terminal default directory
Specifies the login directory for terminal shell sessions. You can specify any physical directory, or use one of the supported pattern strings to specify user-specific directories.
The default (%D) specifies the .

Allow exec requests
Specifies whether to allow the client to execute commands on the server.

Exec request prefix
This setting is available only when Allow exec requests is enabled. Use it to specify text to prepend to a command sent by the client.

Allow non-interactive users to log on
Clear this setting to prevent non-interactive users from being able to connect to the server. Non-interactive users are those who do not have the right to "Allow log on locally" (or "Log on locally") as configured in the local computer Security Policy.
Note: On Windows 2003, non-interactive users will typically be unable to create a terminal shell even when they are allowed access. This is because of default restrictive permissions on the command prompt. This restriction is removed on Vista and Windows 2008.

File transfer

Allow SCP1
Clear to disable transfers using the SCP1 protocol. This protocol is used for scp commands from OpenSSH clients. The SCP1 protocol doesn't use the SFTP subsystem; it executes an rcp command through the secure channel.
Note: When Allow exec requests is enabled, SCP1 transfers are still possible, even if you have cleared this check box.

Use SFTP accessible directory settings for SCP1
Select to apply SFTP Directories pane settings to scp transfers from OpenSSH clients.

Allow SFTP/SCP2
Clear to disable transfers using SFTP and SCP2 (which use the SFTP subsystem).

Allow smart copy & resume
Clear this setting to disable smart copy and checkpoint resume. Disabling these features means that existing files are always overwritten and file transfer always starts over after an interruption.
Note: Disabling smart copy and checkpoint resume is product-dependent; it affects transfers to and from current versions of all Reflection for Secure IT clients, but does not affect the behavior of all SSH clients.

Tunneling

Allow client to server (local) port forwarding
Clear to disable local port forwarding requests made by the client.

Allow server to client (remote) port forwarding
Clear to disable remote port forwarding requests made by the client.