General Security Notes
SFTP Server allows a high degree of flexibility and control over the enabled key exchange, encryption, and MAC algorithms through Registry Keys. SFTP Server does not store passwords for virtual users in plaintext. All passwords are encrypted by DPAPI and stored in the registry.
Available Authentication Modes
The enabled authentication options for a user control the different ways the server will be able to authorize that user. SFTP Server supports three authentication mechanisms: Username/Password, Public Key Authentication, and GSSAPI Authentication (NTLM/Kerberos).
Username/Password
Clients connecting to the server need to provide a username and password combination. The credentials are then verified according to the type of user.
If the client is connecting with a username of a local Windows account, the server will verify the credentials using Windows Authentication mechanisms to make sure they match a valid local account on the server or on a domain trusted by it. In addition, the server will verify the user is a member of an enabled group in the Users List before allowing access.
If the client is connecting with a username of a virtual user, the server will decrypt the user's password in the registry and compare the provided password against it.
Public Key Authentication
If Public Key Authentication is enabled, connections to the server can also authenticate using the standard public key authentication mechanism supported by the SSH protocol instead of presenting a password. Possession of a private key serves as authentication.
GSSAPI Authentication (NTLM/Kerberos)
NTLM or Kerberos authentication can be enabled through the server user interface by enabling GSSAPI Authentication.
Note: When using Kerberos as an authentication mechanism, it is recommended that SFTP Server be run as a service. When the server is not running as a service but under a user account instead, the default SPN (Service Principal Name) format, host/machine@domain, may result in errors.
In that case, a new SPN should be registered (for instance ssh/machine) with the domain controller, and the KerberosSPN registry setting for SFTP Server must be set. Additionally, any connecting SFTP client will need to be configured to use the newly defined SPN.
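The following PowerShell script is an added example of the SPN procedure above; it is not part of the SFTP Server documentation. It assumes the server process runs as the domain account EXAMPLE\svc_sftp, that ssh/sftp01.example.com is the SPN chosen, and that the registry path is a placeholder to be replaced with the one from your SFTP Server installation.

```powershell
# Added example (not from the SFTP Server documentation): register a custom SPN for
# SFTP Server running under a user account, then point the KerberosSPN setting at it.
# Assumptions: service account EXAMPLE\svc_sftp, SPN ssh/sftp01.example.com, and a
# PLACEHOLDER registry path that must be replaced with the real SFTP Server key.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc_sftp',
    [string]$Spn            = 'ssh/sftp01.example.com',
    [string]$RegistryPath   = 'HKLM:\SOFTWARE\<VENDOR>\SFTP Server'   # PLACEHOLDER
)

# 1. Check for a duplicate first: the same SPN registered on two accounts breaks
#    Kerberos authentication for both, so refuse to proceed if one already exists.
$existing = setspn -Q $Spn
if ($existing -match 'Existing SPN found') {
    throw "SPN $Spn is already registered; resolve the duplicate before continuing."
}

# 2. Register the SPN on the account the server runs as. -S (rather than -A)
#    makes setspn repeat the duplicate check at write time.
setspn -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# 3. Tell SFTP Server which SPN to accept tickets for.
New-Item -Path $RegistryPath -Force | Out-Null
Set-ItemProperty -Path $RegistryPath -Name 'KerberosSPN' -Value $Spn -Type String

# 4. Verify: the SPN should be listed on the account and present in the registry.
setspn -L ($ServiceAccount -split '\\')[1]
(Get-ItemProperty -Path $RegistryPath).KerberosSPN
```

Run the script from an elevated PowerShell session with an account allowed to write SPNs in the domain; connecting clients must then be configured to request the same SPN.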