NSM On-Prem: Backups over SCP to Windows OpenSSH Server

Description

This KB outlines the steps necessary to configure and prepare a remote Windows host for use as a backup destination for NSM on-premises backups. This guide assumes that the remote Windows host is a fresh installation of Windows Server 2022 Datacenter version. 

Resolution

Step 1: Install and Enable OpenSSH Server

In Windows Settings, open Optional features, select Add a feature, and install OpenSSH Server. Once it is installed, make sure the service is set to Automatic start, then start it.

Step 2: Create a Low Privilege Windows User Account

Using the default "Administrator" account for SCP file transfers is not best practice. The Administrator account has unrestricted access to the entire server. If the credentials used for SCP (e.g., a password or SSH key) were compromised, an attacker would gain full control over your server, posing a significant security risk. A better approach is to follow the principle of least privilege, which means creating a dedicated account with only the permissions necessary for the task: transferring files via SCP.

We can create a new, low-privileged local user account specifically for NSM On-Prem backups. Assume the account created is called "nsmbackup". A standard local user account is suitable for this scenario. A local account is straightforward to set up on a standalone server and can be restricted to the minimum privileges needed: accessing the SSH service and writing to a specific directory.

Ensure the server’s firewall allows inbound traffic for OpenSSH Server (port 22 by default).

Step 3: Install and Configure Rsync

Log in to the Windows Server as the standard local user account. Depending on the version of Windows Server, installing the software and configuring the PATH system variable may require admin rights. In our case, we first need to make this user an admin user. Once this step is complete, change the account back to a standard local user.

cwRsync - Rsync for Windows from itefix.net is a free, lightweight rsync client for Windows.

Download the file from https://itefix.net/cwrsync/client/downloads. Unzip it to a suitable location and add its bin/ directory to the PATH system variable.

Edit the PATH system variable. As mentioned earlier, different versions of Windows Server may require admin rights to install the software and configure the PATH system variable. In the Datacenter version, we need to make this user an admin user. Once this step is complete, change the account back to a standard local user.
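
The following PowerShell is an added example, not part of the original KB: it scripts Steps 1 and 2 and then audits the host after Step 3, including whether "nsmbackup" was actually returned to a standard user. It assumes an elevated session on the backup host and that the inbound firewall rule is the one named OpenSSH-Server-In-TCP, which the OpenSSH Server feature creates by default; the function name Test-NsmBackupHost is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB). Account name comes from the article.
$BackupUser = 'nsmbackup'

# Step 1: install OpenSSH Server if missing, set Automatic start, start it.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# Step 2: create the dedicated local account as a standard user.
if (-not (Get-LocalUser -Name $BackupUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $BackupUser"
    New-LocalUser -Name $BackupUser -Password $pw `
        -Description 'NSM On-Prem SCP backups' | Out-Null
    # New-LocalUser adds no group membership; Users makes it a standard user.
    Add-LocalGroupMember -Group 'Users' -Member $BackupUser
}

# Audit: run again after Step 3, once the temporary admin rights are removed.
function Test-NsmBackupHost {
    param([string]$User = $BackupUser)

    $svc    = Get-Service -Name sshd
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    # Assumed rule name: the default rule created with OpenSSH Server.
    $fw     = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' `
                  -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SshdRunning         = $svc.Status -eq 'Running'
        SshdAutomatic       = $svc.StartType -eq 'Automatic'
        FirewallRuleEnabled = [bool]($fw -and $fw.Enabled -eq 'True')
        # Local members are listed as COMPUTERNAME\user.
        UserIsStandard      = $admins -notcontains "$env:COMPUTERNAME\$User"
        # Only true in a session opened after the PATH edit in Step 3.
        RsyncOnPath         = [bool](Get-Command rsync.exe -ErrorAction SilentlyContinue)
    }
}

Test-NsmBackupHost | Format-List
```

Every field should read True before the host is used as a backup destination; UserIsStandard reading False means the account is still a member of Administrators.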

Step 4: SCP Test and Transfer a Backup File

Log in to the NSM On-Prem web UI and test the SCP connection. Then proceed with exporting the backup. In this example, the backup file is downloaded to the nsmbackup user's documents folder.
