How to Set Up SFTP Server on Windows

Olorunfemi Akinlua Feb 15, 2024
  1. Set Up SFTP Server for Older Windows
  2. Set Up SFTP Server for Newer Windows
  3. Use WinSCP to Set Up and Configure SFTP Client
How to Set Up SFTP Server on Windows

SFTP servers allow us access to their files and content via the SSH File Transfer Protocol, a secure network protocol. Within our OS environments, we can set up SFTP servers to allow us to retrieve and send resources to and from it.

This article will discuss setting up SFTP servers on Windows using the WinSCP software.

Set Up SFTP Server for Older Windows

To setup an SFTP server on Windows, you will need to install OpenSSH, which you can download from the PowerShell GitHub. You can check this installation guide for Linux environments.

You can download the msi or zip file, but we will only use the msi file in this article.

  • Install the msi file. Afterward, go to Services, and check for the status of OpenSSH server and OpenSSH Authentication Agent.

    Automatic Services

  • If the Status and Startup Type are not running and Automatic, right-click on both services and select Properties.


  • Change the Startup type to Automatic, click Start, and select OK.

    Startup Type

  • Do the same for OpenSSH Authentication Agent; now, both services should be Running and Automatic.

    OpenSSH Authentication Agent

Set Up SFTP Server for Newer Windows

  • For newer Windows, you can go to Settings > Apps > Optional Features to get OpenSSH.

    Optional Features

  • Select View Features and search for OpenSSH server in the Add an optional feature dialog box.

    Add an Optional Feature

  • Select the OpenSSH server checkbox option and click Install.

    OpenSSH server

  • Afterwards, configure the SSH server using the PowerShell command below to allow incoming connections to the server.
    New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\\Windows\\System32\\OpenSSH\\sshd.exe"
  • Services Search

  • Find OpenSSH server within the list of Windows services.

    OpenSSH Server Services

  • Right-click on the service, and select Properties.


  • Change the Startup type to Automatic, click Start, and select OK.

    Startup Type

  • Do the same for OpenSSH Authentication Agent; now, both services should be Running and Automatic.

    OpenSSH Authentication Agent

Use WinSCP to Set Up and Configure SFTP Client

WinSCP is a GPL-3.0-only software that’s free to use and modify. It allows us to carry out secure file transfers across different protocols, including SSH File Transfer and Amazon S3.

It’s available only on Windows and can be downloaded from their download page.

  • Upon download, run the installer file, and select the Install Mode preferred.

    Select Install Mode

  • Accept the License Agreement and select the Typical Installion option.

    Typical Installion

  • Select your preferred user interface style, but we will use the Commander in this article.


  • Afterwards, click Install and launch the WinSCP application.


  • Upon launch, you should see a screen similar to the one below.

    Launch Screen

  • Fill in the hostname; use localhost. Use the default port number 22, and fill in your computer’s name and password. After that, click on the Login button.

    Fill Screen

  • The screen dialog below will appear, and you must select Yes.

    Screen Dialog

  • If successful, you should see the below screen.


  • If not successful, you might see a dialog like the one below because your OpenSSH service isn’t running, and you need to start the two OpenSSH services stated earlier.


  • Now, we can set up a public key-based authentication using the ssh-keygen command.

    The output of the command is below.

    Generating public/private rsa key pair.
    Enter file in which to save the key (C:\Users\akinl/.ssh/id_rsa):
    Created directory 'C:\Users\akinl/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in C:\Users\akinl/.ssh/id_rsa.
    Your public key has been saved in C:\Users\akinl/.ssh/
    The key fingerprint is:
    SHA256:Ryrpy5HHTT1NK2OFzT3NjoIwORbzNV7/BfBfPLhHCEk akinl@Olorunfemi-PC
    The key's randomart image is:
    +---[RSA 3072]----+
    |        o .E=.o  |
    |         = +.Bo*.|
    |        * o oo*+O|
    |       o * o +o=*|
    |      o S + B.+.+|
    |     . + + . =.  |
    |      + o .      |
    |     . +         |
    |      o          |

    When the ssh-keygen tool requests a passphrase, you can enter one, but we don’t use one for this article. The ssh-keygen created a hidden directory named .ssh and saved the key pair within the file under the .ssh.

    The public key full path is C:\Users\akinl/.ssh/


    The public key is the file, and the private key is the id_rsa.

  • authorized_keys

  • There should be at least three files (authorized_keys, id_rsa, and within your .ssh directory.

    SSH Directory

  • To keep the authorized_keys file safe and only accessible to the administrators or core users, you have to configure the Access Control List (ACL). Use the below command to configure the access control.
    icacls.exe "C:\Users\<username>\.ssh\authorized_keys" /inheritance:r /grant "Adminstrators:F" /grant "SYSTEM:F"
  • Change the <username> to your username.
    icacls.exe "C:\Users\akinl\.ssh\authorized_keys" /inheritance:r /grant "Adminstrators:F" /grant "SYSTEM:F"

    The output of the command:

    processed file: C:\Users\akinl\.ssh\authorized_keys
    Successfully processed 1 file; Failed processing 0 files
  • Therefore, if you now open the same authorized_keys file, you should see the below dialog.

    No Access

  • To fully configure the SFTP server, we need to edit the sshd_config file to set up the public key-based authentication; the sshd_config file is available in the ProgramData directory. Copy the full path below to Windows Explorer and open the sshd_config file

    The sshd_config file is the last file within the directory.


  • Modify by uncommenting or changing the lines containing the config information in your sshd_config file. Also, open the sshd_config file as an Administrator.
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    PermitEmptyPasswords no
    Subsystem sftp internal-sftp
    Match User <username>
    	X11Forwarding no
    	AllowTcpForwarding no
    	PermitTTY no
    	ForceCommand internal-sftp
    	PasswordAuthentication no

    In addition, make sure to change the <username> to your username. Furthermore, you can comment on the following configuration information within the file.

    Match Group administrators
    	   AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
  • The changes to your ssh_config file should look like the image below:


  • Now, let’s open WinSCP using the previous username and password login method.

    No supported authentication

    It’s no longer supported because we have changed the configuration file to support only public key authentication. To log in now, we need to use our public key.

  • Instead of using the Password, click on the Advanced button.

    Advanced Button

  • Go to the Authentication tab under SSH.


  • Under the Authentication parameters area, browse for the private key file and go to the .ssh directory (C:\Users\akinl\.ssh), and change the file options to All Files

    Authentication parameters

  • Select the id_rsa file, which should prompt the dialog below. Do select OK.


    After, the below dialog should show.

    Private Key Converted

  • Then, click OK.

    Save Settings

  • Now, click Login.


    And now, you have access to the SFTP server using public key authentication.

    Access via SSH

Olorunfemi Akinlua avatar Olorunfemi Akinlua avatar

Olorunfemi is a lover of technology and computers. In addition, I write technology and coding content for developers and hobbyists. When not working, I learn to design, among other things.


Related Article - Python Server