SFTP (SSH File Transfer Protocol) moves files over an SSH connection, so transfers to and from your Windows EC2 instance are authenticated and encrypted end to end. This guide walks through setting up an SFTP server with the OpenSSH that ships with Windows, from installation to a chrooted, SFTP-only user, with both GUI and PowerShell options for each step.
Table of Contents
- Step 1: Install OpenSSH Server
- Using GUI
- Using PowerShell
- Step 2: Create a Dedicated SFTP User
- Using GUI
- Using PowerShell
- Step 3: Create Directory Structure for Chroot
- Using GUI
- Using PowerShell
- Step 4: Set Folder Permissions (Important for Security)
- Using GUI
- Using PowerShell
- Step 5: Configure OpenSSH Server for SFTP and Password Authentication
- Step 6: Restart SSH Service
- Using GUI
- Using PowerShell
- Step 7: Test Your SFTP Server
Step 1: Install OpenSSH Server
Using GUI:
- Open Settings → Apps → Optional Features.
- Click Add a feature and search for OpenSSH Server.
- Click Install.
- Open Services (services.msc), find sshd, set Startup type to Automatic, and Start the service.
- Open Windows Firewall → Inbound Rules and create a new rule allowing TCP port 22. On EC2 the instance's security group must also allow inbound TCP 22 from your client's address; the Windows firewall rule alone does not open the port.
Using PowerShell:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (SSH)' `
-Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Step 2: Create a Dedicated SFTP User
Using GUI:
- Open Computer Management → Local Users and Groups → Users.
- Right-click Users → New User…
- Enter the username (e.g., sftpuser) and a password.
- Uncheck User must change password at next logon and check Password never expires.
- Click Create.
Using PowerShell:
$password = Read-Host -AsSecureString "Password for sftpuser"   # prompt instead of typing the password on the command line, where it would stay in the console history
New-LocalUser -Name sftpuser -Password $password -PasswordNeverExpires
Step 3: Create Directory Structure for Chroot
Using GUI:
- Create C:\SFTP.
- Inside, create a folder named after the user: C:\SFTP\sftpuser.
- Inside that, create an upload folder: C:\SFTP\sftpuser\upload.
Using PowerShell:
mkdir C:\SFTP
mkdir C:\SFTP\sftpuser
mkdir C:\SFTP\sftpuser\upload
Step 4: Set Folder Permissions (Important for Security)
Using GUI:
- Right-click C:\SFTP\sftpuser → Properties → Security → Advanced.
- Click Disable inheritance and choose Remove all inherited permissions. Folders created under C:\ inherit an Authenticated Users: Modify entry, and while that entry is present sftpuser can write into the chroot root whether or not the user's own entry is removed.
- Add explicit entries: SYSTEM and Administrators with Full control, and sftpuser with Read & execute only (the user needs read access to list the folder, but must not be able to create anything in it).
- Change the Owner to NT SERVICE\TrustedInstaller.
- On the upload folder, grant sftpuser Modify. Do not grant Full Control: it would let the user change the folder's permissions.
Using PowerShell:
icacls C:\SFTP\sftpuser /inheritance:r /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "sftpuser:(RX)"
icacls C:\SFTP\sftpuser /setowner "NT SERVICE\TrustedInstaller"
icacls C:\SFTP\sftpuser\upload /inheritance:r /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "sftpuser:(OI)(CI)M"
icacls C:\SFTP\sftpuser    # verify: sftpuser should be listed with (RX) only, and no Authenticated Users or Users entry should remain
Step 5: Configure OpenSSH Server for SFTP and Password Authentication
- Open the SSH config file:
notepad "$env:ProgramData\ssh\sshd_config"
- Find the line #PasswordAuthentication yes and uncomment it (the built-in default is already yes, but setting it explicitly makes the intent clear). Password logins on a host with a public IP attract brute-force attempts, so use a long random password, keep the security group restricted to known source addresses, and prefer key authentication where you can.
- Do not add a second Subsystem line: the stock Windows sshd_config already contains Subsystem sftp sftp-server.exe, and sshd refuses to start if the subsystem is defined twice or if Subsystem appears inside a Match block.
- Add these lines at the very end of the file (replace sftpuser and the path as needed). Every directive after a Match line belongs to that block until the next Match, so global settings must come before it:
Match User sftpuser
ChrootDirectory C:\SFTP\sftpuser
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
- AllowUsers sftpuser inside this Match block has no effect (the block already applies only to that user). As a global directive it would restrict all SSH logins, including your administrator logins, to that one account; leave it out unless that is what you want.
Step 6: Restart SSH Service
Using GUI:
- Open Services (services.msc), find sshd, right-click it, and click Restart.
- If the service fails to start, the usual cause is a typo or a misplaced directive in sshd_config; the error is logged in Event Viewer under Applications and Services Logs → OpenSSH → Operational.
Using PowerShell:
Restart-Service sshd
Step 7: Test Your SFTP Server
Connect using any SFTP client (WinSCP, FileZilla, or the sftp command-line client):
sftp sftpuser@<your-ec2-public-ip>
- The client sees the chroot as /; on the instance that is C:\SFTP\sftpuser, and sftpuser cannot create files there.
- Upload files into the upload folder (/upload in the client view).
- Confirm the restrictions hold: writing a file to / must fail with a permission error, and an interactive ssh sftpuser@<your-ec2-public-ip> session must be closed immediately, because ForceCommand internal-sftp allows SFTP only.
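The seven steps above as one idempotent PowerShell script, added here as a worked example; it is not code from the original guide. It assumes an elevated PowerShell session on the instance, and the account name sftpuser, the C:\SFTP paths and the firewall rule name OpenSSH-Server-In-TCP are placeholders. It adds two checks the manual steps lack: an ACL check that the chroot root is not writable by anyone but SYSTEM and Administrators, and a configuration test before sshd is restarted. The final client test is interactive and left to you.

```powershell
# Added example: the seven steps of this guide as one idempotent script.
# Not code from the original article. Run in an elevated PowerShell on the instance.
# Assumed placeholders: the user name, the C:\SFTP paths and the firewall rule name.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$User   = 'sftpuser'
$Root   = 'C:\SFTP'
$Chroot = Join-Path $Root $User
$Upload = Join-Path $Chroot 'upload'
$Config = Join-Path $env:ProgramData 'ssh\sshd_config'

# Step 1: install and start OpenSSH Server, open the host firewall.
# The EC2 security group must separately allow inbound TCP 22 from your client.
if ((Get-WindowsCapability -Online -Name 'OpenSSH.Server*').State -ne 'Installed') {
    Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
}
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (SSH)' `
        -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}

# Step 2: dedicated account. Prompting keeps the password out of the console history.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -AsSecureString "Password for $User"
    New-LocalUser -Name $User -Password $Password -PasswordNeverExpires -AccountNeverExpires | Out-Null
}

# Step 3: chroot root and the writable upload folder inside it.
foreach ($dir in $Root, $Chroot, $Upload) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Step 4: permissions. Inheritance is removed first: folders under C:\ inherit an
# "Authenticated Users: Modify" entry that would let the user write to the chroot root.
icacls $Chroot /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${User}:(RX)" | Out-Null
icacls $Chroot /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
icacls $Upload /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${User}:(OI)(CI)M" | Out-Null

# Check the result: no Allow entry on the chroot root may carry write rights
# except for SYSTEM and Administrators.
$trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$writable  = (Get-Acl $Chroot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $writeBits) -ne 0)
}
if ($writable) {
    throw "Chroot root $Chroot is writable by: $($writable.IdentityReference.Value -join ', ')"
}

# Step 5: sshd_config. The stock file already defines "Subsystem sftp sftp-server.exe",
# so only PasswordAuthentication is set and one Match block is appended at the very end
# (a Match block claims every directive that follows it, so it must come last).
$cfg = Get-Content -Path $Config
if (-not ($cfg | Select-String -Pattern "^\s*Match\s+User\s+$User\b" -Quiet)) {
    $cfg = $cfg -replace '^\s*#?\s*PasswordAuthentication\s+\S+', 'PasswordAuthentication yes'
    $cfg += @"

Match User $User
    ChrootDirectory $Chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"@
    Set-Content -Path $Config -Value $cfg -Encoding ascii
}

# Step 6: validate the configuration before restarting, so a typo cannot take sshd down.
& "$env:SystemRoot\System32\OpenSSH\sshd.exe" -t
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed validation; sshd was not restarted' }
Restart-Service -Name sshd

# Step 7: what to test from a client (interactive, so not automated here).
Write-Host "Done. From a client run:  sftp $User@<your-ec2-public-ip>"
Write-Host "Expected: '/' is $Chroot and is read-only, uploads go to /upload,"
Write-Host "and an interactive 'ssh $User@<ip>' is closed immediately because only SFTP is forced."
```

Re-running the script is safe: the capability, firewall rule, user and Match block are each created only if absent, while the icacls calls always reset the two folders to the intended ACLs. If the ACL check throws, inspect the offending entry with icacls on the chroot root before going further; a writable chroot root defeats the point of the chroot.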