How to Set Up an SFTP Server on Windows EC2 Using OpenSSH

Secure File Transfer Protocol (SFTP) is a safe way to transfer files to and from your Windows EC2 instance. This guide walks you through setting up an SFTP server using OpenSSH on Windows, covering everything from installation to configuration with both GUI and PowerShell options.

Step 1: Install OpenSSH Server

Using GUI:

1. Open Settings → Apps → Optional Features.
2. Click Add a feature and search for OpenSSH Server.
3. Click Install.
4. Open Services (services.msc), find sshd, set Startup type to Automatic, and Start the service.
5. Open Windows Firewall → Inbound Rules, create a new rule allowing TCP port 22.

Using PowerShell:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (SSH)' `
    -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Step 2: Create a Dedicated SFTP User

Using GUI:

1. Open Computer Management → Local Users and Groups → Users.
2. Right-click Users → New User…
3. Enter the username (e.g., sftpuser) and password.
4. Uncheck User must change password at next logon, check Password never expires.
5. Click Create.

Using PowerShell:

net user sftpuser StrongPassword123! /add

Step 3: Create Directory Structure for Chroot

Using GUI:

1. Create C:\\SFTP.
2. Inside, create a folder named after the user: C:\\SFTP\\sftpuser.
3. Inside that, create an upload folder: C:\\SFTP\\sftpuser\\upload.

Using PowerShell:

mkdir C:\SFTP
mkdir C:\SFTP\sftpuser
mkdir C:\SFTP\sftpuser\upload

Step 4: Set Folder Permissions (Important for Security)

Using GUI:

1. Right-click C:\\SFTP\\sftpuser → Properties → Security → Advanced.
2. Change the Owner to NT SERVICE\\TrustedInstaller.
3. Remove sftpuser from the permissions list for this folder.
4. On the upload folder, grant Modify or Full Control permission to sftpuser.

Using PowerShell:

icacls C:\SFTP\sftpuser /setowner "NT SERVICE\TrustedInstaller"
icacls C:\SFTP\sftpuser /grant "Administrators:F"
icacls C:\SFTP\sftpuser /remove "sftpuser"
icacls C:\SFTP\sftpuser\upload /grant "sftpuser:M"

Step 5: Configure OpenSSH Server for SFTP and Password Authentication

1. Open the SSH config file:

notepad "$env:ProgramData\ssh\sshd_config"

1. Find and uncomment or add the line:

PasswordAuthentication yes

1. Add these lines at the end (replace sftpuser and paths as needed):

Subsystem sftp sftp-server.exe

Match User sftpuser
    ChrootDirectory C:\SFTP\sftpuser
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

AllowUsers sftpuser

Step 6: Restart SSH Service

Using GUI:

1. Open Services (services.msc).
2. Find sshd, right-click, and click Restart.

Using PowerShell:

Restart-Service sshd

Step 7: Test Your SFTP Server

Connect using any SFTP client (like WinSCP or FileZilla):

sftp sftpuser@<your-ec2-public-ip>

• The root directory will be C:\\SFTP\\sftpuser.
• You can upload files into the upload folder.