In this guide, you will learn how to install and configure an SFTP (Secure File Transfer Protocol) server on Windows Server 2025 using the built-in OpenSSH feature. We will also cover creating users, configuring firewall rules, and hardening the server for better security.
Windows Server 2025 typically includes the OpenSSH Server feature by default, but older versions like 2019 or 2016 may require manual installation via Optional Features.
Once the feature is installed, open the Services management console (services.msc). Locate the OpenSSH SSH Server service. By default, it is not running automatically. Double-click it, set the "Startup type" to Automatic, and click Start to run the service immediately.
We need a dedicated user account to connect to the SFTP server.
Open Computer Management > Local Users and Groups > Users. Create a new user (e.g., "Timmy") with a strong password. You can set the password to never expire for convenience in a lab environment.
Add the new user to the OpenSSH Users group. This group is created automatically when you install the OpenSSH feature and grants the necessary permissions to connect via SSH/SFTP.
If your server's network profile is set to Public (a common default), the default firewall rules might block incoming connections on port 22.
Open Windows Defender Firewall with Advanced Security. Go to Inbound Rules and locate the rule named "OpenSSH SSH Server (sshd)". Double-click it, go to the Advanced tab, and ensure that the Public profile is checked (along with Private and Domain if needed).
By default, an SFTP user can browse the entire C: drive, which is a significant security risk. We will restrict this.
Create a dedicated folder for SFTP data (e.g., C:\SFTP_Root).
Edit the OpenSSH configuration file located at C:\ProgramData\ssh\sshd_config. Open Notepad as Administrator to edit this file. Find the commented-out line for ChrootDirectory and change it to:
ChrootDirectory C:\SFTP_Root
This restricts users to this specific directory.
To prevent users from running shell commands via SSH (like creating or deleting system folders), add the following line to the sshd_config file:
ForceCommand internal-sftp
This ensures that connection attempts from an SSH terminal client (like PuTTY) will fail immediately, while file transfer clients (like WinSCP) will work perfectly.
After saving the configuration file, restart the OpenSSH SSH Server service for the changes to take effect.
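The restriction steps above as one PowerShell script, added here as an example rather than taken from the original guide. It assumes an elevated session and the default sshd.exe location under System32\OpenSSH. Because sshd applies a keyword placed after a Match line only to that Match block, the script writes both directives above the first Match line, then checks the file with sshd -t before restarting the service.

```powershell
# Added example; run from an elevated PowerShell session.
$config   = 'C:\ProgramData\ssh\sshd_config'   # path from the guide
$sftpRoot = 'C:\SFTP_Root'                     # folder from the guide
$sshd     = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'  # assumed default location

$wanted = [ordered]@{
    ChrootDirectory = $sftpRoot
    ForceCommand    = 'internal-sftp'
}

# Create the SFTP data folder and keep a backup of the current configuration.
New-Item -ItemType Directory -Path $sftpRoot -Force | Out-Null
$backup = "$config.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $config -Destination $backup

# Locate the first Match line. Keywords after it belong to that Match block,
# so the global settings must be written above it.
$all = @(Get-Content -Path $config)
$firstMatch = 0
while ($firstMatch -lt $all.Count -and $all[$firstMatch] -notmatch '^\s*Match\s') {
    $firstMatch++
}

# Drop existing (active or commented-out) copies of the two keywords from the
# global section; sshd uses the first value it reads for each keyword.
$keyPattern = '^\s*#?\s*(' + ($wanted.Keys -join '|') + ')\b'
$globalPart = @($all | Select-Object -First $firstMatch | Where-Object { $_ -notmatch $keyPattern })
$matchPart  = @($all | Select-Object -Skip $firstMatch)
$newLines   = @($wanted.GetEnumerator() | ForEach-Object { "$($_.Key) $($_.Value)" })

# ASCII output avoids a byte-order mark at the start of the file.
Set-Content -Path $config -Value ($globalPart + $newLines + $matchPart) -Encoding ascii

# Validate before restarting: a syntax error would stop the service from starting.
& $sshd -t -f $config
if ($LASTEXITCODE -ne 0) {
    Copy-Item -Path $backup -Destination $config -Force
    throw "sshd rejected the new configuration; restored $backup"
}
Restart-Service -Name sshd
```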