SFTP Server for Windows: How to Choose the Right One

Most "best SFTP server" lists are ranked alphabetically or written by whoever paid for the placement. Neither helps when you actually have to choose one and run it in production.

This is a buyer's guide instead. We make an SFTP server for Windows, CompleteFTP, so we won't pretend to be neutral. But the useful part isn't a leaderboard of brand names. It's understanding the handful of structural decisions that determine which kind of server fits your shop. Get those right and the shortlist picks itself.

What SFTP is, in 30 seconds

SFTP (SSH File Transfer Protocol) is a protocol for transferring files securely over an SSH connection. It's not FTP-over-SSH; it's a completely different protocol that happens to be transported the same way, and it's the standard secure file-transfer protocol on Windows and Linux. If you want the deeper explainer including SCP and SSH, skip to the full section further down.

Which kind of server fits your shop

If your shop looks like... → The kind of server to use

  • One or two users, a dev box, command line is fine → Windows's built-in OpenSSH
  • Small team, simple file drops, no compliance pressure → A lightweight SFTP server (where CompleteFTP Standard fits)
  • Mid-market Windows with Active Directory, needs audit logs → A commercial Windows-native SFTP server (where CompleteFTP Professional fits)
  • Compliance-driven (HIPAA, PCI DSS, encryption at rest) → A commercial server or MFT platform with audit logging and encryption at rest (where CompleteFTP Enterprise MFT fits)
  • Full workflow automation, partner onboarding, EDI → A managed file transfer platform

The rest of this page explains those choices and covers the protocol basics underneath them.

How to choose: the four things that matter

Most comparisons never define their criteria. They list ten products with 200-word blurbs each. That's a directory, not a decision aid.

Here are the four things that actually separate SFTP servers in production, in roughly the order they matter for most Windows shops.

Active Directory and Windows integration

If you have a domain, you want AD integration. The alternative is creating and managing SFTP users in a separate database, which is a maintenance treadmill and a security risk because offboarding gets forgotten.

What "AD integration" means varies. The minimum bar: authenticate users against AD with their domain credentials. The next bar up: map AD groups to permission sets on the server. The top bar: pick up AD changes automatically, including group membership changes that revoke access without admin intervention.

Windows's built-in OpenSSH doesn't have any of this. Commercial Windows-native servers generally do.

Licensing model

There are three patterns:

  • Free. OpenSSH, and the free tier of some third-party servers. Lowest cost, highest operational burden. Worth knowing: many "free" Windows file transfer servers only do FTP and FTPS, not SFTP.
  • Perpetual license, per server. You pay once and own the version you bought. Support and updates renew annually, but the software keeps running if you stop renewing. This is the CompleteFTP model.
  • Annual subscription. The usual model for enterprise managed file transfer platforms. You pay every year, and costs typically scale by user count, feature tier, or data volume, often into the tens of thousands per server, per year.

The gap between those last two models is why this category has so much pricing opacity: vendors charging enterprise subscription rates generally don't list prices. A perpetual license, priced per server with no per-user fees, is a very different total cost over three to five years.

Operational maturity

What this means in practice: clustering for high availability, real audit logs you can ship to a SIEM, scripting hooks for custom workflows, and an API you can automate against.

Free options skip most of these. Mid-tier commercial servers include some. Full managed file transfer platforms include all of them, plus partner onboarding portals and EDI translation that you probably don't need unless you're already asking for them.

Maintenance burden

Every SFTP server has to be patched, host-hardened, monitored, and backed up. Some make this easier than others.

OpenSSH inherits all the standard SSH hardening guidance (disable password auth, restrict cipher suites, rate-limit connections), but the work is yours to do. Commercial servers ship hardened defaults and expose the configuration through a GUI. Whether that matters depends on how much sysadmin time you have to spend.

The types of SFTP server for Windows

Four broad categories cover almost every Windows deployment. Match the category to your shop first, then shortlist within it.

Windows's built-in OpenSSH — the free baseline

Microsoft ships OpenSSH as an optional feature on Windows 10 (build 1809+) and Windows Server 2019+. Enable it, start the service, open port 22, and you have SFTP. No license, no GUI, no per-user fees.

This is the right answer for a single-server dev environment, a CI/CD artifact drop, or a one-user transfer endpoint. It's the wrong answer if you have more than a handful of users, want AD integration without manual config, need audit logs for compliance, or want a UI for your less-technical admins. It doesn't grow into those things. Outgrowing it means migrating to a different product, so plan for that early.

Lightweight SFTP servers

A range of small commercial and free servers sit just above the OpenSSH baseline: easy to install, friendlier than editing sshd_config, fine for simple file drops. What they typically lack is real AD integration, audit logging suited to an auditor, and any form of clustering. Good for small teams without compliance pressure; limiting once you need governance. CompleteFTP's Standard edition sits at the top of this tier — a real admin GUI and full protocol support for small teams — with a clean upgrade path to Professional when you outgrow it.

Commercial Windows-native SFTP servers

This is where most production Windows shops land, and where CompleteFTP Professional belongs. Full protocol support, Active Directory integration, audit logging, a real admin GUI, and licensing that doesn't punish you for adding users. Built to run as a hardened production service rather than a convenience tool.

If you have a domain, more than a handful of users, and any compliance pressure, this is the category to shortlist in.

Enterprise managed file transfer platforms

At the top end, enterprise MFT vendors add workflow automation, partner onboarding, EDI translation, and broad analyst coverage, usually on annual subscriptions that run into the tens of thousands per server, per year. Worth it if you genuinely need the workflow depth. Overkill, and over-priced, if you just need a solid, secure SFTP server.

CompleteFTP Enterprise MFT covers most of this ground (automation, clustering, encryption at rest, cloud storage backends) on a perpetual license rather than a subscription.

Where CompleteFTP fits

CompleteFTP runs on Windows (and now Linux) and supports SFTP, FTPS, SCP, HTTP, HTTPS, and FTP. SFTP is available from the Standard edition up, with Professional and Enterprise MFT adding more on top. Per-server perpetual licensing. You pay once and own the version you bought. Unlimited users at every tier.

As you move up the editions you get AD integration with group-to-permission mapping, full audit logging suitable for HIPAA and PCI DSS, .NET and JavaScript extensibility, scheduled transfers, encryption at rest (Enterprise MFT), active-active clustering (Enterprise MFT), and cloud storage backends including Azure Blob and Amazon S3 (Enterprise MFT).

Built on 20+ years of active development, with customers including NASA, Boeing, Audi 3 Italia, Global Payments, and TeliaSonera.

The honest gap: CompleteFTP doesn't have the analyst mindshare of the big subscription platforms. That's a buying-process problem more than a product problem. Most teams that run CompleteFTP got here by trialing the actual software, not by reading analyst reports. So that's the suggestion: download it and run it against your own environment before you decide.

Picks by scenario

Windows shop with Active Directory and 50+ users

You need AD integration with group-to-permission mapping, audit logs, and a UI your other admins can use. Shortlist in the commercial Windows-native category. If pricing matters and you want a perpetual license rather than a subscription, that points to CompleteFTP (Professional or Enterprise MFT edition). If you need the broader workflow feature set — partner portals, complex automation, EDI — step up to CompleteFTP Enterprise MFT or an enterprise MFT platform.

Healthcare or finance with HIPAA/PCI compliance

You need audit logs an auditor can read, encryption in transit (SFTP gives you that) and at rest, role-based access, and multi-factor auth. Shortlist commercial servers and MFT platforms that publish HIPAA/PCI support. The main differentiators are licensing model and how cleanly each one's audit reporting maps to the framework your auditors actually use. CompleteFTP Enterprise MFT covers all of these on a perpetual license.

Dev team that just needs SFTP working today

Use OpenSSH. It's free, it's already on the box, and it takes about ten minutes to enable. If the use case grows into something production-shaped (multiple users, audit needs, AD integration), move to a commercial Windows-native server such as CompleteFTP, with SFTP from the Standard edition up. OpenSSH doesn't grow into those features, so plan the migration rather than being surprised by it.

What to avoid

A few anti-patterns that show up regularly in SFTP deployments:

  • Port 22 exposed to the public internet with password auth enabled. Disable password auth, enable key-only or AD-backed authentication, and rate-limit or geo-IP-restrict connections.
  • No audit log retention policy. Logs rotated out after 7 days are useless for compliance and post-incident forensics. Ship them to a SIEM or a long-term log store.
  • Shared service accounts for partner transfers. Each external partner should authenticate as a distinct user, scoped to their drop folder. Shared credentials make offboarding impossible.
  • Old TLS or SSH versions. TLS 1.0/1.1 and SSH-1 should be off. TLS 1.2 minimum, TLS 1.3 preferred, SSH-2 only. Most modern servers ship this way, but check.
  • Skipping vendor due diligence. Every product in this space will have a vulnerability eventually. Ask any vendor (including us) about patch cadence and advisory history before you commit.
  • No backup of the server config. The host can be rebuilt. The user database, key pairs, and trigger configuration cannot, unless you have a backup.

What is SFTP?

SFTP is an abbreviation of SSH File Transfer Protocol, and is exactly that: a protocol for transferring files over an SSH connection.

SFTP is not standard FTP running over SSH. Although it has similar capabilities and even similar commands to standard FTP, those similarities are superficial. The protocol is completely different and incompatible with FTP and its secure extension, FTPS. (For that distinction, see FTPS vs SFTP.)

SCP is also a file transfer protocol that runs over SSH connections. It's a precursor to SFTP and allows copying files and directories over SSH, but provides no other file operations: no listing, deleting, renaming, or directory navigation.

A quick word on SSH

SSH is a standard for logging in and executing commands on a remote computer over an encrypted network connection. To accept SSH connections, a computer must run an SSH server (such as sshd) on a publicly accessible port, usually port 22.

Authentication works two ways. In password authentication, the client supplies a password the server verifies. In public key authentication, the client signs data with its private key and the server verifies the signature with the client's public key. Clients validate the server in turn via a known-hosts file that pairs each host with its public key. For the full picture, see how SSL, TLS and SSH work.

Frequently asked questions

Does Windows have a built-in SFTP server?

Yes. Windows 10 (build 1809+) and Windows Server 2019+ include OpenSSH server as an optional feature. It's free and functional, but it has no GUI, no Active Directory wizard, and no built-in audit log viewer. Fine for one or two users, painful at scale.

What is the best free SFTP server for Windows?

OpenSSH (built into Windows 10 and Server 2019+) is the main genuinely-free option. See the "Windows's built-in OpenSSH" section above for detail.

Is SFTP more secure than FTPS?

Both can be configured to be equally secure. SFTP uses a single port and SSH-based encryption, which is friendlier to firewalls. FTPS uses TLS and typically requires multiple ports. Most modern Windows deployments default to SFTP because firewall configuration is simpler, but FTPS remains common in B2B contexts where SSL/TLS infrastructure already exists. See our SFTP vs FTPS comparison for the deeper protocol difference.

Can an SFTP server integrate with Active Directory?

Yes, but only if the server supports it. OpenSSH on Windows has no GUI for Active Directory integration. You can map AD users manually, but there's no wizard. Commercial Windows-native SFTP servers, including CompleteFTP, offer AD and LDAP integration as a configurable feature. If you have a domain and 10 or more users, AD support saves a lot of administrative work.

How do I set up an SFTP server on Windows Server?

Three common approaches: (1) Enable OpenSSH via Optional Features, open port 22 in Windows Defender Firewall, and start the OpenSSH SSH Server service. (2) Install a commercial SFTP server such as CompleteFTP and use its setup wizard. (3) Use the IIS FTP server with FTPS enabled. Note this is FTPS, not SFTP. Approach 2 is the standard production path for shops past the dev or test stage.
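Approach (1) carried through with the hardening from the "What to avoid" list, as an added PowerShell example that is not from this page or the CompleteFTP project. The local group SftpUsers and the C:\sftp\<user> folder layout are assumptions; create both before anyone logs in.

```powershell
# Added example: stand up Windows' built-in OpenSSH as an SFTP-only endpoint
# with keys-only auth, throttling and modern algorithms. Run in an elevated
# PowerShell on Windows Server 2019+ or Windows 10 1809+. The 'SftpUsers'
# group and the C:\sftp\<user> layout are assumptions for this example.

# 1. Enable the optional feature (approach 1 in the FAQ).
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'

# 2. Replace the shipped sshd_config with a hardened one. Comments sit on
#    their own lines (sshd treats trailing text on a directive as garbage)
#    and the file is written as plain ASCII, because sshd chokes on a BOM.
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
if (Test-Path $cfg) { Copy-Item $cfg "$cfg.bak" -Force }   # keep the default for rollback
@'
# Keys only: no password, empty-password or keyboard-interactive logins.
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Limit brute-force attempts and unauthenticated connection floods.
MaxAuthTries 3
LoginGraceTime 30
MaxStartups 10:30:60
# Modern algorithms only (current OpenSSH does not implement SSH-1 at all).
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# VERBOSE records the fingerprint of the key used for every login.
LogLevel VERBOSE
Subsystem sftp sftp-server.exe
# Members of the assumed SftpUsers group get SFTP only: no shell, no
# forwarding, each confined to their own drop folder.
Match Group SftpUsers
    ForceCommand internal-sftp
    ChrootDirectory C:\sftp\%u
    PermitTTY no
    AllowTcpForwarding no
# Windows convention: administrators' keys live in one system-owned file.
Match Group administrators
    AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@ | Set-Content -Path $cfg -Encoding ASCII

# 3. Open port 22 and run sshd as an always-on service with the new config.
New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
    -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow -Enabled True
Set-Service -Name sshd -StartupType Automatic
Restart-Service -Name sshd
```

Each SftpUsers member still needs a public key in their profile's .ssh\authorized_keys, and each partner should be a distinct account so the per-user folder and log entries stay attributable.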

Do SFTP servers support HIPAA and PCI DSS compliance?

The protocol itself doesn't make you compliant; your configuration does. For HIPAA or PCI DSS you need encryption in transit (SFTP gives you that), audit logging of every transfer, access controls per user, and typically encryption at rest for stored files. Commercial SFTP servers expose these as built-in features. With OpenSSH you'd build the audit and access layers yourself, which auditors generally don't like.

Try CompleteFTP as your Windows SFTP server

CompleteFTP supports SFTP, SCP and SSH alongside FTPS, HTTPS and FTP. It's compact, simple to install, and you can be running in a couple of minutes. SFTP is supported from the Standard edition up.

  • Compare editions: Standard, Professional, and Enterprise MFT. Per-server perpetual licensing.
  • Download the 30-day trial: full feature set, no credit card, no sales call.
  • MFT vs SFTP guide: if you're still deciding whether you need a full managed file transfer platform or just an SFTP server.