Secure file copying with WinSCP

In his latest Downloads column, Scott Sidel examines WinSCP, an open source SFTP and FTP client for Windows. Sidel explains how the tool's optional interfaces, multiple secure authentication mechanisms and strong security features make it a must-have for securely copying files.

Scott Sidel

WinSCP is an open source SFTP and FTP client for Windows. It is used to safely copy files between local and remote...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please log in.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

computers. Windows has built-in support for FTP, which is available at the command prompt for command-line execution and Internet Explorer provides a basic graphical front-end. Both Windows-native methods lack security, since file transfers via FTP authenticate and take place in the clear.

WinSCP is easy to use, providing two optional interfaces: one that looks similar to the old Norton Commander file manager and the other similar to Windows Explorer. It supports securely dragging and dropping files for transfer across a network and can be integrated directly into the Windows shell. It supports directory synchronization, allowing directory comparisons and highlighting files that are different, and then transferring new and updated files. It also supports automation scripting and command line option flags.

From a security standpoint, WinSCP delivers the goods. It supports file transfers using encrypted tunnels, DES, 3DES, Blowfish and AES. It can use SSH v1 and v2, or can be set to only accept connections from hosts/clients employing the stronger v2.

For more information:

In this expert Q&A, Mike Chapple discusses why FTP will never be a secure way to transfer files.

Information security threats expert Ed Skoudis explains the malware-related risks of copying files.

Michael Cobb reviews the strengths and weaknesses of Internet protocols FTPS, SCP and SFTP.

WinSCP supports multiple secure authentication mechanisms, including"keyboard-interactive" two-factor authentication. With keyboard-interactive authentication, the server can prompt for special credentials such as an S/Key one-time password or RSA SecurID generated value. These "disposable" credentials are preferable when using a public computer. WinSCP also supports cryptographic certificates using public and private keys. To avoid having your private key stolen and used to authenticate sessions on your behalf, WinSCP supports requiring that a passphrase be entered when authenticating your key. WinSCP also supports storing standard single-factor passwords with saved sessions, a convenience that is not recommended, but can be restricted and disallowed by a system administrator.

In addition to strong security, WinSCP provides another thing that some free tools may not: an excellent Web site with well-written documentation. There are lots of screen shots and pages of helpful explanations and how-to's.

WinSCP has won many awards, is well supported and has a very active community, making it an easy tool to recommend.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.

This was last published in January 2008

FTP (File Transfer Protocol)

Automate vCenter backup to avoid the hassle of manual backup

The security pros and cons of using a free FTP tool

FTP security best practices for the enterprise