Show Contents / Index / Search

Permissions Pane

Getting there


  • Changes you make on this pane do not affect permissions for existing client connections. You can restart the server to enforce these settings for all connections.
  • Items on this pane can be configured globally or as part of a subconfiguration.

Permission settings


Deny all logins

Select to configure the server to deny all new client connections.


  • This setting does not affect existing client sessions.
  • This setting is not available for subconfigurations. Use Access Control to control access by host, group, and/or user.



Allow terminal shell

Specifies whether to allow client users access to a command window.

Note: You may also need to edit your operating system security settings to allow users access to a terminal shell. For more information, see Command Shell Access.


Terminal default directory

Specifies the login directory for terminal shell sessions. You can specify any physical directory, or use one of the following pattern strings to specify user-specific directories. For details see Pattern Strings in Directory Paths.




The user's User profile folder .




The user's Home folder.




The user's login name.




The user's domain name and login in the format domain.username.


Terminal provider

Specifies which program to launch when a client connects to the server and Allow terminal shell is enabled. The program must be a text-based command-line utility. The default setting is cmd.exe, which launches a standard Windows DOS command window.


Allow exec requests

Specifies whether to allow the client to execute commands on the server.


Exec request prefix

This setting is available only when Allow exec requests is enabled. Use it to specify text to prepend to a command sent by the client.


Caution: To ensure that the server launches the correct program for Terminal provider and Exec request prefix, use a fully-qualified path name and enclose any path name that includes spaces in double quotation marks. (If the executable or path name has a space in it, because of the way the Windows API function used by the server parses spaces, there is a risk that a different executable could be run. For details, see "Security Remarks" in the MSDN article at

File transfer


Allow SCP1

Clear to disable transfers using the SCP protocol used by OpenSSH. This protocol does not use the SFTP subsystem; it executes an rcp command through the secure channel.

Note: When Allow exec requests is enabled, SCP1 transfers are still possible, even if you have cleared this check box.



Clear to disable transfers using SFTP and SCP2 (which use the SFTP subsystem).



Allow client to server (local) port forwarding

Clear to disable local port forwarding requests made by the client.


Allow server to client (remote) port forwarding

Clear to disable remote port forwarding requests made by the client.

Subconfiguration Features


Reload inherited settings

Removes subconfiguration-specific values from all settings on this pane. All settings values revert to their current inherited state.

Note: This change is not finalized until you save your configuration using File > Save.


non-inherited setting icon (asterisk) (asterisk)

Indicates that the value of a setting is specific to the current subconfiguration. The server always applies the specified value, regardless of any subsequent changes you make to global or inherited settings.

Related Topics

Access Control Settings

Customize Directory Access for File Transfers

Port Forwarding Overview