diff --git a/contrib/win32/openssh/install-sshd.ps1 b/contrib/win32/openssh/install-sshd.ps1
index 142664bcc..bd85fb164 100644
--- a/contrib/win32/openssh/install-sshd.ps1
+++ b/contrib/win32/openssh/install-sshd.ps1
@@ -274,13 +274,29 @@ sc.exe privs sshd SeAssignPrimaryTokenPrivilege
 Add-Privilege -Account $sshdSid -Privilege SeAssignPrimaryTokenPrivilege
 Add-Privilege -Account $sshdSid -Privilege SeServiceLogonRight
+# create logs folder and set its permissions
 if(-not (test-path $logsdir -PathType Container)) { $null = New-Item $logsdir -ItemType Directory -Force -ErrorAction Stop }
-$rights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
-$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sshdAccount, $rights, "ContainerInherit,ObjectInherit", "None", "Allow")
 $acl = Get-Acl -Path $logsdir
-$Acl.SetAccessRule($accessRule)
+# following SDDL implies
+# - owner - built in Administrators
+# - disabled inheritance
+# - Full access to System
+# - Full access to built in Administrators
+$acl.SetSecurityDescriptorSddlForm("O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)")
 Set-Acl -Path $logsdir -AclObject $acl
+
+$agentlog = Join-Path $logsdir "ssh-agent.log"
+if(-not (test-path $agentlog)){ $null | Set-Content $agentlog }
+Set-Acl -Path $agentlog -AclObject $acl
+
+$sshdlog = Join-Path $logsdir "sshd.log"
+if(-not (test-path $sshdlog)){ $null | Set-Content $sshdlog }
+$rights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sshdAccount, $rights, "None", "None", "Allow")
+$acl.SetAccessRule($accessRule)
+Set-Acl -Path $sshdlog -AclObject $acl
+
 Write-Host -ForegroundColor Green "sshd and ssh-agent services successfully installed"
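Review bot: The `"Read, Write"` rule granted to `$sshdAccount` on `sshd.log` includes WriteData, so the service account can overwrite or truncate its own log rather than only extend it, which weakens the log as a record of what sshd did if the service is ever compromised; if the logger opens the file for append only, a rule built from `AppendData` (plus `ReadAttributes`/`Synchronize` if the open requires them) would be the least-privilege choice — confirm against how sshd opens the log before narrowing it. Since the folder ACL now grants the service account nothing, sshd can open the pre-created `sshd.log` but presumably cannot recreate it if it is removed or rotated, so the file must exist before the service starts; that assumption deserves a comment next to the `$rights` line, e.g. `# sshd runs as $sshdAccount and only needs to write its own log; it gets no rights on the folder, so the file is created here and must not be removed`. The `ssh-agent.log` rule grants SYSTEM/Administrators only, which is consistent with the agent running as SYSTEM but is not stated anywhere; a one-line comment saying so would save the next reader from wondering why the two files differ.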